Schneier on Security
A blog covering security and security technology.
January 25, 2007
In Praise of Security Theater
While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.
Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S. -- one in 145 -- and it becomes clear where the real risks are.
And the 1-in-375,000 chance is not today's risk. Infant abduction rates have plummeted in recent years, mostly due to education programs at hospitals.
So why are hospitals bothering with RFID bracelets? I think they're primarily to reassure the mothers. Many times during my friends' stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby is out of their sight.
Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.
The RFID bracelets are what I've come to call security theater: security primarily designed to make you feel more secure. I've regularly maligned security theater as a waste, but it's not always, and not entirely, so.
It's only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases -- like with mothers and the threat of baby abduction -- a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered.
Tamper-resistant packaging for over-the-counter drugs started to appear in the 1980s, in response to some highly publicized poisonings. As a countermeasure, it's largely security theater. It's easy to poison many foods and over-the-counter medicines right through the seal -- with a syringe, for example -- or to open and replace the seal well enough that an unwary consumer won't detect it. But in the 1980s, there was a widespread fear of random poisonings in over-the-counter medicines, and tamper-resistant packaging brought people's perceptions of the risk more in line with the actual risk: minimal.
Much of the post-9/11 security can be explained by this as well. I've often talked about the National Guard troops in airports right after the terrorist attacks, and the fact that they had no bullets in their guns. As a security countermeasure, it made little sense for them to be there. They didn't have the training necessary to improve security at the checkpoints, or even to be another useful pair of eyes. But to reassure a jittery public that it's OK to fly, it was probably the right thing to do.
Security theater also addresses the ancillary risk of lawsuits. Lawsuits are ultimately decided by juries, or settled because of the threat of jury trial, and juries are going to decide cases based on their feelings as well as the facts. It's not enough for a hospital to point to infant abduction rates and rightly claim that RFID bracelets aren't worth it; the other side is going to put a weeping mother on the stand and make an emotional argument. In these cases, security theater provides real security against the legal threat.
Like real security, security theater has a cost. It can cost money, time, concentration, freedoms and so on. It can come at the cost of reducing the things we can do. Most of the time security theater is a bad trade-off, because the costs far outweigh the benefits. But there are instances when a little bit of security theater makes sense.
We make smart security trade-offs -- and by this I mean trade-offs for genuine security -- when our feeling of security closely matches the reality. When the two are out of alignment, we get security wrong. Security theater is no substitute for security reality, but, used correctly, security theater can be a way of raising our feeling of security so that it more closely matches the reality of security. It makes us feel more secure handing our babies off to doctors and nurses, buying over-the-counter medicines, and flying on airplanes -- closer to how secure we should feel if we had all the facts and did the math correctly.
Of course, too much security theater and our feeling of security becomes greater than the reality, which is also bad. And others -- politicians, corporations and so on -- can use security theater to make us feel more secure without doing the hard work of actually making us secure. That's the usual way security theater is used, and why I so often malign it.
But to write off security theater completely is to ignore the feeling of security. And as long as people are involved with security trade-offs, that's never going to work.
This essay appeared on Wired.com, and is dedicated to my new godson, Nicholas Quillen Perry.
EDITED TO ADD: This essay has been translated into Danish and Portuguese.
Posted on January 25, 2007 at 5:50 AM
As well as the numerical risks of occurrence, are not the perceived impacts of the events being compared also relevant?
Infant death, while tragic, is a threat every parent must face, and may be caused by factors presently regarded as beyond control. Anyone suffering the abduction of their infant from a hospital might well find that vastly more difficult to cope with. Investing a little in reducing the level of risk is fully justified for such a high-impact threat.
By the way, welcome to Nicholas!
This also gets us all used to wearing RFID tags from an early age ...
I am not quite sure that posting military personnel with assault rifles has created a sense of security.
For me it usually creates a sense of imminent danger when I notice above-normal levels of security. It makes the impression that trouble is being expected.
Example (Germany): When there's a soccer game in a city, the police usually posts larger-than-normal patrols in train stations and other places where fans gather. These patrols are commonly equipped with ruggedized overalls, helmets, sticks or personal armour (or have these things ready) - instead of the normally quite nice uniforms.
When I happen to arrive by train in the city on such a day, I usually don't feel more secure but instead I wonder whether it was really a good idea to come there on that day.
Isn't there a risk that security theatre can reinforce risk overestimates and so make us feel less secure?
This offers another interesting trade-off. Security theater has its uses to make people worry less about security. It still costs money. Thus, in any given situation, one can decide whether it is better (cheaper) to spend money on security theater, or spend it on education. Both will readjust the feeling of security for the affected persons, but education will do it by teaching a more reasonable assessment of the threat, while security theatre will add virtual defenses against a virtual threat.
However, money is not the only cost involved. While education doesn't usually come with other sociological costs, security theatre typically does (personal freedoms, most likely). In your example, there are no such costs, babies won't mind being tracked too much. I find no reason to object in this case, since education of mothers about the real threats would be both tedious and probably pointless (you only have so many children in your life).
This is an exception. Almost all types of security theatre I have experienced came at significant costs to freedom and convenience. In almost all cases, security theatre is a very bad choice for society. It may well be a good one for people who have a different agenda, especially if you want to avoid educating people about realistic threat assessment. (As I have come to suspect the governments collectively decided to do with regards to terror in general. Do I sound paranoid?).
I've noticed that politicians are good at lowering our sense of security using security theatre as well, to get what they want. The smoking guns of WMDs come to mind here.
"Anyone suffering the abduction of their infant from a hospital might well find that vastly more difficult to cope with. Investing a little in reducing the level of risk is fully justified for such a high-impact threat."
Risk reduction is statistical, not individual: when the system fails, the "high impact" will still occur somewhere. This is why arguments of the form "if we only save one life, it's all worth it" are usually the ones to suspect the most, especially ones that come at a large cost.
