Friday, December 16, 2005

Airline security a waste of money

Bruce Schneier has a terrific piece on airline security in his latest crypto-gram.

"Since 9/11, our nation has been obsessed with air-travel security. Terrorist attacks from the air have been the threat that looms largest in Americans' minds. As a result, we've wasted millions on misguided programs to separate the regular travelers from the suspected terrorists -- money that could have been spent to actually make us safer.

Consider CAPPS and its replacement, Secure Flight. These are programs to check travelers against the 30,000 to 40,000 names on the government's No-Fly list, and another 30,000 to 40,000 on its Selectee list.

They're bizarre lists: people -- names and aliases -- who are too dangerous to be allowed to fly under any circumstance, yet so innocent that they cannot be arrested, even under the draconian provisions of the Patriot Act. The Selectee list contains an equal number of travelers who must be searched extensively before they're allowed to fly. Who are these people, anyway?

The truth is, nobody knows. The lists come from the Terrorist Screening Database, a hodgepodge compiled in haste from a variety of sources, with no clear rules about who should be on it or how to get off it. The government is trying to clean up the lists, but -- garbage in, garbage out -- it's not having much success.

The program has been a complete failure...

I know quite a lot about this. I was a member of the government's Secure Flight Working Group on Privacy and Security. We looked at the TSA's program for matching airplane passengers with the terrorist watch list, and found a complete mess: poorly defined goals, incoherent design criteria, no clear system architecture, inadequate testing. (Our report was on the TSA website, but has recently been removed -- "refreshed" is the word the organization used -- and replaced with an "executive summary" (.doc) that contains none of the report's findings. The TSA did retain two (.doc) rebuttals (.doc), which read like products of the same outline and dismiss our findings by saying that we didn't have access to the requisite information.) Our conclusions match those in two (.pdf) reports (.pdf) by the Government Accountability Office and one (.pdf) by the DHS inspector general...

These programs are based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That's simply not true."

If we take the billions we're spending on crazy programs like ID cards, children's databases, passenger screening programs like Secure Flight, passenger data disclosure between the EU and US, and spent them on more better trained police, child support professionals and intelligence officers and the resources they need to carry out effective intelligence gathering, investigation and action to prevent and respond to criminal acts, we'd be a lot better off. Even when governments are told by their own experts that these big technology schemes are worse than useless, they still press ahead not only ignoring reality but actively covering up. What you have here is what Diane Vaughan would call the "normalisation of deviance." Government evolves to a state where the process of ignoring or covering up inconvenient evidence is normalised, everyone must stay "on message" no matter how warped that message might be and we end up with vast unwieldy messes like the UK's coming ID card system or the EU database directive.

No comments: