Mitre Corp – Inside America’s Secretive $2 Billion Research Hub – Collecting Fingerprints From Facebook, Hacking Smartwatches and Fighting Covid-19

Mitre Corp. runs some of the U.S. government’s most hush-hush science and tech labs. The cloak-and-dagger R&D shop might just be the most important organization you’ve never heard of.

Thomas Brewster06:30am EDT July 13, 2020

Whether it’s an invisible Aston Martin or an exploding pen, whenever James Bond needs a high-tech edge, he heads right for Q and his secretive MI6 lab. In the real world, American agents often rely on a less clandestine, but far better-funded group. Armed with 8,000 employees and an annual budget of between $1 billion and $2 billion of taxpayers’ money, Mitre Corp., a government-linked Skunk Works, has been making bleeding-edge breakthroughs for U.S. agencies for more than six decades. With its HQ housed in four towers atop a hill in McLean, Virginia, Mitre’s research centers employ some of the nation’s leading computer scientists and engineers to build digital tools for America’s top military, security and intelligence organizations.

Among the government’s wilder Mitre orders: a prototype tool that can hack into smartwatches, fitness trackers and home thermometers for the purposes of homeland security; software to collect human fingerprints from social media websites like Facebook, Instagram and Twitter for the FBI; support in building what the FBI calls the biggest database of human anatomy and criminal history in the world; and a study to determine whether someone’s body odor can show they’re lying.

These varied, multimillion-dollar projects, revealed in hundreds of pages of contract details obtained via Freedom of Information Act requests, as well as interviews with former Mitre executives and government officials, provide just a glimpse into this sprawling contractor’s secretive world. Mitre’s influence goes far beyond its vast tech development; it’s also a major consultant for myriad government agencies on how best to deploy tech and policy strategies. Its latest gig: helping the Centers for Disease Control and Prevention (the CDC) and Homeland Security’s ominously named Countering Weapons of Mass Destruction office craft sweeping plans for curtailing the Covid-19 pandemic.

“If there’s a national security or public interest [problem], Mitre probably has a hand in it,” says former Mitre cybersecurity engineer Matt Edman. Bald, bearded and baritone-voiced, Edman could have worked at his pick of hot Silicon Valley tech companies, but instead focused his talents on challenging national security problems. During his time at Mitre, Edman partnered with the FBI, using his hacking skills to help take down the infamous Silk Road dark web drug bazaar. Shortly after he left Mitre, he was allowed to finish the job in October 2013, and was in Reykjavik, Iceland, alongside FBI agent Ilhwan Yum, to shutter the site run by the Dread Pirate Roberts (real name: Ross Ulbricht), who is now serving a life sentence. Edman was also at Mitre when it helped the FBI hack and monitor users of multiple child exploitation sites as part of Operation Torpedo, in what then attorney general Loretta Lynch hailed as a landmark dark web investigation.

“The prospect of law enforcement agencies being able to cheaply, easily and quickly obtain people’s fingerprints off of social media is extraordinarily chilling.”

Mitre’s history is full of such uncredited public service. As its promo material says: “You may not know it, but Mitre touches your life most every day.” Wanting to know the extent of Mitre’s touch, Forbes launched an investigation to pull Mitre’s staggering range of work from the shadows. What we found is an elite institute that has proved a major boon to the U.S. government, providing tools for surveillance of criminals, diseases and immigrants illegally trying to enter the country. But some of the same projects are setting off alarm bells among human rights organizations and privacy advocates like the ACLU, which are concerned about surveillance overreach from Mitre’s sophisticated technology. Despite multiple requests to meet with Mitre executives in person and visit its headquarters, Mitre declined to provide comment for this article. The FBI and DHS acknowledged requests for comment but have not provided any.

Few have heard of Mitre or know its mission, despite its vital importance to the security of the nation. Even locals who live near its large office complex often have no idea it’s been such a stalwart supporter of American national security and defense over the last six decades. “It was just miles away from where I was living and had been there since the mid-50s,” says Shawn Valle, who went to the campus for the first time for a job interview in 2008. “I’d never heard of it.” Valle ended up working on cybersecurity for the Air Force and looking for security issues in Google’s Android operating system during his five years there.

