Entries Tagged "behavioral detection"

Page 4 of 4

Behavioral Profiling Nabs Warren Jeffs

This is interesting:

A paper license tag, a salad and stories that didn’t make sense pricked the suspicions of a state trooper who stopped the car of a wanted fugitive polygamist in Las Vegas.

But it was the pumping carotid artery in the neck of Warren Steed Jeffs that convinced Nevada Highway Patrolman Eddie Dutchover that he had cornered someone big.

This is behavioral profiling done right, and it reminds me of the Diana Dean story. (Here’s another example of behavioral profiling done right, and here is an article by Malcolm Gladwell on profiling and generalizations.)

Behavioral profiling is tough to do well. It requires intelligent and well-trained officers. Done badly, it quickly defaults to racial profiling. But done well, it’ll do far more to keep us safe than object profiling (e.g., banning liquids on aircraft).

Posted on August 31, 2006 at 1:11 PMView Comments

Behavioral Profiling

I’ve long been a fan of behavioral profiling, as opposed to racial profiling. The U.S. has been testing such a program. While there are legitimate fears that this could end up being racial profiling in disguise, I think this kind of thing is the right idea. (Although I am less impressed with this kind of thing.)

EDITED TO ADD (8/18): Funny cartoon on profiling.

There’s a moral here. Profiling is something we all do, and we do it because—for the most part—it works. But when you’re dealing with an intelligent adversary, as opposed to the cat, you invite that adversary to deliberately try to subvert your profiling system. The effectiveness of any profiling system is directly related to how likely it will be subverted.

Posted on August 18, 2006 at 1:21 PMView Comments

Good Example of Smart Profiling

In Beyond Fear, I wrote about profiling (reprinted here). I talked a lot about how smart behavioral-based profiling is much more effective than dumb characteristic-based profiling, and how well-trained people are much better than computers.

The story I used was about how U.S. customs agent Diana Dean caught Ahmed Ressam in 1999. Here’s another story:

An England football shirt gave away a Senegalese man attempting to enter Cyprus on a forged French passport, police on the Mediterranean island said on Monday.

Suspicions were aroused when the man appeared at a checkpoint supervising crossings from the Turkish Cypriot north to the Greek Cypriot south of the divided island, wearing the England shirt and presenting a French passport.

“Being a football fan, the officer found it highly unlikely that a Frenchman would want to wear an England football jersey,” a police source said.

“That was his first suspicion prior to the proper check on the passport, which turned out to be a fake,” said the source.

That’s just not the kind of thing you’re going to get a computer to pick up on, at least not until artificial intelligence actually produces a working brain.

Posted on July 27, 2006 at 12:46 PMView Comments

Smart Profiling from the DHS

About time:

Here’s how it works: Select TSA employees will be trained to identify suspicious individuals who raise red flags by exhibiting unusual or anxious behavior, which can be as simple as changes in mannerisms, excessive sweating on a cool day, or changes in the pitch of a person’s voice. Racial or ethnic factors are not a criterion for singling out people, TSA officials say. Those who are identified as suspicious will be examined more thoroughly; for some, the agency will bring in local police to conduct face-to-face interviews and perhaps run the person’s name against national criminal databases and determine whether any threat exists. If such inquiries turn up other issues countries with terrorist connections, police officers can pursue the questioning or alert Federal counterterrorism agents. And of course the full retinue of baggage x-rays, magnetometers and other checks for weapons will continue.

Posted on May 23, 2006 at 6:20 AMView Comments

Profiling

There is a great discussion about profiling going on in the comments to the previous post. To help, here is what I wrote on the subject in Beyond Fear (pp. 133-7):

Good security has people in charge. People are resilient. People can improvise. People can be creative. People can develop on-the-spot solutions. People can detect attackers who cheat, and can attempt to maintain security despite the cheating. People can detect passive failures and attempt to recover. People are the strongest point in a security process. When a security system succeeds in the face of a new or coordinated or devastating attack, it’s usually due to the efforts of people.

On 14 December 1999, Ahmed Ressam tried to enter the U.S. by ferryboat from Victoria Island, British Columbia. In the trunk of his car, he had a suitcase bomb. His plan was to drive to Los Angeles International Airport, put his suitcase on a luggage cart in the terminal, set the timer, and then leave. The plan would have worked had someone not been vigilant.

