Tag: transportation security administration

Behavior Detection as Interrogation

With the Department of Homeland Security constantly spinning out new projects and programs (plus re-branded old ones) to investigate you, me, and the kitchen sink, it’s sometimes hard to keep up. But I was intrigued with a report that behvaior detection officers are getting another look from the Transportation Security Administration. Behavior detection is the unproven, and so far highly unsuccessful (Rittgers, Harper), program premised on the idea that telltale cues can reliably and cost-effectively indicate intent to do harm at airports.

But there’s a new behavior detection program already underway. Or is it interrogation?

Due to a bottleneck at the magnetometers in one concourse of the San Francisco airport (no strip-search machines!), I recently had the chance to briefly interview a Transportation Security Administration agent about a new security technique he was implementing. As each passenger reached him, he would begin to examine the traveler’s documentation and simultaneously ask the person’s last name. He confirmed to me that the purpose was to detect people who did not immediately, easily, and accurately respond. In thousands of interactions, he would quickly and naturally learn to detect obfuscation on the part of anyone carrying an ID that does not have the last name they usually use.

As a way of helping to confirm identity, it’s a straightforward and sensible technique. Almost everyone knows his or her last name, and quickly and easily repeats it. The average TSA agent with some level of experience will fluently detect people who do not quickly and easily repeat the name on the identity card they carry. The examination is done quickly. This epistemetric check (of a “something-you-know” identifier—see my book, Identity Crisis) occurs during the brief time that the documents are already getting visual examination.

Some people will not repeat their name consistent with custom, of course. The hard of hearing, speakers of foreign languages, people who are very nervous, people who have speech or other communication impediments, and another group of sufferers—recently married women—may exhibit “suspicious” failure to recite their recently changed surnames. Some of these anomalies TSA agents will quickly and easily dismiss as non-suspicious. Others they won’t, and in marginal cases they might use non-suspicious indicia like ethnicity or rudeness to adjudge someone “suspicious.”

The question whether these false positives are a problem depends on the sanction that attaches to suspicion. If a stutterer gets a gauntlet at the airport each time he or she fails to rattle off a name, the cost of the technique grows compared to the value of catching … not the small number of people who travel on false identification—the extremely small number of people who travel on false identification so as to menace air transportation.

We used this and closely related techniques, such as asking a person’s address or the DMV office where a license was issued, at the bar where I worked in college. It did pretty well to ferret out people carrying their older friends’ IDs. Part of the reason it worked well is because our expert doormen could quickly escalate to further inquiry, dismissing their own suspicions or denying entry to the bar very quickly. The cost of getting it wrong was to deny a person entry to the bar and sometimes possession of a license. These are relatively small costs to college students, unlike the many hours in time-costs to a traveler wrongly held up at the airport. According to my interview, suspicion generated this way at the airport requires a call to a supervisor, but I did not learn if secondary search is standard procedure, or if cases are handled some other way.

TSA agents are not doormen at bars, of course, and the subjects they are examining are not college kids out to get their drink on. These are government agents examining citizens, residents, and visitors to the United States as they travel for business and pleasure, often at high cost in dollars and time. The stakes are higher, and when the government uses a security technique like this, a layer of constitutional considerations joins the practical issues and security analysis.

I see three major legal issues with this new technique: Fourth Amendment search and seizure, the Fifth Amendment right against self-incrimination, and Due Process. When questioning joins an ID check at the airport, it’s a deepening of a search that is already constitutionally suspect. The Fifth Amendment issues are interesting because travelers are being asked to confess through their demeanor whether they are lying or telling the truth. It would seem to cross a Fifth Amendment line and the rule against forced self-incrimination. The Due Process issues are serious and fairly straightforward. When a TSA screener makes his or her judgment that a person is not responding consistent with custom and is therefore “suspicious,” these judgement calls allow the screeners to import their prejudices. Record-keeping about suspicion generated using this technique should determine whether administration of this epistemetric check violates constitutional due process in its application.

In its constant effort to ferret out terrorist attacks on air transportation, the TSA is mustering all its imagination. Its programs raise scores of risk management issues, they create constitutional problems, and they are a challenge to our tradition of constitutionally limited government. The threat that a person will use false identification to access a plane, defeating an otherwise working watch-list sytem, to execute some attack is utterly small. At what cost in dollars and American values do we attack that tiny threat?

