Entries Tagged "air travel"

Page 42 of 46

Jamming Aircraft Navigation Near Nuclear Power Plants

The German government want to jam aircraft navigation equipment near nuclear power plants.

This certainly could help if terrorists want to fly an airplane into a nuclear power plant, but it feels like a movie-plot threat to me. On the other hand, this could make things significantly worse if an airplane flies near the nuclear power plant by accident. My guess is that the latter happens far more often than the former.

Posted on September 29, 2005 at 6:40 AMView Comments

Secure Flight News

The TSA is not going to use commercial databases in its initial roll-out of Secure Flight, its airline screening program that matches passengers with names on the Watch List and No-Fly List. I don’t believe for a minute that they’re shelving plans to use commercial data permanently, but at least they’re delaying the process.

In other news, the report (also available here, here, and here) of the Secure Flight Privacy/IT Working Group is public. I was a member of that group, but honestly, I didn’t do any writing for the report. I had given up on the process, sick of not being able to get any answers out of TSA, and believed that the report would end up in somebody’s desk drawer, never to be seen again. I was stunned when I learned that the ASAC made the report public.

There’s a lot of stuff in the report, but I’d like to quote the section that outlines the basic questions that the TSA was unable to answer:

The SFWG found that TSA has failed to answer certain key questions about Secure Flight: First and foremost, TSA has not articulated what the specific goals of Secure Flight are. Based on the limited test results presented to us, we cannot assess whether even the general goal of evaluating passengers for the risk they represent to aviation security is a realistic or feasible one or how TSA proposes to achieve it. We do not know how much or what kind of personal information the system will collect or how data from various sources will flow through the system.

Until TSA answers these questions, it is impossible to evaluate the potential privacy or security impact of the program, including:

  • Minimizing false positives and dealing with them when they occur.
  • Misuse of information in the system.
  • Inappropriate or illegal access by persons with and without permissions.
  • Preventing use of the system and information processed through it for purposes other than airline passenger screening.

The following broadly defined questions represent the critical issues we believe TSA must address before we or any other advisory body can effectively evaluate the privacy and security impact of Secure Flight on the public.

  1. What is the goal or goals of Secure Flight? The TSA is under a Congressional mandate to match domestic airline passenger lists against the consolidated terrorist watch list. TSA has failed to specify with consistency whether watch list matching is the only goal of Secure Flight at this stage. The Secure Flight Capabilities and Testing Overview, dated February 9, 2005 (a non-public document given to the SFWG), states in the Appendix that the program is not looking for unknown terrorists and has no intention of doing so. On June 29, 2005, Justin Oberman (Assistant Administrator, Secure Flight/Registered Traveler) testified to a Congressional committee that “Another goal proposed for Secure Flight is its use to establish “Mechanisms for…violent criminal data vetting.” Finally, TSA has never been forthcoming about whether it has an additional, implicit goal the tracking of terrorism suspects (whose presence on the terrorist watch list does not necessarily signify intention to commit violence on a flight).

    While the problem of failing to establish clear goals for Secure Flight at a given point in time may arise from not recognizing the difference between program definition and program evolution, it is clearly an issue the TSA must address if Secure Flight is to proceed.

  2. What is the architecture of the Secure Flight system? The Working Group received limited information about the technical architecture of Secure Flight and none about how software and hardware choices were made. We know very little about how data will be collected, transferred, analyzed, stored or deleted. Although we are charged with evaluating the privacy and security of the system, we saw no statements of privacy policies and procedures other than Privacy Act notices published in the Federal Register for Secure Flight testing. No data management plan either for the test phase or the program as implemented was provided or discussed.
  3. Will Secure Flight be linked to other TSA applications? Linkage with other screening programs (such as Registered Traveler, Transportation Worker Identification and Credentialing (TWIC), and Customs and Border Patrol systems like U.S.-VISIT) that may operate on the same platform as Secure Flight is another aspect of the architecture and security question. Unanswered questions remain about how Secure Flight will interact with other vetting programs operating on the same platform; how it will ensure that its policies on data collection, use and retention will be implemented and enforced on a platform that also operates programs with significantly different policies in these areas; and how it will interact with the vetting of passengers on international flights?
  4. How will commercial data sources be used? One of the most controversial elements of Secure Flight has been the possible uses of commercial data. TSA has never clearly defined two threshold issues: what it means by “commercial data” and how it might use commercial data sources in the implementation of Secure Flight. TSA has never clearly distinguished among various possible uses of commercial data, which all have different implications.

