Tag: TSA

Getting TSA to Look in the Mirror

If you travel by plane, you either hate the Transportation Security Administration, or will soon do so.  The TSA has unveiled a new security pat down which is about as close to a strip-search as you can get while still wearing clothes.

With a metal knee replacement I invariably set off the TSA metal detectors.  I can avoid a pat down by using the fancy new imaging machine where it is available.  But this machine images everything on the body, and that means everything.  The explicit nature of the pictures is reflected in the nick-name which I’m told TSA employees have applied to the machine.  Let your mind wander, but imagine a crude term about measuring the male genitalia.

The other alternative is to accept the pat down.  Until recently TSA employees used a hand-held wand to check for metal and did a limited hand check.  The new system eschews the wand and replaces it with searching hands climbing up the inside of the thighs – all the way up.

The only saving grace for me is when veterans do the check.  When they realize that I have an implant and go through the check weekly and sometimes daily, most of them take a more relaxed approach.  But the newer, and often more determined to do everything by the book, employees really mean it when they announce that they are about to check my thigh.

Like never before, the new procedure has set off public protests.  And anger could increase at Thanksgiving, when so many more people will be flying.  No one wants airplanes to be hijacked, but few people believe that the current system does much to safeguard us.  At least, much of what is done today looks to be “Security Theater,” meant to reassure rather than actually do improve security.

One possible alternative would be for airports to take back control of the process.  Reports the Washington Examiner:

[Rep. John] Mica, one of the authors of the original TSA bill, has recently written to the heads of more than 150 airports nationwide suggesting they opt out of TSA screening. “When the TSA was established, it was never envisioned that it would become a huge, unwieldy bureaucracy which was soon to grow to 67,000 employees,” Mica writes. “As TSA has grown larger, more impersonal, and administratively top-heavy, I believe it is important that airports across the country consider utilizing the opt-out provision provided by law.”

Private security personnel obviously could mimic the TSA’s worst practices.  But if there were multiple actors providing security services competition would encourage airports to look for improved techniques which would cost less, waste less time, and create less embarrassment.

The vast majority of the TSA personnel with whom I deal are polite and friendly.  Most actually are working, though it’s not clear their activities always benefit the public.  But they all seem to lack a sense of irony.

I enjoy wearing my Cato t-shirt with the P.J. O’Rourke quote about giving to power to government being like giving car keys and whiskey to a teenage boy.  I receive a lot of admiring comments on it–including from TSA employees.  Today it happened again, at Washington Dulles.  As I was waiting for my regular TSA-provided fondling experience down below.

It’s no knock on the individual employees to point out that the TSA as an agency is a perfect example of what P.J. was warning against.  Give Barack Obama & Co. this power and we are likely to lose our money, freedom, and dignity.

I’d like to believe we’ve entered a new political era in Washington, but I’ve worked through too many “new eras” to believe that this one is really new.  But a popular uprising about TSA de facto strip searches would be a good start.

‘Strip-or-Grope’ vs. Risk Management

In a humbly-toned USA Today opinion piece yesterday, Secretary of Homeland Security Janet Napolitano asked for the public’s cooperation with airline security measures the Transportation Security Administration has recently implemented. The TSA has come up with an invasive pairing: ”Advanced Imaging Technology,” also known as “strip-search machines” and, for those refusing, “enhanced” pat-downs which explore areas of the body typically reserved for one’s spouse or doctor.

Anecdotal reports suggest that the machines are being used to ogle women, and we are seeing disturbing images and videos of children being handled by strangers online. The public is increasingly agitated by the TSA’s latest amendment to the air travel ordeal, and a “National Opt-Out Day” is slated for next Wednesday, the biggest travel day of the year.

Twice, Secretary Napolitano notes that these measures are “risk-based” or “driven by … risk.” But has the Department of Homeland Security conducted the necessary risk management studies to validate these programs? A March 2010 Government Accountability Office report says:

[I]t remains unclear whether the AIT would have detected the weapon used in the December 2009 incident based on the preliminary information GAO has received… . In October 2009, GAO also recommended that TSA complete cost-benefit analyses for new passenger screening technologies. While TSA conducted a life-cycle cost estimate and an alternatives analysis for the AIT, it reported that it has not conducted a cost-benefit analysis of the original deployment strategy or the revised AIT deployment strategy, which proposes a more than twofold increase in the number of machines to be procured.

I’ve seen no documentation that the strip-search machines, the invasive pat-downs, or their combination have been subjected to any thorough risk analysis. The DHS has mouthed risk terminology for years now, but evidence is scant that it has ever subjected itself to such rigor.

Risk Management

A formal risk management effort will generally begin with an examination of the thing or process being protected. This is often called “asset characterization.” In airline security, the goal is fairly simple: ensuring that air passengers arrive safely at their destinations. Specifically, ensuring that nobody successfully brings down a plane.

