IP: Airline Security Regulations and Biometrics in Airports: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001

[David Farber <dave () farber net>]

>                  CRYPTO-GRAM
>
>               September 30, 2001
>
>               by Bruce Schneier
>                Founder and CTO
>       Counterpane Internet Security, Inc.
>            schneier () counterpane com
>          <http://www.counterpane.com>
>
>
> A free monthly newsletter providing summaries, analyses, insights, and 
> commentaries on computer and network security.
>
> Back issues are available at 
> <http://www.counterpane.com/crypto-gram.html>.  To subscribe, visit 
> <http://www.counterpane.com/crypto-gram.html> or send a blank message to 
> crypto-gram-subscribe () chaparraltree com.
>
> Copyright (c) 2001 by Counterpane Internet Security, Inc.
>
>
> ** *** ***** ******* *********** *************
>
> This is a special issue of Crypto-Gram, devoted to the September 11 
> terrorist attacks and their aftermath.
>
> Please distribute this issue widely.
>
> In this issue:
>      The Attacks
>      Airline Security Regulations
>      Biometrics in Airports
>      Diagnosing Intelligence Failures
>      Regulating Cryptography
>      Terrorists and Steganography
>      News
>      Protecting Privacy and Liberty
>      How to Help
>
>
> ** *** ***** ******* *********** *************

