Schneier on Security
A blog covering security and security technology.
« Random Stupidity in the Name of Terrorism |
| Encrypting Disks »
July 4, 2008
Hundreds of Thousands of Laptops Lost at U.S. Airports Annually
This is a weird statistic:
Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey.
Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-sized airports, and 69 percent are not reclaimed.
Travelers seem to lack confidence that they will recover lost laptops. About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn't do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.
I don't know how to generalize that to a total number of lost laptops in the U.S.; let's call it 750,000. At $1,000 per laptop -- a very conservative estimate -- that's $750 million in lost laptops annually. Most are lost at security checkpoints, and I'm sure the numbers went up considerably since those checkpoints got more annoying after 9/11.
There aren't a lot of real numbers about the costs of increased airport security. We pay in time, in anxiety, in inconvenience. But we also pay in goods. TSA employees steal out of suitcases. And opportunists steal hundreds of millions of dollars of laptops annually.
EDITED TO ADD (7/14): Seems like this is not a story.
Posted on July 4, 2008 at 8:20 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Maybe losing your obsolete laptop at an airport (perhaps while covered by travel insurance) is a good way to trade up to a newer model? (Or is that very cynical?)
Or maybe some people just pretend they've lost it and try to get the refund from travel insurance.
but why lose them at the airport? there are plenty of places where one can lose a laptop...
You "lose" it at the airport because that's the most plausible place to lose it. "Everybody knows" that they get stolen from checkpoints, or the bathroom floor, or whatever.
(Bruce once wrote that certain people have the native ability to 'think crooked' and see vulnerabilities. I think I have that to some degree; it's almost a reflex to see how you can work around a system. I think some of those people go on to write mysteries and action-adventure novels...)
Astronomical number. Hard to believe. What happens to the laptops after they are "found" by the TSA?
Glenn: what do YOU do with your native ability to think crooked? My friend Terry Jones, who thinks crooked really well, wrote a bankrobbing scheme, Manhole: http://www.fluidinfo.com/terry/2008/05/09/...
Anyway, whether the laptops are lost, left, or stolen, this is a huge number and, as Bruce said, translatable into real dollars. All these cases involve wrong-doing, including accidentally leaving the laptop and failing to attempt to recover it.
There's a fine line between lying and pretending. If you wrap the truth in so many lies it makes it hard to find, people tend to be more interested in finding it.
"There aren't a lot of real numbers about the costs of increased airport security." The security cost per passenger should be easy to determine. Take the security spending and divide by the number of passengers. I'll guess it's around $3.00-$5.00 per passenger. I guessed wrong, it's $9.00 per passenger. "Furthermore, the cost of airport security ($9 per passenger) is 1000 times higher than for railway security ($0.01 per passenger), even though the number of attacks on trains is similar to that in planes." "Since 1969, only 2000 people have died as a result of explosives on planes, yet the US department of homeland security spends more than $500m annually on research and development of programmes to detect explosives at airports."
Cost of screening graph
Clear half a million dollars! Clear To Award $500,000 Clear Prize for Checkpoint
The idea is that faster+cheaper=better.
Do people lose laptops on trains?
I have lost my laptop on a number of occasions (not in airports but twice on trains) and it was always returned to me. Don't people have name tags with phone numbers on their luggage? Does the Lost and Found department not try to return lost items that have considerable value and have namtags on them? Or in them when you open/start them in the case of laptops?
It puzzles me.
We intercepted 13,709,211 prohibited items at our security checkpoints. Of this, 11,616,249 were lighters
Lots of lost lighters. Eventually this will go down when people quit bring lighters to the airport. Common sense should tell you to carry matches which are cheaper to replace. Because the dolts show up with lighters, security has to process 11,616,249 of the things when there's better things to do.
No, mare, no departments try to return property. Look at all the staffing cuts. Who's the first to go? An individual might try to return something, but not a department. Even if you KNOW you left something on a plane, even if you report it a minute after you get off, you can kiss it goodbye.
Frisbee asked "What happens to the laptops after they are "found" by the TSA?" I don't know about laptops, but prohibited items like pocket knives are sold in large lots to resellers (after choice items disappear, of course). I know people who sell TSA-confiscated pocket knives on ebay.