The next step in risk management is to identify and assess risks, often called “risk characterization” or “risk assessment.” The vocabulary of risk assessment is not settled, but there are a few key concepts that go into it:

  • Vulnerability is weakness or exposure that could prevent an objective from being reached. Vulnerabilities are common, and having a vulnerability does not damn an enterprise. The importance of vulnerabilities depend on other factors.
  • Threat is some kind of actor or entity that might prevent an objective from being reached. When the threat is a conscious actor, we say that it “exploits” a vulnerability. When the threat is some environmental or physical force, it is often called a “hazard.” As with vulnerability, the existence of a threat is not significant in and of itself. A threat’s importance and contribution to risk turns on a number of factors.
  • Likelihood is the chance that a vulnerability left open to a threat will materialize as an unwanted event or development that frustrates the safety, soundness, or security objective. Knowing the likelihood that a threat will materialize is part of what allows risk managers to apportion their responses.
  • Consequence is the significance of loss or impediment to objectives should the threat materialize. Consequences can range from very low to very high. As with likelihood, gauging consequence allows risk managers to focus on the most significant risks.

Analyzing vulnerabilities and threats permits risk managers to make rough calculations about likelihood and consequence. This process will float the most significant risks to the surface. Though these factors are often difficult to measure, a simple formula guides risk assessment:

Likelihood x Consequence = Risk

Events with a high likelihood and consequence should be addressed first, and with the most assets. Those are the highest risks.

The most common error I see in risk management is the propensity to attack vulnerabilities rather than risks. A bomber’s attempt to take down a plane by concealing explosives in his undergarments last year exposed a vulnerability. It is possible to sneak a small quantity of explosive through conventional security systems, though not necessarily the needed detonator and not necessarily enough explosive material to take down a plane.

But this says nothing about the likelihood of this happening again—or of being successful. In hundreds of millions of enplanements each year, this attack has manifested itself once. And it failed. The TSA effort is going after a vulnerability—of that there is no doubt—but it is arguable whether or not it is addressing a significant risk.

After risk assessment, the next step in risk management is choosing responses.

Though the concepts and terminology are not settled in this area either, there are four general ways to respond to risk:

  • Acceptance – Acceptance of a threat is a rational alternative that is often chosen when the threat has low probability, low consequence, or both.
  • Prevention – Prevention is the alteration of the target or its circumstances to diminish the risk of the bad thing happening.
  • Interdiction – Interdiction is any confrontation with, or influence exerted on, a threat to eliminate or limit its movement toward causing harm.
  • Mitigation – Mitigation is preparation so that, in the event of the bad thing happening, its consequences are reduced.

In its operation, the strip-search/grope combo is an interdiction against any who may try to carry dangerous articles on planes. As to the air transportation system, it might also be conceived of as a preventive measure.

The next analytical lens to look through is benefit-cost analysis, or trade-offs. The goal is to allay risk in a cost-effective way, spending the least amount of money, and incurring the least costs overall, per unit of benefit.

Security Benefits

Security systems involve difficult and complex balancing among many different interests and values. The easiest, by far, is comparing the dollar costs of security measures against the dollar benefits. This is analysis that GAO says the TSA has not done.

But if it were done, on the benefit side of the equation, you have that it reveals most articles a person might try to sneak onto a plane. There are at least two important limitations on the benefit. First, there is an open question as to whether the strip-search machine would successfully detect lower-density material like the explosive PETN. If it doesn’t, it’s utility against underpants bombing relies on potential attackers’ ignorance of that to deter their attempts. Second, the benefit of the strip-search/grope is not what it achieves from a basline of zero, but the marginal security improvement in provides over alternatives like the status quo magnetometer and random pat-downs.

How do you reduce security benefit to something measurable? It’s difficult, but I’ve been mulling a methodology for valuing security against rare attacks in which you assume a motivated attacker that would eventually succeed. By approximating the amount of damage the attack might do and how long it would take to defeat the security measure, one can roughly estimate its value.

Say, for example, that a particular attack might cause one million dollars in damage. Delaying it for a year is worth $50,000 at a 5% interest rate. Delaying for a month an attack that would cause $10 billion in damage is worth about $42 million. It is best to assume that any major attack will happen only once, as it will produce responses that prevent it happening twice. (The 9/11 “commandeering” attack on air travel is an instructive example. By late morning on September 11, 2001, passengers and crew recognized that cooperation with hijackers contributed to the deadliness of attacks rather than saving their lives. They spontaneously changed the security practice to meet the new threat, and the 9/11 attacks permanently changed the posture of air passengers toward hijackers, along with hardened cockpit doors bringing the chance of another commandeering attack on air travel very close to nil.)

