Chairman Metcalfe, Ranking Member Josephs, and members of the committee:
Thank you for the opportunity to testify before you today. I am keenly interested in the subject matter of your hearing, and I hope that my testimony will shed some light on your deliberations.
My name is Jim Harper, and I am director of information policy studies at the Cato Institute in Washington, D.C. The Cato Institute is a non-profit research foundation dedicated to preserving the traditional American principles of limited government, individual liberty, free markets, and peace. In my role there, I study the unique problems in adapting law and policy to the information age, problems like privacy and security.
I also serve as a member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, which advises the DHS Privacy Office and the Secretary of Homeland Security on privacy and related issues. The committee meets quarterly to examine the privacy consequences of homeland security programs, of which there are many.
My service on the DHS Privacy Committee convinced me some years ago that neither security nor privacy would be adequately protected in the United States until we got a handle on the terrorism problem. So for the last few years Cato colleagues of mine — experts in foreign policy and defense — and I have been conducting a project on strategic counterterrorism.
It began in the late summer of 2008, when we convened a group of more than thirty terrorism experts from around the country and world for a meeting in Chicago. Early in 2009, we assembled many of these experts for a two-day public conference in Washington, D.C. And we conducted another conference a year later, reviewing the counterterrorism policies of the current administration after its first year. Our edited volume of essays highlighting select issues in counterterrorism. It is called, Terrorizing Ourselves: Why U.S. Counterterrorism Policy is Failing and How to Fix It.
In addition to my professional duties, I maintain an online resource about federal legislation and spending called WashingtonWatch.com. I speak only for myself today and not for any of the organizations with which I am affiliated or for any colleague. I will highlight two points in my testimony today. One is to encourage you as state leaders to play the role that was prescribed for you in the U.S. Constitution. You are right to press for the interests of your constituents as you perceive them, and you are right not to be cowed by federal authority, even when that puts you in conflict with the federal government. The Constitution intends for you to do this.
Second, I will highlight defects in federal security policy that you can help remedy. The federal Department of Homeland Security has not done the risk management analysis that justifies its policies, including the use of “strip-search machines” as a primary screening tool and the intrusive pat-down “alternative.” You can have confidence that bills like H.R. 16 and H.B. 852 contribute to balance in the national conversation on security and privacy. Protecting your state’s residents against the overreaching that you perceive is well warranted.
Federal-State Relations: Legal Supremacy is Not
Sixteen years ago, one of the things that caused me to move to Washington, D.C. from my native California was the unrelenting growth of the federal government. Power has been accumulating at the federal level since the New Deal era, with unfortunate results for liberty and for governance generally. Election results in 1994 promised a change back toward a constitutional balance that would be better for our country. But it didn’t go all that well. I’m still stuck in Washington, D.C.
Our federal constitution is structured to keep power closer to the common sense that is available in state government, local government, and with the people themselves. Under the Constitution, the federal government is one of limited powers. Its powers are restricted to those listed, or “enumerated,” in the Constitution. Even when it acts under an enumerated power, the federal government must do so in ways that are “necessary and proper” to effectuating a federal power. I am delighted to speak to this particular committee, where I expect you recognize the value of setting policies in Pennsylvania that are appropriate for Pennsylvania, and that are consistent with the values of Pennsylvanians.
The federal power that arguably permits the federal Department of Homeland Security to operate security systems at airports is the Article I, Section 8 power to “provide for the common Defence.” When that language was written, warfare was not purely a formal state-on-state affair — indeed, it was non-state actors who fought the Revolutionary War against the English monarchy — but the power primarily went to defending against foreign governments’ attacks on the territory of the United States. It did not go to defending privately held infrastructure against criminality.
Politically motivated attacks on private infrastructure are perhaps in part a federal responsibility because of their political or geopolitical content. But they are also a state responsibility because they are properly perceived as criminal violence, which the Constitution leaves to the jurisdiction of the states. One of the most important recent federalism cases was U.S. v. Lopez,1 which held that a federal gun possession law — a criminal law — was not within the power of Congress to pass.
