Friday, July 19, 2013

Randomized TSA screening is stupid

Cyber-pundit Bruce Schneier has a post saying that automated randomized screening by the TSA is a good idea. He's wrong; it's a stupid idea.

Most airport screening is for smuggling, not terrorism. Countries automate the process to stop corruption, so that airport security can't shake down passengers for money. None of this applies to stopping terrorism in the United States.

The reason randomized screening stops smugglers is that it changes the risk/reward ratio. It's not worth smuggling a $1-million of diamonds through the airport given a 5% chance of them getting confiscated. It's not worth smuggling $100 of cocaine through the airport if there is a 5% chance of going to jail. It stops professional smugglers, those who do it repeatedly, because it means they'll eventually get caught.

This math works in the opposite manner for terrorists. Their goal is to die in fiery crash. A 5% chance of getting caught means a 5% chance of living. For some weapons, like guns, they aren't likely to even go to jail, as a thousand people a year accidentally bring weapons on the plane without severe consequences. For other weapons, like C4 packed in a Koran, the press generated from the attempted terrorist attack will be nearly as good as a successful attack. In any case, if their first minion gets stopped in a randomized search, the terrorist organization will just send a second one.

Thus, in the words of Bruce Schneier, randomized screening is just security theater. It has little deterrent effect on terrorists.

Schneier says that the automation is good because it's free from bias or profiling. But that's not "security" speaking but "left-wing populism". Bias and profiling is good from a security perspective. Focusing your attention on mid-eastern males is more secure. Punishing white grandmothers because you feel guilty about the unfairness of profiling is just stupid.

Certainly, profiling is bad for society as a whole. It's bad for crime, for example. If young black men believe they are going to jail anyway, fairly or unfairly, regardless of what they do, they are more likely to commit crime (as John Adams once pointed out). The more we treat an ethnic minority differently, the less they will assimilate, and the more likely they are their children will want to rebel. That government does profiling in some cases sanctions intolerable bigotry in others. Whatever your politics, there are good reasons to avoid profiling.

But just because profiling is bad in general doesn't detract from its value in the narrow case of "airport security". Automating selection certainly fixes the societal problem, but by destroying any usefulness selective screening has in stopping terrorists in the first place. Therefore, the correct solution is to get rid of selective screening altogether, not automate it to assuage your guilt.



Update: The ever awesome Sergey Bratus points to this NYTimes article that says, and I'm not making this up:
"If terrorists learn that elderly white women from Iowa are exempt from screening, that’s exactly whom they will recruit."
I think we have such a fear of being called "bigots" that we'll pretend to believe the plausibility of this statement (h/t Marsh Ray). We should just replace profiling with other security techniques, or simply live with the increased risk, not discard logic because we dislike the practice.



Update: Bruce Schneier responds, characterizing my argument as "profiling makes sense". No, my argument is "random selection doesn't make sense" -- regardless of the efficacy of profiling. I only mention profiling because I believe political correctness encourages people to thing wrongly about random selection. The correct policy is to stop the invasive screening, either from profiling or random selection.

6 comments:

Peter Maxwell said...

'Schneier says that the automation is good because it's free from bias or profiling. But that's not "security" speaking but "left-wing populism". Bias and profiling is good from a security perspective. Focusing your attention on mid-eastern males is more secure.'

Bias is not good at all from a security perspective: it presupposes you can profile the threat, when you actually cannot. In the past fifty years we've had everything from groups like Baader-Meinhof/Red Army Faction to the IRA to lone terrorists like Ted Kaczynski. Doing a quick internet search shows even airplane attacks are certainly not limited to the Islamic male stereotype, e.g. Korean Air Flight 858 or Avianca Flight 203.

Profiling is useless because as soon as your adversary can determine your profile parameters, they can bypass it. It doesn't need to be a granny that terrorists try to sent through airport security, a white female would be more than enough to defeat profiling.

As far as being left-wing popularism, I think you'll find left-wing governments with just a much of a zeal for ethnic profiling as right-wing ones... it still harms society though.


'Therefore, the correct solution is to get rid of selective screening altogether, not automate it to assuage your guilt.'

That's potentially the solution, it doesn't seem to work particularly well. However, trying to maintain that randomised screening is to assuage guilt is naive because profiling perpetuates a number of bad security assumptions and, worse, a wider concept that terrorists must be Muslim... which is frankly a load of mince.






Anonymous said...

You must certainly be aware that when the French sought to limit the FLN, they targeted males. In response, the FLN used women to carry out what was perhaps their most successful attacks. Just like the Maginot Line, if ones defenses are obvious an enemy will simply go around.