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car’s trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by U.S. customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” More questioning—there was no one else crossing the border, so two other agents got involved—and more hinky behavior. Ressam’s car was eventually searched, and he was finally discovered and captured. It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But the system worked. The reason there wasn’t a bombing at LAX around Christmas in 1999 was because a knowledgeable person was in charge of security and paying attention.

There’s a dirty word for what Dean did that chilly afternoon in December, and it’s profiling. Everyone does it all the time. When you see someone lurking in a dark alley and change your direction to avoid him, you’re profiling. When a storeowner sees someone furtively looking around as she fiddles inside her jacket, that storeowner is profiling. People profile based on someone’s dress, mannerisms, tone of voice … and yes, also on their race and ethnicity. When you see someone running toward you on the street with a bloody ax, you don’t know for sure that he’s a crazed ax murderer. Perhaps he’s a butcher who’s actually running after the person next to you to give her the change she forgot. But you’re going to make a guess one way or another. That guess is an example of profiling.

To profile is to generalize. It’s taking characteristics of a population and applying them to an individual. People naturally have an intuition about other people based on different characteristics. Sometimes that intuition is right and sometimes it’s wrong, but it’s still a person’s first reaction. How good this intuition is as a countermeasure depends on two things: how accurate the intuition is and how effective it is when it becomes institutionalized or when the profile characteristics become commonplace.

One of the ways profiling becomes institutionalized is through computerization. Instead of Diana Dean looking someone over, a computer looks the profile over and gives it some sort of rating. Generally profiles with high ratings are further evaluated by people, although sometimes countermeasures kick in based on the computerized profile alone. This is, of course, more brittle. The computer can profile based only on simple, easy-to-assign characteristics: age, race, credit history, job history, et cetera. Computers don’t get hinky feelings. Computers also can’t adapt the way people can.

Profiling works better if the characteristics profiled are accurate. If erratic driving is a good indication that the driver is intoxicated, then that’s a good characteristic for a police officer to use to determine who he’s going to pull over. If furtively looking around a store or wearing a coat on a hot day is a good indication that the person is a shoplifter, then those are good characteristics for a store owner to pay attention to. But if wearing baggy trousers isn’t a good indication that the person is a shoplifter, then the store owner is going to spend a lot of time paying undue attention to honest people with lousy fashion sense.

In common parlance, the term “profiling” doesn’t refer to these characteristics. It refers to profiling based on characteristics like race and ethnicity, and institutionalized profiling based on those characteristics alone. During World War II, the U.S. rounded up over 100,000 people of Japanese origin who lived on the West Coast and locked them in camps (prisons, really). That was an example of profiling. Israeli border guards spend a lot more time scrutinizing Arab men than Israeli women; that’s another example of profiling. In many U.S. communities, police have been known to stop and question people of color driving around in wealthy white neighborhoods (commonly referred to as “DWB”—Driving While Black). In all of these cases you might possibly be able to argue some security benefit, but the trade-offs are enormous: Honest people who fit the profile can get annoyed, or harassed, or arrested, when they’re assumed to be attackers.

For democratic governments, this is a major problem. It’s just wrong to segregate people into “more likely to be attackers” and “less likely to be attackers” based on race or ethnicity. It’s wrong for the police to pull a car over just because its black occupants are driving in a rich white neighborhood. It’s discrimination.

But people make bad security trade-offs when they’re scared, which is why we saw Japanese internment camps during World War II, and why there is so much discrimination against Arabs in the U.S. going on today. That doesn’t make it right, and it doesn’t make it effective security. Writing about the Japanese internment, for example, a 1983 commission reported that the causes of the incarceration were rooted in “race prejudice, war hysteria, and a failure of political leadership.” But just because something is wrong doesn’t mean that people won’t continue to do it.

Ethics aside, institutionalized profiling fails because real attackers are so rare: Active failures will be much more common than passive failures. The great majority of people who fit the profile will be innocent. At the same time, some real attackers are going to deliberately try to sneak past the profile. During World War II, a Japanese American saboteur could try to evade imprisonment by pretending to be Chinese. Similarly, an Arab terrorist could dye his hair blond, practice an American accent, and so on.

Profiling can also blind you to threats outside the profile. If U.S. border guards stop and search everyone who’s young, Arab, and male, they’re not going to have the time to stop and search all sorts of other people, no matter how hinky they might be acting. On the other hand, if the attackers are of a single race or ethnicity, profiling is more likely to work (although the ethics are still questionable). It makes real security sense for El Al to spend more time investigating young Arab males than it does for them to investigate Israeli families. In Vietnam, American soldiers never knew which local civilians were really combatants; sometimes killing all of them was the security solution they chose.

