Entries Tagged "cost-benefit analysis"

Page 5 of 23

The Trouble with Airport Profiling

Why do otherwise rational people think it’s a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: “Muslims, or anyone who looks like he or she could conceivably be Muslim.”

This is a bad idea. It doesn’t make us any safer—and it actually puts us all at risk.

The right way to look at security is in terms of cost-benefit trade-offs. If adding profiling to airport checkpoints allowed us to detect more threats at a lower cost, than we should implement it. If it didn’t, we’d be foolish to do so. Sometimes profiling works. Consider a sheep in a meadow, happily munching on grass. When he spies a wolf, he’s going to judge that individual wolf based on a bunch of assumptions related to the past behavior of its species. In short, that sheep is going to profile…and then run away. This makes perfect sense, and is why evolution produced sheep—and other animals—that react this way. But this sort of profiling doesn’t work with humans at airports, for several reasons.

First, in the sheep’s case the profile is accurate, in that all wolves are out to eat sheep. Maybe a particular wolf isn’t hungry at the moment, but enough wolves are hungry enough of the time to justify the occasional false alarm. However, it isn’t true that almost all Muslims are out to blow up airplanes. In fact, almost none of them are. Post 9/11, we’ve had 2 Muslim terrorists on U.S airplanes: the shoe bomber and the underwear bomber. If you assume 0.8% (that’s one estimate of the percentage of Muslim Americans) of the 630 million annual airplane fliers are Muslim and triple it to account for others who look Semitic, then the chances any profiled flier will be a Muslim terrorist is 1 in 80 million. Add the 19 9/11 terrorists—arguably a singular event—that number drops to 1 in 8 million. Either way, because the number of actual terrorists is so low, almost everyone selected by the profile will be innocent. This is called the “base rate fallacy,” and dooms any type of broad terrorist profiling, including the TSA’s behavioral profiling.

Second, sheep can safely ignore animals that don’t look like the few predators they know. On the other hand, to assume that only Arab-appearing people are terrorists is dangerously naive. Muslims are black, white, Asian, and everything else—most Muslims are not Arab. Recent terrorists have been European, Asian, African, Hispanic, and Middle Eastern; male and female; young and old. Underwear bomber Umar Farouk Abdul Mutallab was Nigerian. Shoe bomber Richard Reid was British with a Jamaican father. One of the London subway bombers, Germaine Lindsay, was Afro-Caribbean. Dirty bomb suspect Jose Padilla was Hispanic-American. The 2002 Bali terrorists were Indonesian. Both Timothy McVeigh and the Unabomber were white Americans. The Chechen terrorists who blew up two Russian planes in 2004 were female. Focusing on a profile increases the risk that TSA agents will miss those who don’t match it.

Third, wolves can’t deliberately try to evade the profile. A wolf in sheep’s clothing is just a story, but humans are smart and adaptable enough to put the concept into practice. Once the TSA establishes a profile, terrorists will take steps to avoid it. The Chechens deliberately chose female suicide bombers because Russian security was less thorough with women. Al Qaeda has tried to recruit non-Muslims. And terrorists have given bombs to innocent—and innocent-looking—travelers. Randomized secondary screening is more effective, especially since the goal isn’t to catch every plot but to create enough uncertainty that terrorists don’t even try.

And fourth, sheep don’t care if they offend innocent wolves; the two species are never going to be friends. At airports, though, there is an enormous social and political cost to the millions of false alarms. Beyond the societal harms of deliberately harassing a minority group, singling out Muslims alienates the very people who are in the best position to discover and alert authorities about Muslim plots before the terrorists even get to the airport. This alone is reason enough not to profile.

I too am incensed—but not surprised—when the TSA singles out four-year old girls, children with cerebral palsy, pretty women, the elderly, and wheelchair users for humiliation, abuse, and sometimes theft. Any bureaucracy that processes 630 million people per year will generate stories like this. When people propose profiling, they are really asking for a security system that can apply judgment. Unfortunately, that’s really hard. Rules are easier to explain and train. Zero tolerance is easier to justify and defend. Judgment requires better-educated, more expert, and much-higher-paid screeners. And the personal career risks to a TSA agent of being wrong when exercising judgment far outweigh any benefits from being sensible.

