Schneier on Security
A blog covering security and security technology.
« Terrorism False Positives |
| British Pub Hours and Crime »
January 11, 2005
A nascent security trend in the U.S. is tracking schoolchildren when they get on and off school buses.
Hoping to prevent the loss of a child through kidnapping or more innocent circumstances, a few schools have begun monitoring student arrivals and departures using technology similar to that used to track livestock and pallets of retail shipments.
A school district in Spring, Texas, is using computerized ID badges to record this information, and wirelessly sending it to police headquarters. Another school district, in Phoenix, is doing the same thing with fingerprint readers. The system is supposed to help prevent the loss of a child, whether through kidnapping or accident.
What’s going on here? Have these people lost their minds? Tracking kids as they get on and off school buses is a ridiculous idea. It’s expensive, invasive, and doesn’t increase security very much.
Security is always a trade-off. In Beyond Fear, I delineated a five-step process to evaluate security countermeasures. The idea is to be able to determine, rationally, whether a countermeasure is worth it. In the book, I applied the five-step process to everything from home burglar alarms to military action against terrorism. Let’s apply it in this case.
Step 1: What assets are you trying to protect? Children.
Step 2: What are the risks to these assets? Loss of the child, either due to kidnapping or accident. Child kidnapping is a serious problem in the U.S.; the odds of a child being abducted by a family member are one in 340 and by a non-family member are 1 in 1200 (per year). (These statistics are for 1999, and are from NISMART-2, U.S. Department of Justice. My guess is that the current rates in Spring, Texas, are much lower.) Very few of these kidnappings involve school buses, so it’s unclear how serious the specific risks being addressed here are.
Step 3: How well does the security solution mitigate those risks? Not very well.
Let’s imagine how this system might provide security in the event of a kidnapping. If a kidnapper -- assume it’s someone the child knows -- goes onto the school bus and takes the child off at the wrong stop, the system would record that. Otherwise -- if the kidnapping took place either before the child got on the bus or after the child got off -- the system wouldn’t record anything suspicious. Yes, it would tell investigators if the kidnapping happened before morning attendance and either before or after the school bus ride, but is that one piece of information worth this entire tracking system? I doubt it.
You could imagine a movie-plot scenario where this kind of tracking system could help the hero recover the kidnapped child, but it hardly seems useful in the general case.
Step 4: What other risks does the security solution cause? The additional risk is the data collected through constant surveillance. Where is this information collected? Who has access to it? How long is it stored? These are important security questions that get no mention.
Step 5: What costs and trade-offs does the security solution impose? There are two. The first is obvious: money. I don’t have it figured, but it’s expensive to outfit every child with an ID card and every school bus with this system. The second cost is more intangible: a loss of privacy. We are raising children who think it normal that their daily movements are watched and recorded by the police. That feeling of privacy is not something we should give up lightly.
So, finally: is this system worth it? No. The security gained is not worth the money and privacy spent. If the goal is to make children safer, the money would be better spent elsewhere: guards at the schools, education programs for the children, etc.
If this system makes so little sense, why have at least two cities in the U.S. implemented it? The obvious answer is that the school districts didn’t think the problem through. Either they were seduced by the technology, or by the companies that built the system. But there’s another, more interesting, possibility.
In Beyond Fear, I talk about the notion of agenda. The five-step process is a subjective one, and should be evaluated from the point of view of the person making the trade-off decision. If you imagine that the school officials are making the trade-off, then the system suddenly makes sense.
If a kidnapping occurs on school property, the subsequent investigation could easily hurt school officials. They could even lose their jobs. If you view this security countermeasure as one protecting them just as much as it protects children, it suddenly makes more sense. The trade-off might not be worth it in general, but it’s worth it to them.
Kidnapping is a real problem, and countermeasures that help reduce the risk are a good thing. But remember that security is always a trade off, and a good security system is one where the security benefits are worth the money, convenience, and liberties that are being given up. Quite simply, this system isn’t worth it.
Posted on January 11, 2005 at 9:49 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
We are raising children who think it normal that their daily movements are watched and recorded by the police.
