Ubiquitous and unpredictable, the threat of a terrorist attack hovers over society like an ominous rain cloud. In the post 9/11 context, a perceived need to actively confront this threat dominates the security discourse in the United States and around the world. Yet, the vastness and amorphous nature of the threat poses great challenges to governments, who bear the primary responsibility for keeping their citizens safe. The problem lies in the potential for virtually anything to become a target. The impossibility of protecting every airport, bridge, water supply center, and other piece of critical infrastructure has given rise to a system of risk management whereby authorities attribute a level of dangerousness to a wide spectrum of potential risks and treat each one accordingly. The idea is to mitigate risk by employing security technologies within new frameworks that seek to manage the underlying uncertainty.
While no universal definition of security technologies exists, the term was introduced in 1978 by the French philosopher Foucault and may be understood as an assemblage of commercially available technologies that seek to predict and preempt possible future risks. Such technologies generally share certain characteristics. For example, they are open, interactive structures, often hybrid, that have multiple uses and integrate easily with technologies from other sectors. The development of security technologies facilitated the shift in focus from locating bombs and other potentially dangerous objects to trying to read peoples’ intentions in order to determine whether or not they pose a risk. In the process, issues of identity, travel documents, the Internet, and other aspects of daily life which previously had nothing to do with the security field have become instrumental to counterterrorism as part of the expanded notion of security. Created in the aftermath of 9/11, the Department of Homeland Security (DHS) embodies this trend. With its mission to “prevent and deter terrorist attacks and protect against…threats…” DHS explicitly draws terrorism into the realm of security where as it had previously fallen under the category of international crime. This gave rise to new global security norms that dramatically altered many aspects of daily life for most people around the world.
Technological advancements opened new possibilities in the realms of surveillance, identity management and border control, which emerged as the key areas of counterterrorism after 9/11. This paper therefore seeks to explore the impact of security technologies on counterterrorism and on society as a whole as the struggle to deal with uncertainty expands the scope of security. Part I describes security technologies as they are employed in counterterrorism, including the role of the Internet in tracing terrorist activity. Part II looks more broadly at new approaches of managing populations and their transnational movements through identity and border management spawned by the trend toward risk management. Finally, Part III assesses the effectiveness of counterterrorism technologies and considers their ethical implications.
Part I: Security technologies employed in the fight against terrorism
Security technologies’ main tasks are to predict and control probable future risks, to manage uncertainty, and to facilitate predictive intelligence. Developed by the United States in the early 1980s, security technologies were initially relics of the Vietnam War redeployed to intercept drug smugglers along the U.S.-Mexican border. Since 9/11 three areas of security have emerged as key aspects of the fight against terrorism: identity management, border management, and predictive intelligence. Each of these comprises assemblages of security technologies, some of which were developed by other sectors. For example, biometrics, DNA, and cameras all “spun in” to the security sector from civilian R&D, while others such as GPS “spun-off” the defense industry to security. In light of security technologies’ multiple uses, rather than focusing on individual technologies, it is helpful to consider them as parts of a multi-layered system.
Historically, only select groups of people, such as prisoners for example, were routinely surveilled. Yet, ever since closed circuit television (CCTV) emerged as a tool for crime prevention in the 1970s, progressively advanced surveillant technologies have become omnipresent. Surveillance technologies include cameras, satellite, facial recognition systems, motion sensors, and border surveillance robots. Today, third generation CCTVs capture the image of an average urban dweller approximately every five minutes. Kevin Haggerty and Richard Ericson explain that increased societal monitoring stems from the convergence of “what were once discrete surveillance systems.” The result is surveillance technologies assemblages. The “assemblage operates by abstracting human bodies from their territorial settings and separating them into a series of flows. These flows are then reassembled into distinct ‘data-doubles,’ which can be scrutinized and targeted for intervention.” For example, facial recognition uses algorithms (automatic step-by-step instructions) to transform an image captured by a surveillance camera (or any other tool) into data that can be matched against digitized facial images stored in a database.Such tools enable security authorities to identify individuals in a crowd as known terrorists and to observe suspicious behavior. Haggerty and Ericson go on to explain that surveillance is expanding rhizomatically (as opposed to hierarchically). In other words, modern societies are constantly surveilled not by an Orwellian “big brother’ figure, but rather by myriad “small brothers” such as the government, private corporations, organizations, and, thanks to social networking, even our Facebook friends.