While out of the public eye, Mitre’s history is remarkable. The nonprofit company was born out of the Cold War, spun out of perhaps the world’s most famous tech campus, the Massachusetts Institute of Technology. (The MIT acronym provides Mitre the first half of its name). In the late 1950s, facing the threat of a Soviet nuclear strike, the U.S. Air Force called on MIT to help it create an air defense system that would help it detect incoming bombers. The institute came up with the Semi-Automated Ground Environment (SAGE). The system combined radar, radio and network communications to detect incoming enemy aircraft, alert and continually update nearby Air Force bases, which would scramble jets to intercept approaching threats. It was the first air defense system of its kind in America, and Mitre was founded by MIT administrators in 1958 to manage SAGE and its future development.

“DHS has asked Mitre to help build an enduring national capability to contain Covid-19.”

Over the next 40 years, Mitre was behind the scenes of now-famous air surveillance technologies such as the Airborne Warning and Communications Systems (AWACS) and the Surveillance Target Attack Radar System (STARS). It also played a significant role in the development of much-used tech like GPS and the commercial airline Traffic Collision Avoidance System. Today its remit is even wider, leading all manner of cybersecurity initiatives and healthcare projects, while sticking to its core role of protecting national security.

“The characteristic of Mitre that I’ve always explained to people is that when we say we do information sciences, we go way beyond what people would typically call IT,” Martin Faga, the Mitre CEO from 2000 to 2006, tells Forbes. It would, for example, design a specialized antenna to go on military aircraft to send and receive data from a communication satellite, says Faga, a white-haired, suitably inconspicuous longtime employee of U.S. intelligence agencies and contractors. Mitre would then design the satellite communications system, too, as well as the radar—basically “every kind of information system,” he adds.

Its broad expertise is now being employed to help yank America out of its Covid-19 crisis. In a $16.3 million contract signed with the CDC in late June, Mitre was asked to help build “an enduring national capability to contain Covid-19.” The CDC, which spent $20 million with Mitre on disease surveillance tech and services in 2019, hadn’t responded to Forbes’ requests for more detail on those pandemic plans. Meanwhile, on March 17, four days into the national emergency caused by Covid-19, the DHS Countering Weapons of Mass Destruction (CWMD) office called on Mitre to effectively act as a fulcrum of a pandemic response plan, to “engage, inform and guide” mayors, governors and emergency response leaders dealing with a pandemic. Mitre would also create disease models to track a pandemic and determine what “nonpharmaceutical interventions” (a.k.a. NPIs—think closing schools, stores and implementing social distancing) could help lawmakers “bend the curve.”

Mitre’s Moola

Government data shows taxpayer dollars directed to Mitre have been rising in recent years, heading toward $2 billion. Mitre says its overall revenue for 2019 was $1.8 billion.

The $200,000 contract (microscopic by Covid spending standards) states: “As the pandemic progresses, the contractor will identify, collect and analyze data to enable near real-time learning to state and local leaders for the eventual appropriate retrograde of NPI implementation efforts.” In other words, Mitre is helping America’s leaders decide when and how to open up again. (Neither Mitre nor the DHS explained why the CWMD unit was managing such a contract.) And pro bono, Mitre has created a contact tracing system called Sara Alert that’s been helping various states—Arkansas, Pennsylvania and Vermont, to name a few—monitor outbreaks. The system lets people known to be at risk of Covid-19 infection to upload their symptoms and temperature to their state and local health bodies’ databases. In Arkansas, 12,861 have enrolled since early April, updating the health department via text, call, email or website on their condition. “This system allows us to more readily identify secondary cases, really establishing a better handle on social clusters, which has been a challenge,” says Dr. Mike Cima, chief epidemiologist at the Arkansas Department of Health. It’s been so successful, Cima plans to carry on using Sara Alert for other infectious diseases beyond Covid-19’s eventual demise.