My gut feeling is that this is actually the primary objective of this system, and that we will continue to see systems like it, on grander and grander scales.
In re the 'agenda' argument: I've thought for a while that this also explains the terrorism-alert system: it may be wholly ineffective, but it covers the Homeland Security department's collective butt.
However, does that really make sense? Suppose the anti-kidnapping system is ineffective, and that some child ends up getting kidnapped in a city that has deployed the system. Then won't the school administrator still lose his job? In other words, how could an ineffective system ever cover anyone's butt?
It would cover their butt because they made an effort... AND it gives them someone to pass the buck to. I agree that this is further attempts to erode mankind's natural BS Sensors (tm).
Re: "We are raising children..."
I agree with Bruce that this is the most important aspect of this system, and not only this system - of every 'security by established identity' mechanism employed by organizations.
In 2025, when kids turn 18 and no longer need to wear their RFID bracelet, they'll feel that something is missing, not that they have gained a freedom.
In 2045, when kids turn 18, it is legal for them to surgically remove their subdermal smart-RFID. But most will rather not, because there will be many places they can't get into without it, like collage or airports.
It's amazing that schemes like that are legal, even in the US (certainly not in Europe because over there, the law requires privacy intrusions to be justified). An interesting question is whether the parents were asked for their consent.
Call me crazy, but I think all the people involved with these systems aren't all stupid. The agenda idea is interesting. It seems these systems have goals of their own, a confluence of intention between the designers, the sellers, the authorities involved, the parents and the schools. Ultimately, the system's achievements may be very different from most people's intentions. However, I think some people involved with these systems know exactly what these systems will do.
To me, a useful way to frame the question of "what is a system intended to do" is to answer the question "what does the system actually do?" Obviously these systems will not, and cannot actually protect children in any meaningful way.
Bruce, you outlined five steps. You used this to make your point that the systems are ineffective, in the way they're portrayed. So we can ask the same questions in a different light.
1. What assets are we trying to protect? To me, it's clear that these systems are not trying to protect children. Rather, that seems to be a marketing point. I don't know what assets these systems are really trying to protect.
2 & 3, What are the risks and how well does the system mitigate those risks - depends on the answer to #1.
I think steps 4 and 5 lead in an accurate direction generally pointing to the answer to #1. These support your idea of agendas. This looks like good ground for exploration.
The road to hell is paved with good intentions...
What price privacy? Very little, since people are giving it away without question, without thought, without something useful in return. What a wicked web we weave.
The guys over at OK-Cancel did a comic about this sort of thing a while back, and a pretty good associated column where they pinned this sort of trend on the replacement of Big Brother with "Big Mother": http://www.ok-cancel.com/archives/...
Fingerprints. In this context useful only to identify bodies. Here in New England there was a group running around trying to scare parents into getting their kids fingerprinted after a high profile missing child incident. As far as I could tell no one was ever asked to explain how having fingerprints on file protects the fingerprinted.
On the other hand, the assistant principal would love to be able to use the database, I'm sure.
Glancing through the report, one of its weaknesses appears to be using a definition of "child" as being from 0-17 years of age. 59% of the non-family kidnappings are of "children" in the 15-17 age range. From the examples given, most of these involve teenagers kidnapping other teenagers.
The general tendency towards risky behavior and the vastly lower level of parental supervision means that lumping together pre-pubescent and adolescent children together for the purposes of assessing their risk of being a crime victim is counterproductive.
Adding teenagers does make the numbers more impressive, however, and probably does help sell security systems.
A couple of schools in Osaka and Wakayama prefectures in Japan have been routinely using RFID tagging for the children (via badges, bags, clothes) since August 2004. This is partly in response to what used to be a very rare crime: violent crime against children. The readers are scattered throughout the schools and specific readings are sent home via email or phone. The system is meant to be used in primary, junior high and cram schools. Since in Japan kids spend much time in school, if not several schools in one day, this is considered a valuable system. Also, I do not think the tradeoff between security and cost is absolute, cultural differences between USA, EU and Japan are very significant. NAJ (www.naj.co.jp) make the RFID system.