Drones equipped with surveillance cameras and weapons to carry out reconnaissance and/or targeted killings of suspected terrorists exemplify how surveillance technology can be used in counterterrorism intelligence. For example, in September 2011 a drone targeted and killed Anwar al Awlaki (who inspired the Fort Hood shooter and the Detroit “underwear bomber”) in Yemen. Though highly controversial, this method is increasingly commonplace in the context of the “War on Terror,” blurring the line between surveillance and acts of war. Drones are also used in law enforcement and border management.
Dataveillance and the role of the internet
Dataveillance, as defined by Webster’s New Millenium Dictionary, is “the surveillance of a person’s activities by studying the data trail created by actions such as credit card purchases, mobile phone calls, and internet use.” Tracing internet activity plays an especially important role in counterterrorism. Web harvesting, the process of gathering and organizing unstructured information on the web, allows authorities to rank websites according to their relevance to terrorism and then to use Google’s back-link search tool to discover new terrorist websites. Then, by pairing terrorist websites and analyzing the links between them, authorities can learn about the relations between different known terrorist groups as well as uncover hidden Web communities. Known as link analysis, this process reveals clusters highlighting communication patterns between various actors connected to these terrorist sites.
Data mining uses statistical models, algorithms, and cluster analysis to transform information such as credit card purchases, travel history, and internet activity into electronically processed data with the aim of targeting suspects and profiling risks more precisely. Increasingly relied upon by both the public and private sectors, it has also become a tool of counterterrorism, and more specifically of predictive intelligence. In this regard, data mining enables Homeland Security officials to identify factors that are likely to indicate great risk, such as whether the person belongs to an extremist group or has ever bought explosives. By assigning these factors a higher weight than slightly less relevant factors such as the individual-in-question’s travel patterns, or internet activity, a formula can be calculated to predict whether the person is likely to be a terrorist. Data mining, in essence, is a predictive analysis technique that helps authorities deal with uncertainty.
Given that non-state actors, such as terrorists, have eclipsed state aggressors as the greatest threat to global security, identifying and authenticating individuals as they move across borders has become incredibly important. Consequently, identification technologies such as biometrics, DNA, and semantic behaviorism (so-called ‘soft biometrics‘) have proliferated. Identification technologies are devices or interrelated systems that collect, process, store, compare/match, and disseminate information to identify individuals and authenticate their identity. They rely on computerized databases, contact-less smart cards, and radio-frequency identification (RFID) waves to process the information.
Biometric identifiers are optimal because, “The biometrical representation of the body de-links it from consciousness and subjectivity making it a readable text composed of signs and codes. At the same time it operates like an anatomist or physiologist revealing the possible pathologies that it contains.” As such biometrics have become standard in travel document and other uses such as in gaining access to highly restricted areas or information, replacing traditional passwords and badges. The face has emerged as the preferred biometric identifier for several reasons. Firstly, the face has long been used to identify people unofficially. Moreover, since individuals are required to submit photographs of their face to obtain driver’s licenses, employment and school ID cards, and a myriad of others, it is relatively easy to build a comprehensive database of citizens’ portraits. It has been reported that facial recognition was used to authenticate bin Laden prior to killing him.
Based on the assumption that “the body doesn’t lie,” the International Civil Aviation Organization (ICAO) introduced biometric passports and visas as the second generation interoperable travel documents. They feature a chip storing all relevant passenger information and use facial recognition (fingerprints and/or iris patterns are optional additional biometric identifiers) to authenticate travelers’ citizenship. Biometric passports are believed to be the most secure type of identity documents because they are protected by three layers of security: a digital signature proves the encoded data is genuine and shows which country has issued the passport; Basic Access Control protects against unauthorized readings (“skimming”); and Public Key Infrastructure (PKI) is a digital encryption technology, which shows any change, addition or deletion on the passport chip. Accordingly, biometric passports not only make it more difficult for terrorists to forge their identities, but also facilitate the sharing of real-time information about passengers as they attempt to cross international borders. As such, they enhance international cooperation bestowing confidence in the integrity of travel documents issued by other states.
