Recently in Security: Airport Category


August 23, 2011

On most of my recent flights I've noticed that the TSA isn't even using whole body imagers—they just have them roped off and send people through standard magnetometers. However, this weekend I flew back from Kauai through Lihue Airport (LIH) and they actually had their Rapiscan imagers active. However, as before they have a magnetometer line and a whole body scanner line and I was able to just select the magnetomer line. I was a little worried that because that was the longer line I would get redirected to the Rapiscan, but that never happened.

Of course after that, I had to get my back secondary checked because I had left a 6+ oz bottle of sunscreen in my bag. But it still didn't include any groping.


May 9, 2011

MSNBC (from Reuters) reports that Sen. Charles Schumer wants Amtrak to create a "no-ride" list for trains (þ Volokh):
Schumer, citing U.S. intelligence analysts, said attacks were also considered on Christmas and New Year's Day and following the president's State of the Union address.

He called on the U.S. Department of Homeland Security to expand the Secure Flight monitoring program, which cross-checks air travelers with the terror watch list in an attempt to prevent anyone on the "no-fly list" from boarding, for use on Amtrak.

Such a procedure would create an Amtrak "no-ride list" to keep suspected terrorists off the U.S. rail system, he said.

This is one of those situations where reasoning by analogy can lead you seriously astray. Airplanes are an unusual case not so much because they are uniquely vulnerable, but because they are uniquely secure. It's true that planes are relatively fragile in that a small amount of explosive can kill a lot of people, and that even small accidends tend to kill everyone. [This is only a partially unique property, though, so a full account of why planes are such an attractive target surely needs to involve some social and psychological factors.] However, they are also ordinarily well protected, so it's hard to get access to them to do damage. At least in theory planes are kept in secure conditions on the ground so it's hard to place a bomb, and obviously once they're in the air it takes something like a surface-to-air missile (or least good luck with a gun) to cause catastrophic damage. This means that if you want to attack a plane, it's very convenient to actually be on it, so it's at least arguably useful to keep suspected terrorists off the plane.

But this doesn't apply to trains, which are (a) not particularly well secured and (b) easily accessible when they are in transit, which means you need to secure hundreds of miles of track. This means that if you want to attack a train, you don't need to be on it, you just need to get access to the track and damage it at the right time. (See here for a list of train accidents). It's like these guys have never seen Bridge on the River Kwai.

Even if that weren't true, it's important to remember that while planes are already a limited-access type thing, trains often are not. Amtrak may do some kind of passenger identification there are lots of commuter trains (e.g., Caltrain) where that not only aren't passengers identified, you can get on the train without a ticket. Instead, the conductors just come by periodically and audit. Converting to a system where you actually checked ID for each passenger before they got on (and remember that something like 50-100 people might get on in 2 minutes on an open platform) seems like it would be prohibitively expensive. These trains don't carry as many people as some Amtrak trains, but they certainly have enough passengers that if you could kill a significant fraction of them it would be bad. And this doesn't even get into the question of subways. In general, train security is set at a level designed to deter fare evasion, not to protect the train itself.

Even if you think that airplane security is set at an appropriate level (which IMHO it probably isn't) this seems like a security measure which comes at a huge amount of cost and very little benefit.


April 12, 2011

I've done a whole pile of flights since my last update on airport whole body imagers. I've flown out of SFO a bunch of times and SJC once. Pretty much every time they've had whole body imagers of one type or another but each time they're only in some fraction of the lines (with the rest of the queues just having magnetometer), so you can pick a line that has the magnetometer. At some checkpoints they do have someone directing you to a specific line, but so far nobody has actually managed to direct me to the imager.

In other news, SJC's new Terminal B is really nice. Aside from just being generally modern, they now have power at something like half the seats (though they don't look that comfortable). (See here). Plus there's a Jamba Juice. Seems like a small thing but considering that your best breakfast option at SFO is an overpriced Peet's small things can matter.


January 3, 2011

Over the past few weeks I've flown three times through airports with the new whole body scanners (SFO terminal 3, SFO international, JFK terminal 2). JFK has the Rapiscan but they didn't seem to be using them at all—they were only in the priority line and a TSA agent was just standing in front of them. At both SFO security checkpoints, they had scanners (ProVisions at international, I don't remember in domestic) and they were using them. I'd been planning to actually decline the scan, but I didn't have to because in both cases they were only in some lines, so it was relatively easy to avoid them by picking which line you went into. At the international checkpoint, I actually had to cut across lines but nobody seemed to care.

