To Profile or Not to Profile?

A Debate between Sam Harris and Bruce Schneier

Sam Harris's Blog
May 25, 2012

Introduction by Sam Harris

I recently wrote two articles in defense of "profiling" in the context of airline security (1 & 2), arguing that the TSA should stop doing secondary screenings of people who stand no reasonable chance of being Muslim jihadists. I knew this proposal would be controversial, but I seriously underestimated how inflamed the response would be. Had I worked for a newspaper or a university, I could well have lost my job over it.

One thing that united many of my critics was their admiration for Bruce Schneier. Bruce is an expert on security who has written for The New York Times, The Economist, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Boston Globe, The San Francisco Chronicle, The Washington Post, and other major publications. His most recent book is Liars and Outliers: Enabling the Trust that Society Needs to Thrive. Bruce very generously agreed to write a response to my first essay. He also agreed to participate in a follow-up discussion that has now occupied us, off and on, for two weeks. The resulting exchange runs over 13,000 words.

This debate was conducted entirely by email, without a moderator. While the gloves came off early, Bruce and I permitted one another to modify previous statements and to insert comments into each other's text. This occasionally complicated matters -- requiring further work from the freshly injured party -- but the resulting exchange is more temperate than it would have otherwise been, as well as more complete. Of course, there is only so much ripping and mending that a linear conversation can accommodate. And, as readers will see, Bruce and I still occasionally talk past one another, grow a little prickly, and leave important issues unresolved. Despite its imperfections, I think the following debate is a good example of how two people with very different perspectives on a controversial topic can engage in a rational conversation.

* * *

SH: First, let me say how much I appreciate your willingness to engage on this issue, Bruce. Whether or not our views fully converge in the end, I suspect that readers will find this discussion useful.

There are many things in your essay that I'd like to respond to, but I don't want us to just hurl op-eds at each other. My hope is that this will be a proper conversation. So rather than attempt to hit every point in each round, I think we should assume that we will keep turning the problem of terrorism over and over until we are both satisfied (or have killed our readers with boredom).

In the essay that got me into so much trouble with my fellow secular liberals, and in response to which you have now attempted an exorcism, I was addressing the problem of airline security. In fact, I was talking about only one aspect of airline security -- the most visible part, where passengers and their luggage get screened for bombs and weapons by the TSA. 

It is important to acknowledge the narrowness of this focus, and I hope you will agree that your bringing up Timothy McVeigh and the Unabomber in this context was misleading. Everyone passing through security at an airport is getting on an airplane. Consequently, when it comes to airline security, we are not merely faced with a generic threat of "terrorism."  When searching the bodies of passengers (either with back-scatter X-ray scanners, magnetometers, or pat downs), we are worried about the threat of suicidal terrorism.

In fact, the profile for airline security is even more specific -- we are worried about suicide bombers who want to kill hundreds of people selected at random (i.e., the people who just happen to be on a particular airplane). Therefore, the terrorist knows that his intended victims are not directly responsible for whatever grievance he might have. We are not talking about anti-tax maniacs bombing a federal building, animal rights activists targeting laboratories, or unhinged Christians killing abortion doctors. We are talking about people who have a cause for which they are eager to die (and perhaps have their families die), and who believe this cause can be advanced by hideous acts of instrumental violence, in which truly innocent and uninvolved people are murdered.

So, to begin, I just want us to agree about this initial focus. I'm happy to explore related issues of terrorism and to even talk about security in general, but let's stay on point for the moment and discuss the unique circumstance of screening passengers and their luggage at the airport.

Before I discuss what I think is wrong with your analysis, I want to see if we share the same background assumption about the reality of suicidal terrorism in the year 2012:

Imagine that a terrorist is attempting to board an airplane bound for a major city in Europe or the United States with a bomb strapped to the body of his four-year-old daughter. Let's also assume that he is not some lone lunatic engaged in an inexplicable crime. Rather, he has a community of supporters behind him who have helped bring this terrible plot to fruition. A trained engineer made the bomb and showed him how to detonate it; another accomplice drove him and his daughter to the airport; even his wife gave her blessing and vowed to perform a similar act of terrorism with their son in the near future. The man has dozens of confederates who would have been willing, even eager, to take his place with a child of their own -- and each of these people knows a score of others who fully support his aims. In fact, there are hundreds of thousands of people, in dozens of countries, who would actively support this man's actions, if given the chance, and perhaps millions who would do nothing to dissuade him, even if they could. What are the chances, in your view, that this terrorist is Muslim.

BS:  High.

But so what?  You've proposed a correlation between being Muslim and being a terrorist.  I could propose other correlations with terrorism: wearing a gun, carrying a certain kind of reading material, having a certain micro-facial expression, appearing on a particular government list, buying a one-way ticket, holding a passport from a particular set of countries.  There's no shortage of correlations.

You've gone further, though.  You've advocating a nationwide security system with two tiers of security based on your correlation.  What you're missing is that your correlation is just a small piece of that complex system and, as such, you've skipped a lot of steps along the way.

Security is a trade-off, and requires some sort of cost-benefit analysis.  What is the cost of your security system?  What are the benefits?  What, exactly, is your correlation?  (TSA screeners can't sort based on religion; they have to sort based on something they can detect.  And since there's no such thing as "looking Muslim" -- it's a belief system, not an ethnic group -- they're going to sort on something like "looking Arab," whatever that ends up meaning.)  Then, you're going to have to analyze the resulting security system.  How does it work, and how does it fail?  What's the false-positive and false-negative rate?  (You'll have to do some theoretical analysis, at the very least refuting current research.)  Can your system be gamed?  (You'll need some experimental data with real-world TSA agents in real-world conditions.  The last thing we want is a security system that can be defeated with a bottle of blonde hair dye.)  You will need it to relate to other security systems.  We only have a limited security budget.  Is your security system better than other airport security options?  How does it affect the other security systems already in place at airports?  Would we be better off spending that money on some other aspect of airport security?  Or something more general than airports?  In my book Beyond Fear, I proposed a five-step process to think through some of these questions.  There are other, more rigorous models.  But security engineering requires something more than intuition.

Here's another correlation, perhaps easier to understand.  Pilots have long complained about being subjected to the same security as everyone else.  They can crash the planes, for heaven's sake.  It's just common sense.  But you can't actually sort on "being a pilot" at a security checkpoint; you have to sort on "wearing a pilot's uniform" or "carrying a valid pilot ID."  So now the question becomes whether it makes sense to develop an unforgeable pilot ID, train TSA screeners in how to recognize that ID, and develop a separate set of screening procedures for people with that ID -- or simply screen pilots like everyone else and ignore their whining.  And this is where the analysis starts.

Your intuition on the efficacy of an airport profiling system is wrong.  The psychology of security is complex, and there is a great deal of of research about how our brains systematically get security decisions wrong.  This is an example of that.  Profiling at airports gives us less security at greater cost.

SH: You have delivered a litany of concerns about profiling that are (in my view) easily answered. I do not think that the problem we are discussing -- how to keep people from blowing up airplanes -- is as recondite or as complicated as you make it out to be. It seems to me that there are many things you are pretending not to know -- or pretending that other people can't easily know -- that make the problem of preventing terrorism reasonably straightforward.

And I am not proposing a mere correlation between extremist Islam and suicidal terrorism. I am claiming that the relationship is causal. There are many ways to see this, and not too many ways to credibly deny it (though Robert Pape keeps at it by skewing his data with the Tamil Tigers).

The first sign of a religious cause comes from what the terrorists say of themselves: al Qaeda and its sympathizers have not been shy about discussing their motives in public. The second indication is what they say when they think no one is listening. As you know, we now have a trove of private communications among jihadists. The fine points of theology are never far from their thoughts and regularly constrain their actions. The 19 hijackers were under surveillance by German police for months before September 11, 2001 (read Perfect Soldiers). Islam was all that these men appeared to care about.