    Possible uses of commercial data sometimes described by TSA include: (1) identity verification or authentication; (2) reducing false positives by augmenting passenger records indicating a possible match with data that could help distinguish an innocent passenger from someone on a watch list; (3) reducing false negatives by augmenting all passenger records with data that could suggest a match that would otherwise have been missed; (4) identifying sleepers, which itself includes: (a) identifying false identities; and (b) identifying behaviors indicative of terrorist activity. A fifth possibility has not been discussed by TSA: using commercial data to augment watch list entries to improve their fidelity. Assuming that identity verification is part of Secure Flight, what are the consequences if an identity cannot be verified with a certain level of assurance?

    It is important to note that TSA never presented the SFWG with the results of its commercial data tests. Until these test results are available and have been independently analyzed, commercial data should not be utilized in the Secure Flight program.

  5. Which matching algorithms work best? TSA never presented the SFWG with test results showing the effectiveness of algorithms used to match passenger names to a watch list. One goal of bringing watch list matching inside the government was to ensure that the best available matching technology was used uniformly. The SFWG saw no evidence that TSA compared different products and competing solutions. As a threshold matter, TSA did not describe to the SFWG its criteria for determining how the optimal matching solution would be determined. There are obvious and probably not-so-obvious tradeoffs between false positives and false negatives, but TSA did not explain how it reconciled these concerns.
  6. What is the oversight structure and policy for Secure Flight? TSA has not produced a comprehensive policy document for Secure Flight that defines oversight or governance responsibilities.

The members of the working group, and the signatories to the report, are Martin Abrams, Linda Ackerman, James Dempsey, Edward Felten, Daniel Gallington, Lauren Gelman, Steven Lilenthal, Anna Slomovic, and myself.

My previous posts about Secure Flight, and my involvement in the working group, are here, here, here, here, here, and here.

And in case you think things have gotten better, there’s a new story about how the no-fly list cost a pilot his job:

Cape Air pilot Robert Gray said he feels like he’s living a nightmare. Two months after he sued the federal government for refusing to let him take flight training courses so he could fly larger planes, he said yesterday, his situation has only worsened.

When Gray showed up for work a couple of weeks ago, he said Cape Air told him the government had placed him on its no-fly list, making it impossible for him to do his job. Gray, a Belfast native and British citizen, said the government still won’t tell him why it thinks he’s a threat.

“I haven’t been involved in any kind of terrorism, and I never committed any crime,” said Gray, 35, of West Yarmouth. He said he has never been arrested and can’t imagine what kind of secret information the government is relying on to destroy his life.

Remember what the no-fly list is. It’s a list of people who are so dangerous that they can’t be allowed to board an airplane under any circumstances, yet so innocent that they can’t be arrested—even under the provisions of the PATRIOT Act.

EDITED TO ADD: The U.S. Department of Justice Inspector General released a report last month on Secure Flight, basically concluding that the costs were out of control, and that the TSA didn’t know how much the program would cost in the future.

Here’s an article about some of the horrible problems people who have mistakenly found themselves on the no-fly list have had to endure. And another on what you can do if you find yourself on a list.

EDITED TO ADD: EPIC has received a bunch of documents about continued problems with false positives.

Posted on September 26, 2005 at 7:14 AMView Comments

Hurricane Security and Airline Security Collide

Here’s a story (quote is from the second page) where airline security is actually doing harm:

Long lines and chaos snarled evacuees when they tried to catch flights out from two of Houston’s airports. After about 100 federal security screeners failed to report to work Thursday, scores of passengers missed flights and waited for hours at sparsely monitored X-ray machines and luggage conveyors. Transportation Security Administration officials were at a loss for an explanation and scrambled to send in a team of replacement workers from Cleveland.

This isn’t an easy call, but sometimes the smartest thing to do in an emergency is to suspend security rules. Unfortunately, sometimes the bad guys count on that.

If I were in charge, I would have let people onto the airplanes. The trade-off makes sense to me.