If you actually want to get value from a security measure you need to ensure that people can't just bypass it. Consider the case of a terrorist carrying some device which won't show up on the magnetometer but will show up on the whole body imager; you just choose the line with the magnetometer.

Now, most likely the TSA is just getting started up here and eventually they will actually have scanners in every line and make everyone use them. After all, presumably they're not planning to have a bunch of scanners whose only purpose is be something for TSA screeners to lean against. What I'm curious about is whether at SFO TSA will give you the enhanced pat down if you refuse the body scan, since you could have evaded it easily without coming to their attention just by picking the right line.


November 13, 2010

You may have heard that the TSA is moving to ubiquitous use of whole body scanners for security screening. They won't actually make you go through the scanner, but as Jeff Goldberg reports, patdown they're offering isn't a lot of fun:

At BWI, I told the officer who directed me to the back-scatter that I preferred a pat-down. I did this in order to see how effective the manual search would be. When I made this request, a number of TSA officers, to my surprise, began laughing. I asked why. One of them -- the one who would eventually conduct my pat-down -- said that the rules were changing shortly, and that I would soon understand why the back-scatter was preferable to the manual search. I asked him if the new guidelines included a cavity search. "No way. You think Congress would allow that?"

I answered, "If you're a terrorist, you're going to hide your weapons n your anus or your vagina." He blushed when I said "vagina."

"Yes, but starting tomorrow, we're going to start searching your crotchal area" -- this is the word he used, "crotchal" -- and you're not going to like it."

"What am I not going to like?" I asked.

"We have to search up your thighs and between your legs until we meet resistance," he explained.

"Resistance?" I asked.

"Your testicles," he explained.

'That's funny," I said, "because 'The Resistance' is the actual name I've given to my testicles."

One gets the impression from his report that it's being made less fun than strictly necessary. After all, once you've paid a zillion dollars for a bunch of gee whiz technology you want to use it.

I was planning to opt for the patdown next time I went through security anyway, but then I read this letter from UCSFSF Citizen). You should read the whole thing, but this is the really scary part:

Unlike other scanners, these new devices operate at relatively low beam energies (28keV). The majority of their energy is delivered to the skin and the underlying tissue. Thus, while the dose would be safe if it were distributed throughout the volume of the entire body, the dose to the skin may be dangerously high.

The X-ray dose from these devices has often been compared in the media to the cosmic ray exposure inherent to airplane travel or that of a chest X-ray. However, this comparison is very misleading: both the air travel cosmic ray exposure and chest X- rays have much higher X-ray energies and the health consequences are appropriately understood in terms of the whole body volume dose. In contrast, these new airport scanners are largely depositing their energy into the skin and immediately adjacent tissue, and since this is such a small fraction of body weight/vol, possibly by one to two orders of magnitude, the real dose to the skin is now high.

In addition, it appears that real independent safety data do not exist. A search, ultimately finding top FDA radiation physics staff, suggests that the relevant radiation quantity, the Flux [photons per unit area and time (because this is a scanning device)] has not been characterized. Instead an indirect test (Air Kerma) was made that emphasized the whole body exposure value, and thus it appears that the danger is low when compared to cosmic rays during airplane travel and a chest X-ray dose.

In summary, if the key data (flux-integrated photons per unit values) were available, it would be straightforward to accurately model the dose being deposited in the skin and adjacent tissues using available computer codes, which would resolve the potential concerns over radiation damage.

That's sure encouraging. And of course that's just assuming that the machines are functioning as designed. The authors of the letter go on:

Moreover, there are a number of 'red flags' related to the hardware itself. Because this device can scan a human in a few seconds, the X-ray beam is very intense. Any glitch in power at any point in the hardware (or more importantly in software) that stops the device could cause an intense radiation dose to a single spot on the skin. Who will oversee problems with overall dose after repair or software problems?

Surely that could never happen.


