Here’s an interesting security design problem. Suppose you’re in charge of airport security. At security checkpoints, everybody gets a primary search. Some people get a more intensive secondary search as a result of the primary search, if they set off the metal detector or behave suspiciously during the primary search. In addition, you can choose some extra people who get a secondary search even if they look clean on the primary search. We’ll say these people have been “selected.”
Suppose further that you’re given a list of people who pose a heightened risk to aviation. Some people may pose such a serious threat that we won’t let them fly at all. I’m not talking about them, just about people who pose a risk that is higher than average, but still low overall. When I say these people are “high-risk” I don’t mean that the risk is high in absolute terms.
Who should be selected for secondary search? The obvious answer is to select all of the high-risk people, and some small fraction of the ordinary people. This ensures that a high-risk person can’t fly without a secondary search. And to the extent that our secondary-searching people and resources would otherwise be idle, we might as well search some ordinary people. (Searching ordinary people at random is also a useful safeguard against abusive behavior by the searchers, by ensuring that influential people are occasionally searched.)
But that might not be the best strategy. Consider the problem faced by a terrorist leader who wants to get a group of henchmen and some contraband onto a plane in order to launch an attack. If he can tell which of his henchmen are on the high-risk list, then he’ll give the contraband to a henchman who isn’t on the list. If we always select people on the list, then he can easily detect which henchmen are on the list by having the henchmen fly (without contraband) and seeing who gets selected for a secondary search. Any henchman who doesn’t get selected is not on the high-risk list; and so that is the one who will carry the contraband through security next time, for the attack.
The problem here is that our adversary can probe the system, and use the results of those probes to predict our future behavior. We can mitigate this problem by being less predictable. If we decide that people on the high-risk list should be selected usually, but not always, then we can introduce some uncertainty into the adversary’s calculation, by forcing him to worry that a henchman who wasn’t selected the first time might still be on the high-risk list.
The more we reduce the probability of searching high-risk people, the more we increase the adversary’s uncertainty, which helps us. But we don’t want to reduce that probability too far – after all, if we trick the terrorist into giving the contraband to a high-risk henchman, we still want a high probability of selecting that henchman the second time. Depending on our assumptions, we can calculate the optimal probability of secondary search for high-risk people. That probability will often be less than 100%.
But now consider the politics of the situation. Imagine what would happen if (God forbid) a successful attack occurred, and if we learned afterward that one of the attackers had carried contraband through security, and that the authorities knew he posed a hightened risk but chose not to search him due to a deliberate strategy of not always searching known high-risk people. The recriminations would be awful. Even absent an attack, a strategy of not always searching is an easy target for investigative reporters or political opponents. Even if it’s the best strategy, it’s likely to be infeasible politically.
“Whom Should We Search at the Airport?”
I don’t think I understand Ed Felten’s predicament here. Can’t we solve the problem by, for instance, searching all the high-risk people, and an equal number of low-risk people? The terrorist leader will never be sure whether a particular henchman was …
When someone did the math, they naturally started out with a set of assumptions. If we do not equate “high risk” profile with “information leakage”, then the Carnival Booth results don’t apply.
A valid point against covert air marshals is that they’re a lot more expensive than searches, therefore we can afford fewer of them. But given any passenger searching at all, we can assume that an intelligent attacker will attempt to defeat a personal / carry-on bag search. Intuitively, I’m suggesting a non-linear payoff for an increase in resources devoted to passenger searches.
Consider another, and probably cheaper alternative to covert air marshals: Two to six digital cameras operated in SSTV-mode (cockpit, main aisle, plus); continuously broadcasting. At a ground center, some number of humans views some of the data some of the time. With independent camera systems, we can reduce the probababilty of simultaneous random (i.e. accidental) failure of all cameras on board a plane.
We can increase the attention given to a particular flight with much lower probability of information leakage than increased passenger screening.
The downside to a camera scheme is that observing a hi-jacking in progress gives us very few effective interventions: Send the air force. Are any other interventions possible with remote on-board observation capabilities?
Fwiw, a cockpit camera would aid the NTSB in accident investigations, so there’s a secondary payoff there.
“Seems to make sense”, but at the Carnival Booth link above you can see that when someone did the math, that didn’t turn out to be the case. It’s too easy for organized terrorists to game the system if there’s some “high risk” category of passengers defined, even if how it’s defined is not made public knowledge.
If certain individuals pose a greater risk than average, then it seems to make sense that more resources should be applied to mitigate that risk. General screening, without any discrimination, reduces the risk that an average group of passengers on a flight may include a capable attacker. Why do we assume that an increase in the resources devoted to mitigate general risk is the most effective way to mitigate a specific risk?