And we should recall how other people behave when subjected to military occupation or political abuse. Where are the Tibetan Buddhist suicide bombers? They have the suicide part down, because they are now practicing a campaign of self-immolation -- which, being the incendiary equivalent of a hunger strike, is about as far from suicide bombing as can be conceived. And where is that long list of Palestinian Christian suicide bombers you've been keeping in your desk? Now would be a good time to produce it. As you know, Palestinian Christians suffer the same Israeli occupation. How many have blown themselves up on a bus in Tel Aviv? One? Two? Where, for that matter, are the Pakistani, Iraqi, or Egyptian suicide bombers killing for the glory of Christ? These Christian communities are regularly attacked by suicidal jihadists -- why don't they respond with the same sort of violence? This is practically a science experiment: We've got the same people, speaking the same language, living in the same places, eating the same food -- and one group forms a death cult of aspiring martyrs and the other does not.

As I've written elsewhere, it isn't impossible to conceive of Tibetan Buddhists practicing suicide bombing or of Middle Eastern Christians practicing terrorism at the same rate as their Muslim neighbors, but Islam offers a doctrine of jihad and martyrdom that makes such behavior perfectly understandable. And, again, it is the reason that jihadists themselves give for their actions.

In any case, you have conceded that the next person who will try to blow himself up on an airplane bound for Europe or the United States is very likely to be Muslim. When considering the details of the example I gave -- of terrorists who will even build their own children into their bombs -- it should be clear that, in the year 2012, we are talking about Muslims waging jihad.

For this reason, I have argued that we should profile for Muslims, or anyone who could conceivably be Muslim, at airport security. More specifically, I argue that we should anti-profile -- paying less attention to people who, based on the totality of their characteristics, could not conceivably be jihadists. Once again, I would not put you or myself in this category, but many people one sees at the airport would fall into it.

I think you overestimate the ability of jihadists to recruit people who do not fit the profile, and you seriously underestimate the talent that neurologically intact observers (not to mention trained screeners, like those who work for El Al) have for spotting high-risk individuals. While it is clearly prudent to scan everyone's bags, doing a secondary screening of low-risk travelers, purely for the sake of fairness, seems like a dangerous waste of time.

Please remember, we are talking about recruiting people who want to die for the privilege of waging jihad against infidels. Just how deep a recruiting pool could this be among people born as non-Muslims? Not very. How easy can it be to recruit an old rancher and his wife from Texas to be suicide bombers? What about a pretty blonde from San Diego who once had a walk-on part on Battlestar Galactica? If it were easy to recruit such people -- people about whom you would say, "Are you kidding me? They are members of al-Qaeda?" -- then we would not be seeing young middle-eastern men show upon on the news, again and again.

Take a look at the FBI's most wanted terrorists. There appears to be one non-Muslim among them -- an animal rights extremist. The rest fit the profile (absurdly well). Muslim terrorists have no trouble finding people willing to martyr themselves in places like Pakistan, Yemen, Saudi Arabia, and Somalia -- and in their satellite communities in Europe -- but, lucky for us, they still have a hard time recruiting a family that looks as if it just stepped out of a Ralph Lauren ad. Until this changes, it strikes me as completely irrational not to take these facts into account when screening for terrorists.

Of course I'm aware that a terrorist could place a bomb in an old lady's bag -- and that is why I was careful to say that everyone's baggage should be screened. But it is very far-fetched to think that jihadist organizations will successfully recruit people of the sort pictured in my original blog post. And if we are concerned that terrorists might kidnap some old lady's grandchildren and force her to walk through security with a bomb in her girdle -- well, that's what behavioral profiling is for. Presumably, our screeners would find themselves in the presence of one very nervous old lady.

We have to ask ourselves which is more plausible -- that terrorists will find it easier to recruit or coerce the least likely suspects, or that they will benefit from our needlessly searching these suspects by the hundreds of millions, year after year? I do not doubt that a profile can be gamed -- and this is worth worrying about -- but I am more concerned about the risk of airport screeners obviously wasting their time. 

So I hope we can put that bit about mere "correlation" behind us. Generally speaking, we know who we are looking for -- Muslim jihadists.

In your article, you declare that my profile isn't accurate because "it isn't true that almost all Muslims are out to blow up airplanes. In fact, almost none of them are." Unfortunately, this gets things exactly backwards. The question is not, What is the probability that any given Muslim is a terrorist? The question is, What is the probability that the next terrorist will be a Muslim? You can bury the signal in as much noise as you want; it will not change the fact that the threat of suicidal terrorism is coming from a single group.

We face an ongoing threat of people bringing bombs onto airplanes. There will surely be a next attempt, and one after that, and one after that. Even as you and I have been conducting this debate, we have been hearing reports about new and improved "underwear bombs" and about the prospect of terrorists having IEDs surgically implanted in their bodies. How likely is it that these ghoulish attempts to murder innocent people will come from Muslims waging jihad? It isn't 1 in 80 million, or 1 in 8 million, or even 1 in 8. You admit that the likelihood is "high."

Your concern about the low base rate of terrorism, leading to the problem of too many false positives, seems misguided. The problem of base rate is often very important, of course, but not in the case of airport security. For readers who might be unfamiliar with Bayesian statistics, let me briefly illustrate what I think you were trying to do with your math:

Let's say I get a blood test designed to screen for some terrible disease and it comes back positive. My doctor tells me that this test is 99% accurate and only produces false positives 1% of the time. Does this mean that that I have a 99% chance of having the disease? No. We need to know how prevalent this disease is in the population of people who share my risk factors (the base rate). If the disease is rare, the chance that I have it will still be quite low. A false-positive rate of 1% will produce 100 errors per 10,000 tests. If the disease only affects 1 in 10,000 people like me, my actual chance of having the disease (given that I tested positive) will be 1/101 -- or slightly less than 1%.

This seems to be the kind of sobering and counterintuitive demonstration of the "base rate fallacy" you were attempting in your article. The lesson that you and many others seem desperate to draw is that a little Bayesian analysis proves that profiling Muslims makes absolutely no sense. But what is interesting about false positives in my medical example is that the consequences of entertaining them (i.e., believing that one has a deadly illness) are huge, and learning the base rate completely changes one's sense of the risk. This is not the case with the threat of Muslim terrorism.

What is a false positive in the context of airport security? It might be nothing more than asking a person a follow-up question or performing a hand inspection of his bag. We are not talking about imprisoning people who fit the profile at the airport. A concern about false positives only makes sense if paying closer attention to innocent Muslims has some truly terrible consequences. You suggest that it will have two: it will produce a backlash in the Muslim community and allow terrorists to game the system (rendering the profile inaccurate). I am skeptical about both these claims for reasons that I hope we will discuss.

Of course your base rate argument could also be used to justify taking no security precautions whatsoever -- which I'm beginning to worry is what you recommend. In your essay, you assume that false positives (screening innocent Muslims) are so unpleasant as to be morally unacceptable, while false negatives (letting the occasional bomb-laden terrorist onto an airplane) aren't so bad that we should seek to prevent every instance of them. I am open to the idea that we are irrationally afraid of airline terrorism (and airplane crashes generally), but you have not made this case. And I would point out that our horror at the prospect of planes exploding at 30,000 feet is part of the cost of terrorism that we must consider. If, as result of some quirk in human psychology, a few downed airplanes will cripple our economy in a way that a few blown up trains never will, then it is rational for us to have a zero-tolerance policy regarding bombs on airplanes.

BS:  It turns out designing good security systems is as complicated as I make it out to be.  Witness all the lousy systems out there designed by people who didn't understand security.  Designing an airport security system is hard.  Designing a passenger profiling system within an airport security system is hard.  And I'm going to walk you through an analysis of your security design.

In your response above, you make a big deal about two points that are unimportant.