Part II: Moving toward risk management
The tragic events of 9/11 made clear that risk is inherent in today’s globalized world. A risk-based approach to security recognizes the impossibility of addressing all risks equally. Rather, it understands risk as a function of likelihood (threat or vulnerability) multiplied by consequences, such as the destruction of people, facilities, and financial loss. Accordingly, this approach assess the extent of the risk posed by a possible scenario by using mathematical logic and scientific method to calculate the probability of that scenario becoming real Managing risk involves reallocating security resources more efficiently by focusing more on the risks with the greatest chance of being actualized. Doing so involves assigning a weight to as many potential risks as possible. Thus, not only is the domain of security expanding to include more issues, the way these issues are approached are also undergoing transformation.
Until recently, an individual’s identity was considered a personal matter, but in light of the fight against terrorism, it has morphed into a security issue relying on a broad range of technologies. Defined as, “the use of personal information in order to adequately identify an individual who is trying to access your products or services,” identity management is a tool to help individuals protect their personal information from being shared across databases. Yet, while it was initially conceived by Microsoft, the concept of identity management has taken off in the security field and is also used in counterterrorism. This transition began with governments seeking to develop interrelated systems to collect, process, store, match, and disseminate information about individuals. The next phase involved a shift in focus from authentication to identification. In other words, instead of merely verifying the individual is in fact who he or she claims to be, authorities search for individuals in security databases to cross check them against no-fly or no-access lists. Businesses also capitalize on the user-centric nature of identity management, using it to streamline their customers’ online purchasing experience. Thus, for the first time, individuals voluntarily entered into the identity-management system, by, for example, creating password protected profiles at their favorite online stores to store their address and credit card information for more convenient shopping. As a by-product of the gradual shift to identity management, the notion of separating people into a categories of “riskiness” (with respect to security, finances, and other aspects of life) has become a social norm as well as a security one.
With respect to counterterrorism, preventing identity fraud is paramount because a terrorist who successfully poses as someone else may gain access to potentially dangerous information or material with little chance of detection. According to the 2004 9/11 Commission report, at least two of the terrorists entered the U.S. with fraudulent passports. In an effort to prevent something like this from recurring, DHS relies on the identification technologies described in Part I to manage identities. Additionally, DHS collects Passenger Name Record (PNR) data from airlines and runs it through the Automated Target System, which generates a risk assessment score for all passengers.
Border management is closely linked to identity management. Prompted by 9/11, today’s “smart borders” are understood as zones of activity that facilitate flow of goods and people while filtering out objects or individuals that pose a threat. Borders are no longer tied to a specific geographic area, since U.S. border control authorities “deputized airline agents to inspect documents of U.S. – bound passengers” before they have left their country of origin. The screening process employs technologies ranging from surveillance cameras at airports and along a country’s physical border to biometric passports. In the United States, this task falls to the DHS, who is responsible for increasing transportation and border security, minimizing the risk of future terrorist attacks, and emergency preparedness. The enormity of the task of intercepting terrorists at over 300 ports of entry and along the Canadian and Mexican borders coupled with budget constraints necessitates efficiency. Thus, they rely on border management to balance the competing, but not conflicting, aims of facilitating economic activity with expedited clearance of low-risk people and goods and enhancing security by intercepting risky people or goods before they enter the territory of their destination.
In airport security, the focus on locating “bad” objects by screening baggage is gradually being replaced by a focus on identifying people who warrant additional scrutiny. In January 2005 the DHS launched the U.S.-Visit program, designed as “end-to-end management of processes and data on foreign nationals [coming] to the United States covering their interactions with U.S. officials before they enter, when they enter, while they are in the U.S. and when they exit.” Mandating biometric visas, DHS checks the biometric information of all non-immigrant visitors to the U.S. against watch lists before entry. Many countries have implemented systems that assign their own citizens to a category of risk and treats them and their belongings accordingly. Travelers about whom all relevant information is known are deemed more trustworthy and therefore benefit from an expedited screening process. Not only does this permit authorities to spend less than the $10/person average, it also reduces the “hassle factor” for frequent travelers. At the other end of the spectrum, travelers who are suspected to pose a risk (as determined by a lack of information about them and/or certain questionable behaviors such as buying airline tickets in cash and frequent travel to the Middle East) face additional screenings and their baggage is subjected to the slower, more expensive, yet more accurate machines. Passengers falling somewhere in between these two extreme categories face an average level of scrutiny, costing the average $10 / person, resulting in an experience largely the same as that faced by all international travelers departing from American airports today. Thus, border-management generates new security language and produces typologies of objects according to the calculus of risk.
