Entries Tagged "air travel"

Page 42 of 46

Hurricane Security and Airline Security Collide

Here’s a story (quote is from the second page) where airline security is actually doing harm:

Long lines and chaos snarled evacuees when they tried to catch flights out from two of Houston’s airports. After about 100 federal security screeners failed to report to work Thursday, scores of passengers missed flights and waited for hours at sparsely monitored X-ray machines and luggage conveyors. Transportation Security Administration officials were at a loss for an explanation and scrambled to send in a team of replacement workers from Cleveland.

This isn’t an easy call, but sometimes the smartest thing to do in an emergency is to suspend security rules. Unfortunately, sometimes the bad guys count on that.

If I were in charge, I would have let people onto the airplanes. The trade-off makes sense to me.

Posted on September 23, 2005 at 9:10 PMView Comments

Movie-Plot Threats

Wired.com just published an essay by me: “Terrorists Don’t Do Movie Plots.”

Sometimes it seems like the people in charge of homeland security spend too much time watching action movies. They defend against specific movie plots instead of against the broad threats of terrorism.

We all do it. Our imaginations run wild with detailed and specific threats. We imagine anthrax spread from crop dusters. Or a contaminated milk supply. Or terrorist scuba divers armed with almanacs. Before long, we’re envisioning an entire movie plot, without Bruce Willis saving the day. And we’re scared.

Psychologically, this all makes sense. Humans have good imaginations. Box cutters and shoe bombs conjure vivid mental images. “We must protect the Super Bowl” packs more emotional punch than the vague “we should defend ourselves against terrorism.”

The 9/11 terrorists used small pointy things to take over airplanes, so we ban small pointy things from airplanes. Richard Reid tried to hide a bomb in his shoes, so now we all have to take off our shoes. Recently, the Department of Homeland Security said that it might relax airplane security rules. It’s not that there’s a lessened risk of shoes, or that small pointy things are suddenly less dangerous. It’s that those movie plots no longer capture the imagination like they did in the months after 9/11, and everyone is beginning to see how silly (or pointless) they always were.

I’m now doing a bi-weekly column for them. I will post a link to the essays when they appear on the Wired.com site, and will reprint them in the next Crypto-Gram.

Posted on September 8, 2005 at 6:57 AMView Comments

Airline Security, Trade-offs, and Agenda

All security decisions are trade-offs, and smart security trade-offs are ones where the security you get is worth what you have to give up. This sounds simple, but it isn’t. There are differences between perceived risk and actual risk, differences between perceived security and actual security, and differences between perceived cost and actual cost. And beyond that, there are legitimate differences in trade-off analysis. Any complicated security decision affects multiple players, and each player evaluates the trade-off from his or her own perspective.

I call this “agenda,” and it is one of the central themes of Beyond Fear. It is clearly illustrated in the current debate about rescinding the prohibition against small pointy things on airplanes. The flight attendants are against the change. Reading their comments, you can clearly see their subjective agenda:

“As the front-line personnel with little or no effective security training or means of self defense, such weapons could prove fatal to our members,” Patricia A. Friend, international president of the Association of Flight Attendants, said in a letter to Edmund S. “Kip” Hawley, the new leader of the Transportation Security Administration. “They may not assist in breaking through a flightdeck door, but they could definitely lead to the deaths of flight attendants and passengers”….

The flight attendants, whose union represents 46,000 members, said that easing the ban on some prohibited items could pose a safety risk on board the aircraft and lead to incidents that terrorize passengers even if they do not involve a hijacking.

“Even a plane that is attacked and results in only a few deaths would seriously jeopardize the progress we have all made in restoring confidence of the flying public,” Friend said in her letter. “We urge you to reconsider allowing such dangerous items — which have no place in the cabin of an aircraft in the first place — to be introduced into our workplace.”

The flight attendants are not evaluating the security countermeasure from a global perspective. They’re not trying to figure out what the optimal level of risk is, what sort of trade-offs are acceptable, and what security countermeasures most efficiently achieve that trade-off. They’re looking at the trade-off from their perspective: they get more benefit from the countermeasure than the average flier because it’s their workplace, and the cost of the countermeasure is borne largely by the passengers.

