August 4, 2015

avatar

Airport Scanners: How Privacy Risk Leads to Security Risk

Debates about privacy and security tend to assume that the two are in opposition, so that improving privacy tends to degrade security, and vice versa. But often the two go hand in hand so that privacy enhances security. A good example comes from the airport scanner study I wrote about yesterday.

One of the failure scenarios discussed in that study involves tampering with a computer that handles a scanned body image. The researchers showed that anyone who can tamper with the computer on which images are viewed can carry any contraband they like through the scanner without detection, by reprogramming the system to display an innocuous image when it sees a distinctive pattern presented by the attacker, such as a geometric pattern in lead tape on the attacker’s undershirt.

Tampering is a problem in all security checkpoint technologies, but it is a bigger risk for the body scanners than it was for the previous generation of magnetometers (metal detectors). The reason is that the magnetometers’ critical hardware is in a highly visible public place (the public part of the checkpoint) where tampering is likely to be noticed, but the scanners’ viewing computer is tucked away in a private, screened area set apart from the checkpoint—the kind of place where an intruder or a rogue employee can more easily mess around with a computer without being noticed.

Why the difference? The reason is that the scanner collects sensitive private body images, unlike the magnetometer. So the scanner has to be in a non-observable place. The scanner’s privacy drawbacks create security drawbacks.

You could try to cope with the risk of computer tampering by pointing a surveillance camera at the viewing area, but now you’re introducing the risk that naked body images will be picked up by the surveillance camera. The surest way to protect the system from tampering has to start by reducing the system’s privacy impact.

Comments

  1. While security and privacy don’t have to be in opposite, and many times aren’t, the scenario you describe here is exactly an example of when security and privacy *are* in opposite.

    In order to increase privacy a critical component is placed in an harder to monitor area thereby damaging security. Giving up the privacy concerns, and putting everything in the public area of the checkpoint, would have removed the security problem. It’s a very clear case of privacy-vs-security tradeoff.

    What you’re, rightly, suggesting is that finding a *different* way to reduce the privacy concerns may have alleviated the security concerns that were caused in order to *increase* privacy.
    It’s not a case where “privacy enhances security”, it’s a case where privacy and security are at a tradeoff but maybe don’t have to be.

    • No, this case is not one where privacy and security are tradeoffs. No one is more secure because of these machines [as proved by people time and time again have gotten past security with all sorts of contraband] and no one is certainly any more private. We lost both security and privacy with these machines.

      • The issue (both in my comment and in the original post) wasn’t with actual tradeoffs, but with the perception of tradeoffs. A lot of “security theater” things don’t really improve security, but while they are presented as if they improve security they justify a damage to privacy by a privacy/security tradeoff.

        With a starting point of “the devices don’t improve security” there isn’t any discussion on whether in this case security and privacy are in opposite or go hand in hand, because there is no security involved. So an attempt to show that in this case security and privacy go hand in hand does so under the assumption of (either a real, or the perceived one that drives the usage of the machines) security gains from using the machine.

        My point wasn’t that there is indeed a security gain from the machines. My point was that if there is a security gain then the given example is one in which security and privacy are in opposite, and not one where they go hand in hand. The security gains/damages I responded to where ones presented in the original post.

  2. Yet another interesting observation Ed. I Agree that privacy and security are not opposites, in fact I would argue that most of the time they are identical counterparts needed for true freedom.

    That is the more freedom the more true security that exists and vice versa (but not the more perceived security which actually decreases freedom), and the more freedom that exists the more privacy will follow. Now that may sound like a lot of hog wash.

    But, I want to play a different angle of observation. And that is again in psychology to which you do not seem to have studied. Nor, apparently most of the populace.

    Here’s my take on the new machines. We “presume” that there is an invasion of privacy in this instance, because in this country we expect that our genitals will not be viewed by other persons; and the use of such machines is in essence making our genitals exposed to our so called “security” personnel and/or others which invades our perceived privacy.

    To reduce the factor of that “invasion of privacy” it was decided to put the imaging computers and screens in a private place. And that the person viewing the images could would also not be allowed to see the face attached to the image–to provide some sort of anonymity. Sensible ONLY from the perspective of an invasion of privacy. You are right that increases the risk of tampering; thus reducing the security effectiveness.

    You put forth the idea at the end that we should reduce the privacy impact of the systems; presumably (my guess) that you mean it should not display nude images. Well, here is another way to reduce the privacy impact. Change our culture’s perspective of nudity.

    Ever been to a nudist beach. I somehow think those people would not worry about their so called privacy at an airport, and the use of those machines, nor even the dissemination of such pictures from those machines.

    Suppose our culture viewed nudity differently. Suppose no one was worried about the “privacy” of his/her genitals. Then there would be no need to separate the computer systems, and thus increase the risk. You could use such screens within the open and no one would worry about it. For that matter, could just have everyone disrobe completely.

    Now, now, am I NOT proposing we conduct strip searches of everyone at an airport. But, I am using that observation of culture’s perception as an argument and counterargument to my own perspective.

    Again freedom and security are tightly linked and not in opposition. I postulate that we would be MORE SECURE if we abolished the TSA completely. Stopped with all of the so called safety checkpoints. Such freedom would give us better security; it would also give us better privacy. How would it give us better security? That is a diatribe for another day. But, in short. The terrorists won the very day they put the fear in us to the point that we voluntarily gave up our freedoms all in the name of security; and in turn they caused us ALL to be less secure (and even less private).

    • P.S. “but the scanners’ viewing computer is tucked away in a private, screened area set apart from the checkpoint” and “You could try to cope with the risk of computer tampering by pointing a surveillance camera at the viewing area, but now you’re introducing the risk that naked body images will be picked up by the surveillance camera.”

      If you are going to follow that line of reasoning, the easiest solution is simply put the computer in the public area (next to the screening device at the checkpoint), and the monitor that displays the images on the other side of the wall. Composite, VGA, DVI, HDMI, co-ax and any other type of cable that sends images can easily be put through a wall; and most can extend a pretty good distance to boot.

      Risk of tampering isn’t my concern. Use of the scanners isn’t my concern either (I literally couldn’t care less if the world sees my willy). Loss of freedom is my concern.