Entries Tagged "children"

Page 8 of 9

In Praise of Security Theater

While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.

Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S.—one in 145—and it becomes clear where the real risks are.

And the 1-in-375,000 chance is not today’s risk. Infant abduction rates have plummeted in recent years, mostly due to education programs at hospitals.

So why are hospitals bothering with RFID bracelets? I think they’re primarily to reassure the mothers. Many times during my friends’ stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.

Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they’re a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure.

The RFID bracelets are what I’ve come to call security theater: security primarily designed to make you feel more secure. I’ve regularly maligned security theater as a waste, but it’s not always, and not entirely, so.

It’s only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases—like with mothers and the threat of baby abduction—a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered.

Tamper-resistant packaging for over-the-counter drugs started to appear in the 1980s, in response to some highly publicized poisonings. As a countermeasure, it’s largely security theater. It’s easy to poison many foods and over-the-counter medicines right through the seal—with a syringe, for example—or to open and replace the seal well enough that an unwary consumer won’t detect it. But in the 1980s, there was a widespread fear of random poisonings in over-the-counter medicines, and tamper-resistant packaging brought people’s perceptions of the risk more in line with the actual risk: minimal.

Much of the post-9/11 security can be explained by this as well. I’ve often talked about the National Guard troops in airports right after the terrorist attacks, and the fact that they had no bullets in their guns. As a security countermeasure, it made little sense for them to be there. They didn’t have the training necessary to improve security at the checkpoints, or even to be another useful pair of eyes. But to reassure a jittery public that it’s OK to fly, it was probably the right thing to do.

Security theater also addresses the ancillary risk of lawsuits. Lawsuits are ultimately decided by juries, or settled because of the threat of jury trial, and juries are going to decide cases based on their feelings as well as the facts. It’s not enough for a hospital to point to infant abduction rates and rightly claim that RFID bracelets aren’t worth it; the other side is going to put a weeping mother on the stand and make an emotional argument. In these cases, security theater provides real security against the legal threat.

Like real security, security theater has a cost. It can cost money, time, concentration, freedoms and so on. It can come at the cost of reducing the things we can do. Most of the time security theater is a bad trade-off, because the costs far outweigh the benefits. But there are instances when a little bit of security theater makes sense.

We make smart security trade-offs—and by this I mean trade-offs for genuine security—when our feeling of security closely matches the reality. When the two are out of alignment, we get security wrong. Security theater is no substitute for security reality, but, used correctly, security theater can be a way of raising our feeling of security so that it more closely matches the reality of security. It makes us feel more secure handing our babies off to doctors and nurses, buying over-the-counter medicines, and flying on airplanes—closer to how secure we should feel if we had all the facts and did the math correctly.

Of course, too much security theater and our feeling of security becomes greater than the reality, which is also bad. And others—politicians, corporations and so on—can use security theater to make us feel more secure without doing the hard work of actually making us secure. That’s the usual way security theater is used, and why I so often malign it.

But to write off security theater completely is to ignore the feeling of security. And as long as people are involved with security trade-offs, that’s never going to work.

This essay appeared on Wired.com, and is dedicated to my new godson, Nicholas Quillen Perry.

EDITED TO ADD: This essay has been translated into Portuguese.

Posted on January 25, 2007 at 5:50 AMView Comments

ID Cards to Stop Bullying

No, really:

“Introducing photo ID cards will help bring an end to bullying over use of ‘cash free’ cards for school meals, will assist with access to school bus services and, ultimately, can be used to add security to school examinations,” he said.

“SSTA members report frequently that young people are bullied into handing over their cards for school meals to others, thus leaving them without their meal entitlement.

“With non-identified cards this will remain a problem. If photo ID is introduced widely, then the problem will dramatically reduce.”

He said that introducing such a system would also help prepare young people for “the realities of identity management in the 21st Century”.

I agree with this:

However, Green MSP Patrick Harvie said the suggestion was troubling.

“We should be preparing young people for the reality of defending their privacy and civil liberties against ever-more intrusive government systems,” he argued.

“We’ve heard proposals for airport-style scanners and random drug testing in schools, fingerprinting is already in place in some schools. There’s a risk of creating environments which feel more like penal institutions than places of learning.

“These ID cards will do absolutely nothing to address the causes of bullying. Instead they will teach the next generation that an ID card culture is ‘normal’, and that they should have to prove their entitlement to services.”

It’s important that schools teach the right lessons, and “we’re all living in a surveillance society, and we should just get used to it” is not the right lesson.

Posted on January 4, 2007 at 6:17 AMView Comments

Cybercrime Hype Alert

It seems to be the season for cybercrime hype. First, we have this article from CNN, which seems to have no actual news:

Computer hackers will open a new front in the multi-billion pound “cyberwar” in 2007, targeting mobile phones, instant messaging and community Web sites such as MySpace, security experts predict.

As people grow wise to email scams, criminal gangs will find new ways to commit online fraud, sell fake goods or steal corporate secrets.

And next, this article, which claims that criminal organizations are paying student members to get IT degrees:

The most successful cyber crime gangs were based on partnerships between those with the criminals skills and contacts and those with the technical ability, said Mr Day.

“Traditional criminals have the ability to move funds and use all of the background they have,” he said, “but they don’t have the technical expertise.”