The founding problem is the impetuous placement of federal government agents in the role of securing domestic passenger aviation. There are areas where government is integral to securing airports, airlines, and all the rest of the country—foreign intelligence and developing leads about criminal plots, for example—but the day-to-day responsibility for securing infrastructure like airports and airplanes should be the responsibility of its owners.

If the TSA were to go away, air security measures might be similar in many respects, but they would be conducted by organizations who must keep travelers happy and safe for their living. The TSA hasn’t anything like private airports’ and airlines’ incentives to balance security with convenience, privacy, cost-savings, and all other dimensions of a satisfactory travel experience. Asking people their names at airport security checkpoints is an interesting technique, and not an ineffective one, but it should probably be scrapped because it provides so little security at a relatively great cost.

Strip-Search Machines: A Loss Seeds the Win

Last week, the D.C. Circuit Court of Appeals rejected a Fourth Amendment challenge to the Transportation Security Administration’s strip-search machine policies, but it found that the TSA violated the Administrative Procedure Act in rolling them out. Too bad that the court arrived at the Fourth Amendment issues before they were ripe.

The bulk of the decision was devoted to the TSA’s law violation in creating strip-search machine policies without doing a notice-and-comment rulemaking. That’s the procedure federal agencies are required to carry out when Congress has delegated them legislative authority. Congress did delegate such authority when it told the Department of Homeland Security to develop technologies that detect nonmetallic, chemical, biological, and radiological weapons in 2004’s Intelligence Reform and Terrorism Prevention Act.

“[T]he TSA has advanced no justification for having failed to conduct a notice-and-comment rulemaking,” the court wrote, adding that it expects the agency “to act promptly on remand to cure the defect in its promulgation.”

The TSA will likely spout “constantly changing threat environment” boilerplate to try and argue that it can avoid notice and comment under the APA’s “good cause” exception. An agency can skip notice and comment “when the agency for good cause finds … that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.”

But the threat environment is not “constantly changing” at the level of abstraction relevant for the strip-search machine policy—some people are out there who might try to get dangerous articles onto planes—and these machines will be in place for decades, if not permanently, under the TSA policy. They will affect the privacy and security of billions of air passenger journeys. Even if there were need for haste in rolling out the machines, nothing makes it uniquely difficult, or anything other than appropriate, for the TSA to engage in a public process to substantiate its actions.

When the TSA does a rulemaking, it will have to lay out its strip-search machine policies and—crucially—justify them. Notice-and-comment rules are subject to court review, and reversal if they are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” That is a rather low standard, but it’s a higher standard than the agency has ever met before—none at all.

The TSA will have to exhibit how its risk management supports the installation and use of strip-search machines. How did the TSA do its asset characterization (summarizing the things it is protecting)? What are the vulnerabilities it assessed? How did it model threats and hazards (actors or things animated to do harm)? What are the likelihoods and consequences of various attacks? Risk assessment questions like these are all essential inputs into decisions about what to prioritize and how to respond.

Congress dictated detection of various harmful agents, a form of interdiction. (The other responses to risk are acceptance, prevention, and mitigation.) Given the array of choices available to it, how did the TSA select strip-search machines?

Crucially, how well do strip-search machines reach the risks identified in their risk assessment? This is a cost-benefit question. How much do strip-search machines cost to purchase, maintain, and operate? The costs denominated in dollars include money spent on buying the machines, configuring airports, and paying TSA salaries to operate the machines and process passengers. Such costs also include opportunity costs imposed on travelers when the time they spend at airports lengthens to accommodate extended security screening and variable delays. Yet more costs are denominated in lost privacy and dignity to the traveler. These are substantial, though hard to quantify.

Security benefits are also hard to quantify, but the agency should do so if it is to justify its policies as something better than random or intuitive reaction. DHS and TSA officials endlessly talk about risk and risk management, but they cannot honestly say they are doing risk management if they are not thinking these issues all the way through. I’ve offered a methodology for valuing security benefits, and security experts (as well as students) have analyzed the costs and benefits of homeland security programs. The TSA can do it too.