Of course, one must consider “risk transfer.” That’s the shifting of risks from one target to another—say, from planes to buildings. (An organization like the Department of Homeland Security would regard this as lowering the benefit of a security measure, while an airline would be indifferent to it—unless it owned the building…) There is also the creation of new risks, such as the possible health effects of the strip-search machines. Which brings us to the cost side of the ledger….

Costs

On the cost side of the ledger, the easy stuff to measure includes the hundreds of millions or billions of dollars that must be spent on strip-search machines themselves. As much or more money will be spent on an ongoing basis to operate the machines. My observation is that it takes three people to operate one strip-search machine: a guide, an analyst to review the image, and a person to do the secondary pat-down which occurs regularly (though it would occur less over time). On a nationwide scale, this is hundreds of millions of dollars per year spent on TSA employees.

The value of travelers’ time is also important. This hasn’t received much discussion, but as more and more strip-search machines come into use, there will be more discussion of how much time they consume compared to magnetometers.

Reviewing tape of TSA checkpoints reveals that passing through the machines takes at least seven seconds per passenger. Variations in the time it takes to traverse the security checkpoint require all travelers to increase the amount of time they spend at the airport as a cushion against the risk of missing flights, which can cost many hours per incident. If each of 350 million trips in a year results in an additional minute at the airport to accommodate the vagaries of the strip/grope, five to six million person hours at the airport will be wasted, a cost of $145 million per year if we value travelers’ time at  $25 per hour.

It is more difficult is to balance interests like privacy and dignity against security benefits. A CBS News poll released yesterday says that four out of five Americans support the use of “ ‘full-body’ digital x-ray machines to electronically screen passengers.”

It’s an antiseptic description that strangely emphasizes computing. (X-rays are neither digital nor electronic, though the data the x-ray machines collect is digital and its processing is done with electronics.) The question doesn’t capture people’s feelings about images of their own denuded bodies being observed by a government official as a condition of travel. And, of course, it doesn’t capture feelings about the intimate pat-down alternative.

The amount of public reporting and discussion suggests that public opinion is not solidly on the side of the strip/grope. A hearing in the Senate tomorrow is also evidence that the security procedures do not comport with the American people’s rough judgment that the costs of these security measures are justified by their benefits.

My own view is that the strip/grope is security excess. If I had my way, I would choose the airlines and airports that do not go to this extreme. I do not get to have my way, and neither do you if you prefer a different security/privacy mix, because we all must use the same security system. That’s why I wrote five years ago that the TSA should be abolished and responsibility for security restored to airlines and airports. Their experimentation could blend security with privacy, convenience, and comfort, improving the travel experience overall while restoring liberty to American travelers.

Strip-Search Machines on the International Scene

This week, Secretary of Homeland Security Janet Napolitano is pressing countries around the world to use “strip-search machines,” low-power x-ray and radio wave scanning devices that reveal what is underneath travelers’ clothes. The machines provide a small margin of security at a high risk to privacy.

And those privacy risks are manifesting themselves overseas. On AllAfrica.com, news service This Day reports on how strip-search machines have been used to peep at travelers as nudes in Lagos, Nigeria:

[D]uring off-peak periods, the aviation security officials, who are trained on the use of the scanners, usually stroll from the cubicle located in a hidden corner on the right side of the screening area where the 3D full-body scanner monitors are located. They do so to catch a glimpse of some of the passengers entering the machine and immediately go back to view the naked images, in order to match the faces with the images since the faces are blurred on the monitors while passengers are inside the machine.

The report notes that one of the “conventional scanners”—a magnetometer, most likely—was put out of service to corral people into the strip-search machine.

Italy has abandoned strip-search machines after a six-month test, due both to privacy issues and “because they are slow.” This is the sleeper issue that may soon wake as more machines show up in our airports: Strip-search machines take a very long time compared to magnetometers.

There are more than half a billion enplanements in the United States each year. If each traveler is delayed by 10 seconds, strip-search machines would waste nearly 1.4 million hours of Americans’ time directly—much more if you include the schedule-padding that all fliers would have to practice to avert strip-search machine delays.

The margin of security provided by these machines is small. In an interview on Fox’s local affiliate in D.C. last night, I said, “If we go down the strip-search machine route, there’s going to be more methods of concealment, and we certainly don’t want the TSA looking there.”

Hopefully, my poor grammar distracts you from the full import of that line.

Strip-Search Images Stored

The Transportation Security Administration will be sure to point out that it was not them—it was the U.S. Marshals Service—that kept ”tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse,” according to Declan McCullagh of C|Net news.

The TSA has taken pains to make sure that their use of strip-search machines does not produce compromising images of the traveling public, but rules are made to be broken. How do you protect privacy in the use of a technology that is fundamentally designed to invade privacy?

