Invasive and Ineffective: DHS Surveillance Since 9/11

This blog is part of ACS’s Blog Symposium exploring the Legal Legacy of 9/11.

In the aftermath of the September 11 attacks, President George W. Bush and Congress created the Department of Homeland Security (DHS), consolidating twenty-two different agencies and their functions under one umbrella. Much has been written since the Department’s creation about its dysfunction and systemic challenges. But DHS’s sweeping collection, retention, and use of data about Americans, immigrants, and travelers has received far less scrutiny. Much of this information – which can reveal everything from a person’s political and religious leanings to the identity of their friends, relatives, and associations and their fingerprints or facial signatures – is not related to “specific…threat(s) from…specific terrorist(s),” which was identified as a significant intended focus of DHS in President Bush’s proposal to create the Department. Instead, it is often used to make opaque and unscientific determinations about who might pose a threat in the future.

There is scant evidence that the combination of suspicionless surveillance and speculative threat assessments have made us safer. Moreover, former DHS officials have emphasized the impact of DHS’s operations on Americans’ civil rights and civil liberties, noting that the “privacy and due process concerns resulting from other homeland security operations, such as information collection by the National Security Agency, pale by comparison.” As the administration turns its focus toward domestic terrorism in the wake of the January 6 insurrection, and far-right violence in particular, it must take care in deploying DHS’s significant resources not to simply recycle practices that jeopardize historically targeted communities and individual privacy.

Beginning a decade ago, for instance, the Obama administration began to entrench Countering Violent Extremism (CVE) initiatives. Programs in this mold recruited community leaders, social workers, teachers, and public health providers, purportedly to help identify people who were at risk of becoming violent extremists. Instead, these efforts broadly painted members of American Arab and Muslim communities as terrorists and everyday political activism and religious practices as signs of violence. While President Biden promised during the election that he would scrap such programs, his administration has instead doubled down on this same basic approach, funding efforts that direct the public to report supposedly suspicious activity or behaviors – including vaguely defined indicators such as having a grievance, being socially isolated, or behaving unusually – to the police or to “threat assessment” teams involving law enforcement. These programs, which are run out of DHS’s new Center for Prevention Programs and Partnerships (CP3), are essentially a repackaging of the repudiated CVE programs that relied on unscientific criteria to flag potential threats, even if they do not overtly target marginalized communities.

In addition, some reports of suspicious activity will be disseminated to “fusion centers,” products of the post-9/11 push to supercharge information-sharing and surveillance coordination between federal, state, and local governments and the private sector. These centers were roundly criticized in a bipartisan 2012 U.S. Senate investigation that found they had “yielded little, if any, benefit to federal counterterrorism intelligence efforts” while releasing reports that were useless or corrosive of civil liberties. More recent events do not inspire confidence that much has changed: last year, one fusion center was caught distributing fake posts by right-wing activists as evidence of potential violence at anti-police brutality demonstrations, while others were found to have monitored racial justice organizers and protests. Nevertheless, DHS and DOJ guidelines encourage fusion centers to assess terrorism risk by drawing on a plethora of extraneous sources, from social service providers and public health departments to hospitals and phone and internet providers.

Between the threat assessment framework and the involvement of fusion centers, issues unrelated to public safety threats – a fight between classmates, for instance, or a mental health condition requiring care – will be elevated to often unaccountable law enforcement bodies, thereby undermining efforts by social service and health providers to get people the help they may need. Moreover, these unreliable threat indicators are likely to be tainted by well-documented racial and religious biases that disproportionately identify Muslims and individuals of color as posing a threat.

In the travel and immigration screening context, too, the Department fuses reams of disparate and unreliable information to conduct risk assessments, an opaque process that purports to determine who might pose a threat among both foreign travelers and Americans. To facilitate this process, DHS uses automated tools that pull from a broad list of datasets, including detailed passenger information submitted by airlines, license plate data, DMV records, law enforcement and intelligence information, visa and immigration enforcement records, and social media data. Some tools incorporate data sets tainted with bias, such as NSEERS, a defunct Bush-era registry for Arab men. In the past, border agents have even added notes on books carried by travelers, documenting First Amendment-protected activity.