If a lot of this discussion is abhorrent, as it probably should be, it’s the trade-offs in your head talking. It’s perfectly reasonable to decide not to implement a countermeasure not because it doesn’t work, but because the trade-offs are too great. Locking up every Arab-looking person will reduce the potential for Muslim terrorism, but no reasonable person would suggest it. (It’s an example of “winning the battle but losing the war.”) In the U.S., there are laws that prohibit police profiling by characteristics like ethnicity, because we believe that such security measures are wrong (and not simply because we believe them to be ineffective).

Still, no matter how much a government makes it illegal, profiling does occur. It occurs at an individual level, at the level of Diana Dean deciding which cars to wave through and which ones to investigate further. She profiled Ressam based on his mannerisms and his answers to her questions. He was Algerian, and she certainly noticed that. However, this was before 9/11, and the reports of the incident clearly indicate that she thought he was a drug smuggler; ethnicity probably wasn’t a key profiling factor in this case. In fact, this is one of the most interesting aspects of the story. That intuitive sense that something was amiss worked beautifully, even though everybody made a wrong assumption about what was wrong. Human intuition detected a completely unexpected kind of attack. Humans will beat computers at hinkiness-detection for many decades to come.

And done correctly, this intuition-based sort of profiling can be an excellent security countermeasure. Dean needed to have the training and the experience to profile accurately and properly, without stepping over the line and profiling illegally. The trick here is to make sure perceptions of risk match the actual risks. If those responsible for security profile based on superstition and wrong-headed intuition, or by blindly following a computerized profiling system, profiling won’t work at all. And even worse, it actually can reduce security by blinding people to the real threats. Institutionalized profiling can ossify a mind, and a person’s mind is the most important security countermeasure we have.

A couple of other points (not from the book):

  • Whenever you design a security system with two ways through—an easy way and a hard way—you invite the attacker to take the easy way. Profile for young Arab males, and you’ll get terrorists that are old non-Arab females. This paper looks at the security effectiveness of profiling versus random searching.
  • If we are going to increase security against terrorism, the young Arab males living in our country are precisely the people we want on our side. Discriminating against them in the name of security is not going to make them more likely to help.
  • Despite what many people think, terrorism is not confined to young Arab males. Shoe-bomber Richard Reid was British. Germaine Lindsay, one of the 7/7 London bombers, was Afro-Caribbean. Here are some more examples:

    In 1986, a 32-year-old Irish woman, pregnant at the time, was about to board an El Al flight from London to Tel Aviv when El Al security agents discovered an explosive device hidden in the false bottom of her bag. The woman’s boyfriend—the father of her unborn child—had hidden the bomb.

    In 1987, a 70-year-old man and a 25-year-old woman—neither of whom were Middle Eastern—posed as father and daughter and brought a bomb aboard a Korean Air flight from Baghdad to Thailand. En route to Bangkok, the bomb exploded, killing all on board.

    In 1999, men dressed as businessmen (and one dressed as a Catholic priest) turned out to be terrorist hijackers, who forced an Avianca flight to divert to an airstrip in Colombia, where some passengers were held as hostages for more than a year-and-half.

    The 2002 Bali terrorists were Indonesian. The Chechnyan terrorists who downed the Russian planes were women. Timothy McVeigh and the Unabomber were Americans. The Basque terrorists are Basque, and Irish terrorists are Irish. Tha Tamil Tigers are Sri Lankan.

    And many Muslims are not Arabs. Even worse, almost everyone who is Arab is not a terrorist—many people who look Arab are not even Muslims. So not only are there an large number of false negatives—terrorists who don’t meet the profile—but there an enormous number of false positives: innocents that do meet the profile.

Posted on July 22, 2005 at 3:12 PMView Comments

Security Notes from All Over: Israeli Airport Security Questioning

In both Secrets and Lies and Beyond Fear, I discuss a key difference between attackers and defenders: the ability to concentrate resources. The defender must defend against all possible attacks, while the attacker can concentrate his forces on one particular avenue of attack. This precept is fundamental to a lot of security, and can be seen very clearly in counterterrorism. A country is in the position of the interior; it must defend itself against all possible terrorist attacks: airplane terrorism, chemical bombs, threats at the ports, threats through the mails, lone lunatics with automatic weapons, assassinations, etc, etc, etc. The terrorist just needs to find one weak spot in the defenses, and exploit that. This concentration versus diffusion of resources is one reason why the defender’s job is so much harder than the attackers.

