Schneier on Security
A blog covering security and security technology.
« Torture and the Ticking Time Bomb |
| A Million Random Digits »
October 13, 2006
RFID Tagging People at Airports
How's this for a dumb idea? Tagging passengers at airports. That's all passengers.
EDITED TO ADD (10/13): Ross Anderson said this to me in e-mail: "The real reason for wanting to tag airline passengers is that when people check bags but don't turn up for the flight in time, the bags have to be unloaded, causing expensive delays." Interesting analysis.
Posted on October 13, 2006 at 7:28 AM
• 60 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Tagging may work very well for sheep, but they are used to being herded and they don't have the ability to hand their tags over to a wolf.
What problem is this supposed to solve? Backtracking what a criminal did after he did it? I can't see how this could plausibly prevent anything.
Oh come on... it's simply brilliant! ... As another money-making scheme based on fear and waste.
Unfortunately the pool of ideas seems to be coming from bureaucrats and politicians. They aren't security experts. To someone who hasn't even studied the subject, "whatever they have to do to keep me safe" sounds like a good idea.
I am constantly astonished by some of my colleagues... quite intelligent people... who simply think whomever is making these kinds of decisions _are the experts_. Clearly, this is not the case.
They haven't stopped to think about what a specific security solution actually accomplishes. And in many cases, it's nothing...
While it could be spun as being related to security, that isn't what is fascinating about this. I'm betting even a small amount of data gathered by tracking multiple point movement through a busy airport could lead to interesting and possibly new perspectives on passenger processing and pass-through at airports. I can see efficiency analysts having a field day with this data.
"The project still needs to overcome some hurdles, such as finding a way of ensuring the tags cannot be switched between passengers or removed without notification."
I suggest stapling it to the ear. I hear it works great on cattle.
I like the way two huge reasons why the system wouldn't work (removing or switching the tags) are just presented as 'hurdles' to overcome, rather than fundamental flaws in the system.
It also doesn't address the problem that someone could just shield the tag; no need to remove it at all.
I wonder how hard they've thought about authentication? Could you spoof someone else's card? Could you jam the signal?
"...the tags could aid security by allowing airports to track the movement patterns of passengers deemed to be suspicious and prevent them from entering restricted areas."
Wait a minute. If these poeple are so dangerous, why let them roam freely in the airport in the first place. Just kick them out or call the police and have them arrested. Tracking "suspicious people" is a function of the police, not airports.
"It could also aid airports by helping evacuation in case of a fire, rapidly locating children..."
Oh-ya! Can't have a press release like this without a "save the children" plea.
"I'm betting even a small amount of data gathered by tracking multiple point movement through a busy airport could lead to interesting and possibly new perspectives on passenger processing and pass-through at airports"
I agree with pattern analysis. However, this can be done with a random sample of volunteers, not every passenger! At Disney World, when standing in long lines, random volunteers are asked to carry a "tag" (probably not an RFID, but same idea), to help them determine line wait times. This would be a great use of this type of technology.
While I agree that this seems pretty useless, I can see where it COULD be coupled with software that could detect suspicious movement, like loitering for hours, spending an excessive amount of time in the bathroom (assembling something?), making several trips between two areas, etc.
Once a large amount of data was collected, it might be easy for software to tag the very small number of people who are falling outside normal behavior, then to display these people to security personnel to keep an eye on them.
IOW, it doesn't detect bad guys, but it might be able to reduce the field of who security needs to keep an eye on.
Of course, there are "still a few bugs in the system":
The system would have to work in conjunction with the camera systems to detect things (people) moving around that aren't associated with an RF tag.
Otherwise a bad guy could either shield the tag and walk around undetected, or ditch the tag in a bathroom where a person might spend 20 minutes, so by the time a flag was raised they could be anywhere. Or they could hand their tag to a few accomplices who carried the tag around just doing normal activities, perhaps occasionally trading it off.
Since this is a powered tag, it seems like stopping shielding is simple; if the tag is unable to communicate with a reader for more than 30 seconds, it starts beeping, and 30 more seconds and it starts really making a lot of noise.
