How far has the U.S. government come in removing security vulnerabilities that allowed the 9-11 attackers to obtain travel visas fraudulently and remain in the country even after they expired?
The terrorist attacks of 9-11 were carried out by 19 hijackers who used as many as 164 sets of personal information and aliases. Four of the terrorists held legitimately issued—if fraudulently obtained—U.S. visas that allowed them to enter the country legally. Those documents had expired well before the attack, but because the U.S. government had no means of tracking persons with expired visas, nor any policy of enforcement, these terrorists were free to change history. Now it turns out that the latest alleged terrorist plotter—Hussein Smadi—also overstayed his visa.
These incidents reveal the difficulties of controlling who enters the country and who remains. In an effort to address that issue, the U.S. Department of Homeland Security (DHS) established a plan for collection of biometric identification data from foreigners who enter and exit the country as one of its first initiatives in 2003. DHS dubbed its program U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT), but nearly six years after the program’s launch, full entry scanning remains elusive, and the program’s exit component is still on the drawing board.
While Congress, DHS, and private stakeholders mull the future of US-VISIT, experts remain divided over whether its potential for risk reduction justifies the billions of dollars the government believes full implementation would cost.
While 9-11 brought issues such as immigration fraud and “visa overstays” to the fore, they were not new concerns to the federal government, nor was 9-11 the first time the violations had contributed to terror on U.S. soil. Jordanian Eyad Ismoil, convicted for his role in the first attack on the World Trade Center in 1993, had overstayed a student visa when he helped co-conspirator Ramzi Yousef drive a truck bomb into the underground parking lot of the Twin Towers, where it detonated, killing six and injuring more than 1,000.
Congress took note, and in 1996 required that the U.S. Attorney General develop an entry and exit management system. The program, handled by the former U.S. Immigration and Naturalization Service (INS), was solely biographic as opposed to biometric, in that it relied on the veracity of personal and travel documents and the data they contain. Further mandates in 2000 required that the program, called simply Entry-Exit, be integrated into an electronic system and deployed to airports and seaports.
At the time of the 9-11 attacks, however, the management systems were passive and relied on a visa holder reporting his or her exit to U.S. authorities. If a visa holder did nothing, there was no way for the government to flag and find incidents of visa holders who had not departed when the visa expired. And there is still no system to record exits to verify departure; the government could, therefore, waste time looking for someone who left without filling out the departure form.
Soon after 9-11, Congress passed the USA PATRIOT Act, which moved Entry-Exit to the nascent DHS and recommended inclusion of biometric components—such as fingerprints—in monitoring. DHS officially re-launched the effort as US-VISIT early in 2003.
DHS found early success in meeting the deadlines set forth by Congress for Entry-Exit before 9-11. By the end of 2003, photo and electronic fingerprint collection were in place at the country’s 115 air points of entry (POEs) and 14 sea POEs, and scanning began in early 2004. By the end of 2006, data collection was in place at 154 of the 170 land POEs that had U.S. Customs and Border Protection (CBP) checkpoints.
US-VISIT’s primary security benefit at entry is vetting of an individual’s biometric data against data collected when the U.S. State Department issued the traveler’s corresponding visa. It is now extremely difficult, if not impossible, for an individual to obtain a visa, then pass his or her identification to another individual who would then present it at a POE in an effort to enter the United States using a false identity.
In addition to screening that occurs during consideration of the individual’s visa application, the individual’s personal information and fingerprints are vetted at the POE against several federal databases containing information on prior deportees and individuals with suspected links to terror.
At its outset, US-VISIT only collected two fingerprints, from travelers’ index fingers. Over the past several years, however, the program has implemented 10-digit fingerprint collection. US-VISIT Director Robert Mocny of DHS explains that the change came in response to the FBI’s post-PATRIOT Act investigations into terrorist and insurgent activities around the world. In many cases, sets of latent fingerprints collected at crime scenes are incomplete and do not provide index fingers. Thus, US-VISIT’s 10-print collection increases the chances of “hits” from the additional prints. Enrollment currently takes as little as 10 seconds, according to DHS.
