RAND Corporation on Trusted Traveler

New paper: "Assessing the Security Benefits of a Trusted Traveler Program in the Presence of Attempted Attacker Exploitation and Compromise":

Current aviation security procedures screen all passengers uniformly. Varying the amount of screening individuals receive based on an assessment of their relative risk has the potential to reduce the security burdens on some travelers, while improving security overall. This paper examines the security costs and benefits of a trusted traveler program, in which individuals who have been identified as posting less risk than others are allowed to pass through security with reduced security screening. This allows security resources to be shifted from travelers who have been identified as low risk, to the remaining unknown-risk population. However, fears that terrorists may exploit trusted traveler programs have dissuaded adoption of such programs. This analysis estimates the security performance of a trusted traveler program in the presence of attacker attempts to compromise it. It finds that, although these attempts would reduce the maximum potential security benefits of a program, they would not eliminate those benefits in all circumstances.

Tags: , , , , , ,

Posted on June 20, 2011 at 7:01 AM • 29 Comments

Comments

AlanJune 20, 2011 7:23 AM

The paper analyzes the potential security benefits. It fails however to consider the potential political risks. The ultimate problem is that the first time a "trusted traveler" commits an act of terrorism, it will become a political and public-relations disaster. The safer course politically is to have a baseline security screening the applies to everyone, without exceptions.

Clive RobinsonJune 20, 2011 7:35 AM

This idea of "trusted travelers" has been looked at many times and every time some one comes up with some way to do it, it turns out they have failed to consider what an intelligent observer can learn and then exploit.

That being said as others have observed in the past there is a "trusted traveler" scheme in place already, it's called "rent a private plane".

BobJune 20, 2011 7:43 AM

> The safer course politically is to have a baseline security screening the applies to everyone, without exceptions.

Except, or course, our political leaders, who don't have to use public transportation, so don't have to endure the same level of screening...

LouisJune 20, 2011 7:52 AM

I surmised that in a somewhat distant future, travel will follow a broker / container security model.

Where one traveller will have to provide his own security outfit; some will be able to afford top security other will use minimal.

And the transporter will be void of responsability, and build their "transport vehicules" accordingly.

The decision of security will rest of the traveller's risk assessment, not the airline or the govt.

GreenSquirrelJune 20, 2011 8:08 AM

To be honest, I take my hat off to any one who read through that report in full. I found it quite hard going.

I have plenty of issues with this as a concept so I may not be the most unbiased reviewer however, I will try to look at some of the points in the report:

1 - The whole thing is based around selling access to the plane. This is a bad thing because terrorists tend to have access to money (at least the scary international ones).

2 - It undermines the basic concepts of passenger screening - i.e. everyone is screened the same - which have been used to justify the screening of aircrew etc. Without this basic, default level, then the general public screening is pretty pointless. (more on this in a second)

3 - The conclusion *appears* to be based on counting the possible options and assigning an equal probability. This doesnt make sense to me as the concept gives potential terrorists a fantastic way of narrowing down the people they need to either become or coerce.

4 - Who takes responsibility? By taking a fee to decide who gets reduced screening and who doesnt there now appears to be some kind of authoritative claim "this person is not a terrorist." When it is inevitably proven wrong, what happens?

The overarching annoyance, is that this implies current screening is unnecessary (we agree) but the only way to get round it is to *charge* people to avoid bits of it. This makes no sense to me.

As several recent incidents have shown, even people who *have* been background checked turn out to be bad. Spies exist in every organisation and even at the highest levels despite intensive background checks, polygraphs etc., so there is no way on this Earth a "background screening" company can offer anything but the most generalist idea on the person. If we are to believe the idea that the terrorist threat to air travel is legitimate enough to justify the *current* levels of screening, how can we accept the fact that a select few can effectively pay their way out of it?

From the report:
"Though this attacker pathway appears very problematic for those designing a trusted traveler program,
in practical terms, it affects only the decision about how much screening can be reduced for trusted
travelers. Addressing this potential adaptation pathway likely requires that a certain minimum “floor”
of screening must remain in place to provide both some probability of detecting weapons carried by
coerced individuals and an opportunity to detect people exhibiting signs that suggest they might have
been coerced. How much residual security is needed to achieve a reasonable probability of detecting such situations is an empirical question. For the basis of our analysis, our floor for screening trusted
travelers is 25 percent of the intensity of screening applied to the general public; that is, screening
cannot be reduced more than 75 percent."

This stuns me. Basically it is saying up to 75% of security screening at airports is theatre and doesnt help prevent the attacks any more than a generalist search of someone's background.