There is nothing wrong with flight attendants evaluating airline security from their own agenda. I’d be surprised if they didn’t. But understanding agenda is essential to understanding how security decisions are made.

Posted on August 19, 2005 at 12:48 PMView Comments

Infants on the Terrorist Watch List

Imagine you’re in charge of airport security. You have a watch list of terrorist names, and you’re supposed to give anyone on that list extra scrutiny. One day someone shows up for a flight whose name is on that list. They’re an infant.

What do you do?

If you have even the slightest bit of sense, you realize that an infant can’t be a terrorist. So you let the infant through, knowing that it’s a false alarm. But if you have no flexibility in your job, if you have to follow the rules regardless of how stupid they are, if you have no authority to make your own decisions, then you detain the baby.

EDITED TO ADD: I know what the article says about the TSA rules:

The Transportation Security Administration, which administers the lists, instructs airlines not to deny boarding to children under 12 — or select them for extra security checks — even if their names match those on a list.

Whether the rules are being followed or ignored is besides my point. The screener is detaining babies because he thinks that’s what the rules require. He’s not permitted to exercise his own common sense.

Security works best when well-trained people have the authority to make decisions, not when poorly-trained people are slaves to the rules (whether real or imaginary). Rules provide CYA security, but not security against terrorism.

Posted on August 19, 2005 at 8:03 AMView Comments

Secure Flight News

According to Wired News, the DHS is looking for someone in Congress to sponsor a bill that eliminates congressional oversight over the Secure Flight program.

The bill would allow them to go ahead with the program regardless of GAO’s assessment. (Current law requires them to meet ten criteria set by Congress; the most recent GAO report said that they did not meet nine of them.) The bill would allow them to use commercial data even though they have not demonstrated its effectiveness. (The DHS funding bill passed by both the House and the Senate prohibits them from using commercial data during passenger screening, because there has been absolutely no test results showing that it is effective.)

In this new bill, all that would be required to go ahead with Secure Flight would be for Secretary Chertoff to say so:

Additionally, the proposed changes would permit Secure Flight to be rolled out to the nation’s airports after Homeland Security chief Michael Chertoff certifies the program will be effective and not overly invasive. The current bill requires independent congressional investigators to make that determination.

Looks like the DHS, being unable to comply with the law, is trying to change it. This is a rogue program that needs to be stopped.

In other news, the TSA has deleted about three million personal records it used for Secure Flight testing. This seems like a good idea, but it prevents people from knowing what data the government had on them — in violation of the Privacy Act.

Civil liberties activist Bill Scannell says it’s difficult to know whether TSA’s decision to destroy records so swiftly is a housecleaning effort or something else.

“Is the TSA just such an incredibly efficient organization that they’re getting rid of things that are no longer needed?” Scannell said. “Or is this a matter of the destruction of evidence?”

Scannell says it’s a fair question to ask in light of revelations that the TSA already violated the Privacy Act last year when it failed to fully disclose the scope of its testing for Secure Flight and its collection of commercial data on individuals.

My previous essay on Secure Flight is here.

Posted on August 15, 2005 at 9:43 AMView Comments

Orlando Airport's CLEAR Program

Orlando Airport is piloting a new pre-screening program called CLEAR. The idea is that you pay $80 a year and subject yourself to a background check, and then you can use a faster security line at airports.

I’ve already written about this idea, back when Steven Brill first started talking about it:

My primary security concerns surrounding this system stem from what it’s trying to do. In his writings and speaking, Brill is very careful to explain that these are not “trusted traveler cards.” He calls them “verified identity cards.” But the only purpose of his card is to divide people into two lines — a fast line and a slow line, a “search less” line and a “search more” line, or whatever….

The reality is that the existence of the card creates a third, and very dangerous, category: bad guys with the card. Timothy McVeigh would have been able to get one of these cards. The DC sniper and the Unabomber would have been able to get this card. Any terrorist mole who hasn’t done anything yet and is being saved for something big would be able to get this card. Some of the 9/11 terrorists would have been able to get this card. These are people who are deemed trustworthy by the system even though they are not.

And even worse, the system lets terrorists test the system beforehand. Imagine you’re in a terrorist cell. Twelve of you apply for the card, but only four of you get it. Those four not only have a card that lets them go through the easy line at security checkpoints; they also know that they’re not on any terrorist watch lists. Which four do you think will be going on the mission? By “pre-approving” trust, you’re building a system that is easier to exploit.