If this were to become widespread, I don't think it would be too hard for bad guys to figure out what "normal behavior" looks like to the system and to plan their operations to not fall outside the range. This is definitely a losing action.
Oh c'mon, its being said by scientists as the article claims.
We all know that scientists have more claim to security than security people, especially in Hungary. :)
Its amazing though that throught the article on BBC they make a claim that it will improve security *magically* and don't back up the claim by saying how.
Marketing, airport's shops and developers would love its data but it'll be useless for security. It's still the needle in the haystack problem.
More importantly: why should I wear that thing? I'm not a sheep!
I must be missing something here... Even if there's no way to fool the system, how exactly does this solution prevent a terrorist attack? Which kind of attack, by the way?
==Cynic Mode ON==
There you are a Prof. in a Universtiy with funding issues, as the major consumer of your work (the mobile phone industry etc) is in a bit of a recesion you have research funding issues, life is looking a bit grim...
Then you here about E.U. funding of 2million Euros (about the same as USD ;)
You take your wares that are not realy marketable at the moment and spin a security aspect on them.
Then oh manner from heaven the cash comes rolling in...
==Cynic Mode Off==
I might well be doing the people at UCL an injustice and I am by no means having a dig specifically at them, it's just that I see so much of this shift of research to "security" with no real change I cannot help but wonder why, especially when there are very large bundels of cash involved.
Reading the Hungarian papers this morning, I noticed the same news. The most amazing thing is that they are going to test this in DEBRECEN! I was born and lived there until 17, and my parents still live there. It is a sleepy little agricultural city of 200 000 people, and the airport is tiny, it only has 1 normal-size runway (and another for small aircraft), and the traffic is that airport is minuscule. I would not expect more than 200 passengers to be present in the secure area at any time, possibly less (think 1 or 2 flights a day). This is the last airport on earth that would need this technology.
"But potentially, said Dr Brennan, the tags could aid security by allowing airports to track the movement patterns of passengers deemed to be suspicious and prevent them from entering restricted areas. "
I have another way to prevent them from entering restricted areas: it's called PUT A FREAKIN' LOCK ON THE FREAKIN' DOOR!
I think it will only take a grant of $1.1B or so to develop this into a workable prototype ;-)
'it might be easy for software to tag the very small number of people who are falling outside normal behavior'
So you let a piece of software decide what is suspicious behavior and what is acceptable behavior.
Humans always have been, and will be for some time to come, far better at detecting suspicious behavior. Reducing the field of view that security personel has, will not increase security, but increase the risk of missing important events, and focus attention on people with suspicously long bowel movements.
I read not long ago that there was an airport that was looking into this for two reasons, neither security related. One was to allow flight attendants to find late boarders and improve the flow of passengers. The second was to increase the amount of time passengers would spend in the shopping areas by analysing their movement and adjusting floor layouts. I think it might have been Manchester Airport in the UK. They were quoting earnings figures of something like £4 per minute per person spent on the floor and looking to improve this by 50%.
Sorry, £4 figure was way out. It was 4p a minute with a target of 7p.
"While I agree that this seems pretty useless, I can see where it COULD be coupled with software that could detect suspicious movement, like loitering for hours, spending an excessive amount of time in the bathroom (assembling something?), making several trips between two areas, etc."
Well, this is just great. How many people will be thrown out of airports and arrested because they suddenly experience a problem with their digestive tracts?
(Or a sudden "lust attack", for that matter? :) )
Any system of this kind will quickly be swaped by false positives. e.g I doubt police will continue to investigate people "spending an excessive amount of time in the bathroom" if the first few are found to have upset stomachs, etc.
I agree with you Waitaminute...it wouldn't be necessary to tag every passenger and doing so certainly introduces other types of issues such as compliance and privacy etc.
Bruce called this "dumb" which suprises me a little. Certainly there are practical and useful applications for this type of technology. Whether they are relevant for security matters is arguable, obviously.
Riiiight. Now security will be able to know, at any given point in time, where exactly every person that checked in is. (Assuming the system cannot be fooled by obvious means, that is.) And this improves security in exactly what kind of way?
