Recently in Security: Airport Category

 

August 18, 2010

I flew through Amsterdam on the way back from IETF Maastricht and got the opportunity—well, maybe opportunity isn't quite the right word, since I think it was mandatory—to try out the new body scanners they've installed at Schiphol. (My understanding is that they're millimeter wave, but they could be backscatter x-ray.) Anyway, it's pretty straightforward: you walk into the portal, hold your hands up in a goofy position for 5-10 seconds, and then walk on through.

I did get to see what it is the security screeners see on their display for a few seconds. Looks like the public reports were right and they really don't get to see much. The display was maybe 8" diagonal with a sort of stylized figure (including hair, so either it's someone else or it's really stylized) with boxes that apparently indicate stuff that was detected. As I understand it, what's going on here is that the real image is shown somewhere else and then some screener elsewhere points out the regions of interest for local handling.

Here's something I've been wondering about: how are those signals transmitted to/from the screening room? Is it wireless or wired? If wireless, what's the security? If wired, do the cables run through an area that's potentially user-accessible? Interestingly, I didn't walk through the magnetometer, which means that the scanner is the sole line of defense for anything you carry on your body. An attacker who could control this network could, it seems to me, suppress warnings from the remote screener and walk through carrying anything he wanted. (They don't really do a complete pat down in many cases.) Another possibility would be to remotely subvert either the screening consoles or the scanner itself. There's sure to be plenty of software in both. Finally—even with a wired network—one could monitor RF emissions off that network, constituting a privacy threat.

Anyone want to loan me a scanner?

 

June 6, 2010

Sharon Weinberger has a fairly damning article in Nature on DHS's behavioral screening program, SPOT.
"No scientific evidence exists to support the detection or inference of future behaviour, including intent," declares a 2008 report prepared by the JASON defence advisory group. And the TSA had no business deploying SPOT across the nation's airports "without first validating the scientific basis for identifying suspicious passengers in an airport environment", stated a two-year review of the programme released on 20 May by the Government Accountability Office (GAO), the investigative arm of the US Congress.
[GAO report here]. Apparently, the program is based heavily on Paul Ekman's research on microexpressions (see the TV show "Lie to Me"). There's a bunch of unpersuasive stuff here, for instance:
Ekman's work has brought him cultural acclaim, ranging from a profile in bestselling book Blink -- by Malcolm Gladwell, a staff writer for The New Yorker magazine -- to a fictionalized TV show based on his work, called Lie to Me. But scientists have generally given him a chillier reception. His critics argue that most of his peer-reviewed studies on microexpressions were published decades ago, and much of his more recent writing on the subject has not been peer reviewed. Ekman maintains that this publishing strategy is deliberate -- that he no longer publishes all of the details of his work in the peer-reviewed literature because, he says, those papers are closely followed by scientists in countries such as Syria, Iran and China, which the United States views as a potential threat.

The data that Ekman has made available have not persuaded Charles Honts, a psychologist at Boise State University in Idaho who is an expert in the polygraph or 'lie detector'. Although he was trained on Ekman's coding system in the 1980s, Honts says, he has been unable to replicate Ekman's results on facial coding. David Raskin, a professor emeritus of psychology at the University of Utah in Salt Lake City, says he has had similar problems replicating Ekman's findings. "I have yet to see a comprehensive evaluation" of Ekman's work, he says.

...

A confounding problem is that the methodology used in SPOT, which is only partially based on Ekman's work, has never been subjected to controlled scientific tests. Nor is there much agreement as to what a fair test should entail. Controlled tests of deception detection typically involve people posing as would-be terrorists and attempting to make it through airport security. Yet Ekman calls this approach "totally bogus", because those playing the parts of 'terrorists' don't face the same stakes as a real terrorist -- and so are unlikely to show the same emotions. "I'm on the record opposed to that sort of testing," he says.

These seem like red flags to me: If we're going to base our defenses on a specific scientific theory about what it takes to detect deception, then it would be nice to have some concrete empirical evidence that the relevant techniques work. If we can't even agree on the terms of the test, then it's hard to see how to have confidence in the system.

We do have some data, though:

The TSA does track statistics. From the SPOT programme's first phase, from January 2006 through to November 2009, according to the agency, behaviour-detection officers referred more than 232,000 people for secondary screening, which involves closer inspection of bags and testing for explosives. The agency notes that the vast majority of those subjected to that extra inspection continued on their travels with no further delays. But 1,710 were arrested, which the TSA cites as evidence for the programme's effectiveness. Critics, however, note that these statistics mean that fewer than 1% of the referrals actually lead to an arrest, and those arrests are overwhelmingly for criminal activities, such as outstanding warrants, completely unrelated to terrorism.

According to the GAO, TSA officials are unsure whether "the SPOT program has ever resulted in the arrest of anyone who is a terrorist, or who was planning to engage in terrorist-related activity". The TSA has hired an independent contractor to assess SPOT. Ekman says he has been apprised of the initial findings, and that they look promising. But the results aren't expected until next year. "It'll be monumental either way," says Maccario.