Mitre differs from other military and intelligence contractors in that it has no mandate to make any money. Unlike commercial contractors like Northrup Grumman, Raytheon and General Dynamics, it runs seven of those Skunk Works, known in the industry as “federally funded research and development centers” (FFDRCs), a mundane name belying their influential work. Mitre only charges for employees’ time, with a small fee, usually around 3% of the overall cost, that supports further independent research, says Faga. “People come forward with a great idea and say, ‘Gee, if I had $100,000, I could turn this into something great.’ And the company can give it to them.”

This put the former CEO in an unusual position among his Beltway rivals. “I’d go to the annual meeting of the board. I go to my report and say, ‘We worked hard this year. And we broke even.’ And they’d all cheer. Any other CEO would hear, ‘You’re fired!’”

Mitre doesn’t commercialize the technology it creates. Once a prototype is built, it’s licensed to either the government, private business or academic institutions. Since 2014, it’s transferred more than 670 licenses to industry and university partners.

Unshackled from commercial pressures, Mitre’s given latitude to develop some of the more radical answers to the government’s most pressing questions. Take a project to collect fingerprints from peoples’ Facebook, Twitter and other social media posts. Emails and details of a Mitre contract obtained by Forbes outline a $500,000 “social media image fingerprinting project” for the FBI, which started in 2015. It was run by an FBI hacking unit in Quantico, the Operational Technology Division, and funded by a previously unreported research funding body called Triad. Chris Piehota, the recently retired chief that Triad was designed to fund innovative research from objective outside bodies and that “image fingerprinting” is as literal as it sounds: trying to capture biometric information from social media images. Think of gang members who put up photos of themselves online, making gang signs with their hands, explains Piehota. “They’re also giving us access to their fingerprint patterns,” he adds. “[The FBI] can take your fingerprint characteristics from those images and they can build fingerprint files or fingerprint characteristics for individuals [for whom] we don’t have biographic information.” This could be useful for individuals violating immigration laws where the U.S. doesn’t have a record of their fingerprints in another database, adds Piehota. It could also be used to identify someone in a child exploitation video or, as in an investigation in the Welsh city of Swansea, catch drug dealers using tools like WhatsApp.

“Think of people crossing the U.S.-Mexico border and a surveillance tool that can detect smartwatches and hack them.”

The technology, if it works as described, is potentially useful for the law enforcement and intel agencies Mitre works with, and potentially dangerous for personal privacy. Nate Wessler, staff attorney at the ACLU Speech, Privacy and Technology Project, says the surveillance project raises “serious privacy concerns,” especially during a time of pan-American civil unrest over the Covid-19 pandemic and racial inequality. “Nobody expects that by posting a digital photo online, they are exposing their unique biometric identifiers including their fingerprints, to collection in a law enforcement database,” he says. “Not only are we seeing historic protests against anti-Black racism and police brutality, but we’re also seeing historic levels of digital recordings of those photos of those protesters by the media and by law enforcement. . . . The prospect of law enforcement agencies being able to cheaply, easily and quickly obtain people’s fingerprints off of those photos is extraordinarily chilling.” Piehota notes that as a privacy precaution the FBI would only take fingerprints from social media images where the target was a valid suspect and it wouldn’t simply trawl the likes of Facebook for all available prints.

Mitre has a history in assisting the U.S. government’s expansion of biometric surveillance. Another 2014 contract details Mitre’s work assisting the FBI on facial recognition tools, right down to “creating local watch lists by flagging subjects of interest.” It’s also helping the FBI build the Next Generation Identification (NGI) system, which is one of the biggest databases of criminal suspects’ faces, fingerprints and other identifying body parts on the planet. According to the FBI, the NGI is “the world’s largest and most efficient electronic repository of biometric and criminal history information.” It’s cost the FBI at least $500 million since its incipience in 2007, much of it going to early developer Lockheed Martin, according to a review of contract records. Piehota says that all manner of law enforcement agencies, from local to federal, can access it to check the identity and background of a criminal. And Mitre, since at least 2013, has received millions in contracts to provide technology and guidance to build it as part of a previously unreported project called “Sugar Bowl II,” an unexplained code name, FOIA records show.