As the number of criminal gangs looking to move into cyber crime expanded, it got harder to recruit skilled hackers, said Mr Day. This has led criminals to target university students all around the world.

“Some students are being sponsored through their IT degree,” said Mr Day. Once qualified, the graduates go to work for the criminal gangs.

[…]

The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study.

By trawling websites, bulletin boards and chat rooms that offer hacking tools, cracks or passwords for pirated software, criminal recruiters gather information about potential targets.

Once identified, young hackers are drawn in by being rewarded for carrying out low-level tasks such as using a network of hijacked home computers, a botnet, to send out spam.

The low risk of being caught and the relatively high-rewards on offer helped the criminal gangs to paint an attractive picture of a cyber criminal’s life, said Mr Day.

As youngsters are drawn in the stakes are raised and they are told to undertake increasingly risky jobs.

Criminals targeting children—that’s sure to peg anyone’s hype-meter.

To be sure, I don’t want to minimize the threat of cybercrime. Nor do I want to minimize the threat of organized cybercrime. There are more and more criminals prowling the net, and more and more cybercrime has gone up the food chain—to large organized crime syndicates. Cybercrime is big business, and it’s getting bigger.

But I’m not sure if stories like these help or hurt.

Posted on December 14, 2006 at 2:36 PMView Comments

Bulletproof Textbooks

You can’t make this stuff up:

A retired veteran and candidate for Oklahoma State School Superintendent says he wants to make schools safer by creating bulletproof textbooks.

Bill Crozier says the books could give students and teachers a fighting chance if there’s a shooting at their school.

Can you just imagine the movie-plot scenarios going through his head? Does he really think this is a smart way to spend security dollars?

I just shake my head in wonder….

Posted on November 3, 2006 at 12:11 PMView Comments

MySpace Increases Security

According to CNN:

Besides the contact restrictions, all users—not just those 14 and 15—will have the option to make only partial profiles available to those not already on their friends list.

All users also will get an option to prevent contact from people outside their age group. Currently, they may only choose to require that a person know their e-mail or last name first; that will remain an option to those 16 and over, even as it becomes mandatory for those younger.

MySpace also will beef up its ad-targeting technology, so that it can avoid displaying gambling and other adult-themed ads on minors’ profile pages and target special public-service announcements to them.

Honestly, this all sounds a lot more like cover-your-ass security than real security: MySpace securing itself from lawsuits.

“Safety experts” seem to agree that it won’t improve security much.

Posted on June 26, 2006 at 8:20 AMView Comments

Child-Repellent Sounds

I’ve already written about merchants using classical music to discourage loitering. Young people don’t like the music, so they don’t stick around.

Here’s a new twist: high-frequency noise that children and teenagers can hear but adults can’t:

The results were almost instantaneous. It was as if someone had used anti-teenager spray around the entrance, the way you might spray your sofas to keep pets off. Where disaffected youths used to congregate, now there is no one.

At first, members of the usual crowd tried to gather as normal, repeatedly going inside the store with their fingers in their ears and “begging me to turn it off,” Gough said. But he held firm and neatly avoided possible aggressive confrontations: “I told them it was to keep birds away because of the bird flu epidemic.”

At least he didn’t claim it was an anti-terrorism security measure.

Posted on December 6, 2005 at 7:46 AMView Comments

The Kutztown 13

Thirteen Pennsylvania high-school kids—Kutztown 13—are being charged with felonies:

They’re being called the Kutztown 13—a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators.

The students, their families and outraged supporters say authorities are overreacting, punishing the kids not for any heinous behavior—no malicious acts are alleged—but rather because they outsmarted the district’s technology workers….

The trouble began last fall after the district issued some 600 Apple iBook laptops to every student at the high school about 50 miles northwest of Philadelphia. The computers were loaded with a filtering program that limited Internet access. They also had software that let administrators see what students were viewing on their screens.

But those barriers proved easily surmountable: The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school’s street address, the password was taped to the backs of the computers.

The password got passed around and students began downloading such forbidden programs as the popular iChat instant-messaging tool.

At least one student viewed pornography. Some students also turned off the remote monitoring function and turned the tables on their elders_ using it to view administrators’ own computer screens.

There’s more to the story, though. Here’s some good commentary on the issue:

What the parents don’t mention—but the school did in a press release—is that it wasn’t as if the school came down with the Hammer of God out of nowhere.

These kids were caught and punished for doing this stuff, and their parents informed.

Over and over.

Quoth the release:

“Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls.”

What was the parents’ reaction those disciplinary actions? Some of them complained that—despite signing a document agreeing to the acceptable use policy—the kids should be able to do whatever they wanted to with the free machines.

“We signed it, but we didn’t mean it”?

Yes, the kids should be punished. No, a felony comviction is not the way to punish them.

The problem is that the punishment doesn’t fit the crime. Breaking the rules is what kids do. Society needs to deal with that, yes, but it needs to deal with that in a way that doesn’t ruin lives. Deterrence is critical if we are to ever have a lawful society on the internet, but deterrence has to come from rational prosecution. This simply isn’t rational.

EDITED TO ADD (2 Sep): It seems that charges have been dropped.

Posted on August 22, 2005 at 6:56 AMView Comments

1 6 7 8 9

Sidebar photo of Bruce Schneier by Joe MacInnis.