The proper reaction to screening horror stories isn’t to subject only “those people” to it; it’s to subject no one to it. (Can anyone even explain what hypothetical terrorist plot could successfully evade normal security, but would be discovered during secondary screening?) Invasive TSA screening is nothing more than security theater. It doesn’t make us safer, and it’s not worth the cost. Even more strongly, security isn’t our society’s only value. Do we really want the full power of government to act out our stereotypes and prejudices? Have we Americans ever done something like this and not been ashamed later? This is what we have a Constitution for: to help us live up to our values and not down to our fears.

This essay previously appeared on Forbes.com and Sam Harris’s blog.

Posted on May 14, 2012 at 6:19 AMView Comments

TSA Behavioral Detection Statistics

Interesting data from the U.S. Government Accountability Office:

But congressional auditors have questions about other efficiencies as well, like having 3,000 “behavior detection” officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists.

Yet in the same year, behavior detection teams apparently let at least 16 individuals allegedly involved in six subsequent terror plots slip through eight different airports. GAO said the individuals moved through protected airports on at least 23 different occasions.

I don’t believe the second paragraph. We haven’t had six terror plots between 2010 and today. And even if we did, how would the auditors know? But I’m sure the first paragraph is correct: the behavioral detection program is 0% effective at preventing terrorism.

The rest of the article is pretty depressing. The TSA refuses to back down on any of its security theater measures. At the same time, its budget is being cut and more people are flying. The result: longer waiting times at security.

Posted on April 20, 2012 at 6:19 AMView Comments

"Raise the Crime Rate"

I read this a couple of months ago, and I’m still not sure what I think about it. It’s definitely one of the most thought-provoking essays I’ve read this year.

According to government statistics, Americans are safer today than at any time in the last forty years. In 1990, there were 2,245 homicides in New York City. In 2010, there were 536, only 123 of which involved people who didn’t already know each other. The fear, once common, that walking around city parks late at night could get you mugged or murdered has been relegated to grandmothers; random murders, with few exceptions, simply don’t happen anymore.

When it comes to rape, the numbers look even better: from 1980 to 2005, the estimated number of sexual assaults in the US fell by 85 percent. Scholars attribute this stunning collapse to various factors, including advances in gender equality, the abortion of unwanted children, and the spread of internet pornography.

It shouldn’t surprise us that the country was more dangerous in 1990, at the height of the crack epidemic, than in 2006, at the height of the real estate bubble. What’s strange is that crime has continued to fall during the recession. On May 23, in what has become an annual ritual, the New York Times celebrated the latest such finding: in 2010, as America’s army of unemployed grew to 14 million, violent crime fell for the fourth year in a row, sinking to a level not seen since the early ’70s. This seemed odd. Crime and unemployment were supposed to rise in tandem­progressives have been harping on this point for centuries. Where had all the criminals gone?

Statistics are notoriously slippery, but the figures that suggest that violence has been disappearing in the United States contain a blind spot so large that to cite them uncritically, as the major papers do, is to collude in an epic con. Uncounted in the official tallies are the hundreds of thousands of crimes that take place in the country’s prison system, a vast and growing residential network whose forsaken tenants increasingly bear the brunt of America’s propensity for anger and violence.

Crime has not fallen in the United States—it’s been shifted. Just as Wall Street connived with regulators to transfer financial risk from spendthrift banks to careless home buyers, so have federal, state, and local legislatures succeeded in rerouting criminal risk away from urban centers and concentrating it in a proliferating web of hyperhells. The statistics touting the country’s crime-reduction miracle, when juxtaposed with those documenting the quantity of rape and assault that takes place each year within the correctional system, are exposed as not merely a lie, or even a damn lie—but as the single most shameful lie in American life.

The author argues that the only moral thing for the U.S. to do is to accept a slight rise in the crime rate while vastly reducing the number of people incarcerated.

While I might not agree with his conclusion—as I said above, I’m not sure whether I do or I don’t—it’s very much the sort of trade-off I talk about in Liars and Outliers. And Steven Pinker has an extensive argument about violent crime in modern society that he makes in The Better Angels of our Nature.