Looking at the immediate case, I get the impression these RFIDs aren't for the parents' peace of mind -- it is highly unlikely any of them are issued with little alarms that sound when the nursery alarm is tripped, so the parent can respond in person in a timely manner (think: if the parent is willing to trust the hospital to monitor the alarm, why would they be touchy about their kids disappearing into a test of some kind? why indeed are not these touchy parents invited to attend the test to allay any kidnapping fears they may have?) -- nor is it intended as a defense against the unwashed hordes of kidnappers who assault the gates of the hospital every day. A more prosaic explanation is that it's just for simple inventory tracking and hospital mistake prevention than anything else. One speculates that all hospital patients get the RFID tag, not just babies.
Here in the UK (and I suspect in the US too) those security tags serve another purpose. Namely to ensure that babies do not get mixed up and given to the wrong parent. The tags are attached almost immediately after the birth whilst in close proximity to the mother. After that it makes it easy to ensure that a child is returned to the correct parent if medical staff need to attend to the child away from the parents.
It is a short step from having a handwritten tag to using an RFID tag (that probably has a handwritten name on it too). In this case the security comes almost for free.
A google search on Nicholas Quillen Perry reveals he is almost as famous as 'The Schneier' already. ;-)
You miss one point. Used properly the RFID bracelets may also reduce the real risk, the 1:145 infant mortality rate.
Hospital bracelets, all hospital bracelets, serve an important primary role - to ensure that the right patient gets the right treatment. It's even more important in neonates as they can't say "I wasn't supposed to get that drug" and also they can deteriorate frighteningly quickly. It's standard practice to check bracelets before giving treatments; however it's not uncommon for busy staff to skip this step or make a mistake (The wrong "John Smith" for instance).
If you have an RFID bracelet and a computerised patient record system it'd be quite easy to make the checks automatic. The nurse or doctor carries a medium range RFID reader linked to the patient management system. When they pull the drugs/whatever for the next treatment they're doing it goes into the system. This is already what happens in practice, even on paper based systems (yes, that's the British NHS for you in the 21st century - paper based). If they get to treatment distance from a patient the RFID tag can be read and an alarm sounded if they are about to apply the wrong treatment to the wrong patient.
This is significant because 250,000 deaths a year in the US are attributed to iatrogenic causes. Yes, doctors and nurses are the third largest cause of death after Cancer and Heart Disease*. Of these 250,000, seven thousand are medication errors and 20,000 other errors - many of which are related to patient misidentification. The balance is unnecessary surgery, drug side effects and hospital acquired infections.
* And we wanted to blame the lawyers... :-)
I agree with Paeniteo. Security theater may make sense in some cases when the benefits of the heightened feeling of security outweigh the costs of the security theater (RFID armbands for babies would be an example, I think), but I personally don't feel more secure when there is a strong presence of armed guards, police officers, soldiers or other such folks. Maybe that's because unlike (apparently) most others, I don't blindly trust authority and because I know that power corrupts (an attitude that you may describe as both cynical and realistic; personally, I think it's both), but it's true nonetheless.
Case in point: the local mall has put armed, uniformed guards on patrol for the last few years, and you can't go there for even five minutes without seeing at least one pair. Does that make me feel more secure? Hell no. Does it make me feel more inclined to shop there? Not at all, either.
I think it's a slippery slope, too - people get used to a strong guard/police/government/military/... presence, and over time, our freedoms might slowly get eroded (or they might not, but it's not a risk I'm personally willing to take). Today, it's only patrols; tomorrow, there will be guards posted at the entrances to airports/malls/stadiums/...; next week, they will ask you for some form of ID before you're allowed in; and next year, your personal information will be stored, collected, cross-referenced and shared all over the place.
And there's also a risk of intimidation, I think. If a pair of armed guards walk up to you in a mall and politely ask you to do (or not do) something, how likely is it that you will challenge them instead of complying? I doubt that most people would, even when what they're doing is perfectly legal and/or acceptable. Things like this only teach us to accept authority, not challenge and question it.
So in this case, the security theater is definitely not worth it.
> It may well be a good one for people who
> have a different agenda, especially if you
> want to avoid educating people about
> realistic threat assessment. (As I have come
> to suspect the governments collectively
> decided to do with regards to terror in
> general. Do I sound paranoid?).
Very good point. It's quite possible that the reason so much security theater happens is that the responsible people (government, airports etc.) are of the opinion that the actual security risk is much lower than what the public thinks, yet do not want to pass on the increased possibilities that this fear offers (some people have actually made quite persuasive cases, that current US government have made efforts to increase the sense of fear/danger). In that context it makes sense to use security theater instead of really increasing security - because in cases where actual risks manifest into some kind of attacks it furthers the goal thereby having a net positive effect on the agenda.
Of course on the other hand there is always the saying, never ascribe to malice, what can be explained by stupidity...
I'm not quite convinced about this being a "Security Theater".
1. As Richard pointed out, some kind of identification firmly attached to the child is needed anyhow.
2. The low abduction rate might at least partly be the result of other security measures (like vigilant personnel) that bear a price as well. Those measures can be reduced, if the RFID-Thing works.
3. Compared to other "Theater Measures" that do not add any security at all, this one seems to actually work if there was an "attack".
As a parent who had a child shortly after a baby was abducted I paid a considerable interest in what security measures were in place at the Hospital we used.
I found that most of the physical security (to use an Americanism) "sucked" badly and was easily circumvented by other parents' children. Likewise the paperwork etc.
However on reflection I like the idea of RFIDs on "new citizens" for a couple of reasons,
1, Although in general they are of low (financial) worth, to the parents they are again in general without price.
2, Although technically human, they are incapable of displaying the normal responses of a child to danger.
So if you as a hospital administrator view the child as a "high value package" it is not actually surprising when you adopt the same tracking / protection methodologies as UPS / Walmart.
