Schneier on Security
A blog covering security and security technology.
February 1, 2006
Privatizing Registered Traveler
Last week the TSA announced details of its Registered Traveler program. Basically, you pay money for a background check and get a biometric ID -- a fingerprint -- that gets you through airline security faster. (See also this and this AP story.)
I've already written about why this is a bad idea for security:
What the Trusted Traveler program does is create two different access paths into the airport: high security and low security. The intent is that only good guys will take the low-security path, and the bad guys will be forced to take the high-security path, but it rarely works out that way. You have to assume that the bad guys will find a way to take the low-security path.
The Trusted Traveler program is based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That's simply not true. Most of the 9/11 terrorists were unknown and not on any watch list. Timothy McVeigh was an upstanding US citizen before he blew up the Oklahoma City Federal Building. Palestinian suicide bombers in Israel are normal, nondescript people. Intelligence reports indicate that Al Qaeda is recruiting non-Arab terrorists for US operations.
But what the TSA is actually doing is even more bizarre. The TSA is privatizing this system. They want the companies that sell Registered Traveler passes for profit to do the background checks. They want the companies to use error-filled commercial databases to do this. What incentive do these companies have to not sell someone a pass? Who is liable for mistakes?
I thought airline security was important.
This essay is an excellent discussion of the problems here.
Welcome to the brave new world of "market-driven" airport security, where different private security firms run and operate different lanes at different checkpoints, offering varied levels of accelerated screening depending on how much a user paid and how deep of a background check he or she submitted to. Thus the speed at which you move through a checkpoint will theoretically depend on a multiplicity of factors, only two of which are under your control (the depth of your background check and the firm(s) with which you've contracted). Other factors affecting your screening time, like which private security firm is manning a checkpoint and what resources that particular firm has invested in a particular checkpoint (e.g. extra personnel, more screening equipment, and so on) at a particular time of day, are entirely out of your control.
This is certainly a good point:
What's worse than having identity thieves impersonate you to Chase Bank? Having terrorists impersonate you to the TSA.
Posted on February 1, 2006 at 6:11 AM
I'm not convinced this is a Bad Thing. Having gone through at least one pretty comprehensive background check, I can tell you that, if administered properly, with a standard set of things to check for (e.g. FBI/state criminal background), it might actually work. Of course, the databases they use would have to *not* be filled with error (that is a weakness), and they might even have to do something more than simply do a database search (which, of course, will drive up the cost.)
I would think that the rigor of check would be at about the same level as required to obtain a Concealed Handgun permit in the states that allow it.
What I hope doesn't happen (as regards rigor of screening at the airports) is how an anti-spam feature in MS Exchange was configured: when the volume of mail to be processed reached a certain threshold (indicating a bottleneck condition, or maybe the beginning of an inbound spam run), the anti-spam filters were automatically bypassed, to allow the mail to be processed without delay. This would be a *Very Bad Thing* if applied to airport screenings.
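The load-triggered bypass described in the comment above is worth seeing in code, because it is not just a configuration mistake but an attacker-controllable one: whoever can generate enough traffic decides when inspection stops. The following is an added example, not code from the original post, from any commenter, or from Exchange. It models a screening gate two ways: a fail-open gate that waves items through once its backlog exceeds a threshold, and a fail-closed gate that never skips inspection and instead defers the excess. The `Item`, `Outcome` and `run_gate` names, the threshold, and the constructed flood input are all assumptions for illustration.

```python
"""Fail-open versus fail-closed screening under load (added example).

An attacker who can flood the gate can push a fail-open gate into bypass
mode and slip a dangerous item through uninspected. A fail-closed gate
sheds load instead, so nothing is ever admitted without inspection.
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed policy knob: above this backlog the fail-open gate stops inspecting.
BACKLOG_THRESHOLD = 5


@dataclass
class Item:
    ident: str
    dangerous: bool  # ground truth, known only to the sender


@dataclass
class Outcome:
    passed: list = field(default_factory=list)    # admitted through the gate
    rejected: list = field(default_factory=list)  # inspected and refused
    deferred: list = field(default_factory=list)  # turned away while busy, must retry
    uninspected_passes: int = 0                   # admitted without any inspection


def inspect(item: Item) -> bool:
    """Stand-in for the real check; assumed perfect so only the policy matters."""
    return not item.dangerous


def run_gate(items, fail_open: bool) -> Outcome:
    """Drain a burst of arrivals through a gate that inspects one item at a time."""
    out = Outcome()
    queue = deque(items)
    while queue:
        if len(queue) > BACKLOG_THRESHOLD:
            if fail_open:
                # The flawed policy: backlog is "too big", so wave the head through.
                item = queue.popleft()
                out.passed.append(item.ident)
                out.uninspected_passes += 1
                continue
            # Fail-closed: shed the newest arrivals (they must come back later),
            # but every item that is admitted still goes through inspect().
            while len(queue) > BACKLOG_THRESHOLD:
                out.deferred.append(queue.pop().ident)
        item = queue.popleft()
        (out.passed if inspect(item) else out.rejected).append(item.ident)
    return out


def flood_then_attack(n_filler: int):
    """Constructed input: n_filler harmless items, the attack, then n_filler more
    harmless items so the backlog stays deep while the attack reaches the head."""
    before = [Item(f"filler-{i}", dangerous=False) for i in range(n_filler)]
    after = [Item(f"filler-{i}", dangerous=False) for i in range(n_filler, 2 * n_filler)]
    return before + [Item("attack", dangerous=True)] + after


if __name__ == "__main__":
    for policy in (True, False):
        result = run_gate(flood_then_attack(10), fail_open=policy)
        print(f"fail_open={policy}: attack passed={'attack' in result.passed}, "
              f"uninspected={result.uninspected_passes}, deferred={len(result.deferred)}")
```

Note the shape of the attack input: the filler after the dangerous item is what keeps the fail-open gate in bypass mode at the moment the attack reaches the head of the queue. A burst too small to cross the threshold is inspected normally in both modes, which is why the failure only shows up under load, exactly when nobody is looking.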
Unless, of course, one successfully passes a thorough background check and then has their identity stolen and used to bypass security.
Just because someone has passed a background check doesn't mean the person passing through the checkpoint was the person the background check was done on.
Several 9/11 hijackers had illegally obtained ID papers. How hard will it be to pay someone to change the biometrics on a record so the fingerprint identifies a terrorist as someone who has already passed check?
How hard will it be when the people entering data are low-paid wage earners?
I'm counting the days until it's discovered one of these privatized companies outsourced their data entry to Pakistan.
And I just finished telling a friend that I didn't think private citizens would willingly give their fingerprints to the government.
I'm bothered by this:
"The Registered Traveler programs will be market-driven and offered by the private sector. ...with prices established by private sector providers."
What are the penalties to the private-sector provider for clearing someone who shouldn't have been? What, other than profits, are going to motivate the private-sector provider?
What airports have such crappy security? For me, the lines at the check-in and luggage screening are worse than the metal detectors.
Privatization is not always a bad thing. Public servants can be slow and irritating. I know; I am surrounded by them.
I don't know about the idea of opening this for competitive, side-by-side operation, but certainly, outsourcing this to a company that takes on the entire program across the TSA's jurisdiction might be a good idea.
I think the whole idea is just stupid. Wait in line. That is why my Nintendo DS goes *everywhere* with me, and most of the security guards know what it is so they don't even pull it out to look at it when they do anything more than scan my carry-on baggage.
Except, by the way, at the Parliament building in Ottawa. I nearly got strip-searched because I was carrying a camera on the wrong floor....
"They want the companies to use error-filled commercial databases to do this. What incentive do these companies have to not sell someone a pass?"
Surely an agreement with their customers and its reputation (probably one of their best values)... But what incentive does a civil servant have to not sell someone a pass? ;)
BTW I don't think that it's a good idea, but I'm sure that the people most interested in not losing planes are... air companies.
All it takes is one terrorist with a non-typical background to pass the Registered Traveler program security checks and then we're screwed.
Alternatively, they could take a person who passed the background checks and either force him to do something bad, or replace him with someone who will.
Given the corporate and government's proven lack of ability to identify who someone is with any reasonable certainty, and the flaws in their cyber-security, it is not too unlikely that the terrorists will be able to modify the credentials of whomever they choose to replace, or create their own.
I don't remember who said it...but a quote that comes to mind goes something like this:
"Good people can have bad papers, and bad people can have good papers."
"but I'm sure that the people most interested in not losing planes are... air companies"
Unfortunately (for them), they don't seem to mind losing their customers. I for one refuse to let them treat me as a felon...
Background checking does not attract the best people, nor do they strive to develop best practices. Consider how many police officers have been sworn in before the later discovery that they should never have survived a background check. (It is fairly common to retain a sworn officer after his disqualifying background turns up.)
Background checking is like any other testing: management is inclined to keep cutting corners without limit, and whistleblowers are punished.
you are surprised? privatization is the mantra of neoconservatism, as grover norquist said, they want to reduce government to the size where it can be drowned in a bathtub.
the medicare prescription drug benefit made it open season for insurance salespeople to pitch oldsters plans which simply cannot be comprehended over the phone, and the law even exempted them from the earlier "do not call" law.
the privatized social security accounts would have turned every worker into a market player. some people get rich in the casino of finance, most don't, but the croupier always does well.
privatized airport security is a natural extension, yet another field for well-connected firms to occupy. if i knew jack abramoff back in the day, i'd get him to talk to several friendly congresswhores, they write letters, my company gets the contract and the next thing you know, your lives depend on the level of diligence exerted by my hires in our pursuit of profits. i will have carefully crafted tiers, diamond, gold and silver levels depending on what the traffic will bear. by way of reassurance, if osama bin laden's distant nephew qualifies as a silver trusted traveler, gets on one of the new airbus 380's with a block of c-4 in his briefcase and blows 600 people out of the sky, the manager who approved him will be permanently relieved of his/her duties and escorted out of my building by security. that should put your fears to rest.
we even have a stealth provision ready to insert in the next budget bill at the last minute. in order to protect our nascent industry from the specter of crippling, catastrophic liability, and to protect the american jobs we have created, our liability will be limited to the cost of your ticket in the event of a major whoopsie. we can't have slick ambulance chasers clogging our courts just because you won the terrorism lottery.
Come to Jeff and Akbar's TSA screening Shack.
We offer Guaranteed screening with a genuine certificate of screening at the end of it all.
Simply fill out the background check form, sign it, including the declaration that you're telling us the truth and that you're not a terrorist. Then detach your certificate from the bottom.
When you get to the airport remember to use Jeff and Akbar's security lines. We're the cheapest and we promise you none of those inconvenient searches that other lines perform (Unless you're really hot, or you ask nicely).
So remember for Dirt Cheap Security Theater, it's Akbar and Jeff, the screeners in the Fez.
Z. (Apologies to Matt Groening)
"... the manager who approved him will be permanently relieved of his/her duties and escorted out of my building by security."
He will then set up a TSA Screening consulting firm, thus creating more jobs and an even higher level of security.
"but I'm sure that the people most interested in not losing planes are... air companies"
- if their planes are well-covered by insurance, I wouldn't want to bet the national security on this fact.
I am remembering back to the days shortly after 9/11, when the solution to the low-paid employees of private security companies at the airports doing inefficient screening was //begin fanfare// making them federal employees //end fanfare//. This would provide the best possible screening methods and make America safe for air travel.
So now the next generation of that is to provide numerous side channels of traffic flow administered by //begin fanfare// low-paid employees of private security companies //end fanfare//. Golly, that sounds great to me.
The one point I'd take issue with is the implication that privatization increases the potential for incompetence and corruption, which is boundless regardless of whether capitalists or bureaucrats are running the show. At least the private companies can be fired when they screw up spectacularly.
"but I'm sure that the people most interested in not losing planes are... air companies"
Narpo was on the trail of a better overall solution: The government should stop giving the airlines a free pass on liability and responsibility for safe operations. It's one more example of how government regulation benefits those regulated, at the public's expense. If something goes wrong, the airline need not prove due diligence, only that it obeyed the government rules. The airline continues business as usual, and responsibility is buried in the government labyrinth.
As with everything in life, the likelihood that people will perform competently is directly related to their stake in the outcome.
I am always curious about how strong the airline professional controls are since they have more clearance than the rest of the herd. Their credentials are not impossible to break (e.g. Frank Abagnale has some funny pilot impersonation stories), and yet today they seem to bypass most of the controls used for passengers.
Their role-based access suggests security can actually expedite pilot/flight attendant access to the plane based on some form of more "trusted" status. It thus makes sense that people would believe that many roles could be established with varying levels of efficiency for flying. Isn't that the nature of trust? On the other hand, what's to stop privatization from leading to weaker controls and becoming more susceptible to breaches, since markets don't always start out with the right dynamics?
Great. Now all Osama has to do is to buy the TSA database from Checkpoint (or whatever), or just wait for somebody to lose the tapes, or the laptop. And bingo! Thanks a lot, infidel Americans!
Let's not forget two other things free market magic will bring:
Screening companies looking to cut costs by lobbying TSA to reduce onerous regulations without regard to safety.
Screening companies looking to increase revenues by lobbying TSA to make non-RT's screening even more burdensome, thus increasing their customer base.
This is not market-based security. Real market-based security would make the security companies liable for damages if a terrorist got through. And encourage insurance policies for those damages, with the insurance companies doing audits and penetration tests, and boosting rates if the companies fail.
It's just like Bruce talks about for security flaws in software: get the financial incentives right, and we'll get better results.
Here's a thought: Let's assume for a moment that RT works perfectly (please, just go with me for a minute) - what actual benefits accrue to the participants? They get through the screening a bit faster and then can spend the time saved ... waiting on the aircraft while the plebs get dicked around in the plebeian queue. Cool. That'd be worth paying for.
I suppose you might save time at the other end and delay your departure from home to the airport by a few minutes/hours. That might be useful I suppose, but somewhat prone to chance (unknown traffic, unknown length of wait at Jeff & Akbar's Screening, etc).
* shrug *
It just doesn't seem like a very good deal to me even if it works as advertised, but then I don't have to cope with TSA on a daily basis ;)
It works two ways. Right now the comments indicate the thought process is about what happens if a terrorist is let through the low security path.
The opposite is also true.
How many decent upstanding travellers will be assumed to be terrorists because they do not wish, or cannot perhaps gain access for one reason or another, to the private firm's biometric pass?
I know I have no wish to enable a private firm to finger through my private details. Will I then be assumed to be a terrorist suspect moreso because I wish to maintain a discreet level of privacy in an increasingly public and intrusive world?
It is dangerous because with this kind of procedure you need to look past just the technology and look at how human nature will interact with it. People take the easy way out, and if the media begins to tell people that if you don't get the background check then you're an evil terrorist, then people will begin to believe it and their perceptions and actions will change. Propaganda at its 'finest'.
"Will I then be assumed to be a terrorist suspect moreso because I wish to maintain a discreet level of privacy in an increasingly public and intrusive world?"
It seems so, and from an outsider point of view, it seems to be increasingly the point of the whole thing.
The more stuff I see the States doing, the more it seems they want to make "wants privacy = evil terrorist" what people think.
Why you would want that is beyond me.
"BTW I don't think that it's a good idea, but I'm sure that the people most interested in not losing planes are... air companies."
Unfortunately, it's not that simple. Airlines recognise that from time to time they will lose a plane, it's an inevitable fact of life in an imperfect world. Thus rather than "not losing planes", they must apply some sort of fatal calculus to optimise the losses that will occur. It sounds ghoulish if you've never been involved in safety engineering, but really it is the best way to approach the problem.
Thus their objectives in maintaining flight safety are twofold:
a. for a given available safety budget, minimise direct losses from aircraft crashes, including both the loss of the aircraft and compensation to relatives of the victims; and
b. minimise loss of business caused by reduced public confidence.
So far as terrorism is concerned, they quite correctly observe that the rate of loss of aircraft due to deliberate attacks is MUCH lower than the rate of loss due to accidents. Thus, their logic has always been that any money spent on anti-terrorism security is money wasted, that could have been better spent improving general aviation safety. Similarly their approach to public confidence about airline security has always been "security theatre", i.e. relatively inexpensive measures that don't really achieve much but look good to the ignorant.
This isn't a new attitude: I recall airlines violently resisting security measures back in the 80's, and they still do. (US airlines *still* haven't made cockpits inaccessible during flight. The ones that have, surprise surprise, are largely state owned.) Furthermore, except for one tiny little flaw which I privately call "the bean counter fallacy", their thinking is absolutely correct and perfectly moral: they really will minimise suffering and loss of life by spending as little as possible on real security, and using the money saved for safety programs and fooling the public about anti-terrorism security (because it is, in fact, safer than the alternatives).
But there is the bean counter fallacy. The bean counter fallacy is the error which occurs when we use past statistical data to summarise the risk from an intelligent opponent. It usually goes something like "our total losses from burglaries last year were less than the wages of the night watchman, so it would be more economical to retire him." It is perfectly valid to use, say, the past incidence of lightning strikes on aircraft to estimate the risk of that happening again in the future (assuming we do not radically change the design of aircraft). However using the past incidence of aircraft hijackings to estimate the future risk of aircraft hijackings is abject nonsense. It is wrong in two important ways:
a) the future risk is likely to change in dramatic ways according to the political climate. (It is also true that the incidence of natural phenomena varies from year to year, but rarely to anything like the degree that human activity does.)
b) more seriously, an intelligent opponent will analyse your strategy and adapt his own accordingly. For example, if you retire that night watchman, it is very likely the number of burglaries will soar!
1. Some people argue that the current generation of security theatre in the US is an expensive gravy train, but in fact the total expenditure on it is a microscopic fraction of the annual budgets of airlines. In a previous blog entry on this topic, I calculated that the total is about $1 per passenger per 1000 miles of flying.
Well then, maybe a 9/11-level event killing 3000 people should be a much more expensive loss to the airline than mere loss of a plane.
This Registered Traveler scheme lets the TSA say, essentially, "OK, we've seen this guy before, we know he is who he says he is, we can pass him quicker through screening". It's just part of the profiling process. Provided that it doesn't mean exemption from baggage scan, random search, etc., I'm not sure there's a problem.
Schiphol airport, Amsterdam, operates a Registered Traveler scheme called Privium. You register for it by proving your identity, providing biometric data (iris scan) and paying some money; then you get a card which lets you use a special channel. When you go through this channel you put your card in the machine and present your eye to the scanner, thus verifying your identity, so you bypass passport control. Outbound, you get the normal hand baggage scan and metal-detector gate. But it's a hell of a lot faster, both inbound and outbound, than the standard lines, and that makes it really worth while if you travel through Schiphol a lot.
Privium is of course not privatised - it's operated by the airport, and the Dutch have more sense than to privatise their airports. But in principle, I wouldn't see a problem with such a scheme being operated by a private company; after all, they would have no more details about you than you give to the airline every time you make an international flight. I can't see an airport having the space to allow multiple lines operated by competing companies.
The only problem I have with the TSA's "Registered Traveler" is that they want to use fingerprint as the biometric, which seems to me to much more at risk of error, and maybe forgery, than iris scan.
It *was* much more expensive for them: the massive loss in public confidence caused the largest string of airline bankruptcies in history.
Unfortunately, the airlines who "learned their lesson" through this process are no longer in business. The ones who are still in business -- in fact, have expanded market shares -- are patting themselves on the backs for managing the crisis so well. Now, would they survive another atrocity of such magnitude? Probably not. But the way they think, is that the attacks of 11 September 2001 were a once in a century event, so the odds of it happening again on their watch is negligible.
This is of course completely wrong-headed thinking, and is an example of what I mean by the bean counter fallacy.
> This Registered Traveler scheme lets the TSA say, essentially, "OK, we've seen this guy before, we know he is who he says he is, we can pass him quicker through screening".
I think you miss much of the point of Bruce's objections. The scheme may well enable the TSA to say they've seen the guy before and know his identity, but why exactly does that enable them to pass him quicker through screening? The fact is that quite a few of the 9/11 hijackers were frequent air travellers who had been "seen before" many times, and while some used fake IDs, most of them used their real ID documents because they weren't under suspicion.
Successfully registering for this scheme has almost nothing to do with whether or not one is likely to carry out a terrorist attack. True, some people will be unable to register because they will be under suspicion. However, all this does is tell the terrorist cell which members are under suspicion and which are not. So long as they have some who are not (and it is practically certain that they will), it will not reduce the risk of an attack in any way.
As such, persons who successfully register for the scheme should not be any less subject to search (to the extent that it is effective in any case) than other passengers. Indeed, you wrote:
> Provided that it doesn't mean exemption from baggage scan, random search, etc., I'm not sure there's a problem.
I'd add, and also no exemption from magnetic/X-ray scanning at the entry to the "secure" area, and I'd agree: I don't see a problem. I also don't see any point, since the only thing that is left is swapping an iris scan for inspection of the passport, and the difference in time for these processes is quite small.
> ... and paying some money; then you get a card which lets you use a special channel.
This is the real utility of the system: by providing a line which can only be entered by paying money, we ensure that most folks can't afford to use it, so therefore the usage is much lower than the regular line, so the "special" line moves faster. A side effect is that (as you noted) there is only limited space available for lines, so the plebeian lines will be even more crowded and hence even slower. It has nothing to do with security, it's just entrepreneurial. And as others have noted, the problem for which they are selling a solution was created by them in the first place, so really it's a form of extortion ("pay us more money or we'll make you late for your flight!"), and creates a perverse incentive (the more obnoxious they are at the plebeian queue, or the more careless they are at the rich queue, the more money they make).
It's a replacement for *border control*, not for security. It also stores all its iris-scan biometric data on the card, rather than a central database.
I'm not sure if that model translates well to the US system, where the vast majority of travel is domestic, and any equivalent would only replace the cursory check of the driver's license that occurs before security screening.
Privium doesn't presume a 'trusted' status for any traveller with a card. It just presumes that the traveller flies out of Schiphol often enough to think that the EUR99 is worth paying for border control (or the EUR119 for business-class check-in and priority parking).
Implementing a Privium equivalent, in that regard, would be something of a 'push', in that it neither adds to security nor takes away from it. If someone wants to pay $100 to beat the lines to get his/her license checked, then fine and dandy, as long as that person goes straight back into the security line afterwards.
The TSA's model, on the other hand, seems much more troubling.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.