"The Transportation Security Administration (TSA), a new division of the Department of Transportation, has mandated that all U.S. airlines add a security fee to all tickets sold on or after October 1, 2003. This government-imposed fee, called the "September 11th Security Fee," will be used to pay the government’s cost for providing Federal civil aviation security services. This includes training, salaries, and benefits for the Federal security screeners and law enforcement personnel, as well as the Federal Air Marshal program.
The government-imposed September 11th Security Fee will apply to all airline tickets, including frequent flyer award travel, and will be calculated at $2.50 per flight number to a maximum of $5 per one-way or $10 per roundtrip. In other words, if you fly from Dallas to New Orleans and change planes in Houston (which means the flight number will also change) – you will be charged $5. However, if you fly through Houston on the same plane, your flight number stays the same and you will be charged $2.50. The fee will be collected from all Customers at the time of reservation." Source, Southwest Airlines
The old idea that security should pay for itself went out the window. On top of the new fees, now you have higher fuel costs and new per bag fees. Coming next, pay toilets. $1.50 per flush.
Laptop recovery fee will be $5.00 after you pay $10.00 laptop check in fee. The logic is that people without laptops should not pay for those with them.
Competition went out the window.
"The Transportation Security Administration did not fully justify the lack of competition for 15 single-source contracts totaling $469 million that it awarded in fiscal 2006"
"The TSA, when it was created by Congress in 2001, was allowed an exemption from the Federal Acquisition Regulation. Under the exemption, TSA was allowed to award noncompetitive single-source contracts when they can be justified in the best interests of the agency." Source, http://www.fcw.com/online
Who needs competition when you can just dictate more fees? Wouldn't competition be in their best interest? Better solutions tend to be competitive ones. If competition can make a cheeseburger better, it should make the TSA perform better and cost less.
I'd not have believed it if I weren't in an airport departure lounge right now, having half an hour ago witnessed a mobile phone pass through security with the owner failing to pick it up on the other side.
That's where the $3.00 mob phone fee comes in Edd. If they paid that, they would of remembered. Then there's the $5.00 mob phone recovery fee.
@off: "Lots of lost lighters."
Sure, but we don't know how many of those were decent lighters.
I don't smoke, but everyone I know who does uses disposable lighters and throws them around like confetti. The value of a disposable lighter *new* can't be more than about 50c, let alone whatever old one you happen to have in your pocket on the day. So I wouldn't be at all surprised if for 11 million passengers per year it simply isn't worth the effort of getting matches especially for flights.
Of course the numbers might go down as people get more used to the restrictions. But then again they might not.
TSA-Don't Buy American
"The Transportation Security Administration is reconsidering its recent decision to arm U.S. commercial airline pilots with German-made Heckler & Koch handguns, only a few days after House Small Business Chairman Donald Manzullo, R-Ill., inquired about the agency's method of choosing a supplier, according to congressional and gun industry sources.
The companies that competed for a three-year, $5 million contract to supply TSA with as many as 9,600 .40-caliber semiautomatic pistols have been told that their bids will be re-evaluated, but the reasons were left unclear, industry sources said. TSA officials told at least one firm they had questions about information the agency used earlier this month to select H&K as the winner.
The questions came from Manzullo, an outspoken advocate of "Buy American" laws to help support U.S. manufacturing jobs."
When they do try competition, they make U.S. companies less competitive. You have the Air Force importing jets (maybe) and these guys looking at buying German pistols. No wonder we have problems. What next, the FBI driving Toyotas. FAA in Hondas.
This is something.
Woman gets 1-year sentence in drunkest-driver case
"Jarrett served as a Seattle police officer and detective from 1979 to 1998, according to police records. She worked at Seattle-Tacoma International Airport as a supervisor and screener for the Transportation Security Administration (TSA) from 2002 until she resigned after her 2007 arrests.
Her former TSA supervisor told Steiner on Friday that he'd known Jarrett for six years and never saw any evidence of alcohol abuse, with Jarrett going beyond the requirements of her job to do superior work."
They never saw your laptop either.
OK, someone has to ask.
Given all the increased security in airports, how can anything be "lost"?
If it is really lost, left lying somewhere, surely there should be a security alert?
Obviously this doesn't happen (even the current braindead news media would realise something is up if there were half a million security alerts per year) but why not?
Could it be that airport security is still a joke?
Somewhere, some lucky airport employee has a *killer* Beowulf cluster of these things.
