Mr. Chairman, and Senators. I am pleased to appear before you this morning. I am Maurice Falk University Professor of Statistics and Social Science, in the Department of Statistics, the Center for Automated Learning and Discovery, and the Center for Computer and Communications Security, all at Carnegie Mellon University. I also served as the Chair of the National Research Council's Committee to Review the Scientific Evidence on the Polygraph. Accompanying me today is Dr. Paul Stern, who served as the Study Director for the committee. The committee's report, The Polygraph and Lie Detection, which was released last October reviewed the scientific evidence underlying the use polygraphs for security screening of employees at the national laboratories. It also considered the potential alternatives to polygraph testing for the detection of deception. My testimony today is based on that report.
Department of Energy Polygraph Policy
Hearing Before the Senate Committee on
Energy and Natural Resources
Statement of Stephen E. Fienberg
Chairman, National Research Council Committee to Review
the Scientific Evidence on the Polygraph
September 4, 2003
The NAS-NRC Committee Report
The committee's report begins by setting the current debate over the efficacy of polygraph testing in the context of the mystique that surrounds it--this includes a culturally shared belief that the polygraph is nearly infallible. As we note in the report, the scientific evidence strongly contradicts this belief.
Let me now briefly summarize the committee's principal conclusions:
1. The scientific evidence supporting the accuracy of the polygraph to detect deception is intrinsically susceptible to producing erroneous results.
2. In populations of naive examinees untrained in countermeasures, specific incidence polygraph tests can discriminate lying from truth telling at rates well above chance, though well below perfection. But the accuracy of the polygraph in screening situations is almost certainly lower.
3. Basic science gives reason for concern that polygraph test accuracy can be degraded by countermeasures.
4. The scientific foundations of polygraph screening for national security were weak at best and is insufficient to justify reliance on its use in employee security screening in federal agencies.
5. Some potential alternatives to the polygraph show promise, but none has been shown to outperform the polygraph and none is likely to replace it in the short term.
I have appended the Executive Summary of the report to this testimony as it contains the specific wording of these conclusions and details explaining how the committee reached them.
The DOE Proposed Regulations
In April of this year, the Department of Energy released new draft regulations on its program of polygraph testing of eight classes of federal employees and contractors who have access to classified information. The new regulations would continue a policy that was set in place in 2000 but suspended in 2001, pending the report of the NAS-NRC committee. Thus it might be natural to ask what in the report is of direct relevance to the proposed regulations.
Let me return to the specific wording of the committee's recommendation on the matter of security screening:
Polygraph testing yields an unacceptable choice for DOE employee security screening between too many loyal employees falsely judged deceptive and too many major security threats left undetected. Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening in federal agencies.
How does DOE square these conclusions with its plan to continue the polygraph policy unchanged? It says that the polygraph, though "far from perfect, will help identify some individuals who should not be given access to classified data, materials, or information." This may be true, but two other things about polygraph screening are also true that should give pause.
First, for every such individual identified, hundreds of loyal employees will be misidentified as possible security threats. Our report make clear that, given DOE's own expected rates of security violations, someone who "fails" the DOE polygraph screening test has over a 99 percent chance of actually being a truthful person. Unfortunately, the DOE doesn't have any other scientific tool to fall back on to distinguish the security violators from the innocent people falsely accused.
Second, any spy or terrorist who takes the DOE's polygraph test is far more likely to "pass" the test than to "fail" it--even without doing anything to try to "beat" the test. Efforts at so-called countermeasures are likely to increase further the chances that a committed spy or terrorist will "beat" the test. This is the most serious problem with polygraph screening, especially in these times of terrorist threat: the possibility that security officials will take a "passed" polygraph too seriously, and relax their vigilance.
The DOE regulations give every indication that the agency has just this sort of overconfidence in polygraph tests that give "passing" results. The proposed regulations say, "DOE's priority should be on deterrence and detection of potential security risks with a secondary priority of mitigating the consequences of false positives and false negatives." The committee found little scientific evidence to support the effectiveness of the polygraph in this regard. Moreover, it concluded that the consequences of false negative tests--tests that deceivers "pass"--should have top priority, because it is those test results that leave the nation open to the most serious threat, from people whose continued access to sensitive information is justified because they "passed the polygraph."
The DOE, in continuing to rely on polygraph screening just as before, is doing more for the appearance of security than for the reality. Moreover, while some potential alternatives to polygraphs show promise, none has led to scientific breakthroughs in lie detection. Thus we cannot look for a short-term quick technological fix to aid us in our quest for securing the nation and its secrets.
The nuclear weapons labs need a strong security program, not a false sense of security. There are better alternatives than maintaining the previous polygraph policy. Last year, the DOE's Commission on Science and Security recommended management and technological changes at the labs that could make unauthorized release of national secrets more difficult to conduct and easier to detect without relying on the polygraph or other methods of employee screening--all of which are seriously limited and have little or no scientific base. There may still be a place for polygraph testing in the labs, for investigations and for a small number of individuals with access to the most highly sensitive classified information, if the test's limited accuracy is fully acknowledged. But broad use of this flawed test for screening will probably do more harm than good. National security is too important to be left to such a blunt instrument.
Let me conclude by reminding you that polygraph testing now rests on weak scientific underpinnings despite nearly a century of study. And much of the available evidence for judging its validity lacks scientific rigor. Our committee sifted the existing evidence and our report made clear the polygraph's serious limitations in employee security screening. Searching for security risks using the polygraph is not simply like search for a needle in a haystack. It is true that, of the large groups of people being checked, only a tiny percentage of individuals examined are guilty of the targeted offenses. Unfortunately tests that are sensitive enough to spot most violators will also mistakenly mark large numbers of innocent test takers as guilty. Further, tests that produce few of these types of errors, such as those currently used by the DOE, will not catch most major security violators--and still will incorrectly flag truthful people as deceptive. Thus the haystack analogy fails to recognize the unacceptable trade-off posed by these two types of errors.
Our committee concluded that the government agencies could not justify their reliance on the polygraph for security screening. The proposed DOE regulations appear to disregard our findings and conclusions. As a nation, we should not allow ourselves to continue to be blinded by the aura of the polygraph. We can and should do better.
I would be happy to answer your questions and amplify on these comments.