Schneier on Security
A blog covering security and security technology.
« How Terrorist Groups Disband |
| Friday Squid Blogging: Squid Ink as a Condiment »
November 9, 2012
How To Tell if Your Hotel Guest Is a Terrorist
From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist.
I myself have done several of these.
More generally, this is another example of why all the "see something say something" campaigns fail: "If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."
Posted on November 9, 2012 at 1:32 PM
• 55 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I don't think a hotel has ever asked me to provide my place of employment...
Wow. Thanks to DHS I now know that I'm at high risk of committing terrorism when I stay in hotels. I'd better report myself immediately. I'm glad we have people to alert us to these things.
The part "Non-VIPs who request that their presence at a hotel not be divulged" made me laugh for some reason.
You aren't special so you don't get to control your privacy.
The sad part is that almost all of these features of a possible terrorist have a workaround, and listing them publicly like this might improve the operational security of actual terrorists.
The ultimate workaround? Check in with a lady that doesn't look like she could be your wife (i.e. too young or pretty for you, dresses differently). Now almost anything you do to be low-profile is easily explained away as common everyday marital infidelity. Or check in alone, pay with cash or a pre-paid credit card, and ask for two keys.
Everybody shacking up will be labeled a terrorist. "Sir! Step away from the floozie!!!"
I think McCarthy had a similar list for communists
@Steve: yea, because "If my wife calls I'm not here and I'm *definitely* not in a room for two" is obviously something only a terrorist would ask for.
When I first saw this, I had assumed it was a joke. Silly me.
On the positive side, we will now have millions and millions of suspected terrorists for people to deal with and the aftermath of so many false positives wont put anyone off from continuing to report random events.....
These behaviors are also shared by budget film crews and rock stars who don't trust hotel security.
DHS clearly thinks *everybody* is a terrorist. So why haven't they turned themselves in?
"Or check in alone, pay with cash or a pre-paid credit card, and ask for two keys."
I've seen that (asking for two keys for yourself) given in the past as personal safety advice, aimed mainly at women - probably a bit outdated now with electronic keys, but the idea was to ensure you held *both* keys to your room, not just one (since a would-be intruder might sneak the second key to your room from behind the desk, I suppose). Or maybe I'd stumbled across an online terrorist training camp cunningly disguised as personal safety advice...
"Leaving the property for several days and then returning."
I did that in 2008 - vacation to see a few states (fly into NJ, stay in a hotel near the airport for a few days, then work up through NY-CT-RI-MA, then back for another few days before flying back to the UK).
"Noncompliance with other hotel policies."
Ah, nice and specific there. In short ... be suspicious of ... anyone. Doing anything. For any reason.
I think I'd clocked up half-a-dozen of those before I reached the age of 18.
So was I recruited as a child terrorist?
I wonder if this list was compiled from research on actual terrorists, or is it just someone's fantasy of what they imagine a terrorist would do in a hotel?
"Interest in using Internet cafes, despite hotel Internet availability."
Indication of terrorist tendencies, rather than indication of not wanting to be royally ripped off by hotel Internet charges?
How is using hotel internet different from using internet cafés'? Or is this implying that your internet activity in a hotel is recorded if you're too dumb to know how to hide it?
They are worried when people show interest in emergency exits?
I firmly believe that information about emergency exits should be classified and hotels should not be allowed to post information about them in public spaces. Otherwise terrorists can find and block them. Obviously that also goes for safety equipment such as fire extinguishers which should be securely locked in so that terrorists can't sabotage them or use them as weapons.
15/19. Easier to list the ones I (think I) didn't do (yet):
- Interest in using Internet cafes (my employer pays it anyway)
- Unusual interest in hotel staff operating procedures (I know too much already)
- Leaving the property for several days and then returning (not without checking out inbetween, I've been lucky with client appointments so far)
- Non-VIPs who request that their presence at a hotel not be divulged (didn't know that was possible)
Not bad, and I'm not even a terrorist, just a consultant and regular conference traveller.
Also I think they forgot:
- attempting to use the Interwebs other than with HTTP and HTTPS
- not using a "smart" phone, despite clearly being able to afford one
- not posting Facebook updates every 10 minutes, maybe even refusing to have a Facebook account
indicators of terrorist leanings, and warranting law enforcement smashing hotel room doors, and extended questioning with a side dish of physical coercion.
They forgot a few:
- Has "shifty eyes" or wears sunglasses so you can't even see their eyes.
- Talks with a thick accent - or no accent whatsoever.
- Wears sneakers - for sneaking.
- Owns and carries a camera - could be researching targets.
- Is tired or stressed upon arrival - long flight? Or long day of terroring?
- Upon departure, takes a cab to the airport.
- Looks a little too average - or not average enough.