Lets have a scenario: Security is watching someone on their screens preparing some malicious deed. Now they are able to localize the subject. - Oh! They have been knowing where the subject is nontheless because the've seen it on the camera.
Right another one: Some badass-device is detected in the checked-in baggage. Security is able get the location of the person related to the baggage. They will recognize that a) the person will enter its plane shortly before departure or b) the subject has left the area of observation. Neither is of much help for there is no motivation for the evildoer to stick around the airport and not entering the plane.
It is not as dumb as you might think, provided it is used sensibly.
I was involved in a feasibility study for a similar project. A major airline had analysed flight delays and observed that the major cause of delays was somebody who had checked baggage then failed to get to the departure gate in time. The flight is then postponed while staff retrieve bags from the hold.
If passengers are tagged then the airline will know that the errant passenger is in duty free or the toilet and hurry them to the plane. I am prepared to bet that on your next flight the number of such passengers exceeds the number of terrorists.
What I meant by 'used sensibly' is that the tag should be necessary but not sufficient to get a passenger's bags on board. If the tag doesn't reach the gate then the bags don't reach the plane. It doesn't prevent the airline from continuing to check boarding cards or passports at the gate.
From a security perspective this is similar to holding the bags outside the plane until the boarding card is scanned at the departure gate.
What are its failure modes? If you shield or lose the tag then your bags are impounded. If you give your tag to another passenger this is similar to giving them your boarding card - in other words there should be checks for this at the gate, but they are no more onerous than existing checks.
A miscreant can do both: shield the tag and give it to another passenger. Provided the protocol for tags at the gate is similar to that for boarding cards this isn't a problem. One passenger, one tag, plus one passport, all of which must match, otherwise you are taken aside for questioning.
To analyse the proposal I would split it in two: the security gain is not in the tags themselves, but in making it easier to stop bags getting on a plane without a passenger. There is a cost benefit to the airline, quite independent from security, in being able to find lost passengers. If lost passengers are more frequent that terrorists - which I expect to be the case - then it is the latter issue that influences the business decision.
it's still a few years away, but we're headed toward everybody tagged, all the time, not just at airports.
It must be Daft Airport Ideas Friday: Manchester Airport has just announced that it is going to ban free parking for picking up passengers and direct cars to short term parking (a "discounted" rate of £1.80 for 30 mins). Why? For "safety and security reasons" of course. http://news.bbc.co.uk/1/hi/england/manchester/...
Hmmm, nice Bruce, tie this together with read/write RFID's in the lovely passports that come of us have now and call it soup!
It could be argued that every person carrying a cell phone is already "tagged". Whether or not computer systems exist to comprehensively track multiple "tags" in real time is something you might have to ask the NSA.
Sounds like it's more of a victim tracking system for pedophiles and pickpockets than an anti-terrorist security system.
So, whenever a flight is delayed, the software will determine that a large number of loiterers are active at once, signalling a massive terrorist attack?
gosh, you know, i wonder if these people thought of any of this already? well, yes they did - in fact the airport has video surveillance so if an object moves which is NOT tagged, then alarms ring.
but the MAIN aim is (in fact) to make sure there are bags and people on same planes to avoid missing takeoff slots - which is nothing to do with anti-terrorism - or surveillance of identities - it is ufficient (from the BAA and Airline point of view) to assure a boarding pass with person got on to same plane as the associated bags.... is all:)
Obviously, this is not for security at all, but more related to profits. And both the airlines and the airports will benefit:
1) It would help track people who check in and the "loose track of time" at the bar, thus delaying the flight. Hopefully. It will work, provided that they start looking for "stragglers" before it's too late. Result: Passengers got to arrive at the gate earlier than before. More hassle for passengers, but (possibly) less for the airlines.
Those who "loose track of time" at the bar are probably too drunk to be allowed on the flight anyway - perhaps the system can automatically "bump" you off the flight if your tag spends too much time in the bar? (likelyhood of intoxication etc) Quite a weak security argument here...
2) It can be used for tracking which shops are frequented by which type of traveller. Shops would probably love to get more demographics about their customers - although the identity of the customer may not be revealed, their destination might. And that's quite interesting for a shop...