Watch in the rulemaking for the TSA to obfuscate, particularly in the area of threat, using claims to secrecy. “We can’t reveal what we know,” goes the argument. “You’ll have to accept our generalizations about the threat being ‘substantial,’ ‘ever-changing,’ and ‘growing.’” It’s an appeal to authority that works with much of the American public, but it is not one to which courts—a co-equal branch of the government—should so easily succumb.

If it sees it as necessary, the TSA should publish its methodology for assessing threats, then create a secret annex to the rulemaking record for court review containing the current state of threat under that methodology, and how the threat environment at the present time compares to threat over a relevant part of the recent past. A document that contains anecdotal evidence of threat is not a threat methodology. Only a way of thinking about threat that can be (and is) methodically applied over time is a methodology.

With this information in hand, a court would not only be ready to assess the TSA’s rule under the Administrative Procedure Act’s “arbitrary and capricious” standard. It would be ready to assess the reasonableness of the TSA’s strip-search machines and procedures under the Fourth Amendment.

Without that information, the D.C. Circuit plugged the strip-search machines into the strangely incoherent “administrative search” exception to the Fourth Amendment. In two pages of analysis (out of the opinion’s seventeen), the court found that strip-search machines are administrative “because the primary goal is not to determine whether any passenger has committed a crime but rather to protect the public from a terrorist attack.”

Come again?

It seems the court could have taken judicial notice that terrorist attacks are carried out through one or more criminal behaviors. People who have weapons or other dangerous articles at airport checkpoints are subject to arrest and prosecution. Crime control and public protection are one in the same, even in counterterrorism.

The “administrative search” exception to the Fourth Amendment seems to rest on the willingness of a court to abstract away the fact that individuals are prevented from proceeding where they would go (seized) while their persons, papers, and effects are rummaged (searched) for the purpose of discovering violations of the criminal laws. Earlier in the opinion, in fact, the court mocked the idea that the TSA might not “engage in ‘law enforcement, correctional, or intelligence activity.’” It surely does. This is not “administrative.” It’s criminal law enforcement.

Perhaps with a full record—a notice-and-comment rulemaking with a docket full of information and analysis—the D.C. Circuit and other courts will have the opportunity to revisit whether the TSA’s strip-search machine policies are constitutionally reasonble, or whether they’re unexamined reaction. Last week’s “loss” on the Fourth Amendment issue sets the stage for sounder thinking on the strip-search machine policy.

All of this would be obviated, of course, if airline security were restored to private hands.

State Officials Needn’t Heed Feds’ Threats

Federal officials blitzed Texas this week to fight a bill pending in Austin that would control TSA groping of air travelers in that state, reports Forbes’ “Not-So-Private Parts” blogger Kashmir Hill.

Federal government officials descended on the Capitol to hand out a letter … from the Texas U.S. Attorney letting senators know that if they passed the bill, the TSA would probably have to cancel all flights out of Texas. As much as they love their state, the idea of shutting down airports and trapping people in Texas was scary enough to get legislators to reconsider their support for the groping bill…

The federal government’s threat to shut down air travel is serious, but empty. As we’ve seen time and again with the REAL ID Act, the federal government does not have the political will to attack passenger air travel in the name of increasing surveillance and intrusion.

In fact, earlier this year, the Department of Homeland Security didn’t even bother to threaten any repurcussions for states before it once again pushed back a May 2011 (false) deadline for REAL ID compliance. (Previous instances noted here and here.) The REAL ID Act allows the federal government to refuse licenses and ID cards from non-complying states at airport checkpoints, but it’s just not going to happen.

The DHS announcement notes $175 million in spending on REAL ID so far. That waste continues to accrue so long as Congress appropriates money for the national ID program, which will never be implemented.

While we’re on the subject of empty threats from federal officials—and do see Julian Sanchez’s post hitting the same subject—it has been more than four years since then-Secretary of Homeland Security Michael Chertoff said about the REAL ID Act:

If we don’t get it done now, someone is going to be sitting around in three or four years explaining to the next 9/11 Commission why we didn’t do it.

Secretary Chertoff was wrong—factually wrong on the imminence and nature of the terror threat, and ethically wrong to tout terror threats in an attempt to defeat the will of our free people.

