[WIP] started working on a blog post about polygraphs

_posts/2015-05-xx-polygraph.md

@@ -0,0 +1,148 @@
+---
+layout: post
+title: "Polygraph Preparation: technically fraud"
+categories: Polygraph
+---
+
+_Occasionally [Kevin "@bfist" Thompson](https://twitter.com/bfist) gets a bee
+in his bonnet about something and decides to write about it on this blog. Why?
+Nobody knows but we're happy to have his contributions_
+
+# TL;DR
+People selling training on how to beat a polygraph exam are probably guilty of
+fraud but the penalty should reflect that they didn't defraud their customers.
+The real victims of their fraud are the organizations which are also defrauding
+themselves by relying on this horribly inaccurate measurement. The penalty should
+also reflect that with a little care in how the training providers market their
+material their product could be 100% legal.
+
+# The folly of the poly
+[Today I read an article](http://arstechnica.com/tech-policy/2015/05/polygraph-com-owner-pleads-guilty-to-training-customers-to-beat-polygraph/) about Douglas Williams, the man behind polygraph.com,
+who pleaded guilty to obstruction of justice and mail fraud charges for teaching
+people how to beat the lie detector tests used by three-letter agencies as part
+of their employment process. I was intrigued because I wondered how, in the
+United States with our strong first amendment protections, could someone be
+guilty of a crime for sharing knowledge. This strikes a chord with me in part
+because I'm also an educator and I have a deep loathing of the concept of
+forbidden knowledge. Finally, of course, I'm interested because there are very
+real problems with the polygraph and in a way this is very similar to the
+punishing of security researchers that find flaws in software.
+
+I'm going to make a bold claim here, *"I can beat a polygraph."* I'll go even
+further and say that *"I can give completely false answers and pass a polygraph
+exam."* However, I feel like that statement has to be tempered with *"I can also
+give completely truthful answers and fail a polygraph exam."*
+
+This claim is not even in dispute. [The Global Polygraph network claims](http://www.polytest.org/lie-detector-polygraph-information.asp) that a
+properly done polygraph is 90-95% accurate. There are several other sources that
+repeat the 90% claim but I haven't been able to figure out if that claim means that
+90% of liars will be detected or if that means that 90% of individual lies will
+be caught. Still, that 90% rate is for a single-issue test, meaning that they're
+only going to ask about a single topic. By their own numbers, a multiple issue
+test will have about 80% accuracy. Also, the number of relevant questions matters.
+To quote from the above link:
+
+> In general, the more relevant questions asked the less accurate the results
+will be. ... Adding even one question to a specific issue test double the error
+rate.
+
+So if I were taking a polygraph intended to simulate the test that DHS would give
+me as part of their employment screening the best case scenario is that one out
+of five times I would fail even if I gave truthful answers. However, if they ask
+multiple questions about the issues of concern (drug use, criminal associates, etc) then
+we might be looking at failing 2 out of 5 times in the best case scenario. If
+there are any problems around question design or techniques used this can easily
+get to be a 50/50 crap shoot.
+
+And in fact other scientific sources seem to indicate that it is exactly that.
+I am blatantly stealing sources from Wikipedia here, but the National Academy of
+Sciences has thoroughly ripped the poly to shreds. I appreciate, in particular,
+their point that even if the test was as accurate as claimed, it would still be
+terrible for detecting spies because of the [Base rate fallacy](http://en.wikipedia.org/wiki/Base_rate_fallacy). You would reject thousands
+of qualified truthful candidates to weed out some of the spies.
+
+## The immeasurable value of the poly
+All that having been said, the poly is an amazing tool and there is probably a
+good reason that the government continues to use it. When used as part of a complete
+theater production it can create a very convincing [appeal to authority](http://en.wikipedia.org/wiki/Argument_from_authority) that most
+candidates will accept.
+
+A candidate is brought in and told about the infallibility of the machine. The
+person is told stories of all the liars that were caught by the machine, and most
+importantly they're told about the stakes if the machine says that they lied. They
+are connected to a very scientific looking machine the output of which they can't
+interpret and then they're asked uncomfortable questions.