Looked at that way it does make a good deal of sense.
I should say however I do in no way advocate it as a method for many other reasons.
It gets pitched as abduction protection but, it also serves as a prop to keep the identification procedure working. When we brought our daughter home last year, they didn't remove the RFID tag until my wife and my daughter were positively identified, so it ensures that no mistakes are made mixing up babies and mothers at final checkout.
I have practiced Ob/Gyn for nearly 20 years
I agree with your assessment that hospital baby abduction is a very, very rare event
but, the primary reason for the new born RFID is that if such an abduction does happen and the hospital doesn't have such a mechanism in place (despite its many drawbacks), the outcome would be a sure win for the family (plaintiff) and major loss of $$$ for the hospital
also, some hospital "cannot" get insurance or some hospital may have to pay a larger insurance premium if they don't have this pacifier RFID system
~ an Ob-Gyn with 20 years experience
"If you have an RFID bracelet and a computerised patient record system it'd be quite easy to make the checks automatic. The nurse or doctor carries a medium range RFID reader linked to the patient management system"
In the US, at least at my local hospital, the RFID tag IS NOT used for patient identification at all. It is only used for the security doors. The baby must also wear a barcoded, human-readable identification tag, and two additional "matching" tags to match the baby with parents. When my son was born last year, he had to wear FOUR tags. (He didn't mind).
So although in theory the RFID tag could be used to help prevent incorrect administering of medication, etc, it is not currently being used that way. We're still just using normal, human-readable (or barcoded) hospital bracelets for that purpose.
I can only comment about the hospital where my daughter was born (3 years ago give or take).
These bracelets are NOT like the patient bracelet. She got that one too which is smaller, has a human readable name, patient number and bar code. It also can be removed with a little bit of effort.
The RFID bracelet is a rubberized monstrosity, like the parole ankle bracelets. As a matter of fact it went on her ankle. It also had a tendency to fall off, and actually stay off for long periods of time without any alarm sounding anywhere. It IS theater and not good theater either. It did reassure my wife though. She actually did make the comment that it made her feel good they had that. I know by now not to use my male brain when she is using her female brain. It just is not good for either of us.
So why do they use the bracelet? Lowers liability in the off chance something happens? Makes the families feel better? It is just expected? It is cheap? It is cool?
The hospital where we had our children used RFID tags that they attached to our infant's legs, and the tags would trigger alarms if the tags came too close to the ward's exit doors. However, it was obvious to me that this was "security theater" since the tags slipped off our infant's legs more than once during routine handling...
What am I missing here? If I wanted to abduct a baby, isn't it pretty simple to remove the tag?
I'm guessing these tags are more to prevent babies from getting mixed up (see Richard, above).
My wife just gave birth five days ago, and there was enough medical intervention involved that we spent a fair amount of that time in the hospital. So I've some first-hand experience. The hospital issued electronic bracelets to both my wife and the baby. If either bracelet leaves the ward more than ten feet from the other, an alarm sounds.
The nominal reason is to prevent abduction, but given the system I wonder if it isn't instead to prevent new moms from absconding.
A corollary, though, is that you can't walk past the doors of the ward if they are open -- it's close enough to set off the alarm.
If I'd known that the National Guard in airports didn't have bullets in their guns, it would have allayed my sense of insecurity. Having men in camouflage, carrying combat rifles, standing around in airports, emphatically did not make me feel secure about anything.
"The Culture of Fear: Why Americans Are Afraid of the Wrong Things" by Barry Glassner is also a good read when it comes to the feeling of security.
At the hospital where my second son was born ~5 months ago, there was an additional feature of these tags: The mothers got a tag that was both an RFID tag, *and* an RFID reader. Whenever our baby got within a few feet of mom, her tag let out a small and pleasant noise. If her tag got within a few feet of someone *else's* baby, it made a not-so-pleasant noise. It was kind of refreshing to hear the hospital tell us "the reason for this is that if for some reason we completely screw up and bring you the wrong baby, you'll know, and we can sort things out." That seemed like a decent security measure, specifically because it was security against a non-malicious threat. Securing against incompetence is generally much easier, because incompetence doesn't concentrate its efforts at weak links.
The staff told us that the infant tags, if they came too close to one of the exit doors, would set off an alarm and lock down the entire floor, disabling the elevators and locking all the doors. I don't know if I believe them, but my thought was: if an infant is near an exit door and the fire alarm is going off, which security measure wins? My money's on the fire alarm unlocking all the doors. So it's security theater, because a *malicious* attacker will focus energy on the weaknesses of the system. But, as this article points out, it made my wife feel better, and that's a worthwhile goal.
also, @Pete, the tag my son got was fairly securely fastened, and there was a metallic trace in the fastener. They told us, and I believe it's probably true, that if that fastener was cut, it would immediately set off alarms. It's much more than just a simple passive RFID transceiver.
"I think they're primarily to reassure the mothers."
So only mothers have irrational worries about their newborns? Not fathers?
You do talk about "parents" being unnecessarily worried at least once, but you invoke specifically "mothers" three times, including one "weeping mother [making] an emotional argument."
Dads get emotional too. You may have fallen prey to the availability heuristic...
"What am I missing here? If I wanted to abduct a baby, isn't it pretty simple to remove the tag?"
Not _that_ easy, but that's why they will soon begin implanting all newborns with RFID tags rather than just using the bracelets.
As Joe Patterson notes, the system works best when integrated with the mother's RFID bracelet - for our daughter (born last year), when my wife pushed a button on her bracelet, a green light would turn on in the room if our daughter was also in the room. Apparently baby mixups are very common, especially with the number of new parents who don't keep their child with them (we seemed to be unusual, in that there was a five minute window where we left our daughter with one of the nurses while moving from delivery to maternity, but had one of us with her continuously beyond that).