IOW, if the passengers on flight fit a higher than average risk profile, perhaps it would make more sense to allocate a (covert) air marshal to that flight, rather than increase the passenger screening.
Scary how cheaply the Terrorists have won, isn’t it?
Read “The Art of War” by Sun Tzu. It is over 1000 years old, and Osama obviously studied it.
“Use your enemies strength against them.”
America is killing itself, and only a few people and places, such as this site, seem to notice, and fewer still are upset that the whole American culture and value system is being shifted to a nanny police state.
I’ve seen the huge number of adverts up on the TV over christmas, trying desperately to get the tourists to come back to America. Everyone I know who can afford to fly to the States doesn’t want to, even though the cost of a flight is so low due to the weakness of the dollar ($2 to the pound! Wow!)
It isn’t the terrorists, it is the hassle. I’m from that radical little state that supported the US going into Iraq (I mean really supported, not was bribed) Yes, the UK, and, oddly, I still need to get a visa to visit, I’m still going to get shit at the airport, I’m just as likely to get stopped for looking shifty or not looking shifty, as my ex-boss from Iran. (ok, not that likely, he gets stopped every(!) time he goes to visit his family in CA! Yes, every year. Yet he still works for a UK defence firm in a security cleared job. Proto-terrorist or loving father? He wears slip-ons to fly.)
America needs to realise that it is a funny kind of war, and that invading places isn’t going to help, and nor are watch lists and elint on every US person. It needs a fundamental change in the American attitude. Simple respect for others would be the place to start. Not invading a country to stop people being locked away without trial for years, and tortured pointlessly, then locking people away and torturing them pointlessly, and then claiming it is somehow different.
Little things like that.
And to think I nearly moved over there!
Intelligent discussion of security threats and responses! You people must not work for the government.
Whatever countermeasures you design, be sure to design them for not just airplanes, but trains, buses, cruise ships, and federal buildings. DHS is already applying ITS intrusive and useless measures there, largely without statutory authorization. But a provision slipped into the 9/11 Intelligence Reform bill has legitimized several of the current measures, and invited DHS to propose new areas where your ability to travel and assemble will be restricted by arbitrary and largely secret rules, procedures, and “enemies lists”. See Section 4701 (legitimizing “Watch lists for passengers aboard vessels”) and Section 7220 (legitimizing “Identification Standards” for entry onto airplanes).
The Feds are very likely to refuse to allow you to travel AT ALL, two years from now, unless your state adopts new Federal standards for driver’s licenses (and you get a new license). Section 7212 requires this. The Feds can’t force the states to do anything, but until people value and uphold their constitutional right to travel (independent of any stinkin’ badges) the Feds can hold the people of the state hostage until the state relents.
Here is the 9/11 law you’ll find those Sections in.
That’s not true. Consider the case where the pilot is the terrorist.
As Dan Wallach has correctly identified, the change in passenger mindset has made a 9/11 style attack much more difficult. To pull it off, you either need to get the hijackers into a barricaded cockpit (which is why a sealed cockpit might not be such a good idea) or figure out a way to disable all the passengers.
Dan gets it right again when he worries more about other types of attacks. There are so many targets out there that it is completely infeasible to protect them all. About the only thing that can be done is to find out about it before it happens – in other words, domestic intelligence.
Any “high risk list” depends on reliable matching people waiting to board against names (or other forms of identification) on the list. Fake IDs completely defeat such schemes, at some cost (both monetary, and additional illegal acts which increase their risk of getting caught) to the terrorists.
Likewise, any profiling scheme depends on collecting *accurate* data about the people waiting to board the plane. Anything not derived directly from the person standing in front of the security officer is subject to fraud.
For example, if passengers can print their own boarding pass at home, and the “extra scrutiny” indication is clearly identifiable, how hard would it be for a terrorist to take the image of the boarding pass and photoshop out the indication before printing it?
So the question is, is the additional effort the terrorists have to expend to defeat such measures big enough to justify the costs of such measures?
Other websites of interest to people concerned with security include Bruce Schneier’s Schneier on Security, and news summary site Stupid Security.
If you read these site or Bruce Schneier’s book Beyond Fear, you will quickly discover why things like credit checks are a bad idea. The problem is that they assume that past behavior is good predictor of future behavior. This is not true for a terrorist. Especially a suicidal terrorist.
The whole idea of a “watch list” is a terribly unfunny joke. It is ineffective security theatre.
TS describes two possible threats: (A) use the airplane itself as a weapon and (B) more traditional hijackings. The big thing that has changed, post 9/11, is that the general population is aware of type-A attacks. If somebody should attempt to hijack a plane, whether intending to use the plane as a weapon or not, most passengers will simply assume that they’re dead anyway, and will resist. Any small group of hijackers, even if equipped with firearms, won’t be able to maintain effective control over the plane.