The quoted statistics seem very questionable to me. Two data points that leave me suspicious:
(1) A chance of 1 in 340 of being kidnapped each year means that I would expect to see about one or two children per year kidnapped from my son's school. But I'm not aware of *any* in the last ten years.
(2) If you look at the fine print on missing child ads in newpapers, buses and milk cartons, the date of abduction is almost always years in the past. If the problem were that big, wouldn't these ads concentrate on recent cases, which are generally more easily solved?
In short, someone without an axe to grind needs to take a good look at the data and publish their findings. (IMHO, "without an axe to grind" excludes NISMART.)
The RFIDs already in some kids textbooks could be adequate for tracking. Commodity RFID readers, not just in the library, picking up the digital pheremone as children move through the school or on and off buses.
Would it make children safer? No.
Would it protect schools from liability? Probably not.
Would it teach kids to accept living in a world with an invisible digital leash, keeping them within the delineated bounds of our orwellian society? Likely, yes.
Would it be pushed aggresively as a legitimate solution to some phantom problem by the powerful RFID consortium and their PR and lobbying apparatus to suck funds from public schools? You betcha.
All too often, I think schemes like this are due to "Politicians' Logic":
He's suffering from Politicians' Logic. Something must be done, this is something, therefore we must do it.
- Yes, Prime Minister: Power to the People; Jonathan Lynn and Antony Jay
As a former school bus driver, I can see reasons to have this that have nothing to do with kidnaping.
First off, the driver may only legally let kids off at their stop, at their school, to their parrent, or to a school official. This would make it hard for kids to get off at the wrong stop, intentionally or acidentally (and I have seen both). This would make it easy for the district to figure out where the kid did get off.
I do not understand the mania for fingerprinting school kids though.
Think of this as an inventory control system for school busses.
I have melded the quoted kidnap figures, of 1 in 340 per annum by family and 1 in 1200 per annum by strangers. Under assumptions of general randomness, this gives a 6.22% chance of being kidnapped at least once before one's 17 birthday. Is this true?
Bruce didn't give the precise reference, but I think that the kidnapping figure includes all of the custody dispute kidnappings. These tend not to make even the local news, since in most cases it is a custodial parent versus a non-custodial parent. The nature of such a kidnapping is very different and much less newsworthy.
this program is not to increase child safety. it is simply to limit school district liability. if a child is kidnapped on a day X and the bus driver can produce both sets of prints for day X the school is off the hook.
Re: We are raising children
Or perhaps the opposite is true? Schemes like this could give children an early start at figuring out how/why to defeat/disarm surveillance.
It seems to me that while Bruce's analysis maybe correct in his view, it is possible to hold beliefs or understandings so that his analysis is incorrect. In other words, since everything is a trade-off, I would argue that even reasonable and informed people can disagree and come to different conclusions on the correct trade-off. The initial conditions to the reasoning process just vary too much between individuals.
Also, I think that the comment by Ronald Pottol above probably provides the best (likely) justification for the existence of the systems: If someone is notified as soon as the child gets off at the wrong stop, a policeman or the bus driver or someone else can take immediate action to get the child home safely (reducing the potential for kidnapping presumably while walking a longer distance home). The CNET article is just not detailed enough to know how the systems are used.
"In other words, since everything is a trade-off, I would argue that even reasonable and informed people can disagree and come to different conclusions on the correct trade-off." It is true that almost everything can somehow be justified. The people who have the power to make those decisions, whether school authorities or governments, tend to undervalue freedom in the trade-off with security. That's why civil liberties, including privacy, must be protected by laws. In a decent society, it shouldn't be possible that children be treated like that just because somebody in power "holds the belief" that it might be a good idea.
Having skimmed the report, custody disputes are not included. The figures are for non-family kidnappings. The number of "stereotypical kidnappings" (child taken by a stranger or slight acquaintance, transported 50+ miles, kept overnight, with intent for ransom, murder, or other bad things) in 1999 was 115 for the country. As a crime, kidnapping can be included as a charge in other cases where the victim was either held against their will, or transported against their will. Most of the examples given in the report were from sexual assaults against 15-17 year olds. Bad crime, but not what is commonly thought of by parents as a child kidnapping.