One, it doesn't matter that the correlation between Muslim and terrorist is a causal relationship. We're taking about a detection system.  You're proposing that we can detect attribute A (terrorist) by using attribute B (Muslim).  That's what matters, not whether or not there's a causal arrow or which direction it points.  In using the word "correlation" I was giving you the benefit of the doubt; it's a lower bar.

And two, "the probability that the next terrorist will be a Muslim" doesn't matter either.  To demonstrate that, for now I'll just assume the probability equals one.

To analyze your system, I first need to describe it.  In security, the devil is in the details, and it's the details that matter.  Lots of security systems look great in one sentence but terrible once they're expanded to a few paragraphs.

You're proposing an airport passenger screening system with two tiers of security.  Everyone gets subjected to the lower tier, but only people who meet your profile, "Muslims, or anyone who could conceivably be Muslim," would be subjected to the higher tier.

SH:  Yes, and anyone else whose bag or behavior seems to merit follow up (e.g., the Hindawi affair).

BS:  That's behavioral profiling, completely different from what we're discussing here.  I want to stick with your ethnic profiling system.

SH: Well, I disagree. And the Israelis, who are generally credited with being the masters of behavioral profiling, appear to disagree as well. A person's behavior can only be interpreted in context. What does a man's sweating profusely and looking agitated mean? It means one thing if he is a morbidly obese senior from Alabama traveling with his wife and their church group, who is struggling to get all the trinkets he purchased in Jerusalem into a bursting suitcase; it means another if he is a 23-year-old man traveling on a Pakistani passport who is doing his best to not make eye contact with anyone. The distinction between behavioral profiling and everything else that can be noticed about a person is a myth. However, we can table this issue for the time being.

BS: You can disagree, but I assure you that the Israelis understand the difference between ethnic profiling and behavioral profiling.  Yes, they do both together, but that doesn't mean you can confuse them.  But let's stick to topic: ethnic profiling.

In practice, this would mean that everyone would go through primary airport screening: x-ray machine for hand luggage, and the magnetometer or full-body scanner for their bodies. But when primary screening results in an anomaly -- this is generally because the magnetometer beeps, the full-body scanner shows something, or there's something suspicious in an x-ray image -- in some cases people who don't meet the profile would be allowed through security without that anomaly being further checked.

SH:  Yes, depending on the anomaly.

BS: TSA screeners would have to make the determination, based on some subjective predetermined criteria which they would have to apply, whether or not individuals meet the profile.  You are not proposing this because it will improve security.

SH: On the contrary, I believe it will improve security. Let's say that in each moment the TSA has $100 worth of attention, and they can spend it any way they want. A dollar spent on a toddler whose family does not stand a chance of having turned him into an IED is a dollar wasted (i.e., not spent elsewhere).

BS:  That's also a separate issue.  We're comparing profiling with not profiling. You are essentially making an efficiency argument in support of profiling: "I am more concerned about the risk of airport screeners obviously wasting their time."  This efficiency, you argue, could result in either cost savings as TSA staffing was reduced, or in increased security elsewhere as superfluous screeners were retasked to do other things that might improve security.  But that is independent of, and irrelevant to, the analysis of the proposed security system.  The proposed benefit of the profiling system is the same security at reduced cost, and reduced inconvenience to non-profiled people.

SH:  I agree. I would just emphasize that I think of efficiency in terms of increased security, not in terms of reducing costs. Efficiency allows for more eyes on the problem -- another person watching the scanner images, another person able to study the behavior of a suspicious person. Every moment spent following up with the wrong family is not just a moment in which the line slows down -- it's also a moment in which someone or something else gets ignored.

BS:  Of course.  Again, when you have an efficiency gain you can either realize it by reducing your cost or by doing more of what you're already doing.  But that potential additional security has nothing to do with the efficacy of profiling.  If we believe that an extra $10 of attention will make us safer, we can either add $10 to the TSA's budget, or save $10 by increasing efficiency somewhere else.

SH: Now I see what you are getting at -- and I'm prepared to agree for the sake of letting you continue with your analysis. But I want to point out that there might be more to it than the question of efficiency. I think a policy of not profiling -- that is, remaining committed to the fiction that we have no idea where the threat of suicidal terrorism is coming from -- might cause screeners to be much worse at their jobs than they would otherwise be. Gains in efficiency due to profiling might not just be a matter of "doing more of what you're already doing." It could be doing more of what the Israelis are already doing -- which I don't think entails their lying to themselves about the source of the problem.

BS: You are, however, implying a different type of profiling system: to take a security procedure now randomly applied -- swabbing luggage for explosive residue, for example -- and apply it according to the profile.  Leave that aside for now; I'll come back to it later.

One piece of security philosophy to start.  Complexity is the enemy of security.  Adding complexity to a security system invariably introduces additional vulnerabilities (see my 2000 essay).  Simple systems are easier to analyze.  Simpler systems have fewer security assumptions.  Simpler systems are more robust against mistakes in analysis.  And simpler systems are more secure. 

More specifically, simplicity tends to completely remove potential avenues of attack.  An easy example might be to think of a building.  Adding a new door is an additional complexity, and requires additional security to secure that door.  This leads to an analysis of door materials, lock strength, and so on.  The same building without that door is inherently more secure, and requires no analysis or assumptions about how it will be secured.  Of course, this isn't to say that buildings with doors are insecure, only that it takes more work to secure them.  And it takes more work to secure a building with ten doors than with one door.  I will appeal to simplicity multiple times in any analysis of your profiling system.

Let's get started, then.  Security is always a trade-off: costs versus benefits.  We're going to tally them up.

The primary benefit to your system is increased efficiency, but it's not as much as you think. In Kip Hawley's memoir of his time as head of the TSA, he talks about the shoe scanning process. After Richard Reid's failed shoe-bombing attempt in late 2001, TSA screeners started requiring people wearing thick-heeled shoes and boots to remove them and put them through the x-ray machines.  They deliberately chose the most accurate correlation in order to minimize the passenger inconvenience. But when they revised the rule to require everyone to take their shoes off, checkpoint throughput increased.  There is an inherent inefficiency to non-uniform procedures, and when passengers knew what to expect, there was less delay.

Your system is different.  The non-uniformity is in the resolving of anomalies, not in the basic security procedures that everyone has to go through. There would be an efficiency benefit resulting from your system, but it would still be diminished because passengers wouldn't know what to expect.

SH: Perhaps. But this is also a problem with our current system -- and it would be a bigger problem with any system that fully implemented randomness (which you have recommended). People would be surprised to be pulled aside, or have their bag swabbed for explosive residue, when this didn't happen last time around. What we have now is a system in which we pretend not to profile (while still profiling, and probably doing it badly) by wasting precious resources on obvious non-threats and further inconveniencing the profiled and non-profiled alike.

BS: "Obvious non-threats" to you, not real obvious non-threats.  But I'm getting ahead of myself.

Your system has a secondary benefit as well: reduced inconvenience to people who don't meet the profile.  You correctly point out above that the extra inconvenience from this secondary screening is low, so I'm going to largely ignore this.

That's it for benefits.  Let's now get into the costs.

For the purposes of this analysis, I'm assuming that the correlation between attribute A (terrorist) and attribute B (Muslim) is 1.  Attribute B is a belief system, and effectively undetectable within the context of an airport security checkpoint.  As such, you are proposing attribute B' ("anyone who could conceivably be Muslim") as a substitute for B. This why I previously described this as Arab-looking, or Semitic.

In your system, people who don't meet the profile would in some cases not be further screened if primary screening resulted in an anomaly.  There is a potential security cost associated with each of these incidents.  Since we're assuming that all terrorists are Muslims, that cost is zero if only we could profile based on attribute B.  But since we're profiling on related attribute rate B', there is a cost that's proportional to our error rate.