Personally, I’m far more concerned about terrorist attacks on other elements of critical infrastructure, particularly oil and gas pipelines. Those are all over the place and have relatively little physical security to protect them.
It would seem Ed is really concluding that high-risk lists are a bad idea, since they can be derived by the adversary by experimentation fairly easily. Since these things probably cost a lot to implement and are probably not very accurate anyway, this would seem an excellent result. Get rid of them.
On the other hand, I disagree about what Ed and other posters say about plane safety. There are basically two kinds of attacks: (A) the ones that use the plane as a weapon to kill many people and (B) the ones that might kill people on the plane (maybe all).
The real danger is A-type attacks, which can be completely prevented by making un-hijackable planes, e.g. sealed cockpits.
The problem with B-type attacks is that they deter people from using airplanes. The worst case here is bombs. Bombs are best found with those sniffer devices, right? Not searching… Searching is for hand-to-hand weapons. Now, post-9/11, how likely is a terrorist to succeed at hand-to-hand combat in an aircraft. Close to zero. So searching is just plain stupid, especially when they take my mustache scissors — I am 190lb athletic male. I am likely more dangerous unarmed than with those scissors.
Phew, sorry about the rant…
Ed,
The political problem is easy to solve in our two party system. You simply make both parties accountable for the decision. In practice, these types of decisions and bargains are made every day by security oversight committees.
So you should feel free to suggest better alternatives for security. It’s the criticism of these decisions that gets stonewalled.
Visa can determine in real time that a specific purchase is outside my usual pattern and call my home to determine if my card is being misused. Why can’t airline passengers voluntarily submit to a check of the commercial data linked to the credit card account they use to purchase their airline ticket to determine their level of security risk? It should be relatively easy to develop a security score from the mass of information — purchase records, longevity at home addresses, employers. Most passengers would be scored as negligible risk and nearly all of these could bypass security. Those who prefer not to have their credit records inspected, could submit to rigorous screening. (At check in, airline personnel routinely inspect picture IDs and could verify that the credit card used was that of the passenger.)
Perhaps someone will complain that this is discriminatory in some way. On the other hand, an isolated incident of terrorism has caused an enormous inconvenience to millions of travelers at a huge economic cost. Let’s face it: the terrorists have won! With a little common sense, we can foil the terrorists and resist a terrorist-imposed change to our lifestyle.
Well, it might be a good start to search all of the ground staff, maintenance workers, caterers, etc. Also, given the amazing amounts of theft out of baggage, they should be searched both coming and going. Quis Custodiet Ipsos Custodes?
This past summer I flew 3 one way flights with stay overs of more than a day at each leg. Only on the last leg was I flagged for extra security. It was clearly marked on my ticket. What is interesting is that on this leg I was traveling with my wife and then 4 month old son. We had 6 bags between us. The ticket agent gave us each our tickets, and then assigned all six bags to my wife who was not flagged. Now I am assuming that the bags might also have been up for extra scrutiny and he did me a favor by checking them all to my, non-flagged, wife. Interesting though possibly meaningless.
Good post and john’s observation about the fact that the goverment is not serious about security is all to correct. I refer to it as Kabuki Security.
“Even if it’s the best strategy, it’s likely to be infeasible politically.”
This observation, combined with the way “homeland security” funds have been distributed, tells me the government isn’t really serious about security. At all.
Adam, what happens when they carry a bomb onto the plane? No air marshall, locked door, or “kill zone” is going to protect a thought out plan including a bomb (and no, the shoe bomb was not well thought out).
Ed, the extreme here is to follow the model of El Al, and search everyone. Yes, there is an inhibitive cost, but it makes it a lot harder for anyone to smuggle anything onto the plane.
I had an interesting experience with this and it suggests to me that individual airports in fact adjust their screening rules “on-the-fly.” I am white, male, and extraordinarly average in appearance — I’ve never thought I might fit any sort of profile that might conceivably apply to a terrorist.
I went through security at an airport in the Northeast with a big carry-on bag that contained a bunch of clothes, but also an extensive 35mm camera setup and some other electronic equipment (cellphone, charger) and some hobbyist modeling stuff (little Testors paint bottles, brushes.) I was flagged at what seemed like random and my carry-on was extensively searched. It took about five minutes, and I had to pass my shoes through the x-ray machine.
An hour and a half later, because my flight was delayed, I decided to trek back through the terminal to have a cigarette outside (at the time I was looking at several more hours in the airport, and I was getting edgy because sadly, I still smoke.)
I left the carry-on bag with a nice person in the terminal with whom I had struck up a conversation over the intervening hour and a half. (Yes! I trusted my camera to this stranger — maybe stupid, but I didn’t think so at the time.)