If the tag can be used for identifying travellers, then the shops can use them for billing people too :=) The duty-free sexy underwear can appear only your company credit card as "American Airlines" :-) Why bother with the credit card after you checked in? (if you break it, it migh be sharp and therefore dangerous. Cannot be allowed on board! Think about the children!)
3) Who's selling those tags? They'll profit for sure.. And it's not only the tags: They'll need some sort or receiver (probably quite a few), computers to "track" people, new software for it, network infrastructure, maintenance, monitoring and whatnot... Lots of billable hours awaits!
Besides: If security *really* was the issue, then they would have to tag people ON ENTRY to the airport - not wait until check-in. And remove the tag on the plane.. Elderly lady picking up her granddaughter? Please wear this tag...
Always follow the money as it leads to the real reason for such decisions.
Why there is not more jail time for the billions stolen through fraud and abuse during this war on terror and on Iraq is disappointing to be sure.
Steal a loaf, go to jail. Steal millions and more and be a successful businessman and lobbyist.
I really like the way they regard the civil liberties implications as a minor problem.
From the edit: "The real reason for wanting to tag airline passengers is that when people check bags but don't turn up for the flight in time, the bags have to be unloaded, causing expensive delays."
If that's the case, just add a few networked barcode readers that scan the boarding pass: once when you reach the back of the security line (where they check your boarding pass anyway), once when you are actually getting screened, and once at the gate. For full coverage, also scan people who leave the secure area.
A pain? Sure. But certainly less so than making them wear RFIDs around their necks.
Apropos shielding/ removal/ swapping of tags, I believe that these concerns can be adequately addressed by proper design. The key is to realise that in this context the customary practice of miniaturisation is not only unnecessary but actively counterproductive: we want the tags to be robust enough to resist interference and visible enough that their absense will immediately be obvious not merely to trained security staff, but to alert members of the public. Some sort of lockable collar, perhaps, worn above the travelers' outer garments, or a robust sphere attatched to wrist or ankle by a tamper-resistant chain?
Also, though I haven't explored this possibility in detail, it seems to me that the combination of a suitable design of tag with some very minor changes to the passenger-handling procedures already in place at major airports like Heathrow would make it feasible to dispense with the electronic component altogether. The resulting cost savings - both for the tags themselves and the supporting infrastructure - would make deployment much more practicable.
-Flight delays having been getting worse, not better and airlines are using their power to involuntary bump more frequently. So "loitering" is the traveling norm.
-Anyone who travels a lot has probably had indigestion, so "spending lots of time in the bathroom" is also a norm.
-Walking around the terminal is a great way to relax so watching a person walking back and forth from two points is normal too!
Doesn't an RFID tag do the opposite of what Bruce recommends? It gathers lots more data for humans and computers to sift through and creates a waste of time questioning people who ate bad food.
Spend the money on good intelligence and more trained officers looking for real problems.
@Karl E. Jorgensen:
"Those who "loose track of time" at the bar are probably too drunk to be allowed on the flight anyway - perhaps the system can automatically "bump" you off the flight if your tag spends too much time in the bar? (likelyhood of intoxication etc)"
Right, because everyone who spends an hour or two at the bar comes out plastered. The first airline that does this to me because I stop off to read a book while drinking a soda in a bar that's far more comfortable than the seats outside of the gates is going to get a really annoyed series of calls climbing the corporate ladder, from the customer service rep on up through whatever executives I can track down through whatever means.
Offtopic: Please keep in mind that the proper spelling in your context is "lose." There are no double-vowels in the word.
Why not address the root problem? People can act "normal" and still be capable of terroristic actions on board a plane.
So we anesthetize all passengers (pre-boarding) for the duration of the nice, quiet, flight. You will never get from New York to L.A. so safely, or so "fast".
Oh...and we're going to need more Soylent over here.
The purported explanation makes no sense. That's an argument for tagging bags, not for tagging people. If you tag the bags then it's easier to find the bags which need to be removed because the peole didn't make their plane. When it comes time for the plane to close it's doors, the airline already knows who has boarded and who hasn't boarded.