US-VISIT’s full coverage of POEs does not mean, however, that all legal entries are enrolled in US-VISIT or checked against the program’s growing database, which DHS says contains more than 103 million identities. Citizens of the 35 countries enrolled in the State Department’s Visa Waiver Program are not required to obtain visas for trips in the United States shorter than 90 days, and they were initially not required to enroll in US-VISIT.
That changed in late 2004, and now they must enroll if they enter through an air POE. At land POEs, however, only travelers selected for secondary screening are registered for or screened under US-VISIT. This, Mocny says, generally spares Canadian citizens who state they are visiting briefly, and any Canadian or Mexican citizen who presents one of several “trusted traveler” cards, like SENTRI cards issued to vetted Mexican citizens.
Seeking to address congressional concerns about the lack of full US-VISIT vetting at land POEs, Mocny told lawmakers in 2007 that more than 90 percent of foreign visitors to the U.S. from so-called “countries of interest” enter the United States by air—not land or sea.
Free to Go
US-VISIT’s robust, if not universal, entry processing was implemented with relative ease, due primarily to existing physical infrastructure at POEs and established customs and security screening procedures. With regard to exit monitoring, however, there weren’t established procedures, and while checkpoints could do double-duty as exit screening points for people departing by air, that was not the case for land POEs.
The New York Times reported in 2006 that DHS had given up on implementing exit data collection, with then assistant secretary of homeland security Stewart Baker placing the cost of exit monitoring in the “tens of billions of dollars.”
Complicating implementation is the absence of checkpoint booths for outbound lanes at POEs. The U.S. Government Accountability Office (GAO) found that expansion of some land crossing facilities to accommodate the need for exit checkpoints would be inhibited by nearby railroad tracks and commercial structures or the natural terrain, such as solid rock in the case of a crossing in Alexandria Bay, New York.
Last year, DHS had issued a proposed rule for implementation of exit data collection for departure by air, proposing that airlines collect biometric data at exit. But the plan was rebuked not only by airlines, which saw the plan as a massive unfunded mandate, but also by the country’s airport operators, which feared delays for travelers and diversion of DHS personnel from their existing responsibilities for oversight of the exit component, says A.J. Muldoon, senior manager of the Airports Council International – North America’s Center for Policy and Regulatory Affairs.
DHS has yet to issue a final rule for air exit. However, in the meantime, Congress has required that the agency conduct two separate pilot tests for air exit data collection: one to be conducted by airlines and one by CBP.
The airlines, which were not obligated to participate, declined. Elizabeth Merida, spokeswoman for the Air Transport Association, says the airline industry remains opposed to involvement in border management. “We feel that both the entry and exit portions of the program should be performed by the government authorities who are already part of the program,” Merida says.
DHS conducted two air exit pilot tests earlier this year, one with the CBP; the other with the U.S. Transportation Security Administration (TSA), which runs U.S. airport security checkpoints. Both exit pilot tests mirror US-VISIT entry electronic collection of fingerprints and photographs, using either a countertop machine or a hand-held camera/scanner. The TSA pilot tests incorporated the process into existing checkpoints, while CBP collected data at departure gates.
Merging US-VISIT scanning with existing TSA checkpoints is the simplest option, but Mocny notes that it carries a critical flaw: foreigners screened by the TSA could pass through the checkpoint and leave the airport. The option tested by CBP could better maintain the integrity of the process, Mocny notes.
Officials in the U.K., meanwhile, have conducted pilot tests in which, at boarding, airline personnel scan personal data incorporated into travelers’ boarding passes, then scan travelers fingerprints using a small optical reader. Mocny says that the U.S. airline industry has expressed openness to such an option because it would place only moderate burdens on airline staff and would not dramatically affect passenger throughput. The airline industry, however, has not publicly accepted such a proposal.
Lawmakers await DHS’s official report on its two pilot programs, which will likely affect future funding for US-VISIT’s exit component. For now, U.S. departure reporting remains limited to the requirement that persons in the United States on a visa turn in their I-94 arrival-departure form—a hand-written, biographical document—to CBP or their transportation carrier before they leave the U.S. Failure to do so may affect future attempts to travel legally in the United States, but it will not prevent departure.