Several commenters have noted that, like all security systems, there are ways to circumvent this one. Folks, no security system is foolproof. The goal of most security systems is to increase the cost of attack to be higher than the likely benefit. Without systems like this, the complexity of abducting a baby is pretty low. With this system, an attacker needs more insight into how the system works, and has a greater risk of being detected. As a user of the system, I'm happy to have my child in a hospital with this. You can have your child in a hospital without this. If there is a baby abductor out there, I bet I know which hospital is safer to be in.
Whenever theatrics make people make bad choices, such policy is wrong. Especially if those people are jurors.
If safety posters make people at theme parks unjustly feel the rides are safe, the posters are bad policy.
If posting armed guards with no ammunition at airports unjustly makes passengers feel safer, the fraud is bad policy.
Fraud is always bad policy, as is counterfeiting.
By the way, RFID tags on the maternity ward babies will do nothing to prevent baby swapping, which does occur on purpose, as when a mother, to her horror, thinks her new baby looks exactly like its father, not her husband, so that late the first night she will swap for a baby that looks more like her husband. Workers studying genetic inheritance -- who were first to put out figures for this phenomenon -- give numbers like 1 in 20 or 1 in 30 as a national average. (Compare this to the 1 in 10 for children who are their mother's child but not her husband's.)
Also, simply yanking the tag off the baby utterly defeats this 'defense'.
In addition to preventing infant abduction the tags probably also prevent a fair amount of stupidity-with-infants where a parent or family member thinks it would be nice to take the baby out for just a minute or two. There's also a fairly long checklist for leaving a hospital with a baby (even a perfectly healthy one), so putting RFID removal at the end of it tends to make sure all bases are covered.
People have mentioned not carrying babies too close to the door. This requirement is complicated by the fact that RFID tags are perfectly readable through interior partitions, so you have to make sure that babies in rooms near the door don't get in range either.
Nicely put, I've been making this case for ages. The way I put it was this:
"Employees at a company that see high-profile dog and pony security measures (the kind that do no actual good) often respond positively to the visible measures, relaxing more and becoming more focused on work and therefore productive. Since most security measures targeted at actually addressing a threat take place behind the scenes, these stupid-yet-visible actions are often all the employees see, and no less a part of the overall plan than measures taken that actually reduce or mitigate risk to the business.
"Remember, security is about serving the overall business mission and protecting business assets, resources, personnel, and the like. Risk analysis has a gaping blind spot when it comes to lost worker productivity due to worker ignorance of actual security issues and imagined threats, and often the resultant impact to business can be greater than its annual security budget."
Bruce, Greatly enjoyed your blog read at Wired Online and posted it on AskRackmountRanger. I did a Google search for "it security blogs" and you were number one (#1) so added your RSS feed to my Google reader. I look forward to more great items from you.
Couldn't you say similar things about TSA security theatre? The actual risk of a terrorist attack on any given flight is next-to-nothing, but people are still anxious about terrorism. So if the security theatre helps people relax to the point where their feeling of security is closer to the reality of security, then isn't it very much like these RFID tags? Yes, technically there are gaping security holes terrorists could exploit (generating their own boarding passes, etc), but they haven't been. Same thing with child abductors--hospitals are now secure facilities and I'm sure a baby could be snatched with some planning--but nobody's doing it.
The difference (and you hinted at this, but not strongly enough) is cost. Cost in money and cost in liberty. RFID tags are cheap and (in this scenario) don't rob anyone of their freedoms. TSA security theatre costs more than I'd like to imagine, and even US Senators are being deprived of their rights if their names show up on a list.
That's the difference in my mind. The "palliative effect" of security theatre isn't so different from one scenario to another as you'd think.
Many good points, all! I personally believe RFID tags are just a high tech version of the wristband they put on babies elsewhere, as a way to ID the baby so there's no mix-up. This is obviously a good thing. It offers no better security because the bracelet can easily be removed.
Armed guards don't make me feel more secure. The more armed guards, the more insecure the area must be.
And the slippery slope argument is huge, as the more we accept armed security forces and individual searches, the less we'll ever be able to return to a free time. Have the times really changed that require this? I mean, the USA had a revolution, a wild west, a civil war, riots, the KKK, attack on Pearl Harbor, etc. during "the good old days" and we didn't need all this intrusion into our lives.
The best government is one that governs least.
I sympathize with the need to feel secure -especially with a new baby. I also like the example, because for specialists it is all too easy to dismiss the very real incidence that perceptions and feelings have in normal citizens' expectations and reactions with respect to security. If nothing else for the sake of achieving better security, advocates of security must understand these "nontechnical" elements, as they play a central role in what is permitted, or demanded, by the public.
However, I have to disagree with Bruce on the specific example of National Guard troops in the "sterile" area, which I think is a bad tradeoff even if it makes (some) people feel more secure. The risks:
(a) This practice introduces firearms in an otherwise secure area. Now an attacker simply needs to subdue a soldier (the "gotta pee" weakness) to get a firearm. Is an unarmed civilian going to challenge a person to fire a shot to prove the weapon is loaded?
(b) If the firearms are instead loaded, you get the risk of soldiers in the midst of a bunch of unarmed civilians. Unlike elite military or police, soldiers do not do well in such situations -even if they have been to Iraq.
(c) There's also the issue of an attacker impersonating a soldier, then using the attendant authority of the uniform.
Last but not least, one should generally oppose security theatre if we ever expect the general public to be more rational about security. Resources are always finite by definition, and those soldiers could certainly be put to a better use.
I will leave to others the analysis of the effects to an open, democratic society of having armed military personnel (as opposed to police!) visibly deployed on public spaces.
ac's point about TSA security theatre is interesting, most especially because it shows the way that security theatre can fail. Anyone who follows the news knows that security personnel routinely fail to identify test weapons sent through scanners, and that airport security perimeters are porous. So whenever they stand in a line holding baggies full of shampoo and mouthwash while watching crates of ostensible water trundle up to the airside concession stands, people are reminded of the enormous potential risks at the same time that they see so little effective is being done.