Posted on September 23, 2005 at 9:10 PMView Comments

Movie-Plot Threats

Wired.com just published an essay by me: “Terrorists Don’t Do Movie Plots.”

Sometimes it seems like the people in charge of homeland security spend too much time watching action movies. They defend against specific movie plots instead of against the broad threats of terrorism.

We all do it. Our imaginations run wild with detailed and specific threats. We imagine anthrax spread from crop dusters. Or a contaminated milk supply. Or terrorist scuba divers armed with almanacs. Before long, we’re envisioning an entire movie plot, without Bruce Willis saving the day. And we’re scared.

Psychologically, this all makes sense. Humans have good imaginations. Box cutters and shoe bombs conjure vivid mental images. “We must protect the Super Bowl” packs more emotional punch than the vague “we should defend ourselves against terrorism.”

The 9/11 terrorists used small pointy things to take over airplanes, so we ban small pointy things from airplanes. Richard Reid tried to hide a bomb in his shoes, so now we all have to take off our shoes. Recently, the Department of Homeland Security said that it might relax airplane security rules. It’s not that there’s a lessened risk of shoes, or that small pointy things are suddenly less dangerous. It’s that those movie plots no longer capture the imagination like they did in the months after 9/11, and everyone is beginning to see how silly (or pointless) they always were.

I’m now doing a bi-weekly column for them. I will post a link to the essays when they appear on the Wired.com site, and will reprint them in the next Crypto-Gram.

Posted on September 8, 2005 at 6:57 AMView Comments

Airline Security, Trade-offs, and Agenda

All security decisions are trade-offs, and smart security trade-offs are ones where the security you get is worth what you have to give up. This sounds simple, but it isn’t. There are differences between perceived risk and actual risk, differences between perceived security and actual security, and differences between perceived cost and actual cost. And beyond that, there are legitimate differences in trade-off analysis. Any complicated security decision affects multiple players, and each player evaluates the trade-off from his or her own perspective.

I call this “agenda,” and it is one of the central themes of Beyond Fear. It is clearly illustrated in the current debate about rescinding the prohibition against small pointy things on airplanes. The flight attendants are against the change. Reading their comments, you can clearly see their subjective agenda:

“As the front-line personnel with little or no effective security training or means of self defense, such weapons could prove fatal to our members,” Patricia A. Friend, international president of the Association of Flight Attendants, said in a letter to Edmund S. “Kip” Hawley, the new leader of the Transportation Security Administration. “They may not assist in breaking through a flightdeck door, but they could definitely lead to the deaths of flight attendants and passengers”….

The flight attendants, whose union represents 46,000 members, said that easing the ban on some prohibited items could pose a safety risk on board the aircraft and lead to incidents that terrorize passengers even if they do not involve a hijacking.

“Even a plane that is attacked and results in only a few deaths would seriously jeopardize the progress we have all made in restoring confidence of the flying public,” Friend said in her letter. “We urge you to reconsider allowing such dangerous items—which have no place in the cabin of an aircraft in the first place—to be introduced into our workplace.”

The flight attendants are not evaluating the security countermeasure from a global perspective. They’re not trying to figure out what the optimal level of risk is, what sort of trade-offs are acceptable, and what security countermeasures most efficiently achieve that trade-off. They’re looking at the trade-off from their perspective: they get more benefit from the countermeasure than the average flier because it’s their workplace, and the cost of the countermeasure is borne largely by the passengers.

There is nothing wrong with flight attendants evaluating airline security from their own agenda. I’d be surprised if they didn’t. But understanding agenda is essential to understanding how security decisions are made.

Posted on August 19, 2005 at 12:48 PMView Comments

Infants on the Terrorist Watch List

Imagine you’re in charge of airport security. You have a watch list of terrorist names, and you’re supposed to give anyone on that list extra scrutiny. One day someone shows up for a flight whose name is on that list. They’re an infant.

What do you do?

If you have even the slightest bit of sense, you realize that an infant can’t be a terrorist. So you let the infant through, knowing that it’s a false alarm. But if you have no flexibility in your job, if you have to follow the rules regardless of how stupid they are, if you have no authority to make your own decisions, then you detain the baby.