This same principle guides security questioning at the Ben Gurion Airport in Israel. In this example, the attacker is the security screener and the defender is the terrorist. (It’s important to remember that “attacker” and “defender” are not moral labels, but tactical ones. Sometimes the defenders are the good guys and the attackers are the bad guys. In this case, the bad guy is trying to defend his cover story against the good guy who is attacking it.)

Security is impressively tight at the airport, and includes a potentially lengthy interview by a trained security screener. The screener asks each passenger questions, trying to determine if he’s a security risk. But instead of asking different questions—where do you live, what do you do for a living, where were you born—the screener asks questions that follow a storyline: “Where are you going? Who do you know there? How did you meet him? What were you doing there?” And so on.

See the ability to concentrate resources? The defender—the terrorist trying to sneak aboard the airplane—needs a cover story sufficiently broad to be able to respond to any line of questioning. So he might memorize the answers to several hundred questions. The attacker—the security screener—could ask questions scattershot, but instead concentrates his questioning along one particular line. The theory is that eventually the defender will reach the end of his memorized story, and that the attacker will then notice the subtle changes in the defender as he starts to make up answers.

Posted on December 14, 2004 at 9:26 AMView Comments

Behavioral Assessment Profiling

On Dec. 14, 1999, Ahmed Ressam tried to enter the United States from Canada at Port Angeles, Wash. He had a suitcase bomb in the trunk of his car. A US customs agent, Diana Dean, questioned him at the border. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” Ressam’s car was eventually searched, and he was arrested.

It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But it worked. The reason there wasn’t a bombing at Los Angeles International Airport around Christmas 1999 was because a trained, knowledgeable security person was paying attention.

This is “behavioral assessment” profiling. It’s what customs agents do at borders all the time. It’s what the Israeli police do to protect their airport and airplanes. And it’s a new pilot program in the United States at Boston’s Logan Airport. Behavioral profiling is dangerous because it’s easy to abuse, but it’s also the best thing we can do to improve the security of our air passenger system.

Behavioral profiling is not the same as computerized passenger profiling. The latter has been in place for years. It’s a secret system, and it’s a mess. Sometimes airlines decided who would undergo secondary screening, and they would choose people based on ticket purchase, frequent-flyer status, and similarity to names on government watch lists. CAPPS-2 was to follow, evaluating people based on government and commercial databases and assigning a “risk” score. This system was scrapped after public outcry, but another profiling system called Secure Flight will debut next year. Again, details are secret.

The problem with computerized passenger profiling is that it simply doesn’t work. Terrorists don’t fit a profile and cannot be plucked out of crowds by computers. Terrorists are European, Asian, African, Hispanic, and Middle Eastern, male and female, young and old. Richard Reid, the shoe bomber, was British with a Jamaican father. Jose Padilla, arrested in Chicago in 2002 as a “dirty bomb” suspect, was a Hispanic-American. Timothy McVeigh was a white American. So was the Unabomber, who once taught mathematics at the University of California, Berkeley. The Chechens who blew up two Russian planes last August were female. Recent reports indicate that Al Qaeda is recruiting Europeans for further attacks on the United States.

Terrorists can buy plane tickets—either one way or round trip—with cash or credit cards. Mohamed Atta, the leader of the 9/11 plot, had a frequent-flyer gold card. They are a surprisingly diverse group of people, and any computer profiling system will just make it easier for those who don’t meet the profile.

Behavioral assessment profiling is different. It cuts through all of those superficial profiling characteristics and centers on the person. State police are trained as screeners in order to look for suspicious conduct such as furtiveness or undue anxiety. Already at Logan Airport, the program has caught 20 people who were either in the country illegally or had outstanding warrants of one kind or another.

Earlier this month the ACLU of Massachusetts filed a lawsuit challenging the constitutionality of behavioral assessment profiling. The lawsuit is unlikely to succeed; the principle of “implied consent” that has been used to uphold the legality of passenger and baggage screening will almost certainly be applied in this case as well.