+
+When it's over the investigator appeals to the authority of the machine saying
+that the machine things they're lying about some part of the questioning. And if
+they've put on a good show the candidate might believe that this infallible machine
+has detected their lie. It's really no different than a police interrogator telling
+a suspect that the suspect's partner just confessed in the other room and implicated
+him as well. If you believe the investigator ([or even if you don't](http://www.innocenceproject.org/news-events-exonerations/polygraph-tests-contribute-to-false-confessions-in-chicago)) you migth
+confess in exchange for a more lenient sentence. Or you might confess if the
+investigator tells you that this is a minor admission that wont affect your
+employment and if you don't admit to it then it will delay your employment and
+possibly result in a different candidate being hired.
+
+# Is this forbidden knowledge?
+Since the US government uses the polygraph in employment screening for sensitive
+positions there is an obvious incentive to keep it under wraps that this serious
+weakness exists in their screening. When governments try to censor these facts it
+becomes [Forbidden Knowledge](http://en.wikipedia.org/wiki/Forbidden_knowledge).
+The first amendment to the US Constitution makes it difficult to censor information
+about the polygraph. However the US government has been able to use fraud laws to
+go after people selling training on how to beat the polygraph. Essentially the
+reason I'm able to tell you everthing I did above is because I'm not selling it for
+the express purpose of beating a real polygraph.
+
+# The specific fraud
+[The indictment against Douglas Williams](http://cdn.arstechnica.net/wp-content/uploads/2014/11/williamsindictment.pdf) accused him of defrauding the federal government by obtaining money and property by means of the materially
+false statements of his clients. He enriched himself by helping his customers lie to the government.
+For example, the indictment claims that he instructed people on specific lies to tell, and
+specific facts to omit. We can only speculate, but the lies probably consist of
+not telling the government that they know the polygraph is bullshit because they
+will reject a candidate that doesn't appear to be taken in by the security theater.
+Most importantly, an undercover investigator told Williams that he had made false
+statements to DHS and Williams agreed to help with the deception by treaching the
+undercover agent how to lie on the test.
+
+It's a fine line, but once he should have known that he was helping someone defraud
+the government then the act of taking money to assist with that fraud is itself an
+act of fraud. So the government has a case and Williams was probably wise to eventually
+enter a guilty plea.
+
+# Could it have been legal?
+I believe it is possible to legally offer information about how to beat the polygraph
+as I've done above. I also think it's possible to legally sell training on how to
+beat a hypothetical polygraph test, as long as you don't claim that you're selling
+this training so that they can beat the specific polygraph test given to people
+that are seeking employment with the government. It's kind of like how stores are
+able to sell crack pipes and marijuana pipes as long as you don't say anything to
+suggest that you're going to use these things for smoking illegal drugs.
+
+In the case of Williams, the undercover investigator told him several times that he
+intended to lie to the government about his involvement in illegal smuggling. By
+continuing to cooperate Williams became party to that smuggling. If Williams had
+told the undercover that they couldn't do business the first time the undercover
+said that then he probably wouldn't be looking at 20 years.
+
+# The sentence should fit the crime
+Although Williams did knowingly engage in a schema to make money by encouraging
+people to lie to the government, the government going after people like Williams
+seems like an effort to censor the knowledge that the polygraph can't actually
+do anything except persuade you to make an admission. If the government were
+screening people based on their height to weight ratio and I sold training on
+how to dehydrate yourself to pass the test would it really be worth 20 years?
+What Williams did might technically be fraud but the government is relying
+on a modern day fortune tellers to decide who can work for them. What should the
+penalty be for pointing out that a fortune teller is full of shit?
+
+It also seems oddly similar
+to efforts to go after security researchers that publish vulnerabilities in
+software. In this case the government has a serious vulnerability in their
+applicant screening process and instead of fixing the vuln by investing in different
+controls, they prosecute people that point out the problems with their process.
+
+So when we try to decide how to penalize Mr. Williams we shouldn't ask ourselves
+what the penalty should be for defauding the government. We should ask what the
+penalty should be for revealing that professional wrestling is [kayfabe](http://en.wikipedia.org/wiki/Kayfabe).