"The real reason for wanting to tag airline passengers is that when people check bags but don't turn up for the flight in time, the bags have to be unloaded, causing expensive delays."
Wait a minute. I don't see how this is going to work. How will this be any different than it is now. Are they saying that they won't load bags onto the plane until the associated person gets to the gate? So the baggage handlers are going to stand around on the tarmac until all the passengers "arrive" at the gate, and only then put their bags on the plane? How is this any different than the current system, where one can't get on the plane without out a boarding pass. When the boarding pass is scanned at the gate, the person's bag is put on the plane.
How will tagging passengers with RFID change the current baggage handling system? And if the change the way bags are loaded onto planes, then the curent system should suffice.
As far as finding "lost" passengers, this would be a great way to never miss a flight. Just check-in, then wander off to some uncrowded location in the airport to read, watch TV, work on laptop, etc. No worries about missing your flight, since the airline personal will use this great RFID technology to come find you and escort you to the gate, just in time for departure! No more time wasted standing around the (almost always crowded) departure gate!!
"While I agree that this seems pretty useless, I can see where it COULD be coupled with software that could detect suspicious movement, like loitering for hours, spending an excessive amount of time in the bathroom (assembling something?), making several trips between two areas, etc."
Hmmm... "...loitering for hours..." And just how will you distinguish between loitering and such normal airport activities as waiting for a flight that has been delayed because of some stupid security measures? Or because the airline messed up the schedule again? Or people who actually listened to the stupid suggestions that passengers show up 3 hours before their flights?
So they're officially trying to brand us... Great.
Btw, how are these tags to be attatched? Would would prevent someone from holding two tags? Or from placing a clone of one in a rest area?
Where do they stick the tag when we all have to fly naked?
"People will be told to wear radio tags round their necks ... " reminds me of dogs.
To make boarding more efficient - assuming it will work.
Tight enough, you won't get it over the head, and not opened without destroying it or without special tools.
Behaving like well drilled monkeys is a lesson early learned, to automate processes.
The word 'security' came into the text by accident - by association (RFID, airport, ...).
My first inclination is shielding it. But the suggestions that the tag emit sound if it loses touch with the mother ship for 30 seconds make me wonder if it is perforated so that it can effectively emit that sound. I wonder what water in the washroom would do to it?
Or a very tiny piece of metal like a pin, staple, or a sewing needle that might accidentally slip by security. I once accidentally disabled a friend's laptop's peizo-electric beeper while looking for its reset button. Hmmm...
And, the procedures for leaving the secured areas will have to be beefed up too, otherwise someone may mingle with arriving passengers and abscond with their unit.
I wonder what happens when they return and recheck in after they've ditched their unit? Especially if they didn't check their bags. (oops, I left my credit card in my car and must have accidentally left the tag there when I was getting it).
What happens when you happen to lose it? Jeez, I'm sorry, it fell in the toilet just as I flushed it.
I sure don't want to be carrying some unsanitary thing around that's been handled by hundreds of [potentially] unsanitary people during the past month.
>> Where do they stick the tag when we all have to fly naked?
Well, doesn't this thought directly lead to a natural choice of design and placement, which guarantees most people will be eager not to loose their tag ... ;-)
Take for example Heathrow. Roughly 70 million people a year pass through Heathrow (not including staff). That's about 190 thousand a day. If we assume each passenger spends 4 hours in the airport that's about 32,000 tags issued at any one time (again not including staff.)
If just 1 in a thousand tags fail or get lost security has to find a tag 32 times a day. If the tag has failed it's quite possible they will have to search the entire airport just in case.
If it necessary to issue and collect around 190,000 tags a day, somebody has to do it. Assume it takes five minutes per person, you are going to need 600 staff just dealing with security tags.
A very silly idea.
"The purported explanation makes no sense. That's an argument for tagging bags, not for tagging people. If you tag the bags then it's easier to find the bags which need to be removed because the peole didn't make their plane. When it comes time for the plane to close it's doors, the airline already knows who has boarded and who hasn't boarded."
