22 April 1999

To: cypherpunks@cyberpass.net
From: daw@cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.cypherpunks
Subject: CDR: Re: FAA's new air passenger surveillance system
Date: 20 Apr 1999 20:14:24 -0700

In article <19990420140743.DXRW2718@alaptop.hotwired.com>,
Declan McCullagh  <declan@well.com> wrote:
>                      Tourist or Terrorist?
>                      by Declan McCullagh (declan@wired.com)
>                      3:00 a.m.  20.Apr.99.PDT
>                      WASHINGTON -- A US$2.8-billion monitoring system
>                      championed by Vice President Gore will
>                      use computer profiles to single out airline
>                      passengers for investigation and scrutiny.

Thanks for forwarding this.

I've actually done a fair amount of research into the FAA's photo ID
security requirements, and what I've learned has really depressed me.

What most people don't know is that the FAA regulations which require
airlines to ask for photo ID don't apply if you aren't checking luggage.
(Caveats: Only applies to domestic flights.  And a few airlines have
stricter regulations than what's required by law.  I last checked about
6 months ago; if the policy has changed since then, all bets are off.)

However, there's an education problem -- many airline employees don't
know this, and in practice you will have a hard time convincing them.
Sadly, I think the FAA is complicit in this problem -- when I called them,
they (reluctantly) confirmed over the phone that this is indeed their
policy once I volunteered that I knew about it, but flat out refused to
confirm it in written form (!), saying that this information only goes
to those with a need-to-know.

But leaving that aside, what's far worse (to my mind) is that most of
these invasive "security" procedures are of dubious effectiveness.  In
all honesty, I think they would be unlikely to slow down a motivated
adversary much.

For kicks, I've done some investigation and testing, and here is some
analysis on their effectiveness [1]:

1. Hand-searching carry-on luggage for selectees:
easily bypassed.

     (Anecdote: Whem I fly as a selectee, the usual procedure is that they
      search my luggage at the gate in advance, then let me roam before
      boarding.  This does not require much thought to bypass: show up early,
      stash your bag in a public locker before the search, then retrieve it

     (Anecdote: Once, rather than searching my bags immediately, the
      checkin agent put a sticker on ticket that was supposed to alert
      the gate agent not to let me on the plane without searching my bag.
      I was truly impressed: I thought for once their hand-search procedure
      was going to be effective.  When I got to the gate, the gate agent
      stared at the sticker for about 30 seconds, clearly not sure what it
      meant, then finally looked at me and waved me through, without the
      search.  Maybe it was just a fluke, but I'm skeptical.)

2. Photo ID requirements:
      (I assume I don't need to mention that if teenagers find it easy to
       obtain fake IDs, presumably would-be terrorists can also get one.)

3. Profiling:
I am very skeptical.
      (Suppose I have an ID under a false name.  I use it to get a credit
       card under that name, then buy a suit and a round-trip ticket in

       first class.  How is the profiling going to pick me out of the
       crowd of business travelers??)

4. Random bag searches as you pass through the metal detectors:
probably not very reliable, though surely they help a little.
     (Anecdote: When the security guard at the X-ray detector asked if he
      could search my bag (a random suspicion-less search), I played dumb
      and asked "Do I have to?".  He said, warmly, "Oh, are you late for
      your flight?".  When I nodded yes, he let me go without searching.
      Friendly guy!)
     (Anecdote: One FAA document had to advise security guards to not pick
      just small bags for the "random" searches.  Turns out that some
      guards were avoiding the big bags because they took more effort to

5. The metal detectors & X-ray machines entering the gate:
actually a pretty good defense, but they can be defeated without too
much effort.
      (Simple attack: carry a big bulky "laptop" that actually contains
       a pound of nasty explosives.  This is pretty hard for the good
       guys to stop with current procedures, sadly...)
      (Anecdote: Ever wonder how they get the beer and other supplies into
       the bars and restaurant near the gate?  Lucky Green tells an
       eye-opening story about the time he saw them wheeling these kegs of
       beer around the metal detectors as the guards waved them on.  When
       you realize that these are opaque containers that block X-rays, it
       is clear that pretty much anything could potentially be transported
       past the security perimeter in a keg, no questions asked, if you can
       position yourself as the beer-supplier.)

6. Positive bag matching.
PBM is seems like it must be a pretty good defense, if you assume the
terrorist doesn't want to die from his own bomb, and if you apply it to
every passenger, although even then, it still can be defeated.
      (The attack that seems hard to prevent: The terrorist finds a flight
       with a stopover, boards with a bomb in his carry-on luggage, then gets
       off the plane at the intermediate destination (leaving his carry-ons
       up in the overhead compartment) and never re-boards.)
      (Another weakness: In practice, it's only applied to fliers that "hit"
       in the profile, so adversaries actually have two ways to defeat PBM:
       avoid the profile, or play the stopover trick mentioned above.)

Notice how the most privacy-invasive security techniques (ID checks,
profiling, hand-searches, etc.) are also the ones that are the least likely
to be effective in practice?

It seems the ineffective techniques (photo ID checks, etc.) are there
just to reassure the flying public that the FAA "is doing something",
i.e. perception management (normally called "pulling the wool over your
eyes") rather than real security.  Sadly, it's exactly their privacy-invasive
nature which makes these techniques work well for perception management,
so I don't think we'll be rid of this problem soon.

Another big problem the good guys have is transitive trust.  If you pass
security in Podunk Airport and fly to JF Kennedy, you can then wander around
the "secure" area and get on another flight from JFK to SFO, without ever
going through security in JFK -- and if Podunk Air is lax about security,
you can use them to bypass the strict security in JFK.  In other words, the
security of the US airport system is only as strong as its weakest link.

I don't envy the position of those responsible for aviation security; if
the goal truly is to prevent terrorist attacks (not just to project a false
sense of security, as the cynics would suggest), they have a very hard
problem on their hands.

However, I fear that the FAA has struck a terrible balance in their current
aviation security policy: it is not strict enough to offer real defense, but
just harsh enough to invade our privacy -- we give up some of our freedom
when flying, and in return, all we get is "security procedures" that don't
actually do much to protect us.  All this is surely old hat for the grizzled
cypherpunk, but depressing nonetheless.

Footnote 1.

  Normally I would be a little reluctant to post this kind of detailed
  information on weaknesses in the aviation security infrastructure --
  while I value my privacy and freedom to travel, the last thing I want to
  happen is for someone to go bomb a plane after reading this post (no
  matter how unlikely that may be in practice).
  Nonetheless, if we as a society are going to make an informed policy
  decision, we can't kid ourselves.  We live in a democracy, and the public
  needs to know the flat honest truth.
  It's one thing to sacrifice some privacy if you gain a lot of security
  in return.  It's another thing entirely to needlessly sacrifice freedom
  if we gain absolutely no security in return.  And I think the evidence
  shows that we have gained nothing in return for the extra restrictions
  on our freedom to travel.  The real terrorists surely know this; the flying
  public deserves to know, too.

See also "Terrorism and Drug Trafficking: Testing Status and Views on Operational Viability of Pulsed Fast Neutron Analysis Technology." GGD-99-54. 15 pp. plus 2 appendices (3 pp.) April 13, 1999: http://www.gao.gov/new.items/gg99054.pdf (85K)