SH: I like the approach you are taking, but I want to make a few observations before you go further. First, I'd like to point out that the concern you raised in your essay about the low base rate of terrorism has now fallen by the wayside. This is fine, of course, but I want those readers who thought the problem of false positives to be decisive to take note. You and I now appear to agree that the "false positive" of having to endure a secondary screening is no big deal.

BS:  Actually, the base rate fallacy is still important.  If 10% of all airline travelers were terrorists, you'd end up with a very different result.  In that case, even a mediocre profile would reduce successful attacks more than random screening.

SH:  Any further significance of base rate remains to be demonstrated. I'm simply pointing out that the significance you appeared to give it in your essay has not held up. We are not worried about the "false positive" of executing a secondary search on an innocent person who fits the profile.

Second, we should acknowledge that certain travelers fit the profile so well that they are obviously Muslim, and others stand a very good chance of being Muslim, and these facts can be discerned by any trained screener simply by looking. Certain costumes and behaviors constitute ideological performances -- which is to say, we can know what a person believes, or is likely to believe, by his appearance alone.

BS:  I don't believe this is true.  But, again, so what?  The question is not whether some people look more or less Muslim, the question is whether profiling on that characteristic makes security sense.

SH: You've said repeatedly that there is no such thing as "looking Muslim" -- but there is. And this is one instance of your denying that a channel of statistically relevant information is available to us. Given the levels of political correctness on this topic, I would not be surprised if the TSA followed suit and failed to search certain high-risk travelers for fear of offending them. I have heard stories of women in niqabs breezing through security. What percentage of niqab wearers -- or, more important, the men traveling with them -- hope for a global Caliphate or believe that martyrdom is a direct path to Paradise? It is surely high. It is rather like asking what percentage of skinheads wearing swastika tattoos and "White Pride Worldwide" T-shirts are racist and anti-Semitic. If we were in a global war against a cult of suicidal white supremacists, one would have to be crazy not to pay extra attention to this distinguished gentleman at the airport.

Needless to say, such people would be relentlessly profiled outside the airport, too (we call this "intelligence gathering"). However, I will grant you that some of the people we are worried about will take careful steps to appear non-ideological. I just want to point out that many aspiring martyrs don't bother to do this, and don't do a very good job of it when they do.

Again, I worry that political correctness can open up another pathway through security, allowing terrorists to hide in plain sight. If it ever became clear that we had a policy of not profiling, designed to assure everyone that we were non-racist and culturally sensitive, terrorists could safely assume that the TSA wouldn't oblige a Muslim woman to lift her veil if she didn't want to.

BS: Honestly, I don't care about the political correctness of this.  Profiling is bad security.  I understand that it intuitively seems obvious to you, and that your gut tells you it's better, but it's not.  And I am going to continue to explain why. 

To continue: to implement this system, you're going to have to make this profile explicit.  You're going to need a precise definition for B'.  And it needs to be a definition that can be taught to the TSA screeners, written down in the Standard Operating Procedures (SOP) manual found at every TSA checkpoint.  I believe that once you start trying to specify your profile exactly, it will either encompass so many people as to be useless, or leave out so many people as to be dangerous.  That is, I can't figure out how to get your error rate down.

SH: Well, we seem to be coming at this problem from opposite ends. As you know, in my first article, I spoke of "anti-profiling," by which I meant not flagrantly wasting everyone's time in a politically correct show of fairness. I'm told that Al Gore was once pulled aside for a random body search. Wasting a minute on the prospect that Al Gore has been recruited by al Qaeda is sheer lunacy.  I don't think that needs to be spelled out in the policy. Agents could be well-trained to look for the threat -- jihadists -- under all conceivable guises and then be trusted to use their discretion to ignore people who obviously pose no threat.

BS: It doesn't matter.  Call it profiling, call it anti-profiling.  In my analysis, all that matters is that you're dividing people into two buckets: one has an easier path through security and the other has a harder path.  The question I'm addressing is whether this system makes any sense.  And if you think about it, an anti-profiling system makes even less sense.  The smaller your "easier path" bucket is, the less efficiency gain you get.  And you still have to pay the full cost in security, money, and inefficiency, as I'll explain below.

In my initial rebuttal I listed Muslim terrorists who are ethnically African, Hispanic, Caribbean, and Asian.  There have been both male and female Muslim suicide bombers.  We know that Osama bin Laden was actively trying to recruit terrorists who would not look like your profile.  Khalid Sheikh Mohammed, in the testimony entered in the Moussaoui case, said he was planning a second wave attack after 9/11, but would use only Asians and Europeans for that because he assumed Arabs would be -- essentially -- profiled (see paragraphs numbered 77 and 79 on pp. 38 -- 39 of his testimony, which seems not to be on the Internet).

This isn't a red herring.  There are known European-looking Muslim terrorists.  In Kip Hawley's book, he mentions by name specific Muslim terrorists who were 1) actively plotting against airplanes, and 2) ethnically European.  He writes about the Austrian Abdulrahman Hilal Hussein: "with his trim muscular build and light brown hair, Abdulrahman looked, talked, and acted like the other Austrian schoolchildren" and that he "resembled Nicholas Cage."  He writes about Fritz Gelowicz, a German who converted to Islam as a teenager: "A handsome boy, with light brown hair and fair skin, Fritz was indistinguishable from his peers in many ways."  I asked Hawley about profiling in a recent interview, and he said: "Profiling on the basis of LOOKS is terrible security.  AQ has hundreds, literally, of agents selected specifically because they don't look like young middle-eastern men."  When I pressed him, he added:  "AQ has trained hundreds of western operatives, including from North America, of all ages, colors, genders, whatever -- many of whom we know by real name, some only by nickname." Look at pictures of Eric Breininger, another German native.  Or Long Island altar boy Bryant Neal Vinas.  Taking the intelligence reports at face value, both of these people have undergone training at al Qaeda camps.

A profile that encompasses "anyone who could conceivably be Muslim" needs to include almost everyone.  Anything less and you're missing known Muslim airplane terrorist wannabes.

SH: It includes a lot of people, but I wouldn't say almost everyone.  In fact, I just flew out of San Jose this morning and witnessed a performance of security theater so masochistic and absurd that, given our ongoing discussion, it seemed too good to be true. If I hadn't known better, I would have thought I was being punked by the TSA.

The line at the back-scatter X-ray machines was moving so slowly that I opted for a full-body pat down. What was the hang up? There were five people in wheelchairs -- four of whom appeared to be World War II veterans -- who needed to be stripped of their shoes, coats, belts, etc. and forced to stand. They were followed by several old women from Mexico -- who will be at the top of my watch list should we ever go to war against the cult of Our Lady of Guadalupe, but who were (you could just bet your life on it) perfectly harmless at present. I can honestly say that, even with nefarious characters like you, me, Bryant Neal Vinas, and Nicholas Cage warranting a secondary screening, 90% of the people I saw at airport security this morning should have been waved through without a word.

Once again, I think you are underestimating a trained screener's ability to see that someone isn't at all likely to be a suicide bomber. But let's set this issue aside for the moment.

BS: Hawley specifically mentions wheelchairs in his book: "We know from al Qaeda training documents that terrorists are considering smuggling explosives in wheelchair wheels."  I'm not saying you should take everything in that book at face value, but think twice before dismissing something out of hand.

SH: I'm not claiming that there is something magically exculpatory about sitting in a wheelchair. But many people in wheelchairs are there for a reason -- like advanced age -- that makes them unlikely to be waging jihad. My point, once again, is that we are being both imprudent and impractical not to avail ourselves of all the information we can glean about the statistical likelihood that a person is a jihadist. But please continue with your analysis.

BS: Back to my analysis.