Hard drive removed from computer, and put back in sloppy. On a T43, you can tell, especially with BIOS settings. Computer was checked in baggage. USA - USA flight.
Side intelligence gathering I bet. TSA powers are being abused.
Just another report, wonder how much of this is going on.
Microcode is everywhere, even in hard drives. Not cool.
Never trust any inspection of a computer...Another reason why **AA want power to inspect, etc.
The world is being deconstructed. Measured, weighed, divided.
(disclaimer: I live in Europe)
I don't see what's wrong with the FBI driving toyotas. They would save a whole lot of money on maintenance, and even more on gas. If they would buy US build cars, only because they were build in the US, that would be irresponsible usage of government funding. The only considerations should be functional and economical. Why is it so hard to admit that maybe Japan *is* better at building efficient, low-maintenance, low-cost cars?
Re "TSA- Don't buy American".
It seems you like forcing the free market on others but aren't so keen when others produce better value goods than yours.
"TSA employees steal out of suitcases."
Yes they do. I recently found my camera replaced by a TSA calling card. Since there is nothing you can do about it, I didn't bother to complain. Still, it was only $99 at Walmart. Who'd want to steal it?
Where do the missing laptops go? Think 'looting'. And think of eBay as the world-wide 'fence'.
Here's an exercise.
Purchase a bunch of laptops on E-Bay. Determine the amount of personal information recoverable from this sample and extrapolate to the airport laptops. This should be a very conservative estimate, assuming that people try to clean up their machines when they sell them.
I'm sure it'd be a decidedly non-trivial quantity.
When American companies are paying for what government buys, it should buy American products. To tax U.S. firearms makers and buy imported firearms makes no sense. It's bad enough that we are stuck importing oil. The free market has limits. Look at oil. The price is fixed, not a result of supply and demand. If you want a Toyota that your business. When the government buys, it should buy American which supports the jobs that pay for government. The only way to remain a free country is to support your own industry. That way you keep your own country competitive. That's why we don't need to import fireworks.
www.zambellifireworks.com We have the ultimate boom town http://www.newcastlepa.org/
The TSA has a policy of not lifting a finger to help anyone with anything.
Expecting them to make any sort of effort to reunite a passenger with a lost laptop is unrealistic. They might grudgingly point you towards the lost and found department and after half a dozen false starts you might even find it but you will be completely on your own from there on.
For fun sometime ask the screener for a complaint form once you get through security. The best part is that if you actually get one (very unlikely) it turns out to be a top secret document which states that it is a felony for you to be in possession of. (It's also quite useless -- it allows you to provide praise but no negative feedback is allowed for.)
I don't think the TSA is the problem here. If you know where your laptop is at all times, and understand the risks of having it go missing, you're very unlikely to lose it. This is a traveler stupidity problem, not a TSA security issue.
The real problem is that the TSA has narrowly defined "security" exclusively as reacting to 9/11 and other specified terrorist acts or threats in the stupidest, most intrusive possible fashion to show the public that "they're on top of it." That means they're concerned only with attempting to prevent extremely rare acts of terrorism while ignoring (and even encouraging) the far more common risks to passenger security such as theft, or the loss of property mislaid during the stressful and chaotic screening process.
A passenger who has to juggle shoes, a 3-1-1 "victory baggie," a laptop, a carry-on, and possibly whatever items the screener decides to remove from the carry-on for inspection, while showing a boarding pass repeatedly and possibly being wanded or asked questions, has a high likelihood of forgetting or leaving something behind at the checkpoint. That's clearly a "security problem," but since it's unconnected with terrorism the TSA isn't responsible for it, isn't accountable for it, and has no reason to care about it. It's a "cost of security," but it's not something the government bean counters have either the means or the inclination to count. Nor do they count the cost of millions of people waiting for extra hours at airports, either in security queues or at the gate because there's no way to predict how long the "security" process will take.
The TSA's approach to "security" clearly has very poor cost-effectiveness. But because much of the cost is in the form of numerous uncountable externalities borne by passengers, it will never be possible to subject the TSA to any objective assessment of their cost-effectiveness. Which I'm sure suits Michael Chertoff and Kip Hawley just fine.
The TSA is a political organization, not a security organization. One of its features is that it is the nucleus of a potential nationwide Federal operations agency, and could be rapidly expanded to operate as such. (I balk at calling it a 'police' force.)