To be effective for morale and cooperation, security theatre has to give the audience participants the impression that the visible parts are being handled well; otherwise they'll never have faith in what they imagine happens behind the scenes.
A key aspect of "security theatre" is that the performers claim their little play and all the props are, in fact, there for your own good.
Now in most cases, it's basically illegal to actively test their claims. You can't hide a gun in your carry-on, just to see if the guards find it. You are simply told to trust the system. And this message is given to you at gunpoint. (Oh, the irony!) And of course, not only is this lack of verifiability a key reason why this kind of security theatre is so dangerous, but it also teaches the audience a certain amount of "learned helplessness" re: security. "You know nothing, peon! Eyes down, move along!"
However, absent of this sort of coercion, security theatre is less bothersome, at least if you ignore the "helplessness" the government wants you to carry around. From Mr. Patterson's comments:
"They told us, and I believe it's probably true, that if that fastener was cut, it would immediately set off alarms. It's much more than just a simple passive RFID transceiver."
Let's play along. Since this is one's baby "on the line", why should you take anyone's mere word? Had I been in this position, I would have instantly cut the bracelet to test the system, I would have walked the bracelet to test the alarms and (I personally find it incredible a hospital would build a man trap like this, but hey, it's their claim!) to verify that indeed attempting to take the baby off the floor would result in a lock-down. Indeed, I would expect, in this case, that people making these claims should be offering to make the demonstration to actively put people at ease -- if in fact that is the purpose of these systems. What do they have to lose? Testing their systems on a regular basis like this is arguably a good thing to begin with.
Sometimes security theater is a latent threat for hooligans to behave themselves. In other words, the theatrics may not have been intended for you.
Re: National Guard at airports.
Most of the guardsmen I saw were from Military Police units.
> Much of the post-9/11 security can be explained
> by this as well. I've often talked about the
> National Guard troops ...
> But to reassure a jittery public that it's OK to fly,
> it was probably the right thing to do.
This ignores one important fact:
Security theater is not perceived identically by everyone.
Some, who have a high confidence w.r.t. selection/education/quality of the national guard troops, may actually feel more secure due to their presence.
Others, who are afraid of hysteria/overreaction/poor-selection-standards, may actually feel a lot less secure by the presence of the national guard and would rather have them absent.
The question is: who makes the call on what makes "us" feel more secure and is worth spending the money on?
I had a son two weeks ago and RFID tags were used. Supposedly, if they got close to an exit the floor would get locked down, elevators would stop working, etc. As others noted, the tag was fairly loose and did come off on its own once during our stay.
One point that no one else has made: what is the nature of the attack? As I recall, the profile of the majority of the baby snatchers was a middle aged woman with histories of mental illness who snatched a baby with little planning. Some cases involved a woman visiting a hospital for another reason, they stop by the maternity floor on the way out and see a vulnerable infant that they walk off with.
Against this type of attack even small measures can have a large impact and the costs seemed pretty low to me.
You say that the rates of abductions have declined and attribute the decline to education while you label RFID as "security theater." Are there statistics to back this up or did the introduction of RFID contribute to the decline?
Armed (apparently) guys in fatigues around airports does not make one feel secure, unless the idea of a big camp with chimneys makes you feel secure.
At least at the hospital where our daughter was born, they used bracelets but not RFID tags.
And I am indeed sure that their measures were in part security theater, but the security wasn't quite as meaningless as some of the comments here would suggest. They also had a guard at the entrance to the floor, all visitors signed in and out, they issued bracelets to the parents, and they instructed the guard not to let anyone leave the floor with a baby without a matching bracelet. (It looked to me like the guard really did check.) They also instructed parents on what hospital employee badges looked like, and instructed parents not to give the baby to anyone not wearing such a badge.
Still quite possible to circumvent that security, but the most obvious holes did seem to be covered.
National Guard troops along the Mexican border sounds like the government is thinking security, until you find out they haven't been issued firearms.
"Stop! Or I'll say 'Stop' again!"
When our baby was born last year, his mother was quite concerned about the possibility of him being stolen, or mixed up with another baby.
The hospital had a simple but very reassuring response to those fears. They just said "We NEVER take the baby away".
And they didn't.
From the time he was born until we took him home, he was never more than six feet from his mother.
She did of course use a bathroom with the door shut, and she did of course sleep, but surely that policy is a much better solution than RFIDs?
Bruce's post is entirely logical, but takes for granted that the baby needs to be removed on a regular basis "for this or that test".
Another 'cost' to the system (the mom-baby RFID that is) is that Moms can't go into the nursery, lest they get too close to another baby and set off the 'wrong baby' alert. They also can't visit other moms' babies.
National Guards at the airport *do not* make me feel secure. Do you have any idea of what would happen if a young soldier felt compelled to use an M.16 rifle inside an airport? These are automatic weapons, designed to send a lot of projectiles in the general direction of the target. Not very efficient when that general direction includes a crowd. Not very reassuring when the crowd includes *me.*
In fact, learning that the guards did not actually carry bullets made me feel a bit better.
@Christian, FYI, all modern "M16"s (M16A2 or M4) are selectable semi-auto or 3 shot burst, not full auto. The military doesn't have any more desire for a hail of unaimed fire than you do.
And a long gun is generally much more accurate than a handgun...
"This also gets us all used to wearing RFID tags from an early age ..."
Hahahaah, yes, because if I wore an RFID tag when I was a kid, I'd be brainwashed into wanting to wear one now.
The idiocy of this pretense of a defense can be shown by borrowing a baby to take to the hospital to visit someone in the maternity ward. Visitors do not get tagged, remember. Your group comes in with one baby, splits into two groups, each leaving separately with a baby. In with one, out with two. How do the staff and security people know a visitor from a patient? Simple: visitors do not get tagged. So, remove the tags and breeze right through security.