November 5, 2010

Flying With Fish reports that the TSA will be restricting toner cartridges (þ Matthew Kaufman):
This coming Monday, the 8th of November, the Transportation Security Administration (TSA) expects to announce that it will prohibit airline passengers from flying with printer ink and toner cartridges, sized at 16oz by volume or larger. This will be Security Directive (SD) 1554-10-05.

As of this evening, the TSA appears to be working on the exact wording of prohibiting these items, however prohibiting printer cartridges poses a few challenges ... mainly that generally printer cartridges do not have their ink or toner volume readily listed on the cartridge its self.

This feels like classic fighting the last war. As far as I can tell there's not much special about printer cartridges. Here's FWF's source:

Now that the global security community is aware of printer cartridges as a potential way to conceal explosives anyone seeking to stay out of the line of sight of security forces will move onto a new item to conceal their weapons. If I was on the front line of aviation security I would suggest seriously looking at desktop hard drives, portable DVD players or home video game consoles. These are all items with enough internal space to pack an explosive in addition to providing the ability to camouflage the trigger wiring harness. Under normal circumstances these items may not catch a second glance, but you have to wonder what kind of person checks a desktop hard drive, portable DVD player or home video game console given the likelihood of damage or theft.

Moreover, if you're going to carry the bomb in carry-on, there's no requirement that the explosive and the triggering mechanism even be in the same package, since you can assemble them in place. All you need is the ability to pack the explosives into something that will pass the x-ray machine (or alternately you can probably walk them through the magnetometer; ever see a "wine rack"?) and then some other place to conceal the triggering mechanism. It seems like it shouldn't be too hard to make it look like some other piece of consumer electronics. Note that since you can separate the trigger mechanism from the explosive, you can have two different people bring them through security, thus arousing even less suspicion (and potentially bearing more scrutiny if you get secondary screening).

It's possible, of course, that for some reason printer toner is really hard to distinguish from explosives using the kind of detection apparatus we have available. In that case, it might possibly make sense to restrict toner (whether in cartridge form or not). However, printer toner is a carbon/plastic compound, so it seems like it would probably show up a lot like any other kind of plastic under X-ray, nitrogen scanning, etc. Even if toner is hard to distinguish from explosives, it doesn't make much sense to restrict it unless it's somehow uniquely hard to distinguish.

Assuming this report is correct, it will be interesting to see what rationale TSA provides.


August 18, 2010

I flew through Amsterdam on the way back from IETF Maastricht and got the opportunity—well, maybe opportunity isn't quite the right word, since I think it was mandatory—to try out the new body scanners they've installed at Schiphol. (My understanding is that they're millimeter wave, but they could be backscatter x-ray.) Anyway, it's pretty straightforward: you walk into the portal, hold your hands up in a goofy position for 5-10 seconds, and then walk on through.

I did get to see what it is the security screeners see on their display for few seconds. Looks like the public reports were right and they really don't get to see much. The display was maybe 8" diagonal with a sort of stylized figure (including hair, so either it's someone else or it's really stylized) with boxes that apparently indicate stuff that was detected. As I understand it, what's going on here is that the real image is shown somewhere else and then some screener elsewhere points out the regions of interest for local handling.

Here's something I've been wondering about: how are those signals transmitted to/from the screening room? Is it wireless or wired? If wireless, what's the security? If wired, do the cables run through an area that's potentially user-accessible. Interestingly, I didn't walk through the magnetometer, which means that the scanner is the sole line of defense for anything you carry on your body. An attacker who could control this network could, it seems to me, suppress warnings from the remote screener and walk through carrying anything he wanted. (They don't really do a complete pat down in many cases.) Another possibility would be to remotely subvert either the screening consoles or the scanner itself. There's sure to be plenty of software in both. Finally—even with a wired network—would be to monitor RF emissions off that network, constituting a privacy threat.

Anyone want to loan me a scanner?