The TSA's well-known indifference to earning public respect should scare anyone who studies organizational history; and the rest of us.
With air travel in decline, I don't believe that TSA will rapidly expand. Running checkpoints isn't that difficult. This could be done by any number of local law enforcement organizations or security companies . Before TSA it was done by private industry working with law enforcement. The system worked fine. What failed, failed at the national level, intel failed. The terrorists should of never got to the checkpoints. So then then the system that failed, produced a new system that is failing differently. The screening process could of been beefed up. It was changed to make it more like what failed.
"The indictment of TSA is complete. The Israeli airline, El Al, is asking permission to screen it’s own baggage instead of the TSA agents. The underlying question is, are the TSA agents so incompetent that a foreign airline will not trust our agents to check their baggage for bombs?"
“El Al knows our security isn’t worth a hoot,” said Michael Boyd, an aviation industry consultant from Colorado and a longtime TSA critic. “It’s a heck of an indictment for the TSA when a foreign airline says they want to screen their own luggage. It says they don’t trust us.”
"Aviation experts agree El Al has the toughest airline security system in the world, including intensive training of its personnel, extensive luggage searches, tough questioning of passengers and armed guards on board every flight." Source
Security of the airline, by the airline and for the airline goes a long way.
Following are the claims made for theft by TSA agents between November, 2002 and August, 2004....http://thetravelbloggers.com/2006/03/06/tsa-claims-and-theft-statistics/
Unreal, security needs security to watch security.
> Where do the missing laptops go? Think 'looting'.
Mmmm... TSA *is* a part of the gang of looters called "the government". Any surprise that it's members are prone to habitual theft?
Important data would be know if these were corporate PC's or personal . .. I bet 90% + of the losses are business.
Most people will steal from their employer in a hearbeat but are generally afraid of insurance companies!
Let's look at the last 2 pars from Bruce's original link to PC World:
"The Ponemon survey was commissioned by Dell, which on Monday announced new security services to commercial customers that include tracking and recovery of lost laptops and prevention of data theft.
Dell's laptop tracking service uses technology including GPS (Global Positioning System) to locate and recover lost laptops. The data protection services include the ability to remotely delete data on a hard drive and services to recover data from failed hard drives."
and @ Dell:
and the Dell Press release at the Ponemon Website:
and the full research report:
and here's the kicker:
"Laptop loss frequencies were collected from a confidential field survey as either a direct weekly estimate or as a range variable as reported by airport officials. Exact loss frequencies were typically not calculated or available for review."
Anyone care to caluclate the error rate in this?
And for those of you aiming for TSA, the % of laptops lost at airports which are lost at security checkpoints is said to be a mere 40%.
Otherwise you've got your departure gate, your restroom, your food service, your club or lounge, your transport system, your retail establishment and your ticketing to pick on now.
You all forgot to think about visa.
If someone live overseas, he needs to apply and pay for a new plane ticket, a new visa (100 $ !), custom fees, and two or three spare days. What if the visa is refused ?
Noone at aiport will bother to pay UPS fees, even if asked to by phone.
So it is cheaper to buy a new laptop.
TSA, what poor service. Lost items get sold and somebody gets kickbacks and $. You know this is being exploited to the max.
Would be nice to be able to reclaim your OEM DELL etc computer. Heck, the government will spy on us, make extensive databases, but they will not use any of the info for good, to return lost computers and protect USA secrets and integrity. GRR.
PGP could help, especially for TSA to only get ownsership, who to call etc. No vision by TSA/gov.
Wonder if EL-AL does something like this? Good to have a society evolving.
When is the USA going to learn? Gov supporting a fence like some online auction? No wonder TSA is corrupt and problematic, mostly like current government.
Thankfully this blog exists, to expose the lack of vision and real insecurity, and lack of problem solving. Dirt needs to get out and comments need to be made.
"It seems you like forcing the free market on others but aren't so keen when others produce better value goods than yours."
"More Buicks were sold in China last year than in the U.S., and Ford increased its sales in China last year by 30 percent, the Discovery series says."
Buy a Buick.
"The Transportation Security Administration (TSA) is testing prototype bags at airports in Ontario, Calif.; Austin, Texas; and Chantilly, Va., that would mean some passengers would no longer have to remove laptops from their carry-on bags at security checkpoints." Seattle Times reports.