Rather than mess about with additional, paid for, invasions into personal privacy and what you did as a teenager, which still require policy makers to be prepared for the political fall out of the inevitable terrorist success - why cant we just skip the trusted traveller bit.

Drop screening to the 25% that really matters, stop caring if this person wrote a blog about sending President X to jail (or whatever they will look for) and prepare the public for the very, very rare terrorist success.

Much cheaper. Much more effective. Exactly the same outcome.

phred14June 20, 2011 8:22 AM

A while back I was chastised for suggesting something like a trusted traveler program, thinking of course that extra screening effort used on me or those like me is effort wasted. I would have to agree that any trusted traveler program offers an ideal target for terrorists.

Really, any system of "focused trust" that presumably offers "enhanced security" makes itself a target, which is why I've become opposed to widespread/universal encryption. It may solve the technical problem, but simply increases the human risk, which has always been the biggest hole.

As an alternative to a trusted traveler program, I would suggest that the security process begin at reservation time. Today it's not clear to me whether security begins at check-in time or when we finally make it to the front of the security line and hand over ID to the agent. But in either case the security process and the window for discoverability is measured in minutes. If the security process began at reservation time, it would generally have months or days.

Even today, a short-notice reservation is generally a warning sign in itself. For that matter, if there were anything about the physical traveler who showed up that didn't match the reservation-time security process, that would be another warning sign.

billswiftJune 20, 2011 8:24 AM

>However, fears that terrorists may exploit trusted traveler programs have dissuaded adoption of such programs.

Nonsense, that is just an excuse. The real reason is PC and "profiling". That is, the dread political types have of facing reality.

Clive RobinsonJune 20, 2011 8:40 AM

Well I've skim read through 2/3 of the document and it does not realy impress me in the slightest.

First of their basic security model has the "Trusted Traveler" (TT) route and the "others" route. But importantly their analysis stops at the end of the screening process, it fails to consider the fact that in most airports the two groups mix again after screening.

And this is important as it criticaly effects the model. They have considered coercion but have hardly concidered the situation of "terrorist facilitators" and "terrorist actors".

The terrorist actor is the person or persons actually carrying out the attack whilst the facilitators get the weapons etc to the actors.

Now consider the case of a prominante Middle Eastern or Far Eastern business man, he would in all likleyhood get TT status, whilst a Somalia youth is almost certainly not.

The Business man travels with his wife and family and could easily get "weapons" through the TT route and can then transfere them to a Somalia youth or others on the other side of the check point. In many airports they do not need to be flying on the same flight...

This is the same threat model as the catering / maintanence / cleaning / other worker in the airport acting as a facilitator...

For this Rand TT scheme to work the TT passengers and other pasangers for other flights must not be alowed to mix directly or indirectly in displaced time. That is the TT passenger who is actually a terorist facilitator travels on an earlier flight from the same departure lounge and hides the weapon in a toilet cistern etc etc for a non TT pasenger traveling on a later flight to pick up and use as a terrorist actor.

GreenSquirrelJune 20, 2011 9:21 AM

Nothing "PC" about it.

The "trusted traveller" program wont work as promised. At best it will reduce a 1 in 60million chance to 1 in 60.001 million or some other minor "improvement."

And for that we will have to pay more cash while enduring more intrusion into our lives.

If you can check one person with 25% of the current checks and still prevent an attack then why not do that to everyone. Trusted or untrusted, they still have to get the weapons on board.

GreenSquirrelJune 20, 2011 9:28 AM

@Clive - good points as always. I am impressed you made it through the report!

On the whole, it just smacks of fail from the outset. Not only does it create a whole host of new attack vectors but it fundamentally signals most of the current screening process is pointless.

In a previous life, part of my job was convincing people to do things they didnt really want to do and we were remarkably successful. If there is a weakness in the TT scanning, it would be trival to convince a neutral yet trusted businessman to smuggle XYZ through for committed Jihadist ABC to collect for his own flight. It happens all the time with narcotics.

The only solution is for the trusted traveller screening to be equally effective which begs the question (several in fact).

I just cant get over the fact that not only is this monumental security theatre aimed at reducing an already shambolic system, but it asks people to pay for the privilege. Amazing. Truly amazing.

leuk_heJune 20, 2011 9:47 AM

The whole problem is that the actual data is mostly missing. the change might be 1 in 625 million, or 1 in 6 million. Making risk assumptions based on these differences is very hard.

Normally security is a trade-off between effort and result. However some of the airport theater is not based on that. The report continues to make assumptions about this, but without citing relevant research on these numbers.