The Constitution’s Supremacy Clause gives the federal government the leading role when it is acting properly under an enumerated power. Proper federal laws preempt conflicting state laws. The federal government also has the “bully pulpit,” not only in the president’s access to media, but in the habit of the media and opinion leaders to look to Washington, D.C. for answers. But the federal government does not have a lock on political power.
You, as state representatives, are closer to the people of Pennsylvania. You understand their interests better than federal officials, far better than the unelected federal bureaucrats in Washington, D.C. who often presume to direct life in every dimension. The challenge to federal power in H.R. 16 and H.B. 852 are appropriate assertions of state power.
Unfortunately, the constitutional discussion above is not a prediction of how the Supreme Court would rule if a case were presented to it today. It will take several decades — if all goes well — for the courts to start recognizing and enforcing the limits on federal authority, especially in the area of security and counterterrorism.
The legal situation with regard to the Department of Homeland Security’s airport policies is also murky and changing. The TSA operates airport checkpoints under “security directives” that are not publicly available. (“Secret law” is, of course, repugnant to the Constitution and the rule of law.) Accordingly, my discussion of the legalities is tentative. It should not be taken as legal advice for travelers headed to the airport. Instead, it is my understanding of the legal situation for your use in determining how you might act as legislators.
When Congress created the Transportation Security Administration2 and later the Department of Homeland Security,3 it did not invest TSA agents with law enforcement officer status. They are not entitled to carry weapons or make arrests. Their police-style uniforms notwithstanding, TSA agents are civilians like you and me.
Because these are not law enforcement officers conducting legal searches, the fiction in operation at the airport is that travelers have consented to search as a condition of travel. Accordingly, on the two occasions when I have been directed to a “strip-search machine” at an airport and have declined that opportunity, I have told the TSA agent proposing to pat me down the extent of my consent to his search. (I do so politely and have not had a problem so far.)
If I am correct in my assessment of the legal situation at the airport, the scope of such a search can be defined in Pennsylvania law as H.B. 852 proposes to do. You are free to define other elements of the interaction, such as by dictating that “stranger” body searches like this must be immediately preceded by the oral granting of consent, for example. This would help educate Pennsylvanians about the legal environment at the airport so that they do not mistake an airport search for a mandatory search by law enforcement personnel.
The one caution I would suggest is that you do not outlaw private, consensual body searches. If people want to play “TSA Agent and Traveler” at home, they should be free to do so! A tighter version of the legislation might define the indecent body search offense as one in which contact is made with a stranger’s intimate areas.
The search that American travelers undergo at the airport is as intimate as what prisoners in American jail cells get. It is shocking that the federal government is willing to treat law-abiding citizens this way.
The reason for the legal fiction I referred to above is because this search practice would probably not pass Fourth Amendment muster. This searching is not limited to cases of reasonable suspicion, and it pushes exceptions to Fourth Amendment rules to the breaking point. The Department of Homeland Security has not shown this search to be reasonable and has not validated its policies with analysis to the extent it should. This leaves it up to you to defend the privacy and rights of Pennsylvanians.
DHS Has Not Justified the
It is very important to secure the country and travelers from terrorism, as well as all other threats. But the Department of Homeland Security has not done the work necessary to validate the use of “strip-search machines” or the invasive pat-down that is presented as an “alternative.” Risk management is something that DHS officials often speak about, but it is not something that they apparently used before instituting the “strip/grope” policy.
Since before my work with the DHS Privacy Committee and with my Cato Institute colleagues on counterterrorism policy, I have studied risk management and cost/benefit analysis a great deal. I will share with you my assessment of the strip/grope policy using those analytical tools.
Risk management is the identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. It sounds complicated, but we are all risk managers, and we make decisions every day by balancing the risks we perceive against the things we want to achieve. In an area like air transportation, risk management requires more than common sense or “going with your gut,” of course. Risk management means thinking things all the way through.
A formal risk management effort will generally begin with an examination of the thing or process being protected. This is often called “asset characterization.” In airline security, the goal is fairly simple: ensuring that air passengers arrive safely at their destinations — specifically, by ensuring that nobody successfully brings down a plane.