EDITED TO ADD: I know what the article says about the TSA rules:

The Transportation Security Administration, which administers the lists, instructs airlines not to deny boarding to children under 12—or select them for extra security checks—even if their names match those on a list.

Whether the rules are being followed or ignored is besides my point. The screener is detaining babies because he thinks that’s what the rules require. He’s not permitted to exercise his own common sense.

Security works best when well-trained people have the authority to make decisions, not when poorly-trained people are slaves to the rules (whether real or imaginary). Rules provide CYA security, but not security against terrorism.

Posted on August 19, 2005 at 8:03 AMView Comments

Secure Flight News

According to Wired News, the DHS is looking for someone in Congress to sponsor a bill that eliminates congressional oversight over the Secure Flight program.

The bill would allow them to go ahead with the program regardless of GAO’s assessment. (Current law requires them to meet ten criteria set by Congress; the most recent GAO report said that they did not meet nine of them.) The bill would allow them to use commercial data even though they have not demonstrated its effectiveness. (The DHS funding bill passed by both the House and the Senate prohibits them from using commercial data during passenger screening, because there has been absolutely no test results showing that it is effective.)

In this new bill, all that would be required to go ahead with Secure Flight would be for Secretary Chertoff to say so:

Additionally, the proposed changes would permit Secure Flight to be rolled out to the nation’s airports after Homeland Security chief Michael Chertoff certifies the program will be effective and not overly invasive. The current bill requires independent congressional investigators to make that determination.

Looks like the DHS, being unable to comply with the law, is trying to change it. This is a rogue program that needs to be stopped.

In other news, the TSA has deleted about three million personal records it used for Secure Flight testing. This seems like a good idea, but it prevents people from knowing what data the government had on them—in violation of the Privacy Act.

Civil liberties activist Bill Scannell says it’s difficult to know whether TSA’s decision to destroy records so swiftly is a housecleaning effort or something else.

“Is the TSA just such an incredibly efficient organization that they’re getting rid of things that are no longer needed?” Scannell said. “Or is this a matter of the destruction of evidence?”

Scannell says it’s a fair question to ask in light of revelations that the TSA already violated the Privacy Act last year when it failed to fully disclose the scope of its testing for Secure Flight and its collection of commercial data on individuals.

My previous essay on Secure Flight is here.

Posted on August 15, 2005 at 9:43 AMView Comments

Orlando Airport's CLEAR Program

Orlando Airport is piloting a new pre-screening program called CLEAR. The idea is that you pay $80 a year and subject yourself to a background check, and then you can use a faster security line at airports.

I’ve already written about this idea, back when Steven Brill first started talking about it:

My primary security concerns surrounding this system stem from what it’s trying to do. In his writings and speaking, Brill is very careful to explain that these are not “trusted traveler cards.” He calls them “verified identity cards.” But the only purpose of his card is to divide people into two lines—a fast line and a slow line, a “search less” line and a “search more” line, or whatever….

The reality is that the existence of the card creates a third, and very dangerous, category: bad guys with the card. Timothy McVeigh would have been able to get one of these cards. The DC sniper and the Unabomber would have been able to get this card. Any terrorist mole who hasn’t done anything yet and is being saved for something big would be able to get this card. Some of the 9/11 terrorists would have been able to get this card. These are people who are deemed trustworthy by the system even though they are not.

And even worse, the system lets terrorists test the system beforehand. Imagine you’re in a terrorist cell. Twelve of you apply for the card, but only four of you get it. Those four not only have a card that lets them go through the easy line at security checkpoints; they also know that they’re not on any terrorist watch lists. Which four do you think will be going on the mission? By “pre-approving” trust, you’re building a system that is easier to exploit.

Nothing in this program is different from what I wrote about last year. According to their website:

Your Membership will be continuously reviewed by TSA’s ongoing Security Threat Assessment Process. If your security status changes, your Membership will be immediately deactivated and you will receive a notification email of your status change as well as a refund of the unused portion of your annual enrollment fee.

Think about it. For $80 a year, any potential terrorist can be automatically notified if the Department of Homeland Security is on to him. Such a deal.

Posted on August 8, 2005 at 8:03 AMView Comments

1 40 41 42 43 44 46

Sidebar photo of Bruce Schneier by Joe MacInnis.