November 22, 2004
How many terrorists are there?
John Kelsey responds to this news story on the cryptography mailing list:
>Currently, the federal government shares parts of the list with airlines,
>which are responsible for making sure suspected terrorists don't get on
>planes. People within the commercial aviation industry say the lists have
>the names of more than 100,000 people on them.
This is a goofy number. If there were 100,000 likely terrorists walking the
streets, we'd have buildings and planes and bus stops and restaurants blowing
up every day of the week. I'll bet you're risking your career if you ever take
someone off the watchlist who isn't a congressman or a member of the Saudi
royal family, but that it costs you nothing to add someone to the list. In
fact, I'll bet there are people whose performance evaluations note how many
people they added to the watchlist. This is what often seems to make
watchlists useless--eventually, your list of threats has expanded to include
Elvis Presley and John Lennon, and at that point, you're spending almost all
your time keeping an eye on (or harassing) random harmless bozos.
The point about incentives here is really important. A general problem with security systems is that the people responsible for providing security don't bear much of the cost of the security measures, but they tend to get hammered when a breach occurs (although, come to think of it, nobody important seems to have lost their job over 9/11), so it's hard to get an efficient amount of security. You see this a lot in corporate IT environments, where the admins find it easier to just deny as many services as possible and claim "security".
That said, it's not entirely clear (at least to me) that an efficient system wouldn't mostly involve harassing a bunch of innocent people. The question is what the right balance of false positives and false negatives is. If each false positive costs you $.01 and each false negative costs you $3 billion, it's definitely worth erring on the false positive side...
Posted by ekr at November 22, 2004 6:02 PM