The next step in risk management is to identify and assess risks, often called “risk characterization” or “risk assessment.” The vocabulary of risk assessment is not settled, but there are a few key concepts that go into it:
- Vulnerability is weakness or exposure that could prevent an objective from being reached. Vulnerabilities are common, and having a vulnerability does not damn an enterprise. The importance of vulnerabilities depend on other factors.
- Threat is some kind of actor or entity that might prevent an objective from being reached. When the threat is a conscious actor, we say that it “exploits” a vulnerability. When the threat is some environmental or physical force, it is often called a “hazard.” As with vulnerability, the existence of a threat is not significant in and of itself. A threat’s importance turns on other factors.
- Likelihood is the chance that a vulnerability left open to a threat will materialize as an unwanted event, a development that frustrates the safety, soundness, or security objective. Knowing the likelihood that a threat will materialize is part of what allows risk managers to apportion their responses.
- Consequence is the significance of loss or the impediment to objectives should the threat materialize. Consequences can range from very low to very high. As with likelihood, gauging consequence allows risk managers to focus on the most significant risks.
Analyzing vulnerabilities and threats permits risk managers to make rough calculations about likelihood and consequence. This process will float the most significant risks to the surface. Though these factors are often difficult to measure, a simple formula guides risk assessment:
Events with a high likelihood and consequence should be addressed first, and with the most assets. Those are the highest risks. Events with low likelihood can wait, or they can even be ignored.
The most common error I see in risk management is the propensity to address vulnerabilities rather than full-fledged risks. In late 2009, a bomber’s attempt to take down a plane by concealing explosives in his undergarments exposed a vulnerability. It is possible to sneak a small quantity of explosive through conventional security systems, though not necessarily the needed detonator and not necessarily enough explosive material to take down a plane.
But this says nothing about the likelihood of this happening again — or of it being successful. In hundreds of millions of enplanements each year, this attack has manifested itself once. And it failed. The TSA effort is going after a vulnerability — of that there is no doubt — but it is arguable whether or not it is addressing a significant risk.
After risk assessment, the next step in risk management is choosing responses. Though the concepts and terminology are not settled in this area either, there are four general ways to respond to risk:
- Acceptance – Acceptance of a threat is a rational alternative that is often chosen when the threat has low probability, low consequence, or both.
- Prevention – Prevention is the alteration of the target or its circumstances to diminish the risk of the bad thing happening.
- Interdiction – Interdiction is any confrontation with, or influence exerted on, a threat to eliminate or limit its movement toward causing harm.
- Mitigation – Mitigation is preparation so that, in the event of the bad thing happening, its consequences are reduced.
In its operation, the strip-search/grope combination is an interdiction against any who may try to carry dangerous articles on planes. As to the air transportation system, it might also be conceived of as a preventive measure.
The next analytical lens to look through is benefit-cost analysis, or trade-offs. The goal is to allay risk in a cost-effective way, spending the least amount of money, and incurring the least costs overall, per unit of benefit.
Security systems involve difficult and complex balancing among many different interests and values. The easiest, by far, is comparing the dollar costs of security measures against the dollar benefits. This is analysis that U.S. Government Accountability Office says the TSA has not done. A March 2010 GAO report says:
[I]t remains unclear whether the AIT [strip-search machine] would have detected the weapon used in the December 2009 incident based on the preliminary information GAO has received… . In October 2009, GAO also recommended that TSA complete costbenefit analyses for new passenger screening technologies. While TSA conducted a lifecycle cost estimate and an alternatives analysis for the AIT, it reported that it has not conducted a cost-benefit analysis of the original deployment strategy or the revised AIT deployment strategy, which proposes a more than twofold increase in the number of machines to be procured.4
If DHS did a cost-benefit analysis, the fact that these machines reveal most articles a person might try to sneak onto a plane appears on the benefit side of the equation. And that is an important benefit.
There are at least two important limitations on the benefit. First, there is an open question as to whether the strip-search machine would successfully detect lower-density material like the explosive PETN. If it does not, the machine’s utility against underpants bombing relies on potential attackers’ ignorance of that to deter their attempts. Second, the benefit of the strip-search/grope is not what it achieves from a baseline of zero, but the marginal security improvement in provides over alternatives like the status quo magnetometer and random pat-downs.