Stop ‘n’ Frisk Databases

Via Adam Serwer, New York governor David A. Paterson is expected to sign a bill today doing away with data collection on people the police stop and question, but who have done nothing wrong.

The Transportation Security Adminstration’s “SPOT” program—recently the subject of a scathing Government Accountability Office critique—does similar data collection about innocent people.

From late May 2004 through August 2008, “behavior detection officers” referred 152,000 travelers to secondary inspection at airports. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. None had links to terrorism or any threat to aviation.

The data TSA collects “when observed behaviors exceed certain thresholds”—that is, when a traveler garners TSA suspicion—includes:

  • first, middle, and last names
  • aliases and nicknames
  • home and business addresses and phone numbers
  • employer information
  • identification numbers such as Social Security Number, drivers license number or passport number
  • date and place of birth
  • languages spoken
  • nationality
  • age
  • sex
  • race
  • height and weight
  • eye color
  • hair color, style and length
  • facial hair, scars, tattoos and piercings, clothing (including colors and patterns) and eyewear
  • purpose for travel and contact information
  • photographs of any prohibited items, associated carry-on bags, and boarding documents
  • identifying information for traveling companion.

GAO’s Damning Report on ‘SPOT’

Via the Identity Project’s “Papers, Please” web site, and despite my colleague David Rittgers’ excellent post from yesterday, I note last week’s utterly damning Government Accountability Office report on the SPOT program. “SPOT” stands for “Screening Passengers by Observation Techniques.” In the program “BDO’s,” or “Behavior Detection Officers,” observe travelers in airports, pulling them out of line if a secret list of behaviors signal that they’re a likely threat.

The thing is:

TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior and appearance indicators as a means for reliably identifying passengers as potential threats in airports. … TSA state[s] that no other large-scale U.S. or international screening program incorporating behavior- and appearance-based indicators has ever been rigorously scientifically validated. While TSA deployed SPOT on the basis of some risk-related factors, such as threat information and airport passenger volume, it did not use a comprehensive risk assessment to guide its strategy of selectively deploying SPOT to 161 of the nation’s 457 TSA-regulated airports. TSA also expanded the SPOT program over the last 3 years without the benefit of a cost-benefit analysis of SPOT.

The Israeli airline El Al uses behavior detection, counters the TSA—as did DHS Secretary Janet Napolitano when I asked her about this report at a meeting of the DHS Privacy Committee Tuesday.

The GAO report notes that El Al’s processes, which are different from the TSA’s, have not been scientifically validated. As of 2008, El Al had 34 aircraft, operating out of one hub airport, Ben-Gurion International. There are 457 TSA-regulated airports in the United States. In 2008, El Al had passenger boardings of about 3.6 million; one U.S. airline, Southwest, flew about 102 million passengers that year.

From late May 2004 through August 2008, BDOs referred 152,000 travelers to secondary inspection. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. TSA officials did not identify any direct links to terrorism or any threat to aviation in these cases. GAO noted its inability to determine if this is a better arrest rate than would occur under random screenings.

GAO also determined that at least 16 individuals allegedly involved in terrorism plots have moved at least 23 different times through eight airports where the SPOT program has been implemented. SPOT caught none of them.

The Government Accountability Office is a master of understatement, leaving conclusions for readers to draw. Mine is that the $1.2 billion in planned spending on the program over the next five years will be a wasteful producer of civil liberties violations.

TSA Behavioral Screening

Behavioral screening is a useful tool in deterring and preventing terrorist attacks. As I noted in this piece at Politico, a border patrol agent successfully used behavioral screening to stop the would-be Millennium Bomber. She noticed something “hinky” about a man driving south across the Canadian border. That “hinky” – fidgety and nervous behavior when asked routine customs questions – exposed a car full of explosives intended for the passenger terminal of Los Angeles International Airport.

Two items from the USA Today travel section highlight some mixed results with TSA behavioral screening. Today’s edition reports that behavioral screening, applied by Behavioral Detection Officers (BDOs) missed at least 16 people later linked to terror plots. On the other side of the equation, false positives can impose burdens on those who are nervous or upset for reasons other than terrorism aspirations.

The TSA Blog defended the program: “If you’re one of those travelers that gets frazzled easily (not hard to do at airports), you have no reason to worry. BDOs set a baseline based on the normal airport behavior and look for behaviors that go above that baseline. So if you’re stressing about missing a flight, that’s not a guaranteed visit from the BDOs.”

That would be reassuring if yesterday’s travel section hadn’t revealed that TSA screeners are keeping a list of those who get upset at intrusive screening procedures. “Airline passengers who get frustrated and kick a wall, throw a suitcase or make a pithy comment to a screener could find themselves in a little-known Homeland Security database.”

Of course, we can take comfort from the words of a TSA screener to security expert Bruce Schneier. “This isn’t the sort of job that rewards competence, you know.”