THE BLOG
12/03/2015 01:27 pm ET Updated Dec 06, 2017

Visa Waiver Program Has Same Weak Links; Mass Surveillance and Terrorist Watchlisting Don't Work

Gina Ferazzi via Getty Images

Co-written with Huffpost blogger Georgianne Nienaber

Politicians are scoring points with a frightened U.S. population by hyping the supposed danger of letting in up to 10,000 Syrian refugees, but a much greater or actual risk exists in the current gaps in a visa-waiver program. Yesterday's massacre in San Bernardino again underscores the ineffectiveness of relying upon bulk data collection and intelligence agencies' watch-listing processes to "keep us safe from terrorism."

All the hyped political angst regarding the possible resettling of a few thousand Syrian refugees stands in stark contrast to the relative lack of congressional concern about the equally, if not more inherently problematic Visa Waiver Program (VWP). This longstanding, historically-proven dangerous, but little understood Department of Homeland Security (DHS)-administered program, allowed 21,231,396 foreign visitors from 38 countries to pass through U.S. ports of entry with minimal to no screening according to 2013 official records (the most recent data published).

The numbers should give pause, since visitors admitted each year via the VWP are over 2,000 times greater than the "up to 10,000" Syrian refugees proposed a few months ago by President Barack Obama for eventual resettlement in the U.S. The number of VWP entrants is nearly 20,000 times greater than the 1,300 Syrians previously allowed into the U.S. since the conflict began over four years ago. The VWP program allows 300 times more foreign visitors into the U.S. than refugees from all countries combined.

Of those entering under the VWP: 293,217 came from Belgium; 1,804,035 from France; and 512,299 from Sweden. Even before the more recent "Charlie Hebdo" and Nov. 13 attacks in Paris, it was known that the United Kingdom, France, Belgium and Sweden were emerging as home bases for Islamic extremists joining the Islamic State (also known as ISIL, ISIS or Daesh). So do these countries, among others in the waiver program, offer potentially easy access to the United States for some of their increasingly radicalized citizens now supporting known terrorist organizations?

What We Know and Don't Know

We suggested last year that the United States has a gaping hole in its DHS and Immigration and Customs Enforcement (ICE) monitoring. There had been little public discussion of the VWP, a program that 38 countries currently participate in. Participating countries agree to loosen travel restrictions in order to encourage tourism, trade and business travel.

Before traveling to the U.S. by sea or air, VWP participants must fill out an Electronic System for Travel Authorization (ESTA) form online. It costs a modest $14 and assumes that the applicant is telling the truth about previous visa denials and run-ins with the law.

Since November 2014, new information, including additional passport data, contact information, and potential names or aliases, is required. Once the applicant has the ESTA application completed, he/she needs no other paperwork other than a valid passport from one of the participating countries.

"Upon landing in the U.S.," according to the optimistic March 2015 testimony of the Director of the Heritage Foundation Steven P. Bucci, "individuals must provide biographic and biometric information that is checked against additional sets of biometric databases controlled by DHS (Automated Biometric Identification System or IDENT) and the FBI (Integrated Automated Fingerprint Identification System or IAFIS). The individual is once again checked through TECS, the ATS, and the APIS and undergoes additional inspection if necessary. At any point in this process, security officials can prevent an individual from entering the U.S. if they are deemed a security risk or ineligible for travel to the U.S."

Testifying before the Subcommittee on Border and Maritime Security, Committee on Homeland Security, in the U.S. House of Representatives, Bucci made it sound like a "robust screening process" but what we don't know, what is critically missing from his rosy prognosis, is how many of the over 1.1 million terrorist suspects that have made it onto key "terrorist watch lists" can be conclusively identified by biometric data alone, as Bucci's testimony suggests.

Could it be more likely that the only real barrier to entrance to the United States is the Customs and Border Protection officer at the port of entry, who stamps the passport, with or without a few questions, and with little means of verification? Unless a match comes up with someone entered on the Terrorist Watch List or the no-fly list, the VWP traveler is free to enter for up to 90 days or vanish underground.

The Heritage Foundation director's testimony included an impressively complicated chart (below) about how the VWP system is supposed to work, but the chart raises as many questions as it answers. It certainly doesn't answer the most important questions about the actual effectiveness of the watch listing, checking and flagging process.

2015-12-03-1449156312-8294290-HHRG114HM11WstateBucciS201503172.jpg

The ESTA regulations also have gaping enforcement holes. In 2010 (the latest data available), 364,000 travelers were able to travel under the VWP program without even the minimum verified ESTA approval by airlines, according to the Government Accountability Office (GAO). No one knows to what extent these passengers presented a security risk or if they left the country after the required 90-day limit on their stays.