In the vein of security theater as entertainment, I can only hope that some enterprising aspiring MTV contestant for goofy shows that shall remain nameless will read JoeN's blog post about his new Nike+ shoes:
It would be "fun" to watch a twenty-something try this out for real. Even better theater if they claim it's to protest the oppression of the downtrodden air traveller masses. Mix Nike+ shoes with traditional Muslim garb for a truly spectacular TSA response.
Sometimes it's best, or at least most convenient, to ignore silly, unenforceable airline regulations. The rule requiring me to turn off my Zune was probably written by lonely little old ladies who want a captive audience on board every airliner...
Thank you for a good thought-provoking essay to break readers out of a rut.
With so much derision of bad cases of security theatre, it is easy to fall into a habit of automatically dismissing all security theatre rather than seeing security theatre as the show and weighing its context, the value vs. costs, etc. Such habits are common in other aspects of security & privacy. How many times, when something new comes along, many will assume a privacy or security threat without examination or thought.
On a slightly light note, playing on the analogy implied by "security theatre":
Maybe people who are more aware of security issues tend to be like (non-security) theatre & film critics, analysing performances & panning them but often missing what appeals to the general public.
There will always be collateral damage in society. The government must decide an appropriate response to the amount of damage being caused. If the collateral damage caused by a certain type of attack is low, then they employ a complex power play in which they emplace different security theatre type measures while overhyping the threat through the media to keep the public looking to the good shepherd for protection from, say, the dread scourge of terrorism. Statistics are meaningless to the general public. I doubt that the government could do very much against a massive, coordinated, well organized terrorist attack on a national scale except recover afterwards.
In some hospitals a tag is placed on the umbilical stump, close to the skin. It then becomes very difficult to remove the tag without amputating the stump and causing significant bleeding. The tag can be removed with the proper key, making discharge simple, but making kidnapping more difficult.
The RFID tag also makes medication and other accidental errors less likely...which is of significant concern in all hospitals.
Having worked in IT at a hospital, I'm not entirely convinced that its purpose is security - it may be presented that way to parents, but there's many reasons to tag things (and people). Asset tracking is a big one, and one that almost requires readers all over the place. Hospitals are also very concerned about nurses delivering the wrong medication and/or moving to electronic charts rather than paper charts. Scan an ID (barcode, RFID, etc) and information about what medications a patient needs pop up on the screen - some even propose going as far as scanning each medication as it's delivered "bzzzt Wrong med!... bzzzt next dose not due for 4 hours!".
If you want the technology anyway and can get a grant for it by claiming "security", there's no reason, at least in a hospital's mind, to not go for it. Also, having RFIDs on the million dollar equipment (or the wheel chairs) and sensors on the doors prevents loss due to theft.
Can this be used in reverse? If our perceived level of security is higher than our actual security, can those who wish to bring these two levels back in line (to help enable smart security choices, as you'd mentioned) use some sort of security anti-theatre to show people the reality of their safety?
Isn't this a case where the risk is low, but the consequences of it happening are very high indeed. I thought that such cases justified such measures? One need only ask what the consequences would be for the hospital if it was sued and found guilty of failing to fulfil a duty of care to the baby and parents.
What one would need to do is measure the cost-effectiveness of these particular measures (RFID) versus 24 hour security, CCTV, etc.
If 1 in 375,000 is too high, please provide the correct trade-off at which it makes sense to provide bracelets.
"If 1 in 375,000 is too high, please provide the correct trade-off at which it makes sense to provide bracelets."
That would require a lot more information about the plethora of risks newborns face in hospitals, the various security and safety countermeasures that can reduce those risks, the costs of those countermeasures, and the effectiveness of those countermeasures.
My link below is a response to this post. The bottom line is this:
...This so reminds me of another security expert I admire, Gavin de Becker. De Becker wrote The Gift of Fear, my second-favorite security book (after Schneier’s Beyond Fear). De Becker’s approach is nicely complementary to Schneier’s: he addresses those moments when that primal part of your brain (the amygdala, I suppose) is saying “Something is wrong here…” His work is about tuning into, educating, and using that part of your mind to protect yourself in bad situations.
Schneier’s work is more about the situations when that part of your mind is a bad fit for the problem: it can save your life in a dark alley, or save you money in a bad business negotiation, but it won’t help you assess the security measures for your company’s network, or think sensibly about national security. When you aren’t confronted with visceral, accurate signs of human malice, Schneier clarifies things immensely. When you are, de Becker is your man. Problems occur when the wrong part of the mind is used to make security decisions.
I think there is important work to do around that boundary, between times when our primal minds will save us, and times when our rational minds will do a better job. In his post, Schneier is talking about a subtle point of detail in that boundary. I think it would be useful, socially and politically, for these two to get together. If Schneier and de Becker worked together, they could create some really useful mind-training, to help people use their entire mind-stack effectively to address the real threats we face.
How ’bout it, guys?
"That would require a lot more information about the plethora of risks newborns face in hospitals, the various security and safety countermeasures that can reduce those risks, the costs of those countermeasures, and the effectiveness of those countermeasures."
In that case, I don't believe you can state that 1:375000 is too high.
In addition, the comparison to overall infant mortality rates is also unreasonable. Infant kidnapping -- 1:375000 sounds unreasonably high, by the way -- can be dramatically reduced by a combination of training and hardware. And once past the initial investment, the cost per baby is down to the cost of the RFID tag -- well under $1.
Reducing infant mortality is a separable job: Better pre-natal care, re-training doctors and nurses, re-labeling of medicine to prevent incorrect dosing, and a plethora of other measures. One does not preclude the other. Hospitals don't have infinite resources, but the push for better error prevention is really taking hold.
I can't believe it took so long (so many comments) before someone (Ob-Gyn doctor) hit the nail on the head, so to speak. It came to my mind almost immediately.