<snip>

>        Airline Security Regulations
>
>
>
> Computer security experts have a lot of expertise that can be applied to 
> the real world.  First and foremost, we have well-developed senses of what 
> security looks like.  We can tell the difference between real security and 
> snake oil.  And the new airport security rules, put in place after 
> September 11, look and smell a whole lot like snake oil.
>
> All the warning signs are there: new and unproven security measures, no 
> real threat analysis, unsubstantiated security claims.  The ban on cutting 
> instruments is a perfect example.  It's a knee-jerk reaction: the 
> terrorists used small knives and box cutters, so we must ban them.  And 
> nail clippers, nail files, cigarette lighters, scissors (even small ones), 
> tweezers, etc.  But why isn't anyone asking the real questions: what is 
> the threat, and how does turning an airplane into a kindergarten classroom 
> reduce the threat?  If the threat is hijacking, then the countermeasure 
> doesn't protect against all the myriad of ways people can subdue the pilot 
> and crew.  Hasn't anyone heard of karate?  Or broken bottles?  Think about 
> hiding small blades inside luggage.  Or composite knives that don't show 
> up on metal detectors.
>
> Parked cars now must be 300 feet from airport gates.  Why?  What security 
> problem does this solve?  Why doesn't the same problem imply that 
> passenger drop-off and pick-up should also be that far away?  Curbside 
> check-in has been eliminated.  What's the threat that this security 
> measure has solved?  Why, if the new threat is hijacking, are we suddenly 
> worried about bombs?
>
> The rule limiting concourse access to ticketed passengers is another one 
> that confuses me.  What exactly is the threat here?  Hijackers have to be 
> on the planes they're trying to hijack to carry out their attack, so they 
> have to have tickets.  And anyone can call Priceline.com and "name their 
> own price" for concourse access.
>
> Increased inspections -- of luggage, airplanes, airports -- seem like a 
> good idea, although it's far from perfect.  The biggest problem here is 
> that the inspectors are poorly paid and, for the most part, poorly 
> educated and trained.  Other problems include the myriad ways to bypass 
> the checkpoints -- numerous studies have found all sorts of violations -- 
> and the impossibility of effectively inspecting everybody while 
> maintaining the required throughput.  Unidentified armed guards on select 
> flights is another mildly effective idea: it's a small deterrent, because 
> you never know if one is on the flight you want to hijack.
>
> Positive bag matching -- ensuring that a piece of luggage does not get 
> loaded on the plane unless its owner boards the plane -- is actually a 
> good security measure, but assumes that bombers have self-preservation as 
> a guiding force.  It is completely useless against suicide bombers.
>
> The worst security measure of them all is the photo ID requirement.  This 
> solves no security problem I can think of.  It doesn't even identify 
> people; any high school student can tell you how to get a fake ID.  The 
> requirement for this invasive and ineffective security measure is secret; 
> the FAA won't send you the written regulations if you ask.  Airlines are 
> actually more stringent about this than the FAA requires, because the 
> "security" measure solves a business problem for them.
>
> The real point of photo ID requirements is to prevent people from 
> reselling tickets.  Nonrefundable tickets used to be regularly advertised 
> in the newspaper classifieds.  Ads would read something like "Round trip, 
> Boston to Chicago, 11/22 - 11/30, female, $50."  Since the airlines didn't 
> check ID but could notice gender, any female could buy the ticket and fly 
> the route.  Now this doesn't work.  The airlines love this; they solved a 
> problem of theirs, and got to blame the solution on FAA security requirements.
>
> Airline security measures are primarily designed to give the appearance of 
> good security rather than the actuality.  This makes sense, once you 
> realize that the airlines' goal isn't so much to make the planes hard to 
> hijack, as to make the passengers willing to fly.  Of course airlines 
> would prefer it if all their flights were perfectly safe, but actual 
> hijackings and bombings are rare events and they know it.
>
> This is not to say that all airport security is useless, and that we'd be 
> better off doing nothing.  All security measures have benefits, and all 
> have costs: money, inconvenience, etc.  I would like to see some rational 
> analysis of the costs and benefits, so we can get the most security for 
> the resources we have.
>
> One basic snake-oil warning sign is the use of self-invented security 
> measures, instead of expert-analyzed and time-tested ones.  The closest 
> the airlines have to experienced and expert analysis is El Al.  Since 1948 
> they have been operating in and out of the most heavily terroristic areas 
> of the planet, with phenomenal success.  They implement some pretty heavy 
> security measures.  One thing they do is have reinforced, locked doors 
> between their airplanes' cockpit and the passenger section.  (Notice that 
> this security measure is 1) expensive, and 2) not immediately perceptible 
> to the passenger.)  Another thing they do is place all cargo in 
> decompression chambers before takeoff, to trigger bombs set to sense 
> altitude.  (Again, this is 1) expensive, and 2) imperceptible, so 
> unattractive to American airlines.)  Some of the things El Al does are so 
> intrusive as to be unconstitutional in the U.S., but they let you take 
> your pocketknife on board with you.
>
> Airline security:
> <http://www.time.com/time/covers/1101010924/bsecurity.html>
> <http://www.accessatlanta.com/ajc/terrorism/atlanta/0925gun.html>
>
> FAA on new security rules:
> <http://www.faa.gov/apa/faq/pr_faq.htm>
>
> A report on the rules' effectiveness:
> <http://www.boston.com/dailyglobe2/266/nation/Passengers_say_banned_items_ha 
> ve_eluded_airport_monitors+.shtml>
>
> El Al's security measures:
> <http://news.excite.com/news/ap/010912/18/israel-safe-aviation>
> <http://news.excite.com/news/r/010914/07/international-attack-israel-elal-dc>
