22 April 1999
To: cypherpunks@cyberpass.net From: daw@cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.cypherpunks Subject: CDR: Re: FAA's new air passenger surveillance system Date: 20 Apr 1999 20:14:24 -0700 In article <19990420140743.DXRW2718@alaptop.hotwired.com>, Declan McCullagh <declan@well.com> wrote: > Tourist or Terrorist? > by Declan McCullagh (declan@wired.com) > > 3:00 a.m. 20.Apr.99.PDT > WASHINGTON -- A US$2.8-billion monitoring system > championed by Vice President Gore will > use computer profiles to single out airline > passengers for investigation and scrutiny. Thanks for forwarding this. I've actually done a fair amount of research into the FAA's photo ID security requirements, and what I've learned has really depressed me. What most people don't know is that the FAA regulations which require airlines to ask for photo ID don't apply if you aren't checking luggage. (Caveats: Only applies to domestic flights. And a few airlines have stricter regulations than what's required by law. I last checked about 6 months ago; if the policy has changed since then, all bets are off.) However, there's an education problem -- many airline employees don't know this, and in practice you will have a hard time convincing them. Sadly, I think the FAA is complicit in this problem -- when I called them, they (reluctantly) confirmed over the phone that this is indeed their policy once I volunteered that I knew about it, but flat out refused to confirm it in written form (!), saying that this information only goes to those with a need-to-know. But leaving that aside, what's far worse (to my mind) is that most of these invasive "security" procedures are of dubious effectiveness. In all honesty, I think they would be unlikely to slow down a motivated adversary much. For kicks, I've done some investigation and testing, and here is some analysis on their effectiveness [1]: 1. Hand-searching carry-on luggage for selectees: easily bypassed. (Anecdote: Whem I fly as a selectee, the usual procedure is that they search my luggage at the gate in advance, then let me roam before boarding. This does not require much thought to bypass: show up early, stash your bag in a public locker before the search, then retrieve it afterwards.) (Anecdote: Once, rather than searching my bags immediately, the checkin agent put a sticker on ticket that was supposed to alert the gate agent not to let me on the plane without searching my bag. I was truly impressed: I thought for once their hand-search procedure was going to be effective. When I got to the gate, the gate agent stared at the sticker for about 30 seconds, clearly not sure what it meant, then finally looked at me and waved me through, without the search. Maybe it was just a fluke, but I'm skeptical.) 2. Photo ID requirements: laughable. (I assume I don't need to mention that if teenagers find it easy to obtain fake IDs, presumably would-be terrorists can also get one.) 3. Profiling: I am very skeptical. (Suppose I have an ID under a false name. I use it to get a credit card under that name, then buy a suit and a round-trip ticket in first class. How is the profiling going to pick me out of the crowd of business travelers??) 4. Random bag searches as you pass through the metal detectors: probably not very reliable, though surely they help a little. (Anecdote: When the security guard at the X-ray detector asked if he could search my bag (a random suspicion-less search), I played dumb and asked "Do I have to?". He said, warmly, "Oh, are you late for your flight?". When I nodded yes, he let me go without searching. Friendly guy!) (Anecdote: One FAA document had to advise security guards to not pick just small bags for the "random" searches. Turns out that some guards were avoiding the big bags because they took more effort to search.) 5. The metal detectors & X-ray machines entering the gate: actually a pretty good defense, but they can be defeated without too much effort. (Simple attack: carry a big bulky "laptop" that actually contains a pound of nasty explosives. This is pretty hard for the good guys to stop with current procedures, sadly...) (Anecdote: Ever wonder how they get the beer and other supplies into the bars and restaurant near the gate? Lucky Green tells an eye-opening story about the time he saw them wheeling these kegs of beer around the metal detectors as the guards waved them on. When you realize that these are opaque containers that block X-rays, it is clear that pretty much anything could potentially be transported past the security perimeter in a keg, no questions asked, if you can position yourself as the beer-supplier.) 6. Positive bag matching. PBM is seems like it must be a pretty good defense, if you assume the terrorist doesn't want to die from his own bomb, and if you apply it to every passenger, although even then, it still can be defeated. (The attack that seems hard to prevent: The terrorist finds a flight with a stopover, boards with a bomb in his carry-on luggage, then gets off the plane at the intermediate destination (leaving his carry-ons up in the overhead compartment) and never re-boards.) (Another weakness: In practice, it's only applied to fliers that "hit" in the profile, so adversaries actually have two ways to defeat PBM: avoid the profile, or play the stopover trick mentioned above.) Notice how the most privacy-invasive security techniques (ID checks, profiling, hand-searches, etc.) are also the ones that are the least likely to be effective in practice? It seems the ineffective techniques (photo ID checks, etc.) are there just to reassure the flying public that the FAA "is doing something", i.e. perception management (normally called "pulling the wool over your eyes") rather than real security. Sadly, it's exactly their privacy-invasive nature which makes these techniques work well for perception management, so I don't think we'll be rid of this problem soon. Another big problem the good guys have is transitive trust. If you pass security in Podunk Airport and fly to JF Kennedy, you can then wander around the "secure" area and get on another flight from JFK to SFO, without ever going through security in JFK -- and if Podunk Air is lax about security, you can use them to bypass the strict security in JFK. In other words, the security of the US airport system is only as strong as its weakest link. I don't envy the position of those responsible for aviation security; if the goal truly is to prevent terrorist attacks (not just to project a false sense of security, as the cynics would suggest), they have a very hard problem on their hands. However, I fear that the FAA has struck a terrible balance in their current aviation security policy: it is not strict enough to offer real defense, but just harsh enough to invade our privacy -- we give up some of our freedom when flying, and in return, all we get is "security procedures" that don't actually do much to protect us. All this is surely old hat for the grizzled cypherpunk, but depressing nonetheless. Footnote 1. Normally I would be a little reluctant to post this kind of detailed information on weaknesses in the aviation security infrastructure -- while I value my privacy and freedom to travel, the last thing I want to happen is for someone to go bomb a plane after reading this post (no matter how unlikely that may be in practice). Nonetheless, if we as a society are going to make an informed policy decision, we can't kid ourselves. We live in a democracy, and the public needs to know the flat honest truth. It's one thing to sacrifice some privacy if you gain a lot of security in return. It's another thing entirely to needlessly sacrifice freedom if we gain absolutely no security in return. And I think the evidence shows that we have gained nothing in return for the extra restrictions on our freedom to travel. The real terrorists surely know this; the flying public deserves to know, too.
See also "Terrorism and Drug Trafficking: Testing Status and Views on Operational Viability of Pulsed Fast Neutron Analysis Technology." GGD-99-54. 15 pp. plus 2 appendices (3 pp.) April 13, 1999: http://www.gao.gov/new.items/gg99054.pdf (85K)