As an introvert who is more comfortable with privacy than without, I would systematically trigger 9 out of the 19 flags in every hotel I used, if I thought they would comply. Then again, as with many introverts, I find the likelihood of non-compliance to have a disproportionate chilling effect.
On the other hand, a hotel chain that offered the privacy-oriented half of that list as features would certainly get far more introverts than terrorists as customers. Think anyone is likely to try that as a business model? I'd pay extra.
(I said part of the above wrong -- non-compliance has a disproportionate chilling effect on asking for these things, i.e. I'm not likely to request most of them unless they were mentioned explicitly in hotel literature).
Given the craptastic and overpriced Internet access most hotels provide, and its intense hackability, why would it be strange to ask for an Internet cafe?
B-b-but...where were the Groucho glasses? Because lists like this are slapstick-2bit jokes. Same w/ the trendy prolefeed "textforterror" & "seesomethingsaysomething". I saw an ad for one of those programs, and it was a dude with binoculars at a baseball game; really taking his civic duty a bit too far. Those are trust-oriented and enhancing programs, aren't they Bruce?
Obviously we can question whether a list like this could actually be useful at all.
But apart from that, this version is so bone-headed stupid that quite a few people are wondering if it could possibly be real.
Dear DHS: if this is real, you need to take a big reality check. This is dumber than a bag of hammers.
Half of these "suspicious behaviours" fall within the gamut of perfectly ordinary behaviour, such as: avoiding exorbitant hotel costs (2, 3, 9); standard safety advice that's often even posted on your room door (13); typical behaviour for certain travellers such as experienced tourists, or group or corporate travellers (10, 12, 17); or common personal preferences (7, 11).
Number 1 is plain silly: I've never had a hotel ask for more than contact details, and they don't check those. Number 19 is an obvious "catch all" that is just inviting bad staff to bully customers to avoid getting written up by their supervisors.
The other 8 items are at least a little odd maybe, but mostly they are little more than that. Out of the whole list, the only ones that are really suspicious are accessing restricted areas, and abandoning your room. Even then, these more likely suggest a potential thief rather than a terrorist.
I would be very, very surprised if this ridiculous list is evidence based. And if it isn't, then you should be ashamed at the shoddy and unprofessional nature of this "work".
— (U//FOUO) Use of a third party to register.
Uh-oh. A few days ago I booked a hotel room for a friend who needed to get away from her husband for a few days.
Does that make her the terrorist? Or me? Or both of us?
The Dept. of Homeland Security sounds exactly like UNATCO from the game Deus Ex released 12 years ago - right down to the lists of "suspicious" behavior.
If you abandon your room and leave behind minor belongings, but you didn't provide any details when you checked in... then whether you're a terrorist or not the hotel's snitching on you isn't going to be much use to anybody.
More for the list
20. Is a VIP customer of Paladin Press
21. Reads all Schneier posts on terrorists & tactics
22. "really interested in flying planes, but isn't interested in learning how to land" (comedian, forgot who)
Wasn't there a similar list published a few years ago claiming to list the behaviors of teens likely to shoot up a school? Basically every teen in the USA matched the profile.
It's always interesting how we always put our business out there. This is why these other guys are winning the war because they don't announce themselves this much. GOOD JOB US GOVERNMENT.
>"Interest in using Internet cafes, despite hotel Internet availability."
Based on the prices I have been charged for hotel internet access, this is merely being frugal. As well as looking for better service than the hotels I've been stuck with.
There are actually several alternative explanations for the list:
1) The DHS are hoping that terrorists that read the list will laugh so hard that they will cause harm to themselves
2) The DHS are publishing a list with stuff normal people do so terrorists that will try to avoid doing it will stand out and be easy to spot
3) The DHS doesn't want to tell terrorists what they are really looking for so they publish a BS list
"Unusual interest in hotel staff operating procedures, shift changes, closed-circuit TV systems, fire alarms, and security systems."
What if you're bruce Schneier? Or Kevin Mitnick? Or someone (like me) who wants to understand how all of the systems work if I'm going to be staying there?
I'm amused about the FOUO classification for a document about suspicious hotel behaviour. Guess they can't give it to anybody working at a hotel, except maybe the House Detective. (At least it's not also marked NOFORN.)
I don't think I've ever provided my employment information to a hotel unless I was checking in at a special rate for $DAYJOB or $TECHCONFERENCE.
Extended stays with little baggage? Like the time my "1-hour layover" turned into "airport snowed in for 2 days" or that business trip that was just supposed to be overnight for one or two meetings?
As many others above, I am also guilty of 9 or 10 items on the list. Glad to see I am not alone.
Many of the items on the list are part the standard advice that many branches of the federal government give to their employees when traveling (more strongly when traveling abroad). Does that mean US Federal employees are terrorists? (Don't answer that.)
— (U//FOUO) Not providing professional or personal details on hotel registrations—such as place of employment, contact information, or place of residence.