Nothing in this program is different from what I wrote about last year. According to their website:

Your Membership will be continuously reviewed by TSA’s ongoing Security Threat Assessment Process. If your security status changes, your Membership will be immediately deactivated and you will receive a notification email of your status change as well as a refund of the unused portion of your annual enrollment fee.

Think about it. For $80 a year, any potential terrorist can be automatically notified if the Department of Homeland Security is on to him. Such a deal.

Posted on August 8, 2005 at 8:03 AMView Comments

Secure Flight

Last Friday the GAO issued a new report on Secure Flight. It’s couched in friendly language, but it’s not good:

During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA’s use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA’s actions, the public did not receive the full protections of the Privacy Act.

Get that? The TSA violated federal law when it secretly expanded Secure Flight’s use of commercial data about passengers. It also lied to Congress and the public about it.

Much of this isn’t new. Last month we learned that:

The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers — even though officials said they wouldn’t do it and Congress told them not to.

Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist.

Which is exactly what it was not supposed to do in the first place.

Let’s review:

For those who have not been following along, Secure Flight is the follow-on to CAPPS-I. (CAPPS stands for Computer Assisted Passenger Pre-Screening.) CAPPS-I has been in place since 1997, and is a simple system to match airplane passengers to a terrorist watch list. A follow-on system, CAPPS-II, was proposed last year. That complicated system would have given every traveler a risk score based on information in government and commercial databases. There was a huge public outcry over the invasiveness of the system, and it was cancelled over the summer. Secure Flight is the new follow-on system to CAPPS-I.

EPIC has more background information.

Back in January, Secure Flight was intended to just be a more efficient system of matching airline passengers with terrorist watch lists.

I am on a working group that is looking at the security and privacy implications of Secure Flight. Before joining the group I signed an NDA agreeing not to disclose any information learned within the group, and to not talk about deliberations within the group. But there’s no reason to believe that the TSA is lying to us any less than they’re lying to Congress, and there’s nothing I learned within the working group that I wish I could talk about. Everything I say here comes from public documents.

In January I gave some general conclusions about Secure Flight. These have not changed.

One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement — in almost every way — over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)

Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else’s ticket, airline procedures, etc.

Three, the urge to use this system for other things will be irresistible. It’s just too easy to say: “As long as you’ve got this system that watches out for terrorists, how about also looking for this list of drug dealers…and by the way, we’ve got the Super Bowl to worry about too.” Once Secure Flight gets built, all it’ll take is a new law and we’ll have a nationwide security checkpoint system.

And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars.

What has changed is the scope of Secure Flight. First, it started using data from commercial sources, like Acxiom. (The details are even worse.) Technically, they’re testing the use of commercial data, but it’s still a violation. Even the DHS started investigating:

The Department of Homeland Security’s top privacy official said Wednesday that she is investigating whether the agency’s airline passenger screening program has violated federal privacy laws by failing to properly disclose its mission.

The privacy officer, Nuala O’Connor Kelly, said the review will focus on whether the program’s use of commercial databases and other details were properly disclosed to the public.

The TSA’s response to being caught violating their own Privacy Act statements? Revise them:

According to previous official notices, TSA had said it would not store commercial data about airline passengers.

The Privacy Act of 1974 prohibits the government from keeping a secret database. It also requires agencies to make official statements on the impact of their record keeping on privacy.

The TSA revealed its use of commercial data in a revised Privacy Act statement to be published in the Federal Register on Wednesday.

TSA spokesman Mark Hatfield said the program was being developed with a commitment to privacy, and that it was routine to change Privacy Act statements during testing.

Actually, it’s not. And it’s better to change the Privacy Act statement before violating the old one. Changing it after the fact just looks bad.

The point of Secure Flight match airline passengers against lists of suspected terrorists. But the vast majority of people flagged by this list simply have the same name, or a similar name, as the suspected terrorist: Ted Kennedy and Cat Stevens are two famous examples. The question is whether combining commercial data with the PNR (Passenger Name Record) supplied by the airline could reduce this false-positive problem. Maybe knowing the passenger’s address, or phone number, or date of birth, could reduce false positives. Or maybe not; it depends what data is on the terrorist lists. In any case, it’s certainly a smart thing to test.

