Tag: strip-search machines

Slow and Steady Progress on TSA Strip-Search Policy

Having pled before the D.C. Circuit Court of Appeals that doing a notice-and-comment rulemaking on its strip-search machine policy is difficult and expensive, the Transportation Security Administration is dropping a cool quarter-billion dollars on new strip-search machines. That’s quite a fixation the TSA has, putting spending on new gadgets ahead of following the law.

But the writing is on the wall for the practice of putting travelers through strip-search machines and prison-style pat-downs at the government checkpoints in American airports.

On Tuesday, the D.C. Circuit ruled against a petition to have the court force TSA to move forward with taking public comments as required by law. The language of the order signals the court’s expectation, though, that the TSA will get this done, quoting the TSA’s language and, well, saying as much.

ORDERED that the petition for writ of mandamus be denied in light of the Government’s representation that “the process of finalizing the AIT Rulemaking documents so that the NPRM may be published is expected to be complete by or before the end of February 2013.” Accordingly, we expect that the NPRM will be published before the end of March 2013.

Generous court — it gave the TSA an extra month.

I imagine the folks at EPIC are preparing a filing for April 1st. No foolin’, there will be a public push to go along with it, as large or larger than the most recent.

The TSA knows it can only carry on so long in contempt of the law and the court. I expect the rulemaking documents will issue by midnight on March 31st, even if a special Sunday edition of the Federal Register has to be published to do it.

The court’s ruling is technically adverse to the petitioners, but it is better than a flat denial. The court was not going to cancel a policy that is arguably an important security measure. The best outcome was some kind of date certain with consequences for failure to act. The TSA delivered a date certain, which the court has adopted. Leaving the consequences unstated could embolden TSA to more contumacy, but I doubt it.

Once the rulemaking is in place, the strategy I laid out a year ago kicks in.

The TSA will have to exhibit how its risk management supports the installation and use of strip-search machines. How did the TSA do its asset characterization (summarizing the things it is protecting)? What are the vulnerabilities it assessed? How did it model threats and hazards (actors or things animated to do harm)? What are the likelihoods and consequences of various attacks? Risk assessment questions like these are all essential inputs into decisions about what to prioritize and how to respond.

When the insufficiency of its policymaking is shown, the policy will be ripe for review under the Administrative Procedure Act’s “arbitrary and capricious” standard and there will be a record sufficient to justify a Fourth Amendment challenge to the policy of prison-style searches of all American travelers.

Yes, the challenge to this policy is taking a long time, but pressing back on all fronts against the invasive, unneeded security state is a joy even when it requires patience.

Incoherent Politicians Lag Public Opinion on TSA

If you needed proof of politicians’ sensitivity to, and encouragement of, persistent terrorism fears, look no further than today’s hearing in the House Homeland Security Subcommittee on Transportation Security. It’s called “Eleven Years After 9/11 Can TSA Evolve To Meet the Next Terrorist Threat?” and it’s being used to feature—get this—a report arguing for a “smarter, leaner” Transportation Security Administration.

Could the signaling be more incoherent? The hearing suggests both that unknown horrors loom and that we should shrink the most visible federal security agency.

Lace up your shoes, America—we’re goin’ swimmin’!

Our federal politicians still can’t bring themselves to acknowledge that terrorism is a far smaller threat than we believed in the aftermath of the September 11, 2001, attacks, and that the threat has waned since then. (The risk of attack will never be zero, but terrorism is far down on the list of dangers Americans face.)

The good news is that the public’s loathing for the TSA is just as persistent as stated terrorism fears. This at least constrains congressional leaders to make gestures toward controlling the TSA. Perhaps we’ll get a “smarter, leaner” overreaction to fear.

Public opprobrium is a constraint on the growth and intrusiveness of the TSA, so I was delighted to see a new project from the folks at We Won’t Fly. Their new project highlights the fact that the TSA has still failed to begin the process for taking public comments on the policy of using Advanced Imaging Technology (strip-search machines) at U.S. airports, even though the D.C. Circuit Court of Appeals ordered it more than a year ago.

The project is called TSAComment.com, and they’re collecting comments because the TSA won’t.

The purpose of TSAComment.com is to give a voice to everyone the TSA would like to silence. There are many legitimate health, privacy and security-related concerns with the TSA’s adoption of body scanning technology in US airports. The TSA deployed these expensive machines without holding a mandatory public review period. Even now they resist court orders to take public comments.

TSAComment.com has gotten nearly 100 comments since the site went up late yesterday, and they’re going to deliver those comments to TSA administrator John Pistole, Homeland Security secretary Janet Napolitano, and the media.

The D.C. Circuit Court did require TSA to explain why it has not carried out a notice-and-comment rulemaking on the strip-search machine policy, and assumedly it will rule before too long.

Getting the TSA to act within the law is important not only because it is essential to have the rule of law, but because the legal procedures TSA is required to follow will require it to balance the costs and benefits of its security measures articulately and carefully. Which is to say that security policy will be removed somewhat from the political realm and our incoherent politicians and moved more toward the more rational, deliberative worlds of law and risk management.

Hope springs eternal, anyway…

There could be no better tribute to the victims of 9/11 than by continuing to live free in our great country. I won’t shrink from that goal. The people at TSAComment do not shrink from that goal. And hopefully you won’t either.

TSA Should Follow the Law

A year ago this coming Sunday, the U.S. Court of Appeals for the D.C. Circuit ordered the Transportation Security Administration to do a notice-and-comment rulemaking on its use of Advanced Imaging Technology (aka “body-scanners” or “strip-search machines”) for primary screening at airports. (The alternative for those who refuse such treatment: a prison-style pat-down.) It was a very important ruling, for reasons I discussed in a post back then. The TSA was supposed to publish its policy in the Federal Register, take comments from the public, and issue a final rule that responds to public input.

So far, it hasn’t done any of those things.

The reason for the delay, stated in a filing with the court last year, was the complexity and expense of doing a rulemaking in this area. But CEI’s Ryan Radia, at work on a legal brief in the case, notes that the TSA has devoted substantial resources to the PreCheck program during this time, rolling it out to additional airports. How can an agency pour resources into its latest greatest project yet claim poverty when it comes to complying with the law?

So on Monday, I started a petition on Whitehouse.gov. It says the president should “Require the Transportation Security Administration to Follow the Law!”

By the end of the day yesterday, the petition had garnered the 150 signatures needed to get it published on Whitehouse.gov. The petition says:

Defying the court, the TSA has not satisfied public concerns about privacy, about costs and delays, security weaknesses, and the potential health effects of these machines. If the government is going to “body-scan” Americans at U.S. airports, President Obama should force the TSA to begin the public process the court ordered.

That’s not a huge request. Getting 25,000 signatures requires the administration to supply a response, according to the White House’s petition rules.

The response we want is legal compliance. The public deserves to know where the administration stands on freedom to travel, and the rule of law. While TSA agents bark orders at American travelers, should the agency itself be allowed to flout one of the highest courts in the land? If the petition gets enough signatures, we’ll find out.

Signing the petition requires an email for confirmation, but it does not sign you up for any mailing list unless you volunteer for that. If you’re quite concerned about sharing an email, you can create a throwaway email on AOL or Yahoo! and use it once.

Please pass the word about the petition. If it gets to 25,000 people, the Obama administration will owe the public a response. I’ll report on it, and whether or not it’s satisfactory, right here.

New Underwear Bomb, New Threat Information

It’s a good bet that news of a new thwarted underwear bomber will underlie more than one argument for the strip-search machines American travelers encounter even at the domestic terminals of our airports. According to the AP:

The plot involved an upgrade of the underwear bomb that failed to detonate aboard a jetliner over Detroit on Christmas 2009. This new bomb was also designed to be used in a passenger’s underwear, but this time al-Qaida developed a more refined detonation system, U.S. officials said. … The would-be suicide bomber, based in Yemen, had not yet picked a target or bought his plane tickets when the CIA stepped in and seized the bomb, officials said.

Reading this, you’ve been reminded of the fact that, somewhere in a remote Middle Eastern backwater, someone would like to bomb an aircraft flying into the United States. For many, this will induce a bout of probability neglect, making it very hard to process the upshot of this news: This type of attack, which was already very unlikely to succeed, has been made even less likely to succeed.

How did it become less likely to succeed? Let’s use the Transportation Security Administration’s layered security concept to examine things.

In December 2009, the underwear bomber (well—he failed: the “underwear bomb plotter”) managed to get a deformed bomb onto a plane. It was so deformed that he could not cause it to explode. Instead, he burned himself while other passengers subdued him. In the TSA’s formulation, the plot was foiled by the last security layer (it’s hard to read in the graphic): passengers.

(This is not actually the last security layer. The design of planes to withstand shocks to the fuselage is a preventive against downings that small smuggled bombs will have a hard time overcoming.)

The latest news has it that an updated underwear bomb was seized in Yemen by the CIA. That’s the first layer of security in the TSA’s graphic. Intelligence—the first layer.

(This is not actually the first security layer. A benign, phlegmatic foreign policy would produce fewer people worldwide wishing to do the United States harm and more people intolerant of those who do.)

Now, it is not all 100%, unalloyed good security news. As the AP report says:

The FBI is examining the latest bomb to see whether it could have passed through airport security and brought down an airplane, officials said. They said the device did not contain metal, meaning it probably could have passed through an airport metal detector. But it was not clear whether new body scanners used in many airports would have detected it.

There may be an innovation in underwear bombs that makes them easier to smuggle on to planes. At its best, this innovation may render the body scanners useless against them. (Again, watch for arguments that, despite their impotence, this news makes body scanners all the more essential. A news report yesterday said that new vulnerabilities in the machines have been unearthed by government investigators.)

On balance, I think this news shows just how much the threat is diminished. Innovations in bomb-making, happening on the far outskirts of modern society, are being thwarted at their source, long before they begin the journey through the many other security layers that protect aviation and air travelers. You may continue to move about the country even more confident of your safety than you did before. I’m hopping on a plane again Friday morning, and I will be just as polite and cheerful as ever in declining to go through the strip-search machines.

Viral Video Strips Down Strip-Search Machines

The TSA’s response yesterday to a video challenging strip-search machines was so weak that it acts as a virtual confession to the fact that objects can be snuck through them.

In the video, TSA strip-search objector Jonathan Corbett demonstrates how he put containers in his clothes along his sides where they would appear the same as the background in TSA’s displays. TSA doesn’t refute that it can be done or that Corbett did it in his demonstration. More at Wired’s Threat Level blog.

More than six months ago, the D.C. Circuit Court of Appeals required the Transportation Security Administration to commence a rulemaking to justify its strip-search machine/prison-style pat-down policy. TSA has not done so. The result is that the agency still does not have a sturdy security system in place at airports. It’s expensive, inconvenient, error-prone, and privacy-invasive.

Making airline security once again the responsibility of airlines and airports would vastly improve the situation, because these actors are naturally inclined to blend security, cost-control, and convenience with customer service and comforts, including privacy.

I have a slight difference with Corbett’s characterization of the problem. The weakness of body scanners does not put the public at great danger. The chance of anyone exploiting this vulnerability and smuggling a bomb on board a domestic U.S. flight is very low. The problem is that these machines impose huge costs in dollars and privacy that do not foreclose a significant risk any better than the traditional magnetometer.

Corbett is right when he urges people to “demand of your legislators and presidential candidates that they get rid of this eight billion-dollar-a-year waste known as the TSA and privatize airport security.”

Should a Congress that Doesn’t Understand Math Regulate Cybersecurity?

There’s a delicious irony in some of the testimony on cybersecurity that the Senate Homeland Security and Governmental Affairs Committee will hear today (starting at 2:30 Eastern — it’s unclear from the hearing’s page whether it will be live-streamed). Former National Security Agency general counsel Stewart Baker flubs a basic mathematical concept.

If Congress credits his testimony, is it really equipped to regulate the Internet in the name of “cybersecurity”?

Baker’s written testimony (not yet posted) says, stirringly, “Our vulnerabilities, and their consequences, are growing at an exponential rate.” He’s stirring cake batter, though. Here’s why.

Exponential growth occurs when the growth rate of the value of a mathematical function is proportional to the function’s current value. It’s nicely illustrated with rabbits. If in week one you have two rabbits, and in week two you have four, you can expect eight rabbits in week three and sixteen in week four. That’s exponential growth. The number of rabbits each week dictates the number of rabbits the following week. By the end of the year, the earth will be covered in rabbits. (The Internet provides us an exponents calculator, you see. Try calculating 2^52.)

The vulnerabilities of computers, networks, and data may be growing. But such vulnerabilities are not a function of the number of transistors that can be placed on an integrated circuit. Baker is riffing on Moore’s Law, which describes long-term exponential growth in computing power.

Instead, vulnerabilities will generally be a function of the number of implementations of information technology. A new protocol may open one or more vulnerabilities. A new piece of software may have one or more vulnerabilities. A new chip design may have one or more vulnerabilities. Interactions between various protocols and pieces of hardware and software may create vulnerabilities. And so on. At worst, in some fields of information technology, there might be something like cubic growth in vulnerabilities, but it’s doubtful that such a trend could last.

Why? Because vulnerabilities are also regularly closing. Protocols get ironed out. Software bugs get patched. Bad chip designs get fixed.

There’s another dimension along which vulnerabilities are also probably growing. This would be a function of the “quantity” of information technology out there. If there are 10,000 instances of a given piece of software in use out there with a vulnerability, that’s 10,000 vulnerabilities. If there are 100,000 instances of it, that’s 10 times more vulnerabilities—but that’s still linear growth, not exponential growth. The number of vulnerabilities grows in direct proportion to the number of instances of the technology.

Ignore the downward pressure on vulnerabilities, though, and put growth in the number of vulnerabilities together with the growth in the propagation of vulnerabilities. Don’t you have exponential growth? No. You still have linear growth. The growth in vulnerability from new implementations of information technology and new instances of that technology multiply. Across technologies, they sum. They don’t act as exponents to one another.
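The definition of exponential growth given above can be tested directly: in discrete periods it means the ratio between one period's count and the previous one stays constant. The following is an added example, not part of the original post; it applies that test to the rabbit series and to a count built the way the post describes (multiply within a technology, sum across technologies). The technology figures and all function names are constructed assumptions.

```python
from fractions import Fraction


def period_ratios(series):
    """Ratio of each count to the count one period earlier (exact)."""
    return [Fraction(b, a) for a, b in zip(series, series[1:])]


def is_exponential(series, tolerance=Fraction(1, 100)):
    """True when successive ratios are constant (within tolerance) and above 1.

    A constant ratio is the discrete form of "the growth rate is
    proportional to the current value".
    """
    ratios = period_ratios(series)
    lowest, highest = min(ratios), max(ratios)
    return lowest > 1 and highest - lowest <= tolerance * lowest


def rabbits(weeks):
    """Two rabbits in week one, doubling every week."""
    return [2 ** week for week in range(1, weeks + 1)]


# Constructed figures, for illustration only:
# (name, flaws at start, new flaws per period,
#  instances at start, new instances per period)
TECHNOLOGIES = [
    ("protocol", 1, 1, 10_000, 5_000),
    ("software", 2, 1, 100_000, 10_000),
    ("chip", 3, 0, 1_000, 2_000),
]


def exposed_vulnerabilities(periods, technologies=TECHNOLOGIES):
    """Total vulnerable instances per period.

    Within one technology, flaws and instances multiply;
    across technologies, the products are summed.
    """
    totals = []
    for t in range(periods):
        totals.append(sum((f0 + df * t) * (n0 + dn * t)
                          for _name, f0, df, n0, dn in technologies))
    return totals


if __name__ == "__main__":
    for label, series in (("rabbits", rabbits(52)),
                          ("vulnerabilities", exposed_vulnerabilities(52))):
        ratios = period_ratios(series)
        print(f"{label}: first ratio {float(ratios[0]):.3f}, "
              f"last ratio {float(ratios[-1]):.3f}, "
              f"exponential={is_exponential(series)}")
```

The rabbit ratio stays at 2 for all 52 weeks, while the ratio for the summed vulnerability count falls toward 1, so it fails the test even though the count itself keeps rising.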

Baker uses “vulnerability” and “threat” interchangeably, but careful thinkers about risk wouldn’t do this, I don’t think. Vulnerability is the existence of weakness. Threat is someone or something animated to exploit it (a “hazard” if that thing is inanimate). Vulnerabilities don’t really matter, in fact, if there isn’t anyone to exploit them. Do you worry about the number of hairs on your body being a source of pain? No, because nobody is going to come along and pluck them all. You need to have a threat vector, or vulnerability is just idle worry.

Now, threats can multiply quickly online. When exploits to some vulnerabilities are devised, their creators can propagate them quickly to others, such as “script kiddies” who will run such exploits everywhere they can. Hence, the significance of the “zero-day threat” and the importance of patching software promptly.

As to consequence, Baker cites examples of recent hacks on HBGary, RSA, Verisign, and DigiNotar, as well as weakness in industrial control systems. This says nothing about growth rates, much less how the number of hacks in the last year forms the basis for more in the next. If some hacks allow other hacks to be implemented, that, again, would be a multiplier, not an exponent. (Generally, these most worrisome hacks can’t be executed by script kiddies, so they are not soaring in numerosity. You know what happens to consequential hacks that do soar in numerosity? They’re foreclosed by patches.)

Vulnerability and threat analyses are inputs into determinations about the likelihood of bad things happening. The next step is to multiply that likelihood against consequence. The product is a sense of how important a given risk is. That’s risk assessment.

But Baker isn’t terribly interested in acute risk management. During his years as Assistant Secretary for Policy at the Department of Homeland Security, the agency didn’t do the risk management work that would validate or invalidate the strip-search machine/intrusive pat-down policy (and it still hasn’t, despite a court order). The bill he’s testifying in support of wouldn’t manage cybersecurity risks terribly well, either, for reasons I’ll articulate in a forthcoming post.

Do your representatives in Congress get the math involved here? Do they know the difference between exponential growth and linear growth? Do they “get” risk management? Chances are they don’t. They may even parrot the “statistic” that Baker is putting forth. How well equipped do you suppose a body like that is for telling you how to do your cybersecurity?

“You could use it at a specific event. You could use it at a shooting-prone location…”

That’s NYPD Commissioner Ray Kelly touting a new technology called “terahertz imaging detection” to a local news outlet.

Terahertz radiation is electromagnetic waves at the high end of the infrared band, just below the microwave band. The waves can penetrate a wide variety of non-conducting materials, such as clothing, paper, cardboard, wood, masonry, plastic, and ceramics, but they can’t penetrate metal or water. Thus, directing terahertz radiation at a person and capturing the waves that bounce off them can reveal what is under their clothes without the discomfort and danger of going “hands-on” in a search for weapons. Many materials have unique spectral “fingerprints” in the terahertz range, so terahertz imaging can be tuned to reveal only certain materials. (In case you’re wondering, I got this information off the top of my head…)

Will the machines be tuned to display only particular materials? Or will they display images of breasts, buttocks, and crotches? The TSA’s “strip-search machines” got the moniker they have because they did the latter—until the agency tardily re-configured them.

Then there’s the flip-side of not going “hands-on.” Terahertz imaging detection doesn’t natively reveal to the person being searched that law enforcement has picked him or her out for scrutiny. A pat-down certainly lets the individual know he or she is being searched, positioning one to observe and challenge one’s treatment as a suspect. Terahertz imaging lacks this natural—if insufficient—check on abuse.

So terahertz imaging is not just a “hi-tech pat-down.” Its potential takes what would be a pat-down and makes it into a secret, but intimate, visual examination—a surreptitious strip-search. Pat-downs and secret strip-searches are very different things, and it is not necessarily reasonable, where a pat-down might be called for, to use terahertz imaging.

And that brings us to the fundamental problem with Commissioner Kelly’s proffer to use this technology at a “specific event” or at a “shooting-prone location.” These contexts do not create the individualized suspicion that Fourth Amendment law demands when government agents are going to examine intimate details of a person’s body and concealed possessions.

It is certainly possible to devise a terahertz imaging device and a set of use protocols that are constitutional and appropriate for routine, domestic law enforcement, but Commissioner Kelly hasn’t thought of one, and I can’t either.

Considering the dollar costs and potential health effects of terahertz imaging detection, it might just be that the pat-downs pass muster far better than the high-tech gadgetry.