It only says that the trade-of is a policy decision. Too bad that the report looks like a science presentation with number and graphs, but fails to fill in the actual risk number (because there are no numbers how effective or uneffective the security is). My personal opinion is is that the false positive are very high, and the missed positives are higher than would be publishable by the operation that want to sell "trusted traveller": program.

You can write the same report with different assumptions, and base the opposite conclusion on these assumptions.

Or in short {Citation required}


WinterJune 20, 2011 10:04 AM

Is the basic problem not that:

1 The number of terrorists is vanishingly small, measured in 0.1 PPB (passengers per billion)

2 Both terrorist and those determined to find them follow the "Basic Laws of Human stupidity"
http://wwwcsif.cs.ucdavis.edu/~leeey/stupidity/basic.htm

Most importantly:
"Non-stupid people always underestimate the damaging power of stupid individuals. In particular non-stupid people constantly forget that at all times and places and under any circumstances to deal and/or associate with stupid people always turns out to be a costly mistake. "

In short, no scheme can both handle the false positives and predict the acts of terrorists and anti-terrorist personnel.

Dirk PraetJune 20, 2011 11:12 AM

If I read the paper correctly, then the benefits of the program would depend on an assumption of both maximum public buy-in and minimum TT-application by terrorists, while being constantly at risk of voiding itself through political backfire the moment even one terrorist slips through. Which is a statistical certainty, not just because of false negatives, but just as much through other vectors such as identity theft or men inside.

Despite the math and stats, I'd say that's very little to go on, made even worse by being very vague on what constitutes minimum security screening for trusted travellers, TT application approval criteria or the authority vetting the applicants. Besides the flaws already pointed out by several other people, the ultimate fail in this paper is monetising the issue, which makes it read more like a manifesto from some guys with a business plan rather than scientific research.

There is really no way I'm going to fork out anywhere between 35 and 200 bucks for an annual "subscription", even if I were able to collect (or forge) all necessary paperwork and background checks don't reveal anything suspicious. From where I'm sitting, this is an utterly braindead idea lifting airport security theatre from US to African or South-American standards.

If the math behind the paper has any value - which I have no reason to doubt - I would like to propose an approach based on common sense where some program/algorithm compiles and cross-references all data already available to authorities/LEA's and automatically flags anyone as a TT whose profile is determined fully incompatible with that of a potential terrorist. Like toddlers and 93-year olds for example. There's no reason why profiling and a TT program couldn't go hand in hand.

leuk_heJune 20, 2011 11:26 AM

@dirk Praet.

The math is valid, it shows logic formulas. However the number you can plug in those forumulas are assumptions, not supported by citations.

Terry ClothJune 20, 2011 11:29 AM

I know anecdotes are useless, but this one's too good to forgo. A couple of weeks ago, a college student of my acquaintance flew from the U.S. to Puerto Rico. He chose the patdown, his carry-on was X-rayed, but when he got to the gate, he hit the jackpot---he was chosen to have his bag searched. No sweat. After take-off he reached into the bag for some water (bottle filled _after_ TSA checkpoint), and found the box cutter he'd been using for an art project.

Needless to say, he put it in the checked luggage for his return.

ArclightJune 20, 2011 11:41 AM

It seems like a better approach might be "regular traveler" and "untrusted traveler."

Why can't we eliminate the 75% of mostly ineffective security that people are currently subject to, then focus the remaining 75% on those people who exhibit hinky behavior or fit some statistical profile?

Alternatively, we could jsut eliminate 75% of airport security and just learn to manage risk and not be terrorized. That might actually work a lot better than any "trusted traveler" program.


mooJune 20, 2011 1:41 PM

@Terry Cloth:
It's an all-too-common story. A time or two, I've accidentally flown with knives in my carryon and did not notice until I got to my destination. Occasionally someone accidentally carries a gun through (or even more rarely, the security screeners notice a gun being accidentally carried through).

Most of the security theatre at airports has no purpose except to line the pockets of certain politicians/companies, and perhaps to reassure travellers that something is being done. What was it Bruce said once on this topic? (I don't recall exactly, I'm paraphrasing...) "Clearly something must be done, and this is something, therefore we are doing it."

Tony H.June 20, 2011 1:44 PM

@Clive
"For this Rand TT scheme to work the TT passengers and other pasangers for other flights must not be alowed to mix directly or indirectly in displaced time. That is the TT passenger who is actually a terorist facilitator travels on an earlier flight from the same departure lounge and hides the weapon in a toilet cistern etc etc for a non TT pasenger traveling on a later flight to pick up and use as a terrorist actor."

By the same token, they can never use the same airplane in the wrong order either; we know there is all kinds of room for stuff to be left undetected on a plane from one flight to a later one. How many times have you found a previous passenger's garbage in the seat pocket when boarding a flight?