This is insightful. Also, the manpower to attach/remove rfid tags from luggage is already half there: bags get tagged on checkin. You would only need to deploy twice as many staff to remove them on arrival. (The usefulness of removing them shortly before loading is very limited.) Some efficiencies in luggage searching are available here; losing track of which bags have been searched and which haven't is a bookkeeping error that becomes a security risk.
If you really wanted to make certain all passengers kept their tags, attach the tags to their boarding passes. (Issue tags embedded in a plastic boarding pass holder?)
On the other hand, if you _really_ want to make sure that both passenger and bag make it on the flight, making each gate a separately secured area with its own bathroom would make sense. Moving the security check to each gate also would prevent long lines of passengers presenting themselves as targets. While most US airports are not well designed for that kind of thing, remodeling that moved all of the nonessential businesses outside the current security perimeter would be adequate. *shudder* Note that this solution would make connecting flights nearly impossible to manage.
"""..., you are going to need 600 staff just dealing with security tags.
A very silly idea."""
... unless you're the company contracted to supply those 600 staff.
Nice analysis though.
Even 1 failure in 100,000 (pretty good for something that's gonna get abuse the way these things will be) you get 1 false alarm every 3 days.
I wonder.... Can I just get one implanted and save those extra 5+ minutes at the airport?
This brings up another security question:
In the days of suicide bombers, what difference does it make if the passenger is on board or not? At this stage, the passenger and his baggage have already been cleared to fly. Either you trust the screening the baggage is going through, and then no reason to take the baggage off if the passenger isn't present, or you do not, and then you have not solved anything, as the passenger can simply commit suicide.
Seems like the added value is minimal at best, and the cost is huge.
Around the neck? Odd, given the RFID passport implementations. At least they're not implanted.
SAS is trying out this technology on its domestic flights within Sweden:
A passenger’s fingerprint is associated with each piece of luggage, using technology from Precise Biometrics AB. The fingerprint scanned at baggage check in is then compared with the fingerprint scanned at boarding.
Who needs RFIDs when you've got fingerprints? Those can't be flushed down the toilet or mechanically disabled.
The biggest problem of this idea is data protection law. I wonder how the data protection authorities will react...
> wonder how the data protection authorities will react...
Probably by helpfully mentionning that the DPA needs another "update" to make it kosher.
"A passenger’s fingerprint is associated with each piece of luggage, using technology from Precise Biometrics AB. The fingerprint scanned at baggage check in is then compared with the fingerprint scanned at boarding."
Oh, good, finally a solution to the old bait-and-switch tag-team suicide bombers. If you just used the boarding pass, it would be possible for suicide bomber A to check the bag, and suicide bomber B to actually get on the plane (to get the bag loaded) and get blown up. Now they have to be one and the same.
And congratulations to Precise Biometrics AB on their win! With this new contract, I expect them to meet and exceed their earnings estimate this year. I rate them a Strong Buy. What's their ticker symbol again?
(Hey, this is satire. I'm not actually recommending any stocks, here. But you know that, right?)
Re: "gosh, you know, i wonder if these people thought of any of this already? well, yes they did - in fact the airport has video surveillance so if an object moves which is NOT tagged, then alarms ring."
Really? How will they correlate the 2-D video from one angle with an RF signal among thousands from a potentially seperate point or set of points? Sounds like something fairly tricky to do accurately. Simply using 2-D images to reconstruct a convex 3-d object correctly requires more than a dozen images.
OTOH, matching baggage to passengers makes some security sense. The pool of people willing to commit suicide to launch attacks is smaller than those willing to commit homicide. Just read some of the stories about the drivers of bomb-laden cars who attempt to bail out at the last moment in Israel.
Hi I stumbles across this website. thought it was on topic and might become the way of the future if you want to tavel. Scary Thought.
RFID CHIPS - Border Security
I would say, implementing the RFID technology into airports as a way to increase security is really money drained doun the toilet .RFID will never be able to do the work, since the technology is not safe enough to prevent tempering, removing or cloning of the tag. The airports save their money and wait a few years until the technolgies improve. Why change their whole procedures and invest in a new system that will need to be changed in a year?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.