Historically, intelligence entailed collecting information in secret and analyzing and disseminating that information to decision-makers in order to counter potential threats. Today, sensors, cameras, and communication technologies facilitate information gathering and processing in real-time, which has the concept of intelligence to include business and strategic intelligence, information and data processing. It is a form of knowledge building. This expansion results in a shift toward predictive intelligence, which includes everything mentioned above plus data management and behavioral analysis to anticipate possible terrorist attacks. Since terrorist threats can come from anywhere, rather than focusing on well-defined targets, predictive intelligence relies on data mining to gather information about nearly everyone’s private lives. Ideally, trends and patterns, frequency, and probability provide information to make an intelligent prediction, but when key details are missing, intelligence focuses on risk assessment. Predictive intelligence is essential to counterterrorism because it reduces the chances of being caught by surprise. Its task is not only to collect information, but also to interpret that information correctly in order to warn policymakers in time to react before the attack occurs. This task is extremely difficult and the intelligence community is not always successful, yet predictive intelligence played an integral part in locating and capturing 9/ll mastermind Osama Bin Laden, previously the United States’ most wanted terrorist.
Part III: Assessing the broader impact of counterterrorism technologies
The move toward identity and border management, ICAO norms regulating travel documents, the widespread adoption of biometric identifiers, advances in surveillance technology, and means of tracing online activity were all driven by a belief that these measures enhance society’s security. Arguably, we are more secure today than we were on September 10, 2001, in part because these measures have raised our collective awareness of the threat. Yet, technology offers no panacea for security risks. Problems exist at nearly every level of security technologies from technical errors to philosophical concerns over privacy issues. In the post-9/11 era, all individuals are subject to technological identification and surveillance.
Technological weaknesses and ways to fool the system
Security technologies do not always work as designed. In some cases, technical errors produce mistaken results. For example, machines, occasionally “read” the travel document of someone standing near the person whose identity is supposed to be authenticated. In other cases, the technology works as intended, yet terrorists find ways to fool the system at either the authentication or verification step. Patrick O’Neil, a computer scientist and expert on databases, cites the example of Ahmed Ressam, an Algerian political asylum detained in 1999 at the U.S.-Canadian border with bomb materials and plans to attack the Los Angeles airport. Ressam had obtained a legitimate Canadian passport by providing a false name on a stolen blank birth certificate. (He was only caught because he was acting suspiciously at the border). Even if the passport had included biometric identifiers, the data would have matched perfectly. In other words, Ressam successfully circumvented authentication. Likewise, the effectiveness of the verification step depends on the completeness of reference database. In other words, if the watch list did not include Ressam’s name (and false name) the system could not have caught him. Finally, as any James Bond fan knows, fingerprint replicas (and nowadays also high-quality iris and retinal scans) can fool the biometric system.
The main distinction between security and defense technologies is that the former are commercially available, while the later are not. Accordingly, many of the security technologies described above are also available to terrorists, who have become quite adept at using them to their own advantage. Open and universally accessible, the Internet is an incredibly useful tool for “good” and “bad” people alike. The Internet also offers a wealth of information of interest to terrorists from bomb-making to ideological postings inciting violence. Moreover, terrorists use the same tools as DHS (link analysis, encryption techniques etc) to track who is tracking them. Additionally, like many successful businesses and savvy political campaigns, terrorist networks rely on the Internet to gather followers and communicate with adherents. For example, al-Qaeda has grown quite adept at creating a strong online presence through their own websites as well through mainstream social media networks such as Facebook and Twitter. Contrary to an instinctive impulse that warns us to deny terrorists the use of such an important tool, security authorities welcome the online presence of terrorists because they can learn a great deal about them through keeping track of their postings.