Exposés of Transportation Security Administration (TSA) risk assessment programs depict a department run amok. In one program, Screening of Passengers by Observation Techniques (SPOT), later rebranded as the “Behavioral Detection and Analysis Program,” officials flagged travelers as potential security threats on the basis of innocuous behavior such as whether they were wearing “improper attire for the location” or gazing down. TSA officers administering the program reported that it enabled racial profiling, and the program was the subject of multiple critical GAO and DHS Inspector General  reports, which found that the majority of TSA’s indicators were not empirically supported and the agency had not determined the effectiveness of the program. Though TSA has stopped this stand-alone behavioral detection effort, it appears that aspects of the program have been incorporated into general TSA activities.

Another TSA risk assessment program, “Quiet Skies,” identifies incoming international passengers (including Americans) based on routine behaviors like fidgeting, sweating, using the bathroom, or conversing with fellow passengers; once flagged, armed federal air marshals may board their flights to observe them. TSA officials disclosed to Congress that 5,000 US citizens – none of whom were ultimately deemed suspicious or requiring further scrutiny – had been monitored in a single six-month period, and the DHS Inspector General issued a scathing audit that documented DHS’s extensive failures to follow basic processes.

Social media is also an emerging frontier of broad-scale surveillance both abroad and domestically. The Obama administration started using social media to screen people coming to the U.S., a practice significantly expanded by former President Trump’s Muslim Ban. Since 2019, for instance, the State Department has collected social media identifiers from about 15 million people who apply for U.S. visas annually. These are shared with DHS and accessible through its risk assessment platforms, and the Department continuously monitors select visa holders’ social media during their time in the country. Domestically, DHS’s Office of Intelligence & Analysis (I&A) is responding to the January 6 insurrection by rolling out an initiative to identify online “narratives” that they believe are likely to incite violence, as well as to identify people who may be susceptible to these narratives based on their social media behavior.

There is little proof, however, that social media screening is an effective threat detection tool. DHS’s own internal tests examining the utility of social media to screen people coming to the U.S. suggest that officials found it of little use in identifying national security concerns, and that it was difficult to understand the context or to ascertain the reliability of what they were reviewing. The Department ultimately concluded that “mass social media screening” was a waste of resources. In addition, earlier this year, the White House office that reviews federal regulations rejected a proposal by DHS to follow the State Department’s lead in collecting social media identifiers because the Department had not “adequately demonstrated the practical utility of collecting this information.” And I&A’s intelligence gathering and dissemination process has had a poor track record of protecting civil rights and liberties, raising concerns about its foray into social media monitoring.

Moving forward, policymakers should learn from the experiences of the last twenty years. None of the DHS-led programs described above have a documented track record of providing security benefits. Yet their ill-conceived methods persist, and continue to be expanded, in current policy. Indeed, the effectiveness and potential impact of these programs was never meaningfully considered – or, in some cases, was even ignored as the programs were rolled out. Before implementing new initiatives, DHS must empirically validate their utility using concrete assessment criteria and account for impacts on privacy, civil rights, and civil liberties. To ensure this happens, DHS should bring its Offices of Privacy and Civil Rights and Civil Liberties into the fold at the outset of the policy design process, give them a voice in whether programs should be implemented and not simply how, and direct them to regularly audit programs that go into effect. DHS should also halt support for efforts that have not been demonstrated to work, including the violence prevention programs, fusion centers, and broad-scale social media surveillance initiatives discussed above.

Commentators will continue to discuss whether DHS should be restructured or eliminated. In the meantime, there are ample steps that the Secretary and Congress should take to ensure that the Department enters this decade by taking a new approach: measuring effectiveness, engaging only in empirically proven methods, and dedicating itself to robust protection of civil rights and civil liberties.

National Security and Civil Liberties, Surveillance and Privacy