But the ACLU has it wrong. Behavioral assessment profiling isn’t the problem. Abuse of behavioral profiling is the problem, and the ACLU has correctly identified where it can go wrong. If policemen fall back on naive profiling by race, ethnicity, age, gender—characteristics not relevant to security—they’re little better than a computer. Instead of “driving while black,” the police will face accusations of harassing people for the infraction of “flying while Arab.” Their actions will increase racial tensions and make them less likely to notice the real threats. And we’ll all be less safe as a result.

Behavioral assessment profiling isn’t a “silver bullet.” It needs to be part of a layered security system, one that includes passenger baggage screening, airport employee screening, and random security checks. It’s best implemented not by police but by specially trained federal officers. These officers could be deployed at airports, sports stadiums, political conventions—anywhere terrorism is a risk because the target is attractive. Done properly, this is the best thing to happen to air passenger security since reinforcing the cockpit door.

This article originally appeared in the Boston Globe.

Posted on November 24, 2004 at 9:33 AMView Comments

World Series Security

The World Series is no stranger to security. Fans try to sneak into the ballpark without tickets, or with counterfeit tickets. Often foods and alcohol are prohibited from being brought into the ballpark, to enforce the monopoly of the high-priced concessions. Violence is always a risk: both small fights and larger-scale riots that result from fans from both teams being in such close proximity—like the one that almost happened during the sixth game of the AL series.

Today, the new risk is terrorism. Security at the Olympics cost $1.5 billion. $50 million each was spent at the Democratic and Republican conventions. There has been no public statement about the security bill for the World Series, but it’s reasonable to assume it will be impressive.

In our fervor to defend ourselves, it’s important that we spend our money wisely. Much of what people think of as security against terrorism doesn’t actually make us safer. Even in a world of high-tech security, the most important solution is the guy watching to keep beer bottles from being thrown onto the field.

Generally, security measures that defend specific targets are wasteful, because they can be avoided simply by switching targets. If we completely defend the World Series from attack, and the terrorists bomb a crowded shopping mall instead, little has been gained.

Even so, some high-profile locations, like national monuments and symbolic buildings, and some high-profile events, like political conventions and championship sporting events, warrant additional security. What additional measures make sense?

ID checks don’t make sense. Everyone has an ID. Even the 9/11 terrorists had IDs. What we want is to somehow check intention; is the person going to do something bad? But we can’t do that, so we check IDs instead. It’s a complete waste of time and money, and does absolutely nothing to make us safer.

Automatic face recognition systems don’t work. Computers that automatically pick terrorists out of crowds are a great movie plot device, but doesn’t work in the real world. We don’t have a comprehensive photographic database of known terrorists. Even worse, the face recognition technology is so faulty that it often can’t make the matches even when we do have decent photographs. We tried it at the 2001 Super Bowl; it was a failure.

Airport-like attendee screening doesn’t work. The terrorists who took over the Russian school sneaked their weapons in long before their attack. And screening fans is only a small part of the solution. There are simply too many people, vehicles, and supplies moving in and out of a ballpark regularly. This kind of security failed at the Olympics, as reporters proved again and again that they could sneak all sorts of things into the stadiums undetected.

What does work is people: smart security officials watching the crowds. It’s called “behavior recognition,�? and it requires trained personnel looking for suspicious behavior. Does someone look out of place? Is he nervous, and not watching the game? Is he not cheering, hissing, booing, and waving like a sports fan would?

This is what good policemen do all the time. It’s what Israeli airport security does. It works because instead of relying on checkpoints that can be bypassed, it relies on the human ability to notice something that just doesn’t feel right. It’s intuition, and it’s far more effective than computerized security solutions.

Will this result in perfect security? Of course not. No security measures are guaranteed; all we can do is reduce the odds. And the best way to do that is to pay attention. A few hundred plainclothes policemen, walking around the stadium and watching for anything suspicious, will provide more security against terrorism than almost anything else we can reasonably do.

And the best thing about policemen is that they’re adaptable. They can deal with terrorist threats, and they can deal with more common security issues, too.

Most of the threats at the World Series have nothing to do with terrorism; unruly or violent fans are a much more common problem. And more likely than a complex 9/11-like plot is a lone terrorist with a gun, a bomb, or something that will cause panic. But luckily, the security measures ballparks have already put in place to protect against the former also help protect against the latter.

Originally published by UPI.

Posted on October 25, 2004 at 6:31 PMView Comments

1 2 3 4

Sidebar photo of Bruce Schneier by Joe MacInnis.