Peter Maxwell said...


As it would happen, there is currently in the news an example which supports my earlier argument that profiling is ineffective: a man in a wheel-chair has detonated an explosive device in an airport, http://timesofindia.indiatimes.com/world/china/Man-in-wheelchair-detonates-bomb-at-Beijing-international-airport/articleshow/21192324.cms

Although it doesn't seem like he'd went through security, it does still demonstrate that threats aren't going to nicely conform to a profile.



Richard Steven Hack said...

"It's not worth smuggling a $1-million of diamonds through the airport given a 5% chance of them getting confiscated."

Oh, yes, it is - unless you can't afford to tick off your buyer because he'll shoot you. Otherwise, that's a go. I'd take that chance any day for a million bucks - especially if I were a pro at smuggling. Anyone can hide diamonds in a completely undetectable manner.

$100 worth of cocaine is not worth getting caught for - but anyone smuggling that little is an idiot anyway who doesn't make such calculations. Not to mention it's hard to conceal cocaine from a dog.

Randomized inspection may remove bias but it's stupid because it's unlikely to catch anyone except by chance. It's definitely not going to catch pros. Like most "security theater" it's only going to catch the incompetents.

Of course, there are a LOT of incompetent terrorists.

But profiling Muslims for security reasons is dumb, too. The negative effects are more important than the potential of actually capturing a terrorist. And even from a security standpoint, if you profile Muslims at airports - the terrorists simply won't use airports, they'll change targets. Or they'll change the method of attack from trying to down planes to blowing up the airport itself.

There are only TWO ways to stop terrorism:

1) Counterintelligence and infiltration of groups. This only works if the group is small.

2) Change your policies so the motivation for terrorism goes away.

The US could do this overnight and Al Qaeda would forget the US exists. Just stop supporting the Arab dictatorships and stop supporting Israel and stop killing Arabs in bleeding batches for the benefit of the US military-industrial complex, the oil companies, the banks who finance them, the neocons, and Israel.

The only terrorists left that would be a threat to the US would be home-grown ones - who can be dealt with by ordinary law enforcement and intelligence methods.

"Mass security" of ANY kind is not security. It's security theater.

Anonymous said...

I have a hunch that all four who've commented so far came here straight via the link on schneier.com. Well, so have I, but I mostly agree with Errata Security and disagree with the critics. Worst of all is RSH: "The US could do this overnight and Al Qaeda would forget the US exists. Just stop supporting the Arab dictatorships and stop supporting Israel... " It's a pipe dream. Endearingly naive... for a child to say but not for an adult. It is also megalomaniacal because it implies that we have the power to change our enemies' motivations. Mostly, we do not. As we would find out after having thrown Israel under the bus.

Profiling is not targeting only Muslim-looking airline passengers for extra scrutiny, it's far more subtle and complex than that. I willingly and gladly submit to the probing questions and manual inspection of every item of my luggage when flying El Al. I know it's necessary and effective. Contrariwise, just the thought of flying in the U.S. again turns my stomach. Having my private parts felt up by some drooling creep in a TSA uniform... no thanks!

Not profiling travelers that fit into one of the many "more likely than others to be a terrorist" (again, this is much more complex than "does he look Muslim") boxes is stupid. It is one major reason for the all-encompassing surveillance state, the Prism, Tempora and all the other insanely broad schemes to spy on everyone.

Face it, most terrorist attacks in the coming decades are going to come from Muslims. Let's stop hiding our heads in the sand and conduct ourselves accordingly.

decius said...

A few comments.

First, your post assumes that terrorist minions are disposable - if one gets caught they just send another one. The fact is that Al'Queda does not have endless ranks of minions to send to their deaths and if they did, obviously, random screening would not work. Minions take a lot of work to identify, recruit, train, and deploy. In fact, much of the risk comes from "self radicalized" lone wolfs who are not actually a part of an organized group and thus have a rank depth of one.

Second, terrorist attacks that are thwarted do not have the same impact as attacks that are successful. They have some impact, but it isn't as significant. In particular, if security services are successful at thwarting an attack it does not have nearly the media impact of attacks that are successful or almost successful as people can rationalize that the system effectively prevented the attack from occurring. For example, the attack on the boston marathon has had a bigger media impact than surgically implanted IEDs or the plot to attack cargo planes.

Given these factors, it is rational for a terrorist organization to avoid random security checks.

Furthermore, I think your comment on profiling is based on the assumption that terrorist organizations cannot recruit people who do not fit your profile. It may be more difficult to recruit people who don't fit your profile, but don't assume that it is impossible or that it hasn't happened.