Of course, the relative threat of a passenger depends on his or her profile, and there's a lot of room for debate as to which marginal cases are more or less likely to be terrorists.  We could research the matter further.  We could debate the relative risks of Asian-looking Muslim terrorists versus Semitic-looking Muslim terrorists, or the ability of the people who have taken over from bin Ladin or KSH to recruit Western-looking Muslims.  If we had access to classified intelligence data, we could have a more informed debate.  We could discuss how easy it is for a European Muslim terrorist to look and behave like an old rancher from Texas.  Or a pretty blonde San Diegoan who talks about her Battlestar Galactica walk-on.  There'll be some right answer, although it's probably not knowable.  But all of this goes away if you don't profile.  It doesn't matter how effective al Qaeda leaders are at recruiting Muslims who don't fit the profile.  It doesn't matter what the intelligence says, or who's right and who's wrong.  By employing a simpler security system, the whole potential avenue of attack -- not meeting the profile -- disappears.

SH: All these concerns also go away if we don't screen anyone at all. We could have the same security on planes that we have on trains -- that is to say, none. We have to keep in mind the states of the world that we are comparing: one in which screeners intelligently focus on more likely threats, one in which they randomly screen people, including those who seem extraordinarily unlikely to be terrorists, and perhaps another condition in which no one receives a secondary screening at all.

BS: Not relevant.  We're only comparing profiling versus non-profiling, as I described above.  We're not analyzing absolute levels of security, and we're not comparing anything other than those two things.  Really, you have to be methodical with security analyses.  I'm going to keep going.

Non-Muslim-looking Muslims isn't the only source of error in your profiling system.  Your system requires TSA screeners to make the profiling decision, and that's going to be fraught with errors.  Can we really trust TSA agents to tell the difference between a Tibetan Buddhist and an Indonesian Muslim?  Or an American blonde surfer-dude and an Arab of similar age who used skin lightener and hair dye?  Or a Mennonite man and someone who grew his hair to look like one?  You say that terrorists will not look like "a family that looks like it just stepped out of a Ralph Lauren ad."  All that's required for someone to look like that is a credit card and access to ralphlauren.com; can we trust screeners not to focus on clothes?  Or facial hair.  Making ethnic judgments isn't easy, and there are going to be mistakes -- lots of mistakes.  And every mistake reduces security, especially since it's easy for terrorists to test for flaws by repeatedly going through airport security on trial runs.

SH: I'm sorry -- I don't want to derail your analysis, because I really want to hear it -- but I think you continue to trivialize how difficult it is to recruit people for jihad who look completely off type, and who can behave completely off type while passing through security. And I think you denigrate the ability of trained screeners, or even ordinary people, to profile accurately. Human beings are better at detecting threats than you allow.

The example of successful recruitment that you link to in your essay is no example at all. As you know, the Hindawi affair was a case in which a Jordanian Muslim attempted to bomb an El Al flight by hiding 3 lbs of Semtex and a detonator in the luggage of his pregnant fiancé, who happened to be Irish. What was the real threat here? We have a Western woman who simply could not imagine that her Muslim fiancé was so radicalized that he would murder her and his own unborn child for a chance to blow up a plane full of Jews. The screeners for El Al are paid to imagine precisely this sort of thing. That is why they interview passengers.

Looking more closely at certain people who fit the profile of a jihadist does not mean we must ignore everyone else. As I've said, all bags should be screened and all people should have their travel documents checked and be behaviorally profiled. But, in many cases, excluding someone from further scrutiny requires little more than a glance. Half the families I see at the airport are obviously not waging jihad. If any of them were actually jihadists, expecting to blow themselves up in a couple of hours, they would be the best actors on earth.

BS:  Not half the families, all the families.  One hundred percent of the people you see at airports and everywhere else you look are not terrorists.  But one day, some TSA agent somewhere will see someone who is a terrorist.  And relying simply on whether or not he thinks that person looks like a terrorist is just a dumb risk to take.

SH:  Again, you seem to deny that it is possible to make statistically accurate judgments about other human beings. There are companies that can guess your favorite television shows by knowing little more than your age, gender, and zip code. This woman was apparently strip searched by the TSA. It is not hard to know that this was guaranteed to be a waste of time.

I don't mean to belabor the point, but I would recommend the following exercise to our readers: Go to a public place -- a restaurant, coffee shop, shopping mall, or an airport -- where you can unobtrusively watch people go about their business, and see how much you can know about them just by looking. Ask yourself, what are the chances that those 20-year-old girls in yoga pants, buying frappuccinos, are taxidermists? What about the guy in his 40s, deeply tanned as though he never goes indoors, with tattoos covering both arms -- what are the chances he's a cardiologist? If you do this, you will begin to feel that you know the answers to these questions. Of course, in a training scenario for airport screeners, the accuracy of such judgments could be tested.

I also want to remind you of the context in which our discussion began. I suggested that we admit that we are worried about Muslim jihadists and that we profile accordingly -- and I was immediately pilloried as a racist and a hate-monger. Many of my sternest critics hurled your name at me -- you being a prominent critic of profiling. Whether we can agree about the utility of profiling -- part of my motivation for debating you on this topic was to answer these background charges of bigotry. Most of my critics want to argue that we have an ethical obligation not to profile. Even you flirted with this position in your essay ("Do we really want the full power of government to act out our stereotypes and prejudices? Have we Americans ever done something like this and not been ashamed later? This is what we have a Constitution for: to help us live up to our values and not down to our fears.") So I think it is important to recall how emotionally charged the very notion of profiling is.

In my view, we are simply talking about maximizing our ability to detect those who intend to do us harm, while minimizing the material and social costs of doing this. It seems to me that the analogy to personal self-defense is pretty compelling: Imagine teaching a women's self-defense class and instructing your students that they have an ethical obligation not to profile their potential assailants. Of course, this advice is so obscenely at odds with what is prudent for women to do that no self-defense instructor would ever say such a thing. Any approach to women's self-defense that does not, at a minimum, teach them to profile men is pure delusion.

BS:  Men are 50% of the population; it changes the analysis completely.  The base rate really does matter.

SH:  Again, you are confused about the relevant base rate. Men are 50% of the population -- but how many men are rapists or murderers? One could argue that it is quite unfair for a woman to view all men as potential attackers (just as it's unfair to view all Muslims as potential jihadists) because almost none of them are. So this analogy maps onto the problem of finding terrorists pretty well. Almost everyone who fits the profile of a conceivable jihadist (you, me, the guy from Pakistan, but not Barbara Bush) will, of course, not be one.

With this in mind, just imagine hearing the following story from your wife or daughter:

"I did something today that I'm very ashamed of. I was on an elevator alone, and a man got on who made me uncomfortable, so I stepped off before the doors closed and took another lift. The truth is, I profiled him. He was black and also appeared to be homeless. It was an extremely nice building in a wealthy and very white part of town -- so he just didn't seem to belong there. He also made strange eye contact with me when he stepped onto the elevator, but that could have been because he felt out of place. The truth is, I just didn't like the feeling I got when I looked at him, and this feeling arose almost instantaneously. I know this makes me seem like a paranoid, racist, elitist profiler -- and I feel terrible about it."

Is there a husband or father on earth who would want to dignify this guilt? This woman did precisely the right thing -- even with a low base rate of rapists and killers in the male population. And I would hope any woman would follow her example. In my view, her behavior does not even slightly convict her of racial bias, or a failure of compassion for the homeless, or any other sin. Political correctness -- not wanting to appear racist or elitist in cases like this -- has gotten women raped (we know this because we can talk to the victims) and probably killed (we can only assume). It is simply a fact that even untrained people are very good at making nearly instantaneous threat assessments -- and a failure to trust these judgments raises one's risk of being the victim of a violent crime. You seem to assume that even highly trained screeners would completely lack this ability.