Historically, it must be noted that Al Qaeda- aligned terrorists have already used the VWP to gain access to soft targets in the United States. French citizen and later convicted 9/11 participant Zacarias Moussaoui traveled on the VWP before he enrolled in Oklahoma and Minneapolis flight training schools prior to 9/11.

Richard Reid, the "Shoebomber," along with Ahmed Ajaj, also traveled on the VWP. In December 2001, Reid used an Amsterdam-issued British passport to board an American Airlines flight from Paris to Miami. In a separate incident, border agents caught Ajaj with bomb-making materials and a cheat sheet explaining how to lie to border officials. Ajaj was using a Swedish passport on the VWP.

Ramzi Yousef, one of the main perpetrators of the 1993 World Trade Center bombing and a co-conspirator in the Bojinka (airline bombing) plot to blow up 11 American jumbo jets, used the VWP on a fraudulent British passport:

"Yousef had boarded in Peshawar with a fraudulent British passport, presumably with no U.S. visa, and when he arrived at JFK [Airport in New York], presented an Iraqi passport in his own name, with no visa. Yousef was sent to secondary inspections where he requested political asylum; he was released on his own recognizance and went on to finish organizing the WTC bombing."

Despite the fact that both Youssef and Ajaj were caught in 1992 with numerous false passports, Youssef was not even detained, but was released in the U.S., and Ajaj was also later released. These egregious examples all occurred before or shortly after "9/11 changed everything." Some of these problems were likely remedied, but no one knows if the post 9/11 collection and management of "big data" did not create new snafus.

A 2004 OIG evaluation of the VWP still found significant problems and asked for reforms in 14 areas. One reform involved development of a process to check all Lost and Stolen Passport (LASP) data provided by participating VWP governments against entry and exit data in U.S. systems.

A 2014 report, prepared for Congress by the Congressional Research Service, says the 2008 reform mandates, which were required because of the 2004 OIG evaluation, are not complete. DHS has completed the pilot programs, but according to the Government Accountability Office (GAO), "DHS cannot reliably commit to when and how the work will be accomplished to deliver a comprehensive exit solution to its almost 300 ports of entry."

In 2012, testimony to the GAO by Rebecca Gambler, Acting Director of Homeland Security and Justice, revealed that data is being collected by some VWP countries but not shared by any.

"As of January 2011, 18 of the 36 Visa Waiver Program countries had met the PCSC (Preventing Combating Serious Crime) and information-sharing agreement requirement, but the networking modifications and system upgrades required to enable this information sharing to take place have not been completed for any Visa Waiver Program countries."

In July 2015, DHS, in collaboration with DOJ and the Department of State (DOS), completed PCSC Agreements, "or their equivalent with 35 (VWP) countries and two additional countries to share biographic and biometric information about potential terrorists and serious criminals." The agreements are in place, but information is vague about data sharing. Would complete data sharing make a difference? Or are officials creating an even bigger haystack of unusable data?

More recently, on Nov. 18, Sen. Mark Warner, D-Virginia, told Federal Computer Week that the information travelers supply to the waiver program does not "necessarily include off-the-books travel to territory controlled by the Islamic State group." Warner added that VWP doesn't record where passport holders travel beyond their initial destinations:

"We don't know how many European nationals have gone from France or elsewhere to Turkey or where they've gone from there, and [they] come here with virtually no screening. Literally 10 million people with German passports last year traveled to Turkey because there's such an enormous Turkish population in Germany and many travel back to see relatives."

More Questions than Answers

Far from inspiring confidence, this history and limited available information should raise more questions, including the following:

-Are the "Terrorist Identities Datamart Environment" (TIDE) and the Terrorist Screening Database (TSDB), the main or only "terrorist watch lists" checked for the names and passport identifiers of VWP applicants and/or entrants in order to detect any terrorist suspects seeking to enter? (TIDE is the U.S. Government's central repository of information on international terrorist identities, but the list has grown to an unwieldy 1.1 million persons.)

-Does the over-inclusiveness of mostly non-relevant, non-biometrically (and even non-biographically) identified data in the larger "total information awareness" primary U.S. and foreign agency databases, where trillions of pieces of metadata have been vacuumed and stored, help or hinder the accuracy of the complicated winnowing or "nomination" process to compile TIDE/TSDB and the "No Fly" and "Selectee" lists?

Before Dec. 25, 2009, the Terrorist Screening Center (TSC) did not watch-list the "underwear bomber" Umar Farouk Abdulmutallab. Since he was not on the Terrorist Watch List (TSDB), he was allowed to board a flight to Detroit. The failure was never fully made clear, but getting on the list, it seems, is more art than science as it requires "nomination" from "originator" intelligence and law enforcement agencies possessing "reasonable suspicion" and biographical identifying info for the person nominated.