With our stubborn insistence on freedom, the American people and state leaders have done a better job of assessing the threat environment than the Secretary of Homeland Security. As I said when I testified on this topic to the Pennsylvania legislature, state leaders should continue to recognize that they are as equipped, if not better equipped, than federal officials to judge what is right for their people. Counterterrorism and airport security are not an exception to that, though federal imperiousness in these areas remains at a high.

House Approps Strips TSA of Strip-Search Funds

The fiscal 2012 Department of Homeland Security spending bill is starting to make its way through the process, and the House Appropriations Committee said in a release today that “the bill does not provide $76 million requested by the President for 275 additional advanced inspection technology (AIT) scanners nor the 535 staff requested to operate them.”

If the House committee’s approach carries the day, there won’t be 275 more strip-search machines in our nation’s airports. No word on whether the committee will defund the operations of existing strip-search machines.

Saving money and reducing privacy invasion? Sounds like a win-win.

Can I Have My Airport Back Please?

Even while it was a rumor that President Obama would announce that Osama bin Laden had been killed, Americans began to digest the ramifications, asking, for example, “can I have my airport back please?”

Pleasing though it is to have in contemplation, the question is premature. Students of terrorism, such as those who attended our 2009 and 2010 counterterrorism conferences, know that the killing of bin Laden will have little direct effect on the network he spawned. Its indirect, discouraging effect on terrorism is something I mused about in an earlier post.

What about the effects on the rest of us, the people and actors in our great counterterrorism policymaking apparatus?

Osama bin Laden’s survival helped shore up the mystique of the terrorist supervillain, which has fed counterterrorism excess such as the Transportation Security Administration’s domestic airport security gauntlet. Now that bin Laden is gone, the public will be more willing to carefully balance security and privacy in our free country. By a small, but important margin, courts will be less willing to indulge extravagant government claims about threat and risk.

My friends in the national security bureaucracy may honestly perceive the contraction in their power as carelessness about a threat that they have dedicated their professional lives to combating, but the Declaration of Independence touts security only once, and freedom twice, in the phrase “life, liberty, and the pursuit of happiness.” The counterterrorism debate continues.

TSA’s Pistole Says ‘Risk-Based,’ Means ‘Privacy Invasive’

There is one thing you can take to the bank from TSA administrator John Pistole’s statement that he wants to shift to “risk-based” screening at airports: it hasn’t been risk-based up to now. That’s a welcome concession because, as I’ve said before, the DHS and its officials routinely mouth risk terminology, but rarely subject themselves to the rigor of actual risk analysis.

What Administrator Pistole envisions is nothing new. It’s the idea of checking the backgrounds of air travelers more deeply, attempting to determine which of them present less of a threat and which prevent more. That opens security holes that the risk-averse TSA is unlikely to actually tolerate, and it has significant privacy and Due Process consequences, including migration toward a national ID system. 

I wrote about one plan for a “trusted traveler”-type system recently. As the details of what Pistole envisions emerge, I’ll look forward to reviewing it.

The DHS Privacy Committee published a document several years ago that can help Pistole with developing an actual risk-based system and with managing its privacy consequences. The Privacy Committee itself exists to review programs like these, but has not been used for this purpose recently despite claims that it has.

If Pistole wants to shift to risk-based screening, he should require a full risk-based study of airport screening and publish it so that the public, commentators, and courts can compare the actual security benefits of the TSA’s policies with their costs in dollars, risk transfer, privacy, and constitutional values.

Man Acquitted of Crimes Associated with Asserting His Rights

(HT: Techdirt) It is infuriating to watch the video Phil Mocek made while attempting to assert his legal rights at the airport. The good news is that he has been acquitted of the bogus charges brought against him, including disorderly conduct, concealing his identity, refusing to obey a police officer, and criminal trespass.

The video illustrates the knowledge, fortitude, and cool it takes to assert one’s rights. We owe our thanks to Mr. Mocek, who has helped to educate the TSA and society in general about the law that applies at the airport.

Perhaps he can further the educational process by bringing an action under 42 U.S.C. §1983 for violation of his civil rights under color of law. The Transporation Security Administration’s training programs might improve, or Congress might pay attention to the constitutional black hole they have created in airports—if it costs enough to threaten their earmark money.