From 7a01a73cb4ce39fb75b339c19f1cf9fb2f93a0c7 Mon Sep 17 00:00:00 2001 From: Kevin Thompson Date: Fri, 15 May 2015 10:29:53 -0500 Subject: [PATCH 1/5] started working on a blog post about polygraphs --- _posts/2015-05-xx-polygraph.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 _posts/2015-05-xx-polygraph.md diff --git a/_posts/2015-05-xx-polygraph.md b/_posts/2015-05-xx-polygraph.md new file mode 100644 index 0000000..eafa5ab --- /dev/null +++ b/_posts/2015-05-xx-polygraph.md @@ -0,0 +1,21 @@ +--- +layout: post +title: "Polygraph Fraud: fraudulent instruction, fraudulent test" +categories: Polygraph +--- + +_Occasionally [Kevin "@bfist" Thompson](https://twitter.com/bfist) gets a bee +in his bonnet about something and decides to write about it on this blog. Why? +Nobody knows but we're happy to have his contributions_ + +> Some notes. I want to talk about the guy that just pleaded guild to fraud +> http://arstechnica.com/tech-policy/2015/05/polygraph-com-owner-pleads-guilty-to-training-customers-to-beat-polygraph/ + +> I want to talk about the case itself and what he appears to be in trouble +for but also talk about the folly of the poly (ooh, maybe that's the title +of this post). I think my conclusion is that the dude did commit fraud but his +sentence should be really light because of the sillyness of the polygraph. + + +I'm going to make a bold claim here, *"I can beat a polygraph.""* I'll go even +further and say From 43bac9d784b9ee82aca3d3a7a295aad0c6921752 Mon Sep 17 00:00:00 2001 From: Kevin Thompson Date: Fri, 15 May 2015 10:48:48 -0500 Subject: [PATCH 2/5] adds more content to the intro and a few more notes --- _posts/2015-05-xx-polygraph.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/_posts/2015-05-xx-polygraph.md b/_posts/2015-05-xx-polygraph.md index eafa5ab..27970ff 100644 --- a/_posts/2015-05-xx-polygraph.md +++ b/_posts/2015-05-xx-polygraph.md 
@@ -16,6 +16,23 @@ for but also talk about the folly of the poly (ooh, maybe that's the title of this post). I think my conclusion is that the dude did commit fraud but his sentence should be really light because of the sillyness of the polygraph. +> I think I also want to talk about whether this knowledge should be a secret. +Is this a national security issue? Is polygraph weakness in the same category +as classified information about drone construction? -I'm going to make a bold claim here, *"I can beat a polygraph.""* I'll go even -further and say +[Today I read an article](http://arstechnica.com/tech-policy/2015/05/polygraph-com-owner-pleads-guilty-to-training-customers-to-beat-polygraph/) about Douglas Williams, the man behind polygraph.com, +who plead guilty to obstruction of justice and mail fraud charges for teaching +people how to beat the lie detector tests used by three-letter agencies as part +of their employment process. I was intrigued because I wondered how, in the +United States with our strong first amendment protections, could someone be +guilty of a crime for sharing knowledge. This strikes a chord with me in part +because I'm also an educator and I have a deep loathing of the concept of +forbidden knowledge. Finally, of course, I'm interested because there are very +real problems with the polygraph and in a way this is very similar to the +punishing of security researchers that find flaws in software. + + +I'm going to make a bold claim here, *"I can beat a polygraph."* I'll go even +further and say that *"I can give completely false answers and pass a polygraph +exam."* However, I feel like that statement has to be tempered with *"I can also +give completely truthful answers and fail a polygraph exam."* From 48c904873803f4301c8c4199944c61bd51a6df4c Mon Sep 17 00:00:00 2001 
From: Kevin Thompson Date: Fri, 15 May 2015 11:35:50 -0500 Subject: [PATCH 3/5] adds more content about why the poly sucks --- _posts/2015-05-xx-polygraph.md | 45 +++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 6 deletions(-) diff --git a/_posts/2015-05-xx-polygraph.md b/_posts/2015-05-xx-polygraph.md index 27970ff..dce2123 100644 --- a/_posts/2015-05-xx-polygraph.md +++ b/_posts/2015-05-xx-polygraph.md @@ -1,6 +1,6 @@ --- layout: post -title: "Polygraph Fraud: fraudulent instruction, fraudulent test" +title: "Polygraph Preparation: technically fraud" categories: Polygraph --- @@ -8,9 +8,6 @@ _Occasionally [Kevin "@bfist" Thompson](https://twitter.com/bfist) gets a bee in his bonnet about something and decides to write about it on this blog. Why? Nobody knows but we're happy to have his contributions_ -> Some notes. I want to talk about the guy that just pleaded guild to fraud -> http://arstechnica.com/tech-policy/2015/05/polygraph-com-owner-pleads-guilty-to-training-customers-to-beat-polygraph/ - > I want to talk about the case itself and what he appears to be in trouble for but also talk about the folly of the poly (ooh, maybe that's the title of this post). I think my conclusion is that the dude did commit fraud but his 
@@ -20,8 +17,17 @@ sentence should be really light because of the sillyness of the polygraph. Is this a national security issue? Is polygraph weakness in the same category as classified information about drone construction? +# TL;DR +People selling training on how to beat a polygraph exam are probably guilty of +fraud but the penalty should reflect that they didn't defraud their customers. +The real victims of their fraud are the organizations which are also defrauding +themselves by relying on this horribly inaccurate measurement. The penalty should +also reflect that with a little care in how the training providers market their +material their product could be 100% legal. + +# The folly of the poly [Today I read an article](http://arstechnica.com/tech-policy/2015/05/polygraph-com-owner-pleads-guilty-to-training-customers-to-beat-polygraph/) about Douglas Williams, the man behind polygraph.com, -who plead guilty to obstruction of justice and mail fraud charges for teaching +who pleaded guilty to obstruction of justice and mail fraud charges for teaching people how to beat the lie detector tests used by three-letter agencies as part of their employment process. I was intrigued because I wondered how, in the United States with our strong first amendment protections, could someone be 
@@ -31,8 +37,35 @@ forbidden knowledge. Finally, of course, I'm interested because there are very real problems with the polygraph and in a way this is very similar to the punishing of security researchers that find flaws in software. - I'm going to make a bold claim here, *"I can beat a polygraph."* I'll go even further and say that *"I can give completely false answers and pass a polygraph exam."* However, I feel like that statement has to be tempered with *"I can also give completely truthful answers and fail a polygraph exam."* + +This claim is not even in dispute. [The Global Polygraph network claims](http://www.polytest.org/lie-detector-polygraph-information.asp) that a +properly done polygraph is 90-95% accurate. There are several other sources that +repeat the 90% claim but I haven't been able to figure out if that claim means that +90% of liars will be detected or if that means that 90% of individual lies will +be caught. Still, that 90% rate is for a single-issue test, meaning that they're +only going to ask about a single topic. By their own numbers, a multiple issue +test will have about 80% accuracy. Also, the number of relevant questions matters. +To quote from the above link: + +> In general, the more relevant questions asked the less accurate the results +will be. ... Adding even one question to a specific issue test double the error +rate. + +So if I were taking a polygraph intended to simulate the test that DHS would give +me as part of their employment screening the best case scenario is that one out +of five times I would fail even if I gave truthful answers. However, if they ask +multiple questions about the issues of concern (drug use, criminal associates, etc) then +we might be looking at failing 2 out of 5 times in the best case scenario. If +there are any problems around question design or techniques used this can easily +get to be a 50/50 crap shoot. + +And in fact other scientific sources seem to indicate that it is exactly that. 
+I am blatantly stealing sources from Wikipedia here, but the National Academy of +Sciences has thoroughly ripped the poly to shreds. I appreciate, in particular, +their point that even if the test was as accurate as claimed, it would still be +terrible for detecting spies because of the [Base rate fallacy](http://en.wikipedia.org/wiki/Base_rate_fallacy). You would reject thousands +of qualified truthful candidates to weed out some of the spies. From 2c1b54f4261ceb5ef65b082bd4d70a2338c29c99 Mon Sep 17 00:00:00 2001 From: Kevin Thompson Date: Fri, 15 May 2015 11:44:08 -0500 Subject: [PATCH 4/5] starts to talk about the value of the poly --- _posts/2015-05-xx-polygraph.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/_posts/2015-05-xx-polygraph.md b/_posts/2015-05-xx-polygraph.md index dce2123..9b6277a 100644 --- a/_posts/2015-05-xx-polygraph.md +++ b/_posts/2015-05-xx-polygraph.md @@ -69,3 +69,9 @@ Sciences has thoroughly ripped the poly to shreds. I appreciate, in particular, their point that even if the test was as accurate as claimed, it would still be terrible for detecting spies because of the [Base rate fallacy](http://en.wikipedia.org/wiki/Base_rate_fallacy). You would reject thousands of qualified truthful candidates to weed out some of the spies. + +## The immeasurable value of the poly +All that having been said, the poly is an amazing tool and there is probably a +good reason that the government continues to use it. When used as part of a complete +theater production it can create a very convincing [appeal to authority](http://en.wikipedia.org/wiki/Argument_from_authority) that most +candidates will accept. From 255bf4c9623e9538d3d1b43a474e4dd785b64cf4 Mon Sep 17 00:00:00 2001 From: Kevin Thompson Date: Fri, 15 May 2015 15:37:52 -0500 Subject: [PATCH 5/5] first draft stage --- _posts/2015-05-xx-polygraph.md | 89 ++++++++++++++++++++++++++++++---- 1 file changed, 80 insertions(+), 9 deletions(-) 
diff --git a/_posts/2015-05-xx-polygraph.md b/_posts/2015-05-xx-polygraph.md index 9b6277a..bac75ff 100644 --- a/_posts/2015-05-xx-polygraph.md +++ b/_posts/2015-05-xx-polygraph.md @@ -8,15 +8,6 @@ _Occasionally [Kevin "@bfist" Thompson](https://twitter.com/bfist) gets a bee in his bonnet about something and decides to write about it on this blog. Why? Nobody knows but we're happy to have his contributions_ -> I want to talk about the case itself and what he appears to be in trouble -for but also talk about the folly of the poly (ooh, maybe that's the title -of this post). I think my conclusion is that the dude did commit fraud but his -sentence should be really light because of the sillyness of the polygraph. - -> I think I also want to talk about whether this knowledge should be a secret. -Is this a national security issue? Is polygraph weakness in the same category -as classified information about drone construction? - # TL;DR People selling training on how to beat a polygraph exam are probably guilty of fraud but the penalty should reflect that they didn't defraud their customers. 
@@ -75,3 +66,83 @@ All that having been said, the poly is an amazing tool and there is probably a good reason that the government continues to use it. When used as part of a complete theater production it can create a very convincing [appeal to authority](http://en.wikipedia.org/wiki/Argument_from_authority) that most candidates will accept. + +A candidate is brought in and told about the infallibility of the machine. The +person is told stories of all the liars that were caught by the machine, and most +importantly they're told about the stakes if the machine says that they lied. They +are connected to a very scientific looking machine the output of which they can't +interpret and then they're asked uncomfortable questions. + +When it's over the investigator appeals to the authority of the machine saying +that the machine things they're lying about some part of the questioning. And if +they've put on a good show the candidate might believe that this infallible machine +has detected their lie. It's really no different than a police interrogator telling +a suspect that the suspect's partner just confessed in the other room and implicated +him as well. If you believe the investigator ([or even if you don't](http://www.innocenceproject.org/news-events-exonerations/polygraph-tests-contribute-to-false-confessions-in-chicago)) you migth +confess in exchange for a more lenient sentence. Or you might confess if the +investigator tells you that this is a minor admission that wont affect your +employment and if you don't admit to it then it will delay your employment and +possibly result in a different candidate being hired. + +# Is this forbidden knowledge? +Since the US government uses the polygraph in employment screening for sensitive +positions there is an obvious incentive to keep it under wraps that this serious +weakness exists in their screening. 
When governments try to censor these facts it +becomes [Forbidden Knowledge](http://en.wikipedia.org/wiki/Forbidden_knowledge). +The first amendment to the US Constitution makes it difficult to censor information +about the polygraph. However the US government has been able to use fraud laws to +go after people selling training on how to beat the polygraph. Essentially the +reason I'm able to tell you everthing I did above is because I'm not selling it for +the express purpose of beating a real polygraph. + +# The specific fraud +[The indictment against Douglas Williams](http://cdn.arstechnica.net/wp-content/uploads/2014/11/williamsindictment.pdf) accused him of defrauding the federal government by obtaining money and property by means of the materially +false statements of his clients. He enriched himself by helping his customers lie to the government. +For example, the indictment claims that he instructed people on specific lies to tell, and +specific facts to omit. We can only speculate, but the lies probably consist of +not telling the government that they know the polygraph is bullshit because they +will reject a candidate that doesn't appear to be taken in by the security theater. +Most importantly, an undercover investigator told Williams that he had made false +statements to DHS and Williams agreed to help with the deception by treaching the +undercover agent how to lie on the test. + +It's a fine line, but once he should have known that he was helping someone defraud +the government then the act of taking money to assist with that fraud is itself an +act of fraud. So the government has a case and Williams was probably wise to eventually +enter a guilty plea. + +# Could it have been legal? +I believe it is possible to legally offer information about how to beat the polygraph +as I've done above. 
I also think it's possible to legally sell training on how to +beat a hypothetical polygraph test, as long as you don't claim that you're selling +this training so that they can beat the specific polygraph test given to people +that are seeking employment with the government. It's kind of like how stores are +able to sell crack pipes and marijuana pipes as long as you don't say anything to +suggest that you're going to use these things for smoking illegal drugs. + +In the case of Williams, the undercover investigator told him several times that he +intended to lie to the government about his involvement in illegal smuggling. By +continuing to cooperate Williams became party to that smuggling. If Williams had +told the undercover that they couldn't do business the first time the undercover +said that then he probably wouldn't be looking at 20 years. + +# The sentence should fit the crime +Although Williams did knowingly engage in a schema to make money by encouraging +people to lie to the government, the government going after people like Williams +seems like an effort to censor the knowledge that the polygraph can't actually +do anything except persuade you to make an admission. If the government were +screening people based on their height to weight ratio and I sold training on +how to dehydrate yourself to pass the test would it really be worth 20 years? +What Williams did might technically be fraud but the government is relying +on a modern day fortune tellers to decide who can work for them. What should the +penalty be for pointing out that a fortune teller is full of shit? + +It also seems oddly similar +to efforts to go after security researchers that publish vulnerabilities in +software. In this case the government has a serious vulnerability in their +applicant screening process and instead of fixing the vuln by investing in different +controls, they prosecute people that point out the problems with their process. 
+ +So when we try to decide how to penalize Mr. Williams we shouldn't ask ourselves +what the penalty should be for defauding the government. We should ask what the +penalty should be for revealing that professional wrestling is [kayfabe](http://en.wikipedia.org/wiki/Kayfabe).
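
Review bot: In PATCH 1/5, the new file name `_posts/2015-05-xx-polygraph.md` has `xx` where a numeric day belongs. If this site is built with Jekyll, as the `_posts/` directory and the `layout: post` front matter suggest, a post file name needs a full `YYYY-MM-DD-` prefix, so this file will not be picked up as a post. If that is deliberate while the text is unfinished, say so in the commit message or keep the file in `_drafts/` until it has a publication date. The working notes in the `>` blockquote are also committed into the post body. They are removed again in PATCH 3/5 and PATCH 5/5, but a front-matter `published: false` would make it harder to ship them by accident.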
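
Review bot: In PATCH 3/5, hunk `@@ -31,8 +37,35 @@`, the step from "about 80% accuracy" to "one out of five times I would fail even if I gave truthful answers" treats the accuracy figure as the failure rate for truthful examinees. The paragraph just before it says you could not work out what the 90% figure measures. State that assumption explicitly or soften the "best case scenario" wording, and do the same for the "2 out of 5" figure derived from the quoted "double the error rate". In the same hunk, "other scientific sources seem to indicate" and the National Academy of Sciences claim carry no link. Cite the report directly instead of "stealing sources from Wikipedia", since the base-rate argument in the final sentence rests on it.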
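
Review bot: In PATCH 4/5, the added heading `## The immeasurable value of the poly` is level two, while the headings added in PATCH 3/5 (`# TL;DR`, `# The folly of the poly`) are level one. If this is meant as a section in its own right and not a subsection of "The folly of the poly", use `#` so the outline stays consistent. The paragraph under it calls the poly "an amazing tool" with "a good reason" for its use, but it does not yet say what the tool achieves (eliciting admissions). One sentence stating that would keep the section from reading as a reversal of the previous one.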
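
Review bot: In PATCH 5/5, hunk `@@ -75,3 +66,83 @@`, under "Could it have been legal?", the sentence "By continuing to cooperate Williams became party to that smuggling" does not match the rest of the post. "The specific fraud" section describes the offence as helping clients lie to the government, so "party to that deception" or "party to that fraud" would match it. In the same section, "as I've done above" claims the post explains how to beat the polygraph, but the text above only argues that the test is inaccurate. Reword it or drop the clause. Typos in this hunk: "machine things" (thinks), "migth", "wont", "everthing", "treaching", "engage in a schema" (scheme), "a modern day fortune tellers", "defauding". The paragraph beginning "It also seems oddly similar" is hard-wrapped after four words, which looks like an editing leftover.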