Of course officials will always tend to err on the side of caution, which means the list of 1.1 million on TIDE ends up containing many false positives, or incorrectly identified "persons." This is why, after years of complaints, officials had to devise a way for incorrectly listed individuals to challenge the listing and get their names off the "no fly list."

The government counters -- probably rightly -- that it's far better to tolerate the problem of "false positive" inaccurate listings than to err by not including a true "needle in the haystack" terrorist suspect. What's left unsaid is the degree to which the list of 1.1 million persons is still under-inclusive as well as being over-inclusive.

-We realize that the pre- and circa-9/11 examples of egregious failures now should be moot in light of the vast changes initiated in data-collection, data-mining and refining the watch listing processes after 9/11. These failures occurred before "Top Secret America" began vacuuming up trillions of pieces of data on people all over the world, including that done by the NSA's massive communication interception programs; before TIDE or the no-fly list even existed. Congress needs to learn whether any of the recent participants in the Mideast or the European terrorist attacks could have used the waiver program to enter the U.S.

-The new "$64 million question" becomes what is the actual, current track record of the watch listing process? How many, if any, of the dozens of citizens of any of the 38 participating countries who have, in hindsight, been identified as participating in recent terrorist incidents were NOT listed in TIDE or the TSDB so would not have been flagged if they had sought to enter the U.S. through the VWP? How accurate is the actual operation of the tiered nomination process in its attempts to accurately strain the wheat from the chaff, i.e., to get more "needles" and less "hay?"

DHS and NCTC will invariably know the full answers to these important questions while the public must rely on reporters' limited prying. In all fairness, it's been reported that brothers Saïd and Chérif Kouachi, who shot 12 "Charlie Hebdo" employees, were on the U.S. terrorist watch list for years. One of the brothers was known to have traveled to Yemen, possibly for training with Al Qaida in the Arabian Peninsula. Also on the plus side, Reuters reported that four of the Nov. 13 attackers in Paris were listed in TIDE and at least one of the attackers was also on the U.S. no-fly list.

The US Refugee Program

Last week, the House of Representatives voted to tighten restrictions on the resettlement of Syrian refugees into the United States based on their concerns about national security. With a veto-proof majority, the bill passed 289-137 as Democrats joined Republicans, pointing to the fact that one of the participants in the Nov. 13 Paris attacks was a Syrian who entered Europe with a fake passport while posing as a refugee.

The House bill requires that the FBI and Department of Homeland Security devise rigorous background checks on refugees, guaranteeing that they pose no threat. But the current process of so thoroughly vetting refugees can take years before approval, since it requires repeated interviews, applicants' furnishing of full biometric data before traveling to the U.S. (in contrast to the VWP), and much more rigorous screening than merely checking terrorist watch lists. Further legislative restrictions would almost invariably prove so onerous as to effectively block almost all Syrian refugees from resettling in the U.S.

In 2013, DHS recorded a total of 69,909 persons admitted to the United States as refugees. The leading countries of nationality for refugees were Iraq, Burma, and Bhutan. This is almost seven times the number of proposed Syrian refugees, but no one raised an eyebrow about these refugees.

Of course, the bigger the haystack, the harder it is to find a terrorist. It is counter-intuitive to the "collect it all" mentality, yet whistleblowers, even before Edward Snowden, have been trying to make the public aware of the problems that inherently undercut the meaningfulness of "big data" gathering and analysis.

"The problem with mass surveillance is when you collect everything, you understand nothing," said Snowden, a former National Security Agency contractor. Data collection, even with biometric identifiers added, will inherently prove far less useful for predicting or preventing terrorism or any crime, than it will be in identifying a perpetrator, i.e., solving a crime, after the crime has been committed. That's essentially how the FBI's fingerprint repository works. A fingerprint identified one of the dead Paris attackers AFTER he died in the attack.

Yet no one would accuse the fingerprint database of having failed. That is because, unlike the massive data collection undertaken after 9/11, no one ever claimed or justified the fingerprint repository as the ultimate solution that could detect criminals/terrorists and prevent would-be crimes/terrorist attacks before they happen.

A similar realistic appreciation of the benefits, difficulties and vulnerabilities of terrorist watch listing based on big data collection, along with honest answers instead of government secrecy is necessary to justify continuation or possible expansion of the VWP.

Given the apparent urgency of plugging holes in the VWP, President Obama announced on Monday, Nov 30, that he would raise the potential fine for airlines who do not verify their passengers' identities. But bigger issues such as disallowing those on the "no fly list" to buy guns will have to wait as that would depend upon congressional action.