RFID tags on babies is not about improving real security, nor is it about Security Theatre.
Any improvements in actual security or the patient's perception of security (security theatre) are simply desirable side-effects of using the tags, which are without doubt there only to reduce litigation and insurance premiums.
The hospital is a business after all.
I don't know about you, but the 'security theater' of airport guards armed with automatic rifles makes me feel less safe, not more.
What about audits for the sake of auditing? Checklist-based "Best Practices"? What percentage of those are "Theater"?
Level 2 PCI "self-assessments"? Mostly theater.
ISO 27001 "audits"? Can be theater, easily. Same goes for NIST/OCTAVE Risk Assessments. Heck, think about HIPAA. There haven't been any real fines, have there? If your standard has no teeth, what do you call it? I'd call it theater.
We go through these processes, come up with terms like ROSI, and for the most part, it can be 80% theater for 20% result (or 64/4 if you'd rather). But there is some small benefit. The trick is that most risk/security analysts out there are stuck with that 80% that is "theater" (a friend of mine once complained that out of any 20 work days, he spends 15 answering multiple compliance demands).
I think the question of theater and benefit should also consider risk tolerance. When babies are involved, it can be argued that any abduction amount greater than one is worth a limited potential benefit for the investment.
I believe for the infant RFID, security is probably only one aspect of the use of this technology. The ability to correctly identify infants to reduce "baby-swapping" and also keep track of health care information would probably be other features that RFID would allow. And as said before, this will reduce insurance premiums and such.
What happens when a tag gets removed? Can't they just use the anti-shoplifting tags? If you'd see someone with a baby covered in blue ink, one could safely assume they had a stolen baby.
It seems flawless.
Plus, babies covered in blue ink would be funny.
"This is significant because 250,000 deaths a year in the US are attributed to iatrogenic causes. Yes, doctors and nurses are the third largest cause of death after Cancer and Heart Disease*. Of these 250,000, seven thousand are medication errors and 20,000 other errors - many of which are related to patient misidentification. The balance is unnecessary surgery, drug side effects and hospital acquired infections."
A better way to have mothers (and fathers) re-assured that their baby is safe from abduction is to encourage mothers to birth at home. Done right, home birth with an experienced midwife is safer for mother and child during a normal delivery. Hospital births should be reserved for deliveries where pre-natal checks have indicated an abnormal situation that would benefit from medical intervention, or where the mother insists on birthing in a hospital.
Bruce is right about the value of re-assuring the mother though. A mother who is relaxed during delivery will typically have a shorter and easier birth - whereas a mother who is tense or worried is more likely to have a longer labor and is more likely to need medical intervention. Everyone is different, but most mothers are more relaxed at home surrounded by a few supportive people she chooses including an experienced midwife, than in a hospital setting.
Although home birth carries a higher risk in some ways because medical expertise and technology are not as immediately available, this risk is more than compensated for by the reduction in hospital-specific risk - including that of abduction.
Widespread home-births would also result in a huge cost savings, not just RFID tags, but Doctors, nurses, overnight stays etc. Of course this comes at a cost of reduced revenues to the medical industry, so they won't support it. But spending huge amounts of medical system resources on birthing is very wasteful. Those resources could be spent on people who really are sick.
When analysing the security aspects of birthing, the analysis needs to be done in a context wider than simply RFID tags and the risk of abduction. It also needs to be done in a context wider than just the hospital or medical industry as it stands. All risks to both mother and child should be considered, as well as having an open mind about alternatives to a medicalised birth.
We've had three children; the first was born in hospital, the other two at home. They were all midwife attended (by a midwife we'd built up a relationship with during the pregnancy, not a rostered midwife.) None of the births had complications and we felt they all went well. However, having to go to hospital and return with the first birth was an interruption. My wife's labor was stopped during the trip to hospital and the whole birth process was undoubtedly lengthened by it.
We of course know a huge amount more about birthing after having three children than we did at the start. I guess in life you can have two attitudes - just be a passive consumer and accept everything the experts and officials tell you, or you can investigate stuff that affects you and make an informed judgement. For me I'd rather be the informed consumer. I wish we'd known more about our options before our first birth - that would have been at home too.
I can't understand dlg: "I find no reason to object in this case, since education of mothers about the real threats would be both tedious and probably pointless (you only have so many children in your life)." Sure, education about say just the threat of infant abduction from hospital in isolation might be pointless. But why not a wider education about the real risks and opportunities of childbirth and early parenting? That would be really valuable.
Do you advise people to buy a car or a house without any kind of education and information about those decisions (you only have so many cars or houses in your life)? Do you see no value in informing and educating parents?
I guess it comes down to whether you prefer to remain ignorant.
I think you're correct but this begs the question of why the infant
needs to be out of the sight of the parent(s) anyway?
I suspect hospitals have a strong interest in not having parents
accompany the infant when performing tests and procedures. Childbirth
seems to have become highly medicalized and bureaucratized. 'Tagging'
newborns is another example of internalizing the culture of control, no
different than obediently taking off our shoes at the security checkpoint.
Either me or my wife accompanied both of our daughters in the hospital,
not because we thought someone would snatch them, but because we felt it
was important that they have contact with us in a loud, bright
disorienting environment (A different kind of theater to reassure
ourselves?). While we were not treated with hostility for this, we
often sensed annoyance on the part of the staff.
I thought I'd written enough already.
I agree, if you have hospital birth, isn't it a good idea to keep sight of your child all the time? This is a great way to ensure your child isn't abducted, swapped, given the wrong medical treatment or made to feel any more anxiety than necessary for the treatment they are receiving.
When we had our child in hospital, she was born in a birthing unit which was homely and comfortable, she was always with us in the room we were in, and stayed with my wife the whole time (about 14 hours, overnight, the birth was at 3am). All tests, measurements, treatments etc. were done by our midwife in our presence.