>
> More thoughts on this topic:
> <http://slate.msn.com/HeyWait/01-09-17/HeyWait.asp>
> <http://www.tnr.com/100101/easterbrook100101.html>
> <http://www.tisc2001.com/newsletters/317.html>
>
> Two secret FAA documents on photo ID requirement, in text and GIF:
> <http://www.cs.berkeley.edu/~daw/faa/guid/guid.txt>
> <http://www.cs.berkeley.edu/~daw/faa/guid/guid.html>
> <http://www.cs.berkeley.edu/~daw/faa/id/id.txt>
> <http://www.cs.berkeley.edu/~daw/faa/id/id.html>
>
> Passenger profiling:
> <http://www.latimes.com/news/nationworld/nation/la-091501profile.story>
>
> A CATO Institute report: "The Cost of Antiterrorist Rhetoric," written 
> well before September 11:
> <http://www.cato.org/pubs/regulation/reg19n4e.html>
>
> I don't know if this is a good idea, but at least someone is thinking 
> about the problem:
> <http://www.zdnet.com/anchordesk/stories/story/0,10738,2812283,00.html>
>
>
> ** *** ***** ******* *********** *************
>
>             Biometrics in Airports
>
>
>
> You have to admit, it sounds like a good idea.  Put cameras throughout 
> airports and other public congregation areas, and have automatic 
> face-recognition software continuously scan the crowd for suspected 
> terrorists.  When the software finds one, it alerts the authorities, who 
> swoop down and arrest the bastards.  Voila, we're safe once again.
>
> Reality is a lot more complicated; it always is.  Biometrics is an 
> effective authentication tool, and I've written about it before.  There 
> are three basic kinds of authentication: something you know (password, PIN 
> code, secret handshake), something you have (door key, physical ticket 
> into a concert, signet ring), and something you are (biometrics).  Good 
> security uses at least two different authentication types: an ATM card and 
> a PIN code, computer access using both a password and a fingerprint 
> reader, a security badge that includes a picture that a guard looks 
> at.  Implemented properly, biometrics can be an effective part of an 
> access control system.
>
> I think it would be a great addition to airport security: identifying 
> airline and airport personnel such as pilots, maintenance workers, 
> etc.  That's a problem biometrics can help solve.  Using biometrics to 
> pick terrorists out of crowds is a different kettle of fish.
>
> In the first case (employee identification), the biometric system has a 
> straightforward problem: does this biometric belong to the person it 
> claims to belong to?  In the latter case (picking terrorists out of 
> crowds), the system needs to solve a much harder problem: does this 
> biometric belong to anyone in this large database of people?  The 
> difficulty of the latter problem increases the complexity of the 
> identification, and leads to identification failures.
>
> Setting up the system is different for the two applications.  In the first 
> case, you can unambiguously know the reference biometric belongs to the 
> correct person.  In the latter case, you need to continually worry about 
> the integrity of the biometric database.  What happens if someone is 
> wrongfully included in the database?  What kind of right of appeal does he 
> have?
>
> Getting reference biometrics is different, too.  In the first case, you 
> can initialize the system with a known, good biometric.  If the biometric 
> is face recognition, you can take good pictures of new employees when they 
> are hired and enter them into the system.  Terrorists are unlikely to pose 
> for photo shoots.  You might have a grainy picture of a terrorist, taken 
> five years ago from 1000 yards away when he had a beard.  Not nearly as useful.
>
> But even if all these technical problems were magically solved, it's still 
> very difficult to make this kind of system work.  The hardest problem is 
> the false alarms.  To explain why, I'm going to have to digress into 
> statistics and explain the base rate fallacy.
>
> Suppose this magically effective face-recognition software is 99.99 
> percent accurate.  That is, if someone is a terrorist, there is a 99.99 
> percent chance that the software indicates "terrorist," and if someone is 
> not a terrorist, there is a 99.99 percent chance that the software 
> indicates "non-terrorist."  Assume that one in ten million flyers, on 
> average, is a terrorist.  Is the software any good?
>
> No.  The software will generate 1000 false alarms for every one real 
> terrorist.  And every false alarm still means that all the security people 
> go through all of their security procedures.  Because the population of 
> non-terrorists is so much larger than the number of terrorists, the test 
> is useless.  This result is counterintuitive and surprising, but it is 
> correct.  The false alarms in this kind of system render it mostly 
> useless.  It's "The Boy Who Cried Wolf" increased 1000-fold.
>
> I say mostly useless, because it would have some positive effect.  Once in 
> a while, the system would correctly finger a frequent-flyer 
> terrorist.  But it's a system that has enormous costs: money to install, 
> manpower to run, inconvenience to the millions of people incorrectly 
> identified, successful lawsuits by some of those people, and a continued 
> erosion of our civil liberties.  And all the false alarms will inevitably 
> lead those managing the system to distrust its results, leading to 
> sloppiness and potentially costly mistakes.  Ubiquitous harvesting of 
> biometrics might sound like a good idea, but I just don't think it's worth it.
>
> Phil Agre on face-recognition biometrics:
> <http://dlis.gseis.ucla.edu/people/pagre/bar-code.html>
>
> My original essay on biometrics:
> <http://www.counterpane.com/crypto-gram-9808.html#biometrics>
>
> Face recognition useless in airports:
> <http://www.theregister.co.uk/content/4/21916.html>
> According to a DARPA study, to detect 90 per cent of terrorists we'd need 
> to raise an alarm for one in every three people passing through the airport.
>
> A company that is pushing this idea:
> <http://www.theregister.co.uk/content/6/21882.html>
>
> A version of this article was published here:
> <http://www.extremetech.com/article/0,3396,s%253D1024%2526a%253D15070,00.asp>

<snip>



For archives see: http://www.interesting-people.org/