I'm not suggesting that we should continually judge strangers on the basis of crude stereotypes. But people take in a vast amount of information about one another whenever they meet -- dozens of variables get amplified or diminished in importance due to context. A young, white male with a shaved head and boots looks one way entering a cancer ward and another way loitering in the parking lot of a synagogue. Anyone who is determined to throw out all surface information of this kind, and just treat everyone the same, is not using his head.

BS:  What you described above is behavioral profiling, and very different from what we're discussing here.  I wrote about this sort of thing in my book, Beyond Fear, in the context of terrorism.  (See also this essay, about "looking hinky.")  And you are continually conflating the existence of a correlation with building a security system based on that correlation.  One does not automatically imply the other.

SH:  Sorry, but your purified notion of "behavioral profiling" is a fiction. You are attempting to divide that which cannot be divided. The fact that the man was black in the elevator example was relevant (as it increased the statistical likelihood that he didn't have an apartment in that building); the fact that the bald man in the synagogue parking lot was white was also relevant (making it at least conceivable that he was a neo-Nazi skinhead). I am simply arguing that tossing out statistically relevant information is a bad idea -- especially when your life depends on it. And what you call "behavioral profiling" simply can't take place in isolation from these sources of information.

BS:  Actually, it's not.  The two are very different.  Yes, they are often used together.  Yes, people can be trained to focus on one and not the other.  Yes, they can work in conjunction with each other and they can work in opposition to each other. But they are different.

SH:  The whole purpose of my previous articles was to suggest that we should have well-trained screeners who can use their discretion to spend less time focusing on the least threatening people -- and that focusing on them purely for the sake of appearing fair could well get many people killed. I wrote the articles I would want to have written in the event that we have another terrorist incident involving a jihadist on an airplane. Of course, if a plane gets blown up by someone who looked and acted like Betty White, I will issue a public apology.

BS: Yes, you will, if someone whom you believe doesn't meet the terrorist profile commits a terrorist act -- and that list includes the "hundreds of western operatives, including from North America, of all ages, colors, genders, whatever" that Kip Hawley said U.S. intelligence is specifically following.  If a plane is blown up by someone who doesn't look like a Muslim jihadist, your entire profiling system failed.  I'm making a simplicity argument.  My proposed security system, which does not profile ethnically, has no such requirement. It is resilient to mistakes in my analysis.

This point is important.  We can debate the details.  We can run experiments with TSA agents and images on a computer screen.  We can collect data by hiring people who meet the profile and get them to try to fool TSA agents.  But as a security engineer, I'd rather build a system that doesn't require us to figure out who's right; the simpler system of not profiling makes the whole issue disappear.

We could also instruct screeners to err on the side of caution, and include any questionable cases in the profile, but then we're back to a profile that encompasses so many people as not to be worth the bother.

There are more sources of error.  Your system actually requires two judgment decisions: both the passenger being screened, and the screening anomaly being ignored or cleared.  You specifically said that some anomalies would be checked all the time, and some would not.  If the full-body scanner image clearly showed a gun-shaped object strapped to the leg of a passenger, presumably that would be checked in every case.  But what about something that looks mostly like a gun?  Or sort of like a gun?  Or just a large blob of something?  At some point, your system is going to allow a non-profiled person through but further check the profiled person.  Luggage is the same.  An obvious bomb will be checked in all cases.  But something that might be a bomb will be let through in some cases but not others.  A large knife will be confiscated in all cases, but a small knife only from those who meet the profile.  Someone who sets off the metal detector is a harder call; there's no information for the screener to go by other than the beep.

And I'm just considering the simplest case, where there are only two possible designations for individuals: in the profile or out.  We can imagine something even more complicated: we check out obvious guns for everyone, probable guns only for those who are on the edge case of the profile, and possible guns only for those who definitely meet the profile.

Remember, this all has to be in the screener's procedure manual.  It's not something that can be invented on the fly.  The result will be an extraordinarily complex system, as we consider all of the possible cases.  And the more complicated the system, the easier it is to make mistakes.  Your proposed profiling system increases insecurity simply by existing.

Those are the security costs.  There are also monetary costs.  You want a system that has "well-trained screeners who can use their discretion to spend less time focusing on the least threatening people."  That's a system where TSA agents have to use their judgment about whether to implement secondary screening, based both on their assessment of whether the passenger meets the profile and their assessment on how potentially dangerous the primary screening anomaly is.  This requires a smarter and better-trained TSA agent than the current caliber of agent, and that's expensive.

There are many reasons why employees are forced to substitute procedures for judgment, but the important one for this discussion is that it allows the employer to hire a cheaper employee.  This is true across all industries, including the TSA.  If you implement a system where TSA agents are going to make threat judgments of every passenger and every screening anomaly, you're going to need to hire a better class of TSA agent (which means you're going to have to pay them more) and you're going to need to train them better (which means you're going to have to spend money on that).  Implementing this profiling system will require substantial additional personnel costs.

There's also the start-up costs of creating the procedure manual for this system, but the ongoing costs will dominate.  You said, "A dollar spent on a toddler whose family does not stand a chance of having rigged him to explode is a dollar wasted (i.e., not spent elsewhere)."  With this system, you're going to spend far more than a dollar in not wasting that dollar

There's another cost that's partly monetary and partly in efficiency.  When implementing any human-based system, the interests of the people operating the system often don't precisely coincide with the interests of those designing it.  This is the principal-agent problem, and it manifests itself in your profiling system as the TSA agent who thinks "If I wave this person through without checking out the anomaly and he turns out to be a terrorist, it's my ass on the line."  Because the cost to the agent of a false positive is zero but the cost of missing a real attacker is his entire career, screeners will naturally tend towards ignoring the profile and instead fully checking everyone. And the screener's supervisor is unlikely to tell him, "Hey you need to ignore the next old lady that beeps," because if he's wrong then it's his ass on the line.  The phenomenon is more general than security; discretionary systems tend to gravitate towards zero-tolerance systems because "following procedure" is a reasonable defense against being blamed for failure.  You can counteract this tendency by paying even more for even more intelligent screeners, and paying even more for more training, but otherwise, it will reduce the efficiency gains that are the primary purported benefit of your system.

SH:  Do you think positive incentives would have the same effect? What if screeners won a million dollars every time they caught a real terrorist? I'm guessing they would focus on more likely suspects.

BS:  Rewards can be a great motivational tool, but you have to be careful what you motivate.  Remember, we don't want screeners to focus on what they believe the threat is.  We want them to focus on the actual threat.

SH: Again, I would argue that a screener's beliefs and reality can converge more than you allow.

BS: I'm not done.  There is another, more explicit, reduction in efficiency inherent to your profiling system.  You're expecting TSA agents to make these profiling decisions, and that takes time and attention.  Moreover, your decisions will often require coordination between different TSA agents doing different jobs.  The TSA agent who sees the anomaly resulting from the full-body scan is not the same agent who is looking at the passenger.  The agent who notices the small knife or something that might be a bomb in scanned luggage is not the same person who is looking at the passenger who owns that piece of luggage.  This procedure will cost time; there's no way to avoid it.  You have to pay for it with either money (more screeners) or security (screeners who are making these decisions aren't doing something else instead).

So far, this analysis has assumed that the correlation between airplane terrorist and Muslim is one.  Of course, it isn't.  It's high, but it's not one.  You might not want to discuss Timothy McVeigh and the Unabomber, but both are examples of non-Muslim terrorists.  Anders Behring Breivik in Norway massacred 77 and wounded 242 people; it's not much of a stretch to think of him as a potential airplane suicide terrorist.  In 2010, non-Muslim Andrew Joseph Stack, who looks as American as they come, flew a small airplane into a building in a suicidal terror attack.

Again, we can argue about the exact correlation between terrorist and Muslim.  Perhaps you think it's higher than I do.  Perhaps someone with access to classified intelligence thinks it's even higher, or even lower.  And again, if we don't ethnically profiling, then it doesn't matter who is right and who is wrong.  The simplification removes the issue entirely.