Testing? It's a bag, it works or does not work. You can take a monkey in a bag. http://www.tsa.gov/press/madness/monkey.shtm Why not just have a different line for laptop users. It's not like everybody carries one. Making millions of bags when everybody already has a bag is dumb and expensive. Throw out your bag to make some TSA screener have an easier day on the job. The thing won't work, because the threat will be that people try to use the bags to smuggle other stuff making the bags a security threat. After the TSA convinces millions of people to buy a new bag of course.
Somebody please make a list for the TSA of stuff to be smuggled in new TSA Special Purpose laptop bags so we don't end up with a bomb on a 737.
These new foam and nylon cases will set you back between $100 and $200. Targus's X-rayable cases vary from a $39 backpack and a $100 business traveler version. And there are at least four or five other manufacturers also submitting prototypes to the agency for checking.
But there's still a catch, of sorts: the TSA is not certifying these bags, and asks that manufacturers use terms like "checkpoint friendly" instead, and avoid buckles pockets or zips in the design. Does that mean your impractical bag won't seal securely and some officious security guard may still make you fish out your laptop anyway, as he doesn't believe it to be "friendly" to the X-ray machine? Time will tell.
6 months later they'll be opening the bags because people get creative and TSA will say the new bags didn't go as planned. Keep your old bag if it still works.
Come on! Even in London Heathrow Terminal 5 you do not have to take your Laptops out of the bags anymore. Here is another defense complex scheme to gain tax payer money and get rich...Forcing me in the name of security to buy a TSA approved bag....
"The Transportation Security Administration is out of control. Recently, I was returning home to Denver from Salt Lake City after a long day of work. I was wearing a white cotton blouse over a white jockey undershirt. At the Salt Lake Airport's security line, a young, male TSA officer told me to remove my blouse before proceeding through the metal detector."
Personally, I have a very close relationship with my laptop and could never imagine leaving it behind...but then again, I've yet to travel through the airport with my children, so I'm sure that would probably distract me enough. In any event, I just recently made a post on my blog about some new support options from Dell and my analysis of if these options are worth the money or not that could be of interest to people and/or companies that commonly have this problem.
From the article: "The Ponemon survey was commissioned by Dell, which on Monday announced new security services to commercial customers that include tracking and recovery of lost laptops and prevention of data theft."
The survey was commissioned by *Dell*- who..oh, by the way announced new laptop security services the very same week?
No, I'm not buying the numbers (nor the services).
Whether you believe this number or not, the fact is, there are daily news on lost and stolen laptops and the impact on the businesses and personal lifes. Check out NWW's Laptop Hall of Shame (http://digg.com/tech_news/Laptop_losers_hall_of_shame). There is good news though, Alcatel-Lucent has an innovative solution that not only protects the laptop data, but also simplify IT management and provide visibility into the "mobile blindspot". It is called the NonStop Laptop Guardian, check it out on: www.alcatel-lucent.com/nlg
@ Bob Meade
You are spot on. The rate of error is so high, subsequent stories have essentially discredited the study.
Note this article:
"Data doesn't add up on study of missing laptops at U.S. airports"
"'We consider this study very nonscientific,' said Sari Koshetz, a TSA spokeswoman, who added the study doesn't accurately reflect the number of laptops lost at TSA checkpoints. The TSA says that, nationally, about 75 laptops are reported lost or missing each month. More than 2 million passengers go through TSA checkpoints each day."
Or howabout this?
"Computerworld asked Miami International officials to provide what records they have on lost, missing and stolen laptops. Their data shows that for all of 2007, 68 laptops were reported stolen and 480 were turned in to the airport's lost and found. For its part, the TSA in Miami reported that in the 12-month period that ended May 31, it had received only 38 missing laptop claims."
Ouch. Seems like Ponemon, a supposed expert on "ethics and social accountability" now has some accountability issues of his own to address.
A decent workaround (at the lost of some productivity on the plane -- which is a minimal tradeoff compared to the overall productivity loss of a stolen laptop) would be to just package up your laptop and send it to your destination with full disk encryption through some reputable courier like FedEx with tracking and insurance.
Its the same application with regard to the "how do you transport expensive stuff" problem with jewels and vaults in one of your earlier posts Bruce -- use obfuscation and misdirection whenever possible to counter well known, predictable attack scenarios.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..