Mitre’s high-tech snooping also extends to the fast-growing world of connected devices: Think smartwatches, speakers, TVs and security cameras. In a $500,000 September 2017 contract, the DHS asked Mitre to create a system that could locate and hack into smartwatches, fitness trackers, home automation devices or anything that could be classed as an Internet of Things (IoT) system. The contract says the tech could be used either by law enforcement or border officials to help them “rapidly detect and exploit for evidentiary purposes IoT devices in a security or crime scene environment,” or for use at “physical security boundaries” to hack into devices “passing through or approaching the boundary.” Think of people crossing the U.S.-Mexico border and a surveillance tool that scans every device coming through, checking which ones are smartwatches or other IoT systems. When one is worn by a criminal suspect, it could quickly be drained of data and evidence of their activities gathered, from their text messages to their previous locations.

One source, a former police officer and surveillance industry expert who claimed knowledge of the contract, says the tech was only ever used by Customs and Border Protection (CBP). Another source, a former Mitre and government employee, says Mitre has long provided digital forensics expertise to CBP staff carrying out searches of electronic devices at the border. And FOIA-obtained contracts worth more than $13 million show Mitre has provided expansive CBP technical support since at least 2016, including a study of the efficacy of Rapid DNA technology—another controversial tool that’s led to an outcry among civil rights organizations, who say the tools infringe on immigrants’ privacy. Designed to help uncover immigrants lying about being related to each other at the border, it can quickly determine whether people entering the U.S. are related. As the government cannot legally detain migrant children for longer than 20 days, they’re typically released before an immigration court hearing and ICE has claimed this is being used as a loophole to smuggle children into the country.

The power to hack into smart IoT devices could be hugely advantageous for federal agents, though the government wouldn’t tell Forbes where or how it’s been deployed. As explained in the September 2017 project outline, police have been lacking in the skills and resources to acquire evidence from these kinds of technologies. “IoT devices capture a lot of telemetry and I can imagine lots of places where this is useful,” says Jake Williams, a former NSA analyst turned cybersecurity practitioner, who adds that he was shocked that such a tool would be used at border checkpoints. It’s got civil rights lawyers spooked too. “It would appear to only require the person using the tools to be in range of the device signals and would not require physical possession or access,” says Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society. “Law enforcement use would be troubling, and it would be difficult to hold them accountable for how they use it.”

Mitre isn’t just helping the government interrogate tech; it’s done some work on human interrogation, too. Going back to 2009, the year when the Homeland Security-funded Mitre lab—the Homeland Security Systems Engineering and Development Institute—was founded, some more left-field work was being undertaken in a study dubbed “Human Odor as a Biometric for Deception.” In research reminiscent of the left-field projects more often associated with the CIA, Homeland Security set out to see whether there was any scientific basis to the saying “I think I smell a rat.” Its aim was to investigate the possibility of using the “human odor signature” as an “indicator for deception.” Samples were taken from volunteers before and after they committed or didn’t commit some deceptive act to see whether or not there was a difference. They also wanted to find evidence to “support the hypothesis that an individual’s odor signature can serve as a biometric identifier.” The essential question was: Do you have an odor that is entirely unique to you when you lie? Yes, was the answer, according to Homeland Security, which hadn’t responded to other inquiries about Mitre’s operations. In the executive summary of their final report in 2011, the authors said the “results indicate that measurable variations in human odor do seem to permit differentiating between deceptive and nondeceptive individuals.”

This may be an example of Mitre’s more outré research, much of which remains stored in the vaults of those McLean towers or locked up under classified seals in government servers. But such is its standing, even when the value of the work is doubted, Mitre’s name is enough for it to be taken seriously within the halls of government. Faga, the former CEO who remains on an advisory board at Mitre, recalls a recent trip to the Pentagon, where a meeting had been called to discuss worrying vulnerabilities in GPS. A delegate anxious to know just how worried they should be about the security weaknesses asked where the Pentagon got the information. When an official said Mitre, the atmosphere in the room changed, says Faga. Everyone, adds Faga, concluded, “Okay, well, then it’s real.”