Posted on April 11, 2012 at 1:25 PMView Comments

The Sudafed Security Trade-Off

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine:

Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds—or that they would share data indicating that half of their revenues came from meth cooks. But let’s say this is accurate: half of all pseudoephedrine is sold to meth labs. That still wouldn’t mean that manufacturers of cold medicines are making “hundreds of millions of dollars a year” off of the stuff—not in the sense that they end up hundreds of millions of dollars richer. The margins on off-patent medicines are not high, and in retail, 50% or more of the cost of the product is retailer and distributor markup*. Then there’s the costs of manufacturing.

But this is sort of a side issue. What really bothers me is the way that Humphreys—and others who show up in the comments—regard the rather extraordinary cost of making PSE prescription-only as too trivial to mention.

Let’s return to those 15 million cold sufferers. Assume that on average, they want one box a year. That’s going to require a visit to the doctor. At an average copay of $20, their costs alone would be $300 million a year, but of course, the health care system is also paying a substantial amount for the doctor’s visit. The average reimbursement from private insurance is $130; for Medicare, it’s about $60. Medicaid pays less, but that’s why people on Medicaid have such a hard time finding a doctor. So average those two together, and add the copays, and you’ve got at least $1.5 billion in direct costs to obtain a simple decongestant. But that doesn’t include the hassle and possibly lost wages for the doctor’s visits. Nor the possible secondary effects of putting more demands on an already none-too-plentiful supply of primary care physicians.

I like seeing the debate framed as a security trade-off.

Posted on February 15, 2012 at 7:09 AMView Comments

RFID Tags Protecting Hotel Towels

The stealing of hotel towels isn’t a big problem in the scheme of world problems, but it can be expensive for hotels. Sure, we have moral prohibitions against stealing—that’ll prevent most people from stealing the towels. Many hotels put their name or logo on the towels. That works as a reputational societal security system; most people don’t want their friends to see obviously stolen hotel towels in their bathrooms. Sometimes, though, this has the opposite effect: making towels and other items into souvenirs of the hotel and thus more desirable to steal. It’s against the law to steal hotel towels, of course, but with the exception of large-scale thefts, the crime will never be prosecuted. (This might be different in third world countries. In 2010, someone was sentenced to three months in jail for stealing two towels from a Nigerian hotel.) The result is that more towels are stolen than hotels want. And for expensive resort hotels, those towels are expensive to replace.

The only thing left for hotels to do is take security into their own hands. One system that has become increasingly common is to set prices for towels and other items—this is particularly common with bathrobes—and charge the guest for them if they disappear from the rooms. This works with some things, but it’s too easy for the hotel to lose track of how many towels a guest has in his room, especially if piles of them are available at the pool.

A more recent system, still not widespread, is to embed washable RFID chips into the towels and track them that way. The one data point I have for this is an anonymous Hawaii hotel that claims they’ve reduced towel theft from 4,000 a month to 750, saving $16,000 in replacement costs monthly.

Assuming the RFID tags are relatively inexpensive and don’t wear out too quickly, that’s a pretty good security trade-off.

Posted on May 11, 2011 at 11:01 AMView Comments

Counterterrorism Security Cost-Benefit Analysis

Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security,” by John Mueller and Mark Stewart:

Abstract:The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus far, officials do not seem to have done so and have engaged in various forms of probability neglect by focusing on worst case scenarios; adding, rather than multiplying, the probabilities; assessing relative, rather than absolute, risk; and inflating terrorist capacities and the importance of potential terrorist targets. We find that enhanced expenditures have been excessive: to be deemed cost-effective in analyses that substantially bias the consideration toward the opposite conclusion, they would have to deter, prevent, foil, or protect against 1,667 otherwise successful Times-Square type attacks per year, or more than four per day. Although there are emotional and political pressures on the terrorism issue, this does not relieve politicians and bureaucrats of the fundamental responsibility of informing the public of the limited risk that terrorism presents and of seeking to expend funds wisely. Moreover, political concerns may be over-wrought: restrained reaction has often proved to be entirely acceptable politically.