And airports already have more than a binary "Secure" vs "insecure" (or traditional airside/groundside) state to be managed for their physical spaces, e.g. the "cleared customs for country/region X" state is orthogonal to the "secure" state, and someone has to decide which takes precedence, i.e. which carries the worse punishment for the airport or alrline. And even "secure" has degrees: a passenger just cleared locally and one just off a flight from a dodgy country shouldn't be mixing, but often they are able to.

Airports repartition their spaces to various combinations of states dynamically over the day, and there is no way they are checking them exhaustively every time they open a doorway to enlarge a departure area or change the flow direction of a corridor. Look at those cases in the news a couple of times a year where someone (usually quite innocently) goes unchecked into a "secure" area, and they shut down the entire terminal for hours and make everyone go through the checkpoints again. Security Theatre strikes again...

Eric BuddingtonJune 20, 2011 3:19 PM

At the risk of jumping to a higher level of abstraction, I still believe that the Fourth Amendment guarantees me freedom from search unless I am plausibly suspected of a crime. Choosing to travel by airplane is not a reasonable cause for suspicion.

I also claim that my First Amendment right to free association requires that I be able to travel without having to announce my identity and travel plans to the government or anyone else.

I believe that both these principles can coexist with pretty good security.

DGJune 20, 2011 3:42 PM

I'm struck by the Animal Farm flavor of all this, that there is a "superior class" wanting to be trusted travelers and willing to pay for the privilege, proving their innocence in a Napoleonic law fashion. (A "four legs good, two legs best" study).

The net affect is to charge the consumer the cost of a national agency check, which also makes one wonder why someone thinks there is a correlation between non-questionable personal history and the likelihood of committing terrorism. This is simply introducing a recruitment criteria for terrorists.

Consumer funded security theater, cost burden shifting. If there's any value to the idea it points out the security theater is simply too onerous today for the return.

Richard Steven HackJune 20, 2011 4:09 PM

Everyone here has pretty much covered the ways in which this is nonsense.

My take is simply that it's a band-aid approach to fixing the basic problem of airline security theater - let alone the real problem of airline security. It's all about reducing the PERCEPTION that current TSA practices are security theater by allowing some people to avoid it (at additional cost to THEM, not the government.)

The whole concept of airline security (let alone security in general) is a joke. But it's impossible to make that point in public. So we get nonsense like this. I don't even bother to read papers like this since they're fundamentally wrong.

If one doesn't understand the fundamental fact that there is no security in the large, one has no business commenting on security in the small.

As an aside, when I started my criminal career, I had absolutely no criminal background. Had I the money and equipment, I would have been able to do some pretty heavy stuff (probably ending up dead, but hey, stuff happens.) A program like this would have had zero reason to prevent me entering an airport or any other public space for whatever purpose. And that would have been a huge mistake for the program.

There are probably plenty of terrorists and potential terrorists out there with no criminal or other suspicious backgrounds that would necessarily surface in a normal background check. And as others have pointed out, recruiting from that milieu would be no problem.

mcbJune 20, 2011 5:40 PM

Enough with the screening, which they can't possibly make any more intrusive, and which only verifies what we already know, that millions of people are not going to hijack an airliner today. Let's change the ROI by doing some catching. How about we positively identify every air traveler by collecting fingerprints, iris scans, and DNA swabs? Compare the results to every crime and terror database in the world and arrest anyone wanted for anything anywhere there's an extradition treaty. Even those technologies which require time to process (DNA) will serve to fix a suspect in one place at one point in time while collecting unchangeable biometric signatures. Terrorists, criminals, and deadbeat dads will choose not to fly for fear of arrest, detention, deportation, rendition, or disappearance. No, I'm not really serious (unless you think it's a fabulous idea), but thinking about the same old problem the same old way with the same old objections is getting us nowhere. Aack! Thpt!

Dr. TJune 20, 2011 5:41 PM

We already have nearly worthless but high-cost and high-annoyance security procedures. The trusted traveler modification would give us nearly worthless, high-cost, and less annoying security procedures for trusted persons while not changing anything for other passengers. I believe this is gilding a dead horse.

The security I want is: 1. Keep cockpits sealed with bulletproof, locked doors. 2. Scan luggage, food carts, maintenance tool kits, and carryons for bombs. 3. Scan passengers for guns. 4. Allow passengers who have been trained to use guns on planes to keep their guns if loaded with bullets that won't shred the plane. 5. Allow all passengers to carry knives. 6. Say "rest in peace" to anyone who attempts to hijack a plane.