But using commercial data has serious privacy implications, which is why Congress mandated all sorts of rules surrounding the TSA testing of commercial data — and more rules before it could deploy a final system — rules that the TSA has decided it can ignore completely.

Commercial data had another use under CAPPS-II In that now-dead program, every passenger would be subjected to a computerized background check to determine their “risk” to airline safety. The system would assign a risk score based on commercial data: their credit rating, how recently they moved, what kind of job they had, etc. This capability was removed from Secure Flight, but now it’s back:

The government will try to determine whether commercial data can be used to detect terrorist “sleeper cells” when it checks airline passengers against watch lists, the official running the project says….

Justin Oberman, in charge of Secure Flight at TSA, said the agency intends to do more testing of commercial data to see if it will help identify known or suspected terrorists not on the watch lists.

“We are trying to use commercial data to verify the identities of people who fly because we are not going to rely on the watch list,” he said. “If we just rise and fall on the watch list, it’s not adequate.”

Also this Congressional hearing (emphasis mine):

THOMPSON: There are a couple of questions I’d like to get answered in my mind about Secure Flight. Would Secure Flight pick up a person with strong community roots but who is in a terrorist sleeper cell or would a person have to be a known terrorist in order for Secure Flight to pick him up?

OBERMAN: Let me answer that this way: It will identify people who are known or suspected terrorists contained in the terrorist screening database, and it ought to be able to identify people who may not be on the watch list. It ought to be able to do that. We’re not in a position today to say that it does, but we think it’s absolutely critical that it be able to do that.

And so we are conducting this test of commercially available data to get at that exact issue.: Very difficult to do, generally. It’s particularly difficult to do when you have a system that transports 1.8 million people a day on 30,000 flights at 450 airports. That is a very high bar to get over.

It’s also very difficult to do with a threat described just like you described it, which is somebody who has sort of burrowed themselves into society and is not readily apparent to us when they’re walking through the airport. And so I cannot stress enough how important we think it is that it be able to have that functionality. And that’s precisely the reason we have been conducting this ommercial data test, why we’ve extended the testing period and why we’re very hopeful that the results will prove fruitful to us so that we can then come up here, brief them to you and explain to you why we need to include that in the system.

My fear is that TSA has already decided that they’re going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we’re back to CAPPS-II, the very system Congress killed last summer. Actually, we’re very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.

Secure Flight is a mess in lots of other ways, too. A March GAO report said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven’t read this report, it’s pretty scathing.) The redress problem — helping people who cannot fly because they share a name with a terrorist — is not getting any better. And Secure Flight is behind schedule and over budget.

It’s also a rogue program that is operating in flagrant disregard for the law. It can’t be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.

EDITED TO ADD: Anita Ramasastry’s commentary is worth reading.

Posted on July 24, 2005 at 9:10 PMView Comments

Anti-Missile Defenses for Commercial Aircraft

In yet another “movie-plot threat” defense, the U.S. government is starting to test anti-missile lasers on commercial aircraft.

It could take years before passenger planes carry protection against missiles, a weapon terrorists might use to shoot down jets and cause economic havoc in the airline industry. The tests will help the nation’s leaders decide if they should install laser systems on all 6,800 aircraft in the U.S. airline fleet at a cost of at least $6 billion.

“Yes, it will cost money, but it’s the same cost as an aircraft entertainment system,” Kubricky says.

I think the airline industry is missing something here. If they linked the anti-missile lasers with the in-seat entertainment systems, cross-country flights would be much more exciting.

Posted on July 21, 2005 at 8:58 AMView Comments

Security Risks of Airplane WiFi

I’ve already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet.

Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger’s internet use within 10 minutes of obtaining court authorization.

In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane — all from the comfort of an aisle seat.

“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft, and law enforcement needs to maximize its ability to respond to these potentially lethal situations,” the filing reads.

Terrorists never use SSH, after all. (I suppose that’s the next thing the DHS is going to try to ban.)

Posted on July 14, 2005 at 12:02 PMView Comments

1 40 41 42 43 44 46

Sidebar photo of Bruce Schneier by Joe MacInnis.