I've done my cost-benefit analysis of profiling based on looking Muslim, and it's seriously lopsided.  On the benefit side, we have increased efficiency as screeners ignore some primary-screening anomalies for people who don't meet the profile.  On the cost side, we have decreased security resulting from our imperfect profile of Muslims, decreased security resulting from our ignoring of non-Muslim terrorist threats, decreased security resulting in errors in implementing the system, increased cost due to replacing procedures with judgment, decreased efficiency (or possibly increased cost) because of the principal-agent problem, and decreased efficiency as screeners make their profiling judgments.  Additionally, your system is vulnerable to mistakes in your estimation of the proper profile.  If you've made any mistakes, or if the profile changes with time and you don't realize it, your system becomes even worse.

This same basic analysis also holds true to random versus profiled secondary screening.  Using the example of swabbing luggage randomly for explosive residue versus swabbing luggage of profiled people, there's no efficiency benefit (screeners are performing the same number of swab tests) but a potential security benefit (the tests are being performed only on those who meet the profile).  There are still the security risks resulting from an imperfect Muslim profile and the potential existence of non-Muslim terrorists.  There are still the security risks from profiling errors.  There is still the monetary cost of replacing procedures with judgments, the efficiency or monetary cost of the principal-agent problem, and the efficiency cost of making those judgments.

The difference is that the benefit isn't very much.  The point of a mandatory screening procedure, like looking for guns, is to ensure that no one has a gun.  The point of a random procedure is to inject enough uncertainty into the system that terrorists can't build a plot around getting through the security system.  Replacing a random procedure with a profiled procedure increases the likelihood that someone who meets the profile will get caught, while at the same time decreasing the likelihood that someone who doesn't meet the profile will get caught.  The result is less uncertainty on the part of the terrorist, and therefore less overall security.

SH: I share your concern about the risk that some people could successfully game the system -- but I still think we can exclude people who (effectively) pose zero risk. Needless to say, no system that we can live with (and afford) will be guaranteed to catch every terrorist.

And everything you have said about airport security would seem to apply to profiling in the course of gathering intelligence out in the world. Should we infiltrate the Sunni mosque or the Hindu ashram? Shall we flip a coin to introduce some randomness into this decision process? If we keep profiling mosques, won't the jihadists just game the system by devoting themselves to yoga full time? Again, your argument seems to rest on a profound skepticism about our ability to ever know what we are looking for -- along with a very high opinion of the enemy's ability to recruit NFL cheerleaders.

BS: It might seem to apply to all of those things, but that doesn't mean a careful analysis will yield the same conclusion.  Just because in this case it doesn't make sense to build a security system based on your correlation doesn't mean it doesn't make sense in every case.  Sometimes we do flip coins to introduce randomness into security systems.  Sometimes the bad guys can't game the profile as easily as others.  The lesson is not to rely on your intuition, but to perform a detailed security analysis to answer these questions.

In the profiling case, the mathematically optimal strategy is a combination of profiling and random sampling.  But, really, this is simply too complicated to implement in any practical way at a security checkpoint.  Given the choice between profiling and random sampling, random wins.

This analysis is not "a litany of concerns about profiling that are (in my view) easily answered."  It's what happens when you take an idea for a security system and try to implement it in practice.  It's the real world.

SH: Well, actually, the paper you cite seems to support my intuitions pretty well. As you know, I'm not recommending "strong profiling" -- and using "square-root biased sampling" seems to be another way of saying that we should profile, but we should keep the profile pretty broad; we should notice the differences between people, but we shouldn't be overly impressed by those differences (i.e., we should be using the square-root of the prior probability that a person is a terrorist, rather than the probability itself). This research advocates that secondary screenings be "distributed broadly, although not uniformly, over the population." That sounds pretty good to me.

It's not altogether clear to me what assumptions have been built into this model. And I do not doubt that adding a layer of random screening to a base of profiling would increase security. I continue to believe, however, that certain people can be definitely excluded from the search space -- Betty White -- thereby raising our odds of catching real terrorists.

BS: The paper supports some of your intuitions about how useful your correlation is, but doesn't speak at all to the efficacy of building a security system around that correlation.  That's what I have been trying to make explicit: just because a correlation exists doesn't mean that it is smart security to use it as a mechanism for dividing people into two categories and subjecting those categories to different levels of security.

I agree that the result is perverse.  I agree that, on the face of it, it makes no sense to screen someone who looks and acts like Betty White, or those four wheelchair-using World War II veterans at San Jose Airport.  But it results in better security.  By "obviously wasting their time," security screeners are in fact both saving time and improving security.

SH: Well, that's not how I read the research you provided. There are many people for whom I would set the prior probability of their being a jihadist at (effectively) zero. Granted, the probability for any one person who fits the broader profile will be pretty low. But for certain people, I would put the probability higher than you might expect. And if we change the question slightly to encompass intelligence gathering -- "What are the chances that this person knows a few jihadists" -- something like strong profiling begins to look pretty reasonable.

The paper you cite doesn't describe the condition of knowing that the threat is coming from a single group. I continue to believe that anyone we can definitely exclude from that group (e.g., Betty White) shouldn't capture any of our resources.

BS: And I believe that is because you are discounting the costs in money, efficiency, and security of implementing a system where they do not capture any resources.  I say that if it costs you $2 plus ten seconds plus some additional security risk to save $1, then you should waste the $1, and move on.

Also, there is nothing in these analyses about political correctness, or fear of offending Muslims.  You can perform the same basic analysis on fraudulent credit card transactions.  You can perform it on Internet packets being screened by an intrusion detection system before entering your network. 

There are other security concerns when you look at the geopolitical context, though.  Profiling Muslims fosters an "us vs. them" thinking that simply isn't accurate when talking about terrorism.  I have always thought that the "war on terror" metaphor was actively harmful to security because it raised the terrorists to the level of equal combatant.  In a war, there are sides, and there is winning.  I much prefer the crime metaphor.  There are no opposing sides in crime; there are the few criminals and the rest of us.  There criminals don't "win."  Maybe they get away with it for a while, but eventually they're caught. 

"Us vs. them" thinking has two basic costs.  One, it establishes that worldview in the minds of "us": the non-profiled.  We saw this after 9/11, in the assaults and discriminations against innocent Americans who happened to be Muslim.  And two, it establishes the same worldview in the minds of "them": Muslims.  This increases anti-American sentiment among Muslims.  This reduces our security, less because it creates terrorists -- although I'm sure it is one of the things that pushes a marginal terrorist over the line -- and more that a higher anti-American sentiment in the Muslim community is a more fertile ground for terrorist groups to recruit and operate.  Making sure the vast majority of Muslims who are not terrorists are part of the "us" fighting terror, just as the vast majority of honest citizens work together in fighting crime, is a security benefit. 

Like many of the other things we've discussed here, we can debate how big the costs and benefits I just described are, or we can simplify our system and stop worrying about it.

One final cost.  Security isn't the only thing we're trying to optimize; there are other values at stake here.  There's a reason profiling is often against the law, and that's because it is contrary to our country's values.  Sometimes we might have to set aside those values, but not for this.

SH: I agree that we should be wary of "us vs. them" thinking. However, we must be honest about the where this is coming from in the present case -- it comes from the reflexive, religious solidarity that many Muslims feel for their fellow Muslims, simply because they are Muslims. And this religious solidarity makes the model of fighting "crime" currently inapplicable. Ordinary bank robbers and murderers are not united by an ideology that they are aggressively seeking to spread -- and are spreading, in a hundred countries. They don't have large networks of support and a larger population of people who sympathize with their basic motives, if not their methods. We do not have charitable foundations and academic departments devoted to promulgating a sympathetic understanding of bank robbery and murder.