How do you reduce security benefit to something measurable? It’s difficult, but I’ve been mulling a methodology for valuing security against rare attacks in which you assume a motivated attacker that would eventually succeed. By approximating the amount of damage the attack might do and how long it would take to defeat the security measure, one can roughly estimate its value.
Say, for example, that a particular attack might cause one million dollars in damage. Delaying it for a year is worth $50,000 at a 5% interest rate. Delaying for a month an attack that would cause $10 billion in damage is worth about $42 million. It is best to assume that any major attack will happen only once, as it will produce responses that prevent it happening twice.5
Of course, one must consider “risk transfer.” That’s the shifting of risks from one target to another — say, from planes to buildings. (An organization like the Department of Homeland Security would regard this as lowering the benefit of a security measure, while an airline would be indifferent to it — unless it owned the building…) There is also the creation of new risks, such as the possible health effects of the strip-search machines. This brings us to the cost side of the ledger.
On the cost side of the ledger, the easy things to measure includes the hundreds of millions or billions of dollars that must be spent on strip-search machines themselves. As much or more money will be spent on an ongoing basis to operate the machines. My observation is that it takes three people to operate one strip-search machine: a guide, an analyst to review the image, and a person to do the secondary pat-down which occurs regularly (though it would occur less over time). On a nationwide scale, this is hundreds of millions of dollars per year spent on TSA employees.
The value of travelers’ time is also important. This hasn’t received much discussion, but as more and more strip-search machines come into use, there will be more discussion of how much time they consume compared to magnetometers.
Reviewing tape of TSA checkpoints reveals that passing through the machines takes at least seven seconds per passenger. Variations in the time it takes to traverse the security checkpoint require all travelers to increase the amount of time they spend at the airport as a cushion against the risk of missing flights, which can cost many hours per occurence. If each of 350 million trips in a year results in an additional minute at the airport to accommodate the vagaries of the strip/grope, five to six million person hours at the airport will be wasted, a cost of $145 million per year if we value travelers’ time at $25 per hour.
It is more difficult is to balance interests like privacy and dignity against security benefits. The legislation we are discussing in the hearing today is evidence that the security procedures do not comport with the American people’s sense of privacy. If the airport strip/grope does not survive a dollars-to-dollars cost/benefit analysis, and if it also violates privacy, this is an inappropriate policy. What you do to reduce its privacy costs and right the balance is well worth considering.
My own view is that the strip/grope is security excess. If I had my way, I would choose the airlines and airports that do not go to this extreme. I do not get to have my way, and neither do you if you prefer a different security/privacy mix, because the federal government has commandeered airline security from the airports and airlines who should properly have responsibility for it.
The TSA should be abolished and responsibility for security restored to airlines and airports. Their experimentation could blend security with privacy, convenience, and comfort, improving the travel experience overall while restoring liberty to American travelers. In the meantime, your effort to provide a counterweight to federal overreaching in this area is a welcome protection for Pennsylvanians and an example for state leaders across the nation to emulate.
1 514 U.S. 549 (1995).
2 Congress created the TSA within the Department of Transportation in the Aviation and Transportation Security Act, Pub.L. No. 107-71 (Nov. 19, 2001).
3 Congress created the Department of Homeland Security, transferring the TSA to that new agency, in the Homeland Security Act of 2002, Pub.L. No. 107-296 (Nov. 25, 2002).
4 United States Government Accountability Office, “TSA Is Increasing Procurement and Deployment of the Advanced Imaging Technology, but Challenges to This Effort and Other Areas of Aviation Security Remain,” GAO-10-484T (Mar. 17, 2010) http://www.gao.gov/new.items/d10484t.pdf
5 The 9/11 “commandeering” attack on air travel is an instructive example. By late morning on September 11, 2001, passengers and crew recognized that cooperation with hijackers contributed to the deadliness of attacks rather than saving their lives. They spontaneously changed the security practice to meet the new threat, and the 9/11 attacks permanently changed the posture of air passengers toward hijackers, along with hardened cockpit doors bringing the chance of another commandeering attack on air travel very close to nil.