— (U//FOUO) Non-VIPs who request that their presence at a hotel not be divulged.
— (U//FOUO) Refusal of housekeeping services for extended periods.
— (U//FOUO) Requests for specific rooms, floors, or other locations in the hotel.
— (U//FOUO) Unusual interest in hotel access, including main and alternate entrances, emergency exits, and surrounding routes.
— (U//FOUO) Use of entrances and exits that avoid the lobby or other areas with cameras and hotel personnel.
— (U//FOUO) Unusual interest in hotel staff operating procedures, shift changes, closed-circuit TV systems, fire alarms, and security systems.
I don't get how not refusing housekeeping for "significant periods" is the standard. I don't clean my room daily at home, I don't change my towels daily at home. When I have a one-week hotel stay, I need housekeeping to come in about zero to one times during the stay.
Staff seems weirded out by "do not disturb" signs hanging there for days. If I ran a hotel, there wouldn't be any "do not disturb" signs. There would be a door sign "please clean room", and a nice poster explaining that staff is not going to enter your room unless the sign is there.
I, honestly, think that this list is (with all do respect) childish. I understand the need for such thing but this list will give a high ratio of false positives. Look at these terms:
- Requests for specific rooms, floors, or other locations in the hotel (!)
- Not providing professional or personal details on hotel registrations—such as place of employment, contact information, or place of residence(!)
I cannot tell you how many times I tried to use the hotel Internet and I failed simply because the speed was less that 1 hr/bit. I think that this fear of terrorist attack is being turned to a propaganda.
Remember they are to look for a "totality of circumstances."
The good stuff is the basic "line officer training": http://publicintelligence.net/sar-training-video/
Toward the end the statement, "Protection of privacy, civil rights, and civil liberties is paramount." Hmm. They protesteth too much. Paramount: superior to all others, supreme
By the way - as opposed to the police and TSA, the hotel has a direct incentive to treat the customer well. This ensures that they will probably not harras "suspicious" regular customers by reporting them.
Came here to say that. This list has an awful lot of overlap with the list of recommended behaviors given in federal anti-terrorism training.
I see this a checklist for everything I'm going to try at HOPE 2014...
About half of these are unremarkable behaviors at science fiction conventions.
Jesus. 1-3, 6 to 12 inclusive, 14 and 16, probably 19. I'm Osama bin Laden and Ulrike Meinhof all at once.
I once gave my permanent address as that of the hotel because it was the most true value possible in the middle of my house move.
So what does this list mean anyway? Are hotel personnel supposed to call the authorities about anyone who exhibits N or more of these behaviors? Are they supposed to tell the hotel detective to watch them more carefully? Put them on a no-book list? Or just feel really nervous?
"Using payphones for outgoing calls or making front desk requests in person to avoid using the room telephone"
Pay phones? Do those even exist anymore? And are there any travelers who don't prefer the cell phone to the room phone?
And while hotel staff was scrutinously observing this highly intelligent list, even tailing suspicious Arab guests into their internet cafes, some Caucasian male with body armor and Joker make-up walked in with a machine gun to wreak havoc on a party of frozen yoghurt salesreps in the lounge bar who were just discussing how much safer they felt after a particularly thourough TSA pat-down at the airport.
@David Leppik: payphones do exist still and are used quite often - surprise - by tourists, who do not want to be ripped off by their cell phone company or don't even have a cellphone supporting the most dominant cellular system of the visited country.
1) Release list of suspicious activities we want reported that will have each hotel sending at least two reports a week.
2) Sit on this pile of useless leads.
3) When lead pile is big enough petition congress for enough money to 'process our huge pile of leads,' after all, you don't want to let the terrorists win.
The 'security' guards at my place of employment have all just passed some sort of DHS training in 'recognizing internal threats' or some such. There's a whole row of certificates, considerably fancier than my professional credentials, lining the walls of the guard station.
The fact that I regularly walk past one of these highly-trained threat assessors asleep at their desk makes me question the credibility of such training.
@Roger - Of course this list is evidence-based.
Every terrorist who has ever stayed in a hotel has done at least ten of these things.
(Just like every non-terrorist, but that's not the point...)
Another favorite of mine comes from the Colorado Information Analysis Center https://www.ciac.co.gov/. Here they define what "suspicious activity" is (which should of course be reported). According to CIAC, anyone taking pictures of historic structures and national landmarks should be immediately reported. Same with anyone trying to say...sketch the internet!
I've done all these things when going to hotels, I stopped using the hotel phone for calls decades ago, they rip people off. These rules just create paranoia and collect false positives, and evidence of nothing.
— (U//FOUO) Refusal of housekeeping services for extended periods.
I stayed at a Sheraton hotel recently, and this behavior is *rewarded* by the hotel on environmental grounds to the tune of $5 per day.
I spent it on my breakfast.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..