You wrote in your essay, "Beyond the societal harms of deliberately harassing a minority group, singling out Muslims alienates the very people who are in the best position to discover and alert authorities about Muslim plots before the terrorists even get to the airport." This is quite true. But it is just another way of saying that we need Muslims to help profile within their own community, because only they can effectively do this. And yet you seem to believe that pretending that the Muslim community deserves no special scrutiny is the best way to ensure this cooperation. What if being honest with the Muslim community worked better?

BS:  I have argued that, at airport security checkpoints, profiling based on "Muslim, anyone who could conceivably be Muslim" does not make security sense.  It costs us more, reduces efficiency at security checkpoints, and decreases security.  I am not making any generalizations, and I am certainly not conflating investigation and intelligence -- following specific people who are out to do the world harm -- with profiling a specific ethnic group.

SH: You have repeatedly questioned the relevance and wisdom of focusing on Muslims, and in ways that clearly have wider implications. You claim that however we profile, we will be subjecting vast numbers of innocent people to scrutiny, which comes at an unacceptable social and political cost; and there is no way to accurately profile anyway, because terrorists come in every size, shape, and color, and can change their tactics to evade all but a truly random screening. These concerns do not magically disappear once we leave the airport -- nor do your conclusions about the importance of base rate. When you say, as you did a few moments ago -- "Security isn't the only thing we're trying to optimize; there are other values at stake here.  There's a reason profiling is often against the law, and that's because it is contrary to our country's values.  Sometimes we might have to set aside those values, but not for this." -- it is hard to believe that you are thinking only about airport security. 

BS:  Agreed, but those other security aspects are not relevant here.  In this analysis I am only considering airport security.  Actually, I am only considering passenger security checkpoints at airports.  Pieces of my analysis are applicable elsewhere, of course, but don't carelessly generalize security results without a complete analysis.

SH: Well, as I said in my second essay on this topic, I find it very strange that many people erupt in sanctimonious outrage at the idea of profiling at the airport, while cheerfully admitting the necessity of "gathering intelligence" out in the world. You surely know what intelligence work entails. Perhaps others don't. The violations of people's privacy and trust that arise in the course of looking for jihadists outside the airport, while occasionally covert, tend to be far more invasive and (one would imagine) offensive than the sort of profiling we are talking about at the airport.

I share your concern about not alienating the Muslim community. But we desperately need moderate Muslims to stop pretending that Islam is just like every other religion at this moment in history. As bad as Christianity and Judaism have been in the past (and may yet be again), only Muslims reliably work themselves into a killing rage over the mistreatment of a book; only Muslims murder their critics and apostates; only Muslims can be counted upon to riot by the tens of thousands over cartoons; and only Islam, with its doctrines of jihad and martyrdom, is perfectly suited to spawn a global death cult of suicidal terrorists.

We need moderate Muslims to admit that some of their coreligionists currently pose a danger to civil society unlike any other on the religious landscape. One would think this might be easy, as the effects of Muslim barbarism have so far been visited mostly on Muslims themselves. In fact, we need more people like Asra Nomani, whom you singled out for criticism as an otherwise intelligent person who mistakenly favors profiling. It seems to me that you have lost the plot here: Nomani has taken a remarkably courageous stand for honest self-criticism, in a community that tends to be violently opposed to it. This is yet another reason why I don't think we can discuss the issue of profiling at the airport in isolation from our other efforts to combat the forces of jihad. Admitting that we know what we are looking for -- Muslim extremists rather than generic terrorists -- could oblige the Muslim community to truly come to terms with the problem.

BS:  I'm not going to speak of Nomani's motivations.  This is a matter of security engineering, and in that context she is just another person with no security expertise applying her intuition to the problem. 

SH:  It seems to me that we have run out of steam, Bruce.

BS:  We're 13,000 words in; I'm not even sure we have any readers left.

SH:  If that's true, the terrorists really have won. I'm happy to give you the last word, but I hope you will address one point, in addition to saying anything else you might want to say, or linking to articles or books you have written if our readers want to follow up. It is still not clear to me what you actually recommend -- nor is it clear why your views about profiling, if true, wouldn't extend to all intelligence work, or even to immigration. Should we issue visas to people at random, or should we pay more attention to those applying from Yemen, Pakistan, and Somalia? For those seeking to immigrate from Canada, should we give more scrutiny to Arabs or to Inuit? I don't see how you can pull the brakes once this train has left the station. The base rate of terrorism is low everywhere and on all occasions. And, yes, we have an ethical commitment to treating people fairly, wherever possible. But it seems to me that you have made far too much of these facts at the airport -- and, given your reasoning, they should vitiate our commitment to targeted security on every other front. Rather than fly drones over Yemen, we should let them drift with the wind and rain down missiles at random.

You've admitted that profiling plus randomness is the best algorithm, but you think it's too complicated to implement at the airport; elsewhere you've conceded that the Israelis are masters at behavioral profiling, but you've indicated that we cannot hope to emulate their approach because it would be too expensive. At various other points you have hinted that we should just return to pre-9/11 security and stop worrying. What do you think we should do?

BS:  Let's quickly review.  The topic of this exchange, and the topic I've tried to stick to, is whether it makes sense to implement a two-tiered security system at airports, where "Muslims, or anyone who could conceivably be Muslim" get a higher tier of security and everyone else gets a lower tier.  I have concluded that it does not, for the following reasons.  One, the only benefit is efficiency.  Two, the result is lower security because 1) not all Muslims can be identified by appearance, 2) screeners will make mistakes in implementing whatever profiling system you have in mind, and 3) not all terrorists are Muslim.  Three, there are substantial monetary costs in implementing this system, in setting the system up, in administering it across all airports, and in paying for TSA screeners who can implement it.  And four, there is an inefficiency in operating the system that isn't there if screeners treat everyone the same way.  Conclusion: airport profiling based on this ethnic and religious characteristic does not make sense.

And while you've objected to bits and pieces of this, the only argument you have made for this profiling system is that it's common sense.

I agree that it might be unclear why my "view about profiling, if true, wouldn't extend to all intelligence work, or even to immigration."  This stuff is hard, and security -- especially complex technological security -- is often unclear.  One of the principles I most hoped to explain in this dialog is that intuition and common sense are poor guides to security trade-offs.  What might seem to be a good idea often is not, and what seems to be a bad idea sometimes is.  Beware of security by intuition and of security by emotion.  Beware of generalizations.  Beware of seemingly unrelated complexity.

And, of course, beware of complexity in general.

Your final question is a good one.  I have written extensively about what I think should be done about airport security and terrorism in general, and I invite readers to read some of those essays. To anyone still reading, I invite you to read this and this.

Security is all about cost-benefit analyses: how can we get the most security for our money, convenience, freedoms, liberties, and so on.  A lot of what we've implemented in our efforts to combat terrorism fail that analysis.  In general, I am opposed to security measures that require us to guess the plot correctly , because it is so easy for terrorists to change tactics or target.  This is really what your profiling system is: it's a guess about who the next terrorist is going to be.  If I had to pick someone to make that guess, I would pick Kip Hawley over you, but I would much rather build a security system that doesn't require guessing at all.  In general, I am in favor of security measures that are effective regardless of the plot: intelligence, investigation, and emergency response.  This means to focus less on specific terrorist tactics -- shoes, liquids, etc. -- and more on the broad threat, but also to focus more on specific terrorist targets -- airports and airplanes -- than on the broad threat.

But perhaps most importantly, we should refuse to be terrorized.  Terrorism isn't really a crime against people or property; it's a crime against our minds.  If we are terrorized, then the terrorists win even if their plots fail.  If we refuse to be terrorized, then the terrorists lose even if their plots succeed.

Peace out.

earlier essay: The Trouble with Airport Profiling
later essay: The Vulnerabilities Market and the Future of Security
categories: Airline Travel, Terrorism, Theory of Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..