Posted on April 6, 2011 at 6:03 AMView Comments

Julian Sanchez on Balancing Privacy and Security

From a blog post:

In my own area of study, the familiar trope of “balancing privacy and security” is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of “balancing” leads people to view them as always in conflict. This is, I suspect, the source of much of the psychological appeal of “security theater”: If we implicitly think of privacy and security as balanced on a scale, a loss of privacy is ipso facto a gain in security. It sounds silly when stated explicitly, but the power of frames is precisely that they shape our thinking without being stated explicitly.

I’ve written about the false trade-off between security and privacy.

Posted on February 11, 2011 at 12:48 PMView Comments

REAL-ID Implementation

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud.

States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer satisfaction, resulting in that state receiving AAMVA’s “customer satisfaction” award of the year. This is not just a win-win for national and economic security, but a win (less expensive) -win (doable) -win (fraud reduction) -win (improved customer satisfaction) for federal and state governments as well as individuals.

Moreover, 11 states are already in full compliance, well ahead of the May 2011 deadline for the 18 benchmarks. Another eight are close behind. Some states, like Delaware and Maryland, have achieved REAL ID compliance within a year. Washington State refuses REAL ID compliance, but has already implemented the most difficult benchmarks.

Perhaps most astonishing is that from the cost numbers currently available, it looks like implementation of the 18 REAL ID benchmarks in all the states may end up costing somewhere between $350 million and $750 million, significantly less than the $1 billion projected by those still seeking to change the law.

Legal presence is being checked in all but two states, up 28 states from 2006. Only Washington and New Mexico still do not require legal presence to obtain a license, but Washington so significantly upgraded its license issuance in 2010 that the fraudulent attempts to garner licenses in that state are now significantly reduced. Every state is now checking Social Security numbers.

This might be the first government IT project ever that came in under initial cost estimates. Perhaps the reason is that the states did not want to implement REAL-ID in 2005, so they overstated the costs.

As to fraud reduction—I’m not so sure. As the difficulty of getting a fraudulent ID increases, so does its value. I think we’ll have to wait a while longer and see how criminals adapt.

EDITED TO ADD (2/11): CATO’s Jim Harper argues that this report does not show that implementing the national ID program envisioned in the national ID law is a cost-effective success. It only assesses compliance with certain DHS-invented “benchmarks” related to REAL ID, and does so in a way that skews the results.

Posted on January 25, 2011 at 6:16 AMView Comments

Cost-Benefit Analysis of Full-Body Scanners

Research paper from Mark Stewart and John Mueller:

The Transportation Security Administration (TSA) has been deploying Advanced Imaging Technologies (AIT) that are full-body scanners to inspect a passenger’s body for concealed weapons, explosives, and other prohibited items. The terrorist threat that AITs are primarily dedicated to is preventing the downing of a commercial airliner by an IED (Improvised Explosive Device) smuggled on board by a passenger. The cost of this technology will reach $1.2 billion per year by 2014. The paper develops a cost-benefit analysis of AITs for passenger screening at U.S. airports. The analysis considered threat probability, risk reduction, losses, and costs of security measures in the estimation of costs and benefits. Since there is uncertainty and variability of these parameters, three alternate probability (uncertainty) models were used to characterise risk reduction and losses. Economic losses were assumed to vary from $2-50 billion, and risk reduction from 5-10%. Monte-Carlo simulation methods were used to propagate these uncertainties in the calculation of benefits, and the minimum attack probability necessary for AITs to be cost-effective was calculated. It was found that, based on mean results, more than one attack every two years would need to originate from U.S. airports for AITs to pass a cost-benefit analysis. In other words, to be cost-effective, AITs every two years would have to disrupt more than one attack effort with body-borne explosives that otherwise would have been successful despite other security measures, terrorist incompetence and amateurishness, and the technical difficulties in setting off a bomb sufficiently destructive to down an airliner. The attack probability needs to exceed 160-330% per year to be 90% certain that AITs are cost-effective.

EDITED TO ADD (1/26): Response from one of the paper’s authors.

Posted on January 20, 2011 at 1:39 PMView Comments

1 3 4 5 6 7 23

Sidebar photo of Bruce Schneier by Joe MacInnis.