Dirk PraetJune 20, 2011 7:54 PM

@ Dr. T

7. Replace current safety procedures demo/video and movie channels by instructional video on basic Krav-Maga techniques.

8. Put cameras all over the plane so any fight breaking out can be broadcast in real time to an audience of paying subscribers. Panem et circenses all over again.

Steven HooberJune 20, 2011 9:09 PM

> And airports already have more than a binary "Secure" vs "insecure" state...

They don't even call it secure, but "sterile." There are, however, guys with guns all over the place. If you want a sterile area, it needs to be more prison-like, with the armed guards on walkways with good fields of vision.

tommyJune 20, 2011 11:39 PM

@ Eric Buddington:

Right ideas; wrong support.

First Amendment:

"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

Are you boarding that airplane so that you and the other peacefully-assembled passengers can petition the Gov for a redress of your grievances? (Your grievances about intrusive searches can be addressed from the ground.)

Fourth Amendment right protects you, your home, person, papers, anything else you own including your car and private airplane. But before you use that car or airplane on public streets or airways, where you subject thousands of others to danger (as opposed to driving or flying it around your own farm), you are quite reasonably required to demonstrate the ability to do so safely, by licensing tests.

In most US states, when you accept the *privilege* of driving on streets used by the rest of the populace, you give consent to be stopped and checked for license, registration, insurance, and sobriety, provided that the stop is either based on other violations, or is truly random (checkpoints, every 7th car, etc.) vs. singling out any group on irrelevant factors. However, a stop based on profiling *that has been statistically or empirically validated" has generally been held up by the courts.

Similarly, you do not have to board a common-carrier airline. You can charter a plane, drive, walk, hitch-hike, etc. Given the vast potential for harm to thousands or millions of people, which has already occurred, I doubt a Fourth Amendment defense would work. You are free to decline the search or scan, turn around, and walk back out the terminal.

Please don't get me wrong - I'm on your side. But let's base the arguments on uselessness, expense, and *unnecessary* invasion, because it's ineffective. If an effective method were ever developed to screen out likely terrorists, the 4th would probably uphold it. (reasonable grounds to believe that the person has committed, is committing, or *is about to commit* a crime. Terry v. Ohio 1966 upheld frisks if there is valid grounds for such suspicion.) Fortunately for our privacy, if unfortunately for our safety, that will probably never happen, because it's probably impossible.

Ari ManiatisJune 21, 2011 7:32 AM

The problem with this approach can, I think, be summarised like this: TT provides security around WHO is allowed to fly; conventional airport inspections provide security around WHAT you take on board.

The discontinuity between these two very different concepts is what creates the problems previous posters have detailed. And in fact TT doesn't even provide security around the WHO, but in reality only verifies a proxy stand-in for the WHO: some form of photo id. So rather than verifying that you don't have a weapon, it purports to verify that your id represents someone who doesn't normally carry weapons onto a plane. There are several logical steps from "id represents someone with no criminal history" to "person at airport is correctly identified by that id" to "person not actually carrying weapon".

IANAL but I like the ConstitutionJune 22, 2011 2:45 PM

@Tommy
I think you're right about the First Amendment failure, but I also think that the scanners and enhanced patdowns are "unnecessary searches" so the Fourth Amendment protections should hold. It seems, however, that they do not under terrorism FUD.

Did want to mention a comment about "You are free to decline the search or scan, turn around, and walk back out the terminal"

I believe the "don't touch my junk" guy, John Tyner, found that he wasn't free to leave. Or at least, his departure was not free. They tried to fine him for exercising his right to walk out. I'm not sure if the fine held up.
http://www.wired.com/threatlevel/2010/11/tsa-investigating-passenger/

The TSA blog (http://blog.tsa.gov/2010/11/opting-out-of-advanced-imaging.html) states:
"...Will you receive a $10,000.00 fine if you opt out of screening all together and leave the checkpoint? While TSA has the legal authority to levy a civil penalty of up to $11,000.00 for cases such as this, each case is determined on the individual circumstances of the situation."

Apparently "It is important that all screening procedures are completed. This ensures that terrorists do not have an opportunity to probe TSA’s procedures by electing not to fly just as TSA’s screening procedures are on the verge of detecting that the passenger is a terrorist."

Of course, as many have before pointed out, if an actual terrorist/wacko wants to commit violence at that point, that individual could just complete their plot there in the security queue while surrounding by the rest of the flying public. An $11,000 deterrent wouldn't faze them, especially if they don't plan to be alive to pay it.

What's the price for TT? Presumably less than $11,000.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

← Fourth SHB Workshop The Life Cycle of Cryptographic Hash Functions →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.