June 6, 2010

Sharon Weinberger has a fairly damning article in Nature on DHS's behavioral screening program, SPOT.
"No scientific evidence exists to support the detection or inference of future behaviour, including intent," declares a 2008 report prepared by the JASON defence advisory group. And the TSA had no business deploying SPOT across the nation's airports "without first validating the scientific basis for identifying suspicious passengers in an airport environment", stated a two-year review of the programme released on 20 May by the Government Accountability Office (GAO), the investigative arm of the US Congress.
[GAO report here]. Apparently, the program is based heavily on Paul Ekman's research on microexpressions (see the TV show "Lie to Me"). There's a bunch of unpersuasive stuff here, for instance:
Ekman's work has brought him cultural acclaim, ranging from a profile in bestselling book Blink -- by Malcolm Gladwell, a staff writer for The New Yorker magazine -- to a fictionalized TV show based on his work, called Lie to Me. But scientists have generally given him a chillier reception. His critics argue that most of his peer-reviewed studies on microexpressions were published decades ago, and much of his more recent writing on the subject has not been peer reviewed. Ekman maintains that this publishing strategy is deliberate -- that he no longer publishes all of the details of his work in the peer-reviewed literature because, he says, those papers are closely followed by scientists in countries such as Syria, Iran and China, which the United States views as a potential threat.

The data that Ekman has made available have not persuaded Charles Honts, a psychologist at Boise State University in Idaho who is an expert in the polygraph or 'lie detector'. Although he was trained on Ekman's coding system in the 1980s, Honts says, he has been unable to replicate Ekman's results on facial coding. David Raskin, a professor emeritus of psychology at the University of Utah in Salt Lake City, says he has had similar problems replicating Ekman's findings. "I have yet to see a comprehensive evaluation" of Ekman's work, he says.


A confounding problem is that the methodology used in SPOT, which is only partially based on Ekman's work, has never been subjected to controlled scientific tests. Nor is there much agreement as to what a fair test should entail. Controlled tests of deception detection typically involve people posing as would-be terrorists and attempting to make it through airport security. Yet Ekman calls this approach "totally bogus", because those playing the parts of 'terrorists' don't face the same stakes as a real terrorist -- and so are unlikely to show the same emotions. "I'm on the record opposed to that sort of testing," he says.

These seem like red flags to me: If we're going to base our defenses on a specific scientific theory about what it takes to detect deception, then it would be nice to have some concrete empirical evidence that the relevant techniques work. If we can't even agree on the terms of the test, then it's hard to see how to have confidence in the system.

We do have some data, though:

The TSA does track statistics. From the SPOT programme's first phase, from January 2006 through to November 2009, according to the agency, behaviour-detection officers referred more than 232,000 people for secondary screening, which involves closer inspection of bags and testing for explosives. The agency notes that the vast majority of those subjected to that extra inspection continued on their travels with no further delays. But 1,710 were arrested, which the TSA cites as evidence for the programme's effectiveness. Critics, however, note that these statistics mean that fewer than 1% of the referrals actually lead to an arrest, and those arrests are overwhelmingly for criminal activities, such as outstanding warrants, completely unrelated to terrorism.

According to the GAO, TSA officials are unsure whether "the SPOT program has ever resulted in the arrest of anyone who is a terrorist, or who was planning to engage in terrorist-related activity". The TSA has hired an independent contractor to assess SPOT. Ekman says he has been apprised of the initial findings, and that they look promising. But the results aren't expected until next year. "It'll be monumental either way," says Maccario.

This seems like something it would be easy to do controlled trials on: say you pick 200,000 random passengers and give them secondary screening (apparently also including a check for outstanding warrants), what fraction would you end up arresting? Even so, if TSA officials are "unsure" I think it's safe to assume that practically none of these arrests have been for anything terrorist-related. After all, if GAO comes asking about the success of your program, wouldn't you deliver the most convincing data you had? So, we're looking at a success rate of somewhere between 0 and (say) 1/20,000. That's not really very impressive.


January 5, 2010

Check out this picture of the arrival escalator at SFO:

I'm not sure exactly what all these gizmos are, but they seem to be some sort of cameras. and one flashed at me as I was coming down the escalator to baggage claim. Note that even though I was coming in from Canada, these are positioned in domestic arrivals, so it's not just a matter of recording people entering the country. On the other hand, I didn't see any cameras on other levels, but maybe I just missed them.