The technolgoization of security has transformed formally disparate security structures into a highly interconnected system. Today, many aspects of security depend on computerized databases that allow information to be shared in real-time. The advantages of this system have been outlined above. Yet, it is equally important to be aware of the risks posed by the centralization of security. First of all, the setup risks a complete system shutdown if any part of it becomes subject to an attack or technical error. O’Neil uses the example of biometrics to highlight the vulnerability of centralized systems, stating “Rather than making the system more secure, this new layer of complexity will in fact construct new possibilities to weaponize the complex system of modern societies.” O’Neil basis his argument on Chalres Perrow’s complex organization theory, which defines organizations comprised of independent parts as linear and those comprised of highly interdependent parts, as complex. Perrow further distinguishes loosely coupled organizations from tightly coupled ones, which are more interconnected. In sum, a tightly coupled complex organization is the most likely target of a terrorist attack, because its high degree of interconnectedness increases its vulnerability to complete system-wide disruption. For terrorists seeking to wreak maximum havoc and instill fear into society, tightly coupled complex organizations such as critical infrastructure, biometric databases, and airport control systems are natural targets. “Even if increased security could prevent attacks on high-value like targets like the Twin Towers, it would run the risk of simply pushing terrorists to softer targets.
The Department of Homeland Security has spent over $1 trillion dollars since 9/11 to prevent terrorist attacks. According to a new academic paper by John Mueller and Mark Stuart, “to be deemed cost-effective, [the increased expenditures] would have to deter, prevent, foil, or protect against 1,667 otherwise successful Times Square type attacks per year, or more than four per day.” In the wake of the global financial crisis and the United States debt crisis, it is questionable whether such counterterrorism spending can be maintained.
Concerns over the right to privacy abound because biometric identity documents enable the system to stealthily distinguish between “risky” and “non-risky” people, which goes beyond their explicit purpose of authentication. Likewise, algorithms used by the U.S.-Visit program are likely to invisibly flag a traveler with family in Pakistan and a history of traveling there as risky, which gives rise to concerns over racial, religious, and ethnic profiling. Pervasive surveillance of ordinary citizens also sparks societal malaise. The controversy that recently erupted over news that Apple iPhones have been storing personal information signals the publics’ discomfort with constant surveillance and monitoring, even by private companies. This is also exemplified by U.S. reluctance to adopt the risk-based approach at domestic airports, which stems from the inherent American notion that all citizens are equal and are protected by the constitution from discrimination based on personal history (which is necessary to create a registered traveler program, for example). While all security technologies go through a period of debate during which society gets accustomed to the idea, it remains to be seen just how far the public will accept being surveilled and having their data stored by the government in the name of security and fighting terrorism.
Terrorism truly poses a grave threat, but statistically it kills fewer people annually than car accidents. So how does one justify the dedication of so much of attention and resources, not to mention compromises on civil liberties, to this issue? In reality, only a tiny percentage of those implicated by the security technologies used in counterterrorism pose a risk to society. The vast majority of those surveilled, biometrically identified, and subjected to scrutiny at border crossings are law-abiding citizens who seek to cause no harm. Meanwhile, as security technologies advance, they become progressively silent. As a result, individuals are increasingly oblivious to the fact that they are being tracked. Accordingly, one may wonder whether it is appropriate to gather and store so much information about ordinary people.
Born out of a teleological society whose faith in progress is unshakable, the technologization of security is largely perceived as a positive development. Technology is an incredible tool that changes society profoundly. When applied to security, technology empowers law enforcement and government authorities to assess situations, identify potential risks, and counter threats in ways that were unimaginable only a decade ago. Biometric travel documents and the new concepts of identity and border managements have revolutionized international travel with the goals of preventing identity fraud, enhancing airport security, and filtering out dangerous people and objects, all while facilitating trans-border commerce and travel by low-risk passengers. As we have seen, today surveillance and dataviellance constitute the primary layers of global intelligence systems. However, they are not fool-proof. To deal with the uncertainty that characterizes today’s globalized world, security authorities should accept it, rather than try to reduce it as prescribed by traditional scientific methods. They should focus on building knowledge networks that expand and interconnect rhizomatically. By replacing the traditional concepts of identity and border control with more integrated approaches, we are moving toward a system of risk management. As we learn from past short-sightedness which led to the failure to prevent 9/11, we are struggling to cope with the complexity and ambiguity of contemporary threats. Moving forward, technology will play an increasingly vital part in helping us see through the complexity and ambiguity of these threats and in some cases prevent terrorist attacks from occurring.