This is a classic case of different actors having different perspectives. As parents, the security afforded by keeping an eye on our child is worthwhile because it costs us little. OTOH to the hospital, having a parent accompany the child everywhere has a cost (lost time and annoyance to the medical staff) which isn't necessary in their view to gain the security benefits. It's cheaper to put an RFID bracelet on the child than to let her mother or father follow her everywhere.
It also gets the population more used to RFID tagging of people as a concept, and I think this is one of the greatest dangers. Once this becomes normal (it isn't used yet in my country afaik, our births were 8 - 14 years ago so I could be wrong), the progression to an RFID implant that keys to your national hospital number, social security number, drivers license and passport isn't so far away.
Assuming the RFID tags identify each baby, then they would be useful to help keep babies from being mixed up. I don't have any data, but I wouldn't be surprised that mixing up babies or giving them the wrong tests is a much bigger problem than infant abduction. Hospitals might describe the RFID tags as an infant abduction security preventative, when they might really be doing it to prevent hospital mistakes. The latter isn't something they would tell the families.
On 1-25-07, Steve S wrote: "I'm surprised you missed this gem that made the Merc. Just this month, a 1 day old was taken from the hospital without the alarms going off."
But, he missed a few interesting, and troubling, complications. See http://www.securityinfowatch.com/article/...
The mother cut the tag off and left the hospital with the baby. Per the news, she "escaped" in a cab. Apparently the hospital did an (involuntary?) blood test of the mother during childbirth and found drug use, and were in the process of calling in child protective services. The local cops eventually found mom and baby, and convinced her to go back to the hospital. The DA declined to press child endangerment or kidnapping charges, since it was unclear whether or not the child services paperwork had gone through.
The troubling questions, in addition to why bother basing security on a removable tag. Should drug using moms not deliver babies in a hospital? Should they only do so anonymously or with false names? Is it smart to encourage drug using moms to avoid medical care under our system of mandatory reporting to child services? How can one get emergency medical services without giving involuntary drug tests? Does the 5th Amendment still apply to mothers of crack-babies? Should it? Why would anyone sign the broad hospital-written waiver, without significant revisions, when they legally must provide emergency services anyway?
Interestingly, the above article cites statistics that make your US baby abduction statistics too conservative, by a factor of about 50. Of the 233 abductions in 22 years, only half (116) occurred in health care facilities, and only 5 were not later found. So these security systems are based on about a 1-in-16 million successful US baby abduction risk.
I suspect that the risk of "rational crack baby mothers" avoiding medical care to avoid child protective services is much higher. To say nothing about the very real risk of child protective services wrongly taking away babies from mothers mistakenly labeled as crack-heads, or otherwise unfit.
Of course, societal allowance and justification of this stuff gets started in the context of stopping terrorists and protecting children (including child porn).
Back to "baby safety." Next time you or a significant other delivers in a hospital, have the mother insist on walking out holding sans wheelchair on discharge. Or, to really shake things up, have dad carry the baby out independent of mom. Although both are perfectly legal, every hospital will go completely nuts for so called reasons of safety and security, respectively. And of course stopping you could very well be cause for illegal involuntary detention.
"And the 1-in-375,000 chance is not today's risk. Infant abduction rates
have plummeted in recent years, mostly due to education programs at
The above is a Good Thing. I'm inclined to believe that part of the reduced risk is an effect of the RFID tags being there.
If there is a recurring theft of something (in this case; babies) and we introduce an efficient countermeasure, then I don't see why we should be *surprised* to see the theft rate (and the risk of theft) going down. That was the intention, wasn't it?
Imagine that the RFID tags would be removed, because of the low theft rate. Don't you think the rate (or the risk) would increase again?
>in the early 90's. At a large market store in Mankato, that is no
>longer in the area. I was in an aisle and grandma was by the small
>ketchup bottles. She takes one off shelf, removes lid, inserts finger,
>removes finger and inserts in mouth, replaces cap and sets bottle back on
>shelf. She repeated this four times. The fourth bottle must a been ok
>as she put it in the cart. I started buying items that could not be
>opened in such fashion.
>And on the RFID tags for newborns. Chance of baby getting wrong mother
>is lessened also. OB wards can be hectic places and mixups have
>occurred, I think this would be more peace of mind than a tag that could
>be removed before anyone knew you had left the building.
I am father of two, and I would like to add a comment here.
It is not only the fear of baby abduction. It is only the fear of baby exchange.
As Richard Dawkins states in The Selfish Gene, we, as human beings, are afraid of caring for babies that do not carry our genes. I agree with him.
Security Theater frequently has just one purpose: to make you feel insecure and scare you.
Scared people give up their civilian rights voluntarily, therefore (certain) politicians really, really do love security theater...
What they frequently don't consider: scared people (or people being pissed by the security theater) will not go near your place anymore, unless they really have to.
Care to have a look at the US tourism industry statistics?
Just read this linked from a later post of yours.
"I've often talked about the National Guard troops in airports right after the terrorist attacks, and the fact that they had no bullets in their guns."
" As a security countermeasure, it made little sense for them to be there. They didn't have the training necessary to improve security at the checkpoints, or even to be another useful pair of eyes."
" But to reassure a jittery public that it's OK to fly, it was probably the right thing to do."
No. It was a terrible thing to do. That was the first time ever I was afraid to fly. I find men with machine guns very scary. Police are scary enough. Military folks holding their guns ready? I seriously expected one to go nuts and gun down the entire concourse.
I'm not alone. My POV is *NORMAL* here. In fact, the prime argument for prohibiting people from waving weapons around is that it makes everyone *feel less safe*.
The "theater" in this case was designed to frighten people so that the government could get away with stuff, and it temporarily worked. My reaction, however, is not to give up my rights but to start assuming bad will on the part of the government, and treat it as a hostile actor. Multiply this by millions and you begin to understand the *actual* effect this had on the public.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.