Elsewhere in the world, only Japan collects fingerprints and photos at entry. Only Japan, Hong Kong, and Australia conduct mandatory exit inspections, requiring review of travel documents. The European Union has drafted plans for entry fingerprint collection, while several countries—including the U.K. and Saudi Arabia—collect fingerprints as part of the visa application process.
Worth Our While?
Randolph C. Hite of GAO, who has written reports for Congress on the performance of US-VISIT, notes the limitations of any program securing POEs: Even if the program could be implemented perfectly, determined criminals and terrorists would likely only be deferred to other means of entry, such as sneaking across undefended borders. US-VISIT, however, is not only imperfect, but also incomplete.
Even so, most experts say that the country has seen a return on investment for US-VISIT’s entry component, as distinct from the exit component. Susan Ginsburg, a staff member for the 9/11 Commission and now director of security and mobility programs for Washington, D.C.’s nonprofit Migration Policy Institute, says that US-VISIT bolsters the security of the U.S. visa process, which was exploited by the 9-11 hijackers. “Although it could be defeated, it would really be quite rare, and that should not stop us from having a program,” she says.
While it is impossible to quantify the worth of a security measure’s deterrence value, Mocny of DHS asserts that US-VISIT creates deterrence, a view shared by Jena Baker McNeil, a homeland security policy analyst with The Heritage Foundation think tank, also in Washington, D.C. She acknowledges that a determined, would-be terrorist who is rejected entry under US-VISIT at a POE might well attempt to enter the U.S. at an unprotected point on the border, but she notes that the individual will have been frustrated, and his plot complicated by the country’s border security. That interruption could derail the plan or force the person to delay, possibly giving law enforcement time to discover the plot.
It’s the value of US-VISIT’s proposed exit element that divides experts. Some, including McNeil, note that the program is of no value in detecting visa overstays. Without full exit monitoring at air, sea, and land crossings, it will have little value, he says.
In his recent paper Is it Time to Rethink U.S. Entry and Exit Processes?, RAND Corp. senior economist C. Richard Neu suggested abandonment of biometric data collection at exit. He recommends that the government strengthen existing, biographical methods of departure monitoring, which include CBP’s I-94 arrival and departure forms, which would be less costly. That might allow DHS to achieve much of the US-VISIT’s desired goal of establishing that an individual has left and where he or she went next.
Ginsburg disagrees. She supports full implementation of exit monitoring, which she argues would pay dividends in providing data for analyzing suspected terrorist or criminal travel.
Full implementation, Ginsburg says, would further strengthen confidence in the U.S. travel system, and that could help justify the lifting of restrictions on visas issued to students and professionals, which many professionals say are affecting the country’s ability to compete in the global marketplace.
As for the cost of full implementation, DHS has yet to respond to a repeated request from GAO for an estimate of US-VISIT’s full lifecycle cost. A ballpark figure would allow Congress to assess the program’s return on investment (ROI) based on risk reduction, Hite says.
But an ROI analysis would be difficult even with a cost estimate because it would require quantifying the program’s deterrence value, others say.
Some data in that regard does exist. At a cost so far of roughly $2 billion, US-VISIT has resulted in the rejection of more than 8,000 attempted entries, or about 1,500 each year, out of 175 million nonimmigrant entries in 2008. Among these rejections were, for example, a range of criminals attempting document fraud.
Success stories include a foreign criminal who arrived at New York’s John F. Kennedy International Airport and presented his twin brother’s travel documents. His fingerprints gave him away, and he was denied entry, DHS says. One would-be immigrant sought asylum in the United States using an alias and a phony date of birth, but his fingerprints revealed pending charges for rape, assault, and kidnapping. DHS spokeswoman Anna Hinken says the agency cannot confirm whether US-VISIT has resulted in denial of entry to travelers with suspected ties to terrorism.
Mocny says the difficulty of assessing the program’s worth is not unique in government or in security. “In any big, government program, it’s always difficult to measure that ROI, because what we do is prevent bad things from happening,” he says. “And how do you know what you’ve prevented?”
Joseph Straw is an assistant editor at Security Management.