Of course I had to pass back through security with my boarding pass a second time, but only with my jacket and cigarette lighter and wristwatch. I was not searched a second time, but perhaps (?) the TSA people manning the security checkpoint remembered me.
FWIW, it made me think that the well-run and competent airport security operations are adjusting their screening calls adaptively. The second time through the checkpoint, it was nice not to have to take off my shoes.
Adam: Redesigning airplanes may help, but only against certain kinds of attacks. I think of that as a complementary approach.
Cypherpunk: I agree that a continuum of risk levels is better than just two levels. But I don’t think it will turn out that the optimal search probability is proportional to an individual’s risk level.
The correct solution is to select search victims randomly, using a probability distribution weighted by estimated likelihood of being a terrorist. If all you have is two levels (high risk/low risk) then you estimate how much more likely the high risk people are to be carrying contraband, and make them that much more likely to be selected for search. If they were, say, 5 times more likely to be bad guys than the general public, you’d search 5 high risk people for one low risk.
Unfortunately, I think that if you polled the American public today, the biggest uproar would be that there could be any henchmen who aren’t on the high-risk list. If (God forbid) a successful attack occurred, one of the main questions would be: was the attacker on the high-risk list, and if not, why not?
Your analysis suggests that if we could greatly reduce the false negative rate, then screening all high risk passengers might make more sense, because the mastermind would have a hard time finding unmarked accomplices.
Of course, your readers will probably know that reducing the false negative rate will most likely greatly increase the false positive rate and screening costs. However, this message doesn’t seem to have gotten through to the American Public. More and more resources seem to be diverted to address the false negative rate problem, with the tacit approval of most of America. Our Congress seems to find it politically infeasible to explain to the American Public that a false negative rate of zero is unachievable unless possibly we hand over the reins of government to Saddam Hussein.
The right solution is fewer secondary searches, and more secure airplanes. There are numerous ways to make airplanes safer, including better doors for the cockpits, armed pilots, air marshals, or even a “pilot’s zone” (a locked stretch of corridor leading to the cockpit, with food, restroom, no access during flight, and maybe an air marshal with shoot to kill authorization.)
Other useful techniques include searching at the gate, rather than far from it.
Each of these has a cost, but so does the current system. We ought to be thinking innovatively and creatively about ways to attack and defend aircraft, rather than classifying the criteria and the threats, and pretending anyone who challenges the TSA is with the terrorists.
If we’re going to search the high-risk crowd frequently enough to havea good chance of catching the henchman on the second trip, then we’re going to have to be searching the high-risk crowd fairly often. If this is true, than the terrorist leader could fairly easily determine who was on the high-risk list and who was not by having each henchman take several trips and check how frequently each was searched. If we are going to search high-risk passengers frequently enough to make a difference in finding the contra-band, it would not be that difficult to determine who was high-risk and who was not with a fairly small number of trip.s
Ed:
You are, of course, correct.
The solution (assuming one can identify high-risk passengers at all) is to ensure that adequate searching resources are always available to randomly search a sufficiently high portion of the non-high risk population to make the Carnival Booth mechanism fail.
Politically, the use of these “extra” searchers can be played as a means of minimizing traveller inconvenience.
Felten: It happened at Logan last week so sadly not fixed. Along the same lines, I usually check in online the night before flights. The night before I tried to check in and the system said I would have to wait until I got to the airport. I figured the flight was full and they weren’t going to honor my seat assignment. But when I checked the plane map there were still several seats showing available. I wonder if they pre-select you for secondary search that far in advance. I figured that it was random as people checked in. But if you are checking in on-line the night before I guess it would have to pick you then. So maybe the henchmen would know 24 hours in advance when the airline doesn’t allow you to check in online that you have been pre-selected.
When my wife and daughter travelled by themselves recently, they were marked for “special security”. I watched as they went through, and noted that at least 80% (24 out of 30 that I watched) were women; half of them were women with small children. I’ve since watched the lines 3 more times, and each time the same was true: 80%+ women. Not sure what kind of criteria, game, meta-game or meta-meta-game would lead to that result…we *certainly* aren’t selecting high-risk individuals…
Anonymous: The boarding-pass marks you describe are a clear security vulnerability. I assumed in my original post that problems like this would be fixed.
What I think is interesting is that your boarding pass notifies officials that you need a secondary search. So if a henchman knows where to look on the boarding pass to see if he will be selected for a secondary search, wouldn’t he just pass his contraband on to one of his mates who doesn’t have the secondary search code?
Over the holidays, my boarding pass contained the secondary search code. TSA officials were more than glad to tell me that it was the code for the secondary search when I asked why I was being diverted to a special line. Silly me, I thought I was getting to go through the shorter line because I was a Airline Club member.