P.S. Have you noticed how the new security measures that seem to be inevitably introduced after attacks, while perhaps not particularly effective, seem to line up pretty well with what the airlines wanted anyway? The rationale for the post-9/11 physical identification requirements is to support the no-fly list, but it also makes tickets non-transferable, which is good for airline revenues. Similarly, the airlines would prefer that people stayed in their seats (this makes beverage service, etc. easier) and brought less carryon, and tada, TSA delivers. OK, that's overstating things a bit; I don't really think TSA is deliberately designing security procedures to accomodate the airlines, but their policies, which are generally restrict passenger choices, have acted in a way that shifts the balance of power between the airlines and their customers in a way that the customers probably wouldn't have accepted if those policies weren't presented as security measures.


December 30, 2009

I flew back from Soviet Canuckistan last night and got to experience the new security measures firsthand. The high order bit is that nearly all carry-on baggage is banned. They make exceptions for a few things like women's purses, medicine, baby stuff, cameras, and laptops (allegedly no chargers but we saw exceptions) but even then you can't carry them in a significant bag: the security lines were full of people carrying their naked laptops. Luckily, Mrs. Guesswork was carrying some stuffable cloth bags which we were able to use as for our laptops, paperwork, a book, etc. My co-worker Derek wasn't as lucky, but the airline customer service rep did provide him with a substitute:

After you've checked all your valuable stuff, you get to go through security. The magnetometer and the bag x-ray are the same, but once you get through that, they hand-search all your stuff as well as giving you an extremely thorough pat-down, said pat-down extending to going through your wallet, presumably in order to verify that your money won't explode. All this was still quite a bit slower than the ordinary security screening, however. As reported previously, the FAs required you to stay in your seat for the last hour of the flight, but didn't try to stop you from having what remained of your stuff in your lap during that time.

As usual, TSA is being pretty uncommunicative about the rationale for the new restrictions. My impression based on Transport Canada's statement is that TSA required a whole bunch of new security restrictions including the hand searches and pat downs and that this created really long wait times at Canadian airports. So while restricting carry-on doesn't serve any real security purpose it does reduce the amount of searching that has to be done and therefore somewhat ameliorates the waiting time problem.

Obviously, keeping you in your seat for the last hour of the flight is pretty pointless. Even if terrorists can't blow themselves up from their seats, nothing stops them from detonating a bomb 61 minutes before landing. This just seems like fighting the last war.

On the other hand, doing really extensive searches of people probably does add some security value. This isn't to say that there's no way for someone to smuggle explosives onto the plane with the current level of screening, but this presumably does increase the required level of sophistication. On the other hand, it's a huge hassle for travelers—I never travel with checked luggage if I can avoid it, but the new restrictions more or less require you to check bags. As I said earlier, the cost/benefit analysis hasn't really changed since before the attempted attack. If it wasn't worth doing this level of searching a month ago, it isn't worth doing it now just because we're freaked out that someone finally tried the attack we knew would eventually come. And if it is worth doing now, then it was worth doing before so why weren't we doing it?

I can't see any reason to have different levels of screening for domestic and international flights. It's not like it's that much easier to lay your hands on explosives in Canada or Europe than in the US, so what stops a terrorist from flying to the US without any weapons or anything, getting explosives and then boarding a plane in the US? The added security is particularly silly on flights which originate in Vancouver and Toronto; ordinarily you clear customs and immigration in the US, so at least in theory terrorists might board the plane in say Frankfurt and not be apprehended until they arrive in San Francisco, at which point it's too late (of course, if the no-fly list actually worked, this would be less of an issue, but since it's actually pretty lame...). However, in many Canadian airports, including YVR and YYZ you clear immigration and customs in Canada (and this is done by TSA agents so there's no concern about not trusting foreigners) and when you land you just get off the plane. For flights from those airports, there's no meaningful distinction between domestic and international flights even if there would have been otherwise.

Ideally, in a week or two the panic response will die down, TSA will relax their restrictions and we'll go back to when we thought just having to take your shoes off was annoying. Reading the tea leaves, though (see, for instance, William Saletan's post here), I suspect that instead this will accelerate the deployment of whole body scanners as an alternative to the pat-downs. Ironically, Wikipedia reports that the first airport deployment of whole body scanners was in Schiphol, the airport where Umar Abdulmutallab (thanks to Wikipedia for the name) boarded; it would be interesting to know if he went through the scanners. Of course whole-body scanners don't let you scan carry-on luggage any faster, so it's hard to see how anything other than a lower level of paranoia will improve that.