As much as respect Bruce in general, I think his analysis here has gotten off on the wrong foot:
Step 1: What assets are you trying to protect?
The School District.
Step 2: What are the risks to these assets?
Children getting off at the wrong stop, getting hurt/kidnapped/etc., and the parents suing the school district. The school district does have liability if they let the children off at the wrong stop.
To a lesser extent, there is the risk of children getting onto the wrong bus in the morning. When this happens, if it isn't noticed immediately, the school district has the burden of sending the bus out of its way to correct the problem.
Step 3: How well does the security solution mitigate those risks?
When children get off at the wrong stop, the system will notice. The next day, when the child shows up at school, he/she will be given detention or otherwise punished. Children will quickly learn not to do that, and the risk to the school district is substantially reduced.
Sure, children will learn to give their ID cards to other students so the system doesn't notice them getting off at the wrong stop. But in this case, the district will have records "proving" the child got off at the correct stop. These records will be useful defense in a lawsuit, even if they aren't accurate.
If the system immediately notifies the driver when a student gets off at the wrong stop in the afternoon or on the wrong bus in the morning, the driver can attempt to intervene, reducing the risk further. This would all but eliminate the "wrong bus" problem in the mornings.
(Ask anyone who took buses to school in cold, rural climates if they would have appreciated a system that would have saved them from the trouble/embarassment of getting on the wrong bus. I imagine most would say "Yes, please").
I'm sure school districts will sometimes enact policies with the intention of benefitting or protecting the students, but in general, that's not their goal.
And, yes, they'll use threat of kidnapping as their public motivation, because that always scares parents and gets them to accept almost anything. But that doesn't mean the threat of kidnapping has anything to do with the district's actual decision making.
It would be interesting to see if truancy was a problem in the cities where it was implemented. Keeping kids from skipping school would be another alternative ulterior agenda.
This system raises so many questions about exactly how it will protect children that I don't even know where to start.
What happens if the child gets off the bus at a friend's house, for a scheduled play date? Do I have to notify the police that my son is going to his friend's house after school? If my daughter is sick and doesn't get on the bus will the police phone my home to find out where she is? Does the system spit out a printout every morning and afternoon listing all children who did not get on the bus or got off at the "wrong" stop? Will amber alerts be immediately issued for these children? Will the police be devoting a significant amount of their workday to figuring out where all these "missing" children are?
Of course not.
If the goal really is to protect children, I have a better solution. Hire bus drivers who will get to know the children and care about them. They will know where the child lives, where she gets on the bus, and where she gets off the bus. They will notice if the child isn't there. They won't let a child off at a friend's stop without a note from me. A clip board with a list of names and a pencil can be issued if the school district needs a physical record.
Most schools have teachers who take attendance soon after the children arrive, and will notice if a child isn't there. The school then usually calls the parents.
Someone also has to be at home to see that the child gets on the bus, and to be there when the child gets off.
Bruce usually points out that humans are the best security. This "surveillance system" of parents, bus drivers and teachers is the best security I can think of. By involving the police we are all given a false message that we don't have to be vigilant about our children's (and our neighbor's children's) whereabouts, because the police know where they are and therefore our children are (somehow) protected. This scares me even more than the privacy issue.
havin just read the article i think its a good thing that they are doing
I work closely with school transportation systems and there are many reasons this type of tracking is needed. Complaint calls are frequently logged concerning "little Johnny" not arriving home when he was supposed to. Bus drivers are constantly defending "when and where" the chlid got off the bus. This is an additional layer of protection for the school systems to support and defend the actions of the drivers (if warranted) rather than getting into a "he said she said" dialog. We live in a society where less and less people take responsibility for there actions and put the blame others. In turn, the effected parties must provide evidence to the contrary - i.e. student tracking
Hello ... I'm franch and I wanna know how can parents and the police prevent young people from getting into trouble ?
Tanks you !!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.