Date: 2026-01-21

In a recent social media video, Department of War Secretary Hegseth referenced an ongoing fraud investigation involving the 8(a) program — which includes approximately 4,500 small American businesses — that is being carried out by the Small Business Administration.

I’ve already addressed him directly about the broader policy implications in an open letter, but this post focuses on something more basic and more dangerous: what it actually means, mathematically and constitutionally, to “test for fraud” using an AI-driven data-mining tool.

If you think this doesn’t apply to you, imagine the precedent it sets: a future President Alexandria Ocasio-Cortez or President Gavin Newsom inheriting — courtesy of today’s Republican Party — an AI system designed to “find fraud,” and handing it off to the IRS.

This is not a partisan nightmare.

If it’s not an outright constitutional disaster, it’s close to one. Presumption of guilt leading to devastating consequences that can destroy an innocent small business.

This is simply how the mathematics of probability works.

Here is the part most people don’t know.

When wrongdoing is rare — as fraud is in most large programs — even a system that is extremely accurate will mostly accuse innocent people.

That sounds wrong, but it isn’t. It’s just arithmetic.

Imagine a large program in which only a small fraction of participants are actually committing fraud. Now imagine a screening system that is extraordinarily accurate — far better than anything we typically see in the real world.

Even in that best-case scenario, most of the businesses flagged by the system will still be innocent.

That sounds impossible, but it isn’t. It’s the unavoidable result of applying pattern-matching to a population that is overwhelmingly innocent.

Not because the system is biased.

Not because the software is broken.

But because the innocent population is so much larger than the guilty one.

This is not a policy opinion. It is a mathematical fact.

And it’s not just an American problem: when the United States normalizes a new form of algorithmic enforcement, other governments — democratic and authoritarian alike — study it, copy it, and deploy it, because what happens here rarely stays here.

And if the thought doesn’t terrify you, you simply do not understand what’s at stake.

The Small Business Administration has obligated roughly $300,000 on a contract with Palantir for data integration and analytics tools used to identify potentially suspicious cases.

Palantir isn’t a magic “fraud detector.” It’s a system for pulling large amounts of data into one place, connecting it, and generating lists of “suspicious” cases for humans to review.

That matters, because the constitutional problem isn’t that the government uses spreadsheets. It’s that data-mining systems change what suspicion means, overriding fundamental due process protections.

They take a population of mostly innocent people and firms, run pattern-matching across everything they can ingest, and then produce outputs that look like findings: networks, scores, dashboards, ranked queues.

The aesthetic is certainty. But the reality is triage.

This is the same arithmetic described above — now operationalized at scale. In a low-prevalence environment, systems designed to “find fraud” inevitably generate large numbers of false positives, simply because the innocent population is so much larger than the guilty one.

I have an interactive tool here that you can play with, which goes into more depth on the math than I will in this post. (It’s not too scary, I promise. You’ll see a standard warning that it was authored by me rather than Google. That’s correct: the code is fully visible and performs only the calculations shown.)

In medicine, we at least admit the way the testing works.

Remember COVID? Remember all the times that you, someone in your family, or someone you knew was obviously infected but tested negative?

Worse, remember all the times when you had to test to be allowed to go do a thing and you felt fine — zero symptoms — but tested positive?

Remember “asymptomatic cases”, where you had to live as if you were sick even though you weren’t — just in case?

My doctor’s office had an official protocol for suspected false negatives — cases where symptoms or exposure suggested infection despite a negative test — and it included quarantine. Remember that?

I’m bringing up COVID testing because the mathematics behind the testing is literally identical. This isn’t an analogy. It’s just the same math.

That shared math should make us cautious. In medicine, we treat screening results as provisional precisely because we understand how easily false positives and false negatives arise in low-prevalence settings.

In fraud enforcement, that caution often vanishes — even though the underlying mathematics has not changed at all.

The software flags you, an investigator opens a case, and now you are inside the blast radius of a machine that was designed to manufacture leads at scale.

Foundry, Palantir’s flagship platform, is explicitly built for this. It ingests disparate data sources — emails, documents, spreadsheets, financial records, public databases, and extensive additional materials (that firms are being compelled to provide as a condition of continued participation), as well as anything else the government can get its hands on — then normalizes them, links entities, and allows users to define rules and models that generate alerts.

Those alerts do not remain abstract. They become objects in a workflow system: scored, sorted, assigned, escalated. A case-management interface turns suspicion into an assembly line.

One of the most dangerous features of this system is also one of the least examined: user-defined rules.

A rule is not a statute or a regulation. It is not debated, promulgated, or tested in court. It is a subjective trigger created by an analyst: flag businesses that grow “too fast,” that share an address, that resemble patterns from past cases, that show behavior a bureaucrat thinks of as suspicious for whatever reason.

These rules are not subject to legal scrutiny, yet once encoded, they operate with the force of accusation.

Rules like this are not evidence.

They are hypotheses, expressed in code.

In a courtroom, hypotheses are interrogated. They are challenged. They are exposed to adversarial testing. In a data-mining platform, they are simply run.

Once run, they produce consequences.

For a small business caught in this system, there is no pause button. Payroll still comes due. Rent is still owed. Employees still expect to be paid.

A small business cannot survive ninety days, or longer, when payments are delayed, contracts are moved to suspension stage, and the government quietly presumes guilt while inviting the owner to prove innocence.

And that is how the presumption of innocence collapses in practice.

Nobody announces the suspension of the presumption of innocence as a fundamental legal doctrine.

But it happens all the same, as a lived procedural reality, through a silent inversion of burden.

The algorithm flags you. The case opens. Now you must explain yourself, document yourself, justify yourself, while the government takes its time.

If you want to challenge the basis for the suspicion, you quickly hit a wall.

You cannot cross-examine a black box. You cannot subpoena a risk score.

You cannot meaningfully rebut a proprietary system whose assumptions, thresholds, and decision rules you are not allowed to see or challenge.

Due process is not just about eventual outcomes. It is about procedure, timing, and power.

A system that allows the government to operationalize suspicion at scale, based on opaque rules and proprietary analytics, while imposing real-world harm on people who have not been charged, let alone convicted, cannot pass constitutional muster.

The problem is not that Palantir’s software is malicious. It is that it is powerful, subjective, and insulated from challenge in precisely the ways the Constitution exists to restrain the government and protect its citizens.

When low-prevalence phenomena, subjective rule-making, opaque algorithms, and enforcement timelines that small businesses cannot survive are combined, the result is not fraud detection.

It is automated suspicion enforced by economic attrition.

That is not compatible with a system that claims to respect the presumption of innocence.

When Near-Perfect Still Fails Miserably

This is the part most people miss, and it’s pure math.

When actual fraud is rare — as it is in most large programs — the number of innocent firms vastly outnumbers the number of guilty ones. Even a system that is very good — nearly perfect — at identifying fraud will still make mistakes. And those mistakes are made against the much larger innocent population.

That means something counterintuitive but unavoidable: as the true rate of fraud goes down, the share of flagged cases that are false positives goes up, even if the tool is highly accurate. That is not because the tool is getting worse, but because the innocent population is so much larger.

To see how the math works: consider a population of 5,000 businesses and a screening system with a sensitivity of 0.99 and a specificity of 0.99 — performance that would be just shy of perfect in practice, and far better than any known real-world test.

In COVID terms: sensitivity measures how good the test is at catching real infections (how many sick people it correctly flags, or here, how many real fraudsters it flags), while specificity measures how good it is at not falsely diagnosing healthy people as infected, or innocent people as guilty. (The notebook has a deeper explanation of sensitivity and specificity for the math-curious.)

If the true number of fraudulent businesses is just 5, the system performs “well” in purely technical terms: it correctly flags nearly all of the fraud. But it also incorrectly flags dozens of innocent firms. Even under unrealistically good, just-shy-of-perfect testing accuracy, there will be on the order of fifty total flags, and more than 90% of the businesses flagged are innocent.
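The arithmetic of this scenario, as an added Python example (not the code from the notebook mentioned in this post; the class and function names are hypothetical). It goes slightly beyond the text by also sweeping the assumed number of fraudulent firms and solving for the specificity at which innocent firms stop being the majority of flags.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Screening:
    true_pos: float   # guilty firms flagged
    false_pos: float  # innocent firms flagged
    false_neg: float  # guilty firms missed

    @property
    def flagged(self) -> float:
        return self.true_pos + self.false_pos

    @property
    def innocent_share(self) -> float:
        """Fraction of flagged firms that are innocent (1 - precision)."""
        return self.false_pos / self.flagged if self.flagged else 0.0

def screen(population: int, guilty: int, sens: float, spec: float) -> Screening:
    """Expected counts when every firm in the population is screened once."""
    if not (0 <= guilty <= population and 0.0 <= sens <= 1.0 and 0.0 <= spec <= 1.0):
        raise ValueError("need 0 <= guilty <= population and rates in [0, 1]")
    innocent = population - guilty
    tp = guilty * sens
    return Screening(tp, innocent * (1.0 - spec), guilty - tp)

def sweep(population, guilty_counts, sens, spec):
    """Innocent share of flags for each assumed number of guilty firms."""
    return [(g, screen(population, g, sens, spec).innocent_share)
            for g in guilty_counts]

def specificity_needed(population, guilty, sens, max_innocent_share):
    """Specificity at which innocent firms are at most the given share of flags."""
    if not 0.0 <= max_innocent_share < 1.0:
        raise ValueError("max_innocent_share must be in [0, 1)")
    innocent = population - guilty
    if innocent == 0:
        return 0.0  # nobody innocent to flag, so any specificity works
    # fp / (tp + fp) <= s   <=>   fp <= tp * s / (1 - s)
    allowed_fp = guilty * sens * max_innocent_share / (1.0 - max_innocent_share)
    return max(0.0, 1.0 - allowed_fp / innocent)

if __name__ == "__main__":
    r = screen(5000, 5, 0.99, 0.99)  # the scenario from the text
    print(f"flags={r.flagged:.1f} innocent={r.innocent_share:.1%} missed={r.false_neg:.2f}")
    for g, share in sweep(5000, [500, 50, 5, 1], 0.99, 0.99):
        print(f"guilty={g:4d} -> {share:.1%} of flags are innocent")
    print(f"spec for 50/50 flags: {specificity_needed(5000, 5, 0.99, 0.5):.5f}")
```

With 5 fraudulent firms in 5,000, the specificity needed just to reach a coin-flip between innocent and guilty flags is above 0.999, an order of magnitude fewer false alarms than the 0.99 assumed in the scenario.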

This is not a flaw in Palantir’s software. It’s not bad intent. It’s the same arithmetic that governed COVID tests, airport screenings, and every mass screening system ever built.

It is basic probability.

It is mathematical law and simply not up for revision or debate.

To make this even more concrete, I’ve built an interactive notebook where you can enter your own assumptions — population size, true fraud rate, and how “accurate” the system is — and see exactly how many innocent firms get flagged, and how many guilty ones are missed.

You don’t have to take my word for it; you can change the numbers and watch the results update in real time.

The notebook is here.

Once you see the math, it becomes clear why treating algorithmic flags as evidence — rather than as weak, preliminary signals — is not just a technical mistake.

It’s a constitutional one.

I’ve been writing on Substack for over five years, and I can count the number of “call to action” posts I’ve written — where I explicitly ask you to do something — on two fingers.

But I’m asking this time. Please share this post.

Very few Americans are good at remembering that the other side will eventually have power again.

Well, I am good at remembering that.

Even if you hate the 8(a) program and want all 4,500 of the small businesses inside it to die, you shouldn’t want any of them to die this way — unless you’re perfectly ok with the idea that the IRS, under the leadership of President Gavin Newsom or President AOC or President Pick-your-poison, will be using data mining to flag you (or your favorite conservative influencer, commentator, etc.) for “fraud,” trigger IRS enforcement actions that can freeze bank accounts or seize funds (and worse), and invite you to prove your innocence.

This is the ballgame, folks.