This seems like something it would be easy to do controlled trials on: say you pick 200,000 random passengers and give them secondary screening (apparently also including a check for outstanding warrants), what fraction would you end up arresting? Even so, if TSA officials are "unsure" I think it's safe to assume that practically none of these arrests have been for anything terrorist-related. After all, if GAO comes asking about the success of your program, wouldn't you deliver the most convincing data you had? So, we're looking at a success rate of somewhere between 0 and (say) 1/20,000. That's not really very impressive.

 

January 5, 2010

Check out this picture of the arrival escalator at SFO:

I'm not sure exactly what all these gizmos are, but they seem to be some sort of cameras, and one flashed at me as I was coming down the escalator to baggage claim. Note that even though I was coming in from Canada, these are positioned in domestic arrivals, so it's not just a matter of recording people entering the country. On the other hand, I didn't see any cameras on other levels, but maybe I just missed them.

P.S. Have you noticed how the new security measures that seem to be inevitably introduced after attacks, while perhaps not particularly effective, seem to line up pretty well with what the airlines wanted anyway? The rationale for the post-9/11 physical identification requirements is to support the no-fly list, but it also makes tickets non-transferable, which is good for airline revenues. Similarly, the airlines would prefer that people stayed in their seats (this makes beverage service, etc. easier) and brought less carryon, and tada, TSA delivers. OK, that's overstating things a bit; I don't really think TSA is deliberately designing security procedures to accommodate the airlines, but their policies, which generally restrict passenger choices, have acted in a way that shifts the balance of power between the airlines and their customers in a way that the customers probably wouldn't have accepted if those policies weren't presented as security measures.

 

December 30, 2009

I flew back from Soviet Canuckistan last night and got to experience the new security measures firsthand. The high order bit is that nearly all carry-on baggage is banned. They make exceptions for a few things like women's purses, medicine, baby stuff, cameras, and laptops (allegedly no chargers but we saw exceptions) but even then you can't carry them in a significant bag: the security lines were full of people carrying their naked laptops. Luckily, Mrs. Guesswork was carrying some stuffable cloth bags which we were able to use for our laptops, paperwork, a book, etc. My co-worker Derek wasn't as lucky, but the airline customer service rep did provide him with a substitute:

After you've checked all your valuable stuff, you get to go through security. The magnetometer and the bag x-ray are the same, but once you get through that, they hand-search all your stuff as well as giving you an extremely thorough pat-down, said pat-down extending to going through your wallet, presumably in order to verify that your money won't explode. All this was still quite a bit slower than the ordinary security screening, however. As reported previously, the FAs required you to stay in your seat for the last hour of the flight, but didn't try to stop you from having what remained of your stuff in your lap during that time.

As usual, TSA is being pretty uncommunicative about the rationale for the new restrictions. My impression based on Transport Canada's statement is that TSA required a whole bunch of new security restrictions including the hand searches and pat downs and that this created really long wait times at Canadian airports. So while restricting carry-on doesn't serve any real security purpose it does reduce the amount of searching that has to be done and therefore somewhat ameliorates the waiting time problem.

Obviously, keeping you in your seat for the last hour of the flight is pretty pointless. Even if terrorists can't blow themselves up from their seats, nothing stops them from detonating a bomb 61 minutes before landing. This just seems like fighting the last war.

On the other hand, doing really extensive searches of people probably does add some security value. This isn't to say that there's no way for someone to smuggle explosives onto the plane with the current level of screening, but this presumably does increase the required level of sophistication. On the other hand, it's a huge hassle for travelers—I never travel with checked luggage if I can avoid it, but the new restrictions more or less require you to check bags. As I said earlier, the cost/benefit analysis hasn't really changed since before the attempted attack. If it wasn't worth doing this level of searching a month ago, it isn't worth doing it now just because we're freaked out that someone finally tried the attack we knew would eventually come. And if it is worth doing now, then it was worth doing before so why weren't we doing it?

I can't see any reason to have different levels of screening for domestic and international flights. It's not like it's that much easier to lay your hands on explosives in Canada or Europe than in the US, so what stops a terrorist from flying to the US without any weapons or anything, getting explosives and then boarding a plane in the US? The added security is particularly silly on flights which originate in Vancouver and Toronto; ordinarily you clear customs and immigration in the US, so at least in theory terrorists might board the plane in say Frankfurt and not be apprehended until they arrive in San Francisco, at which point it's too late (of course, if the no-fly list actually worked, this would be less of an issue, but since it's actually pretty lame...). However, in many Canadian airports, including YVR and YYZ you clear immigration and customs in Canada (and this is done by TSA agents so there's no concern about not trusting foreigners) and when you land you just get off the plane. For flights from those airports, there's no meaningful distinction between domestic and international flights even if there would have been otherwise.

Ideally, in a week or two the panic response will die down, TSA will relax their restrictions and we'll go back to when we thought just having to take your shoes off was annoying. Reading the tea leaves, though (see, for instance, William Saletan's post here), I suspect that instead this will accelerate the deployment of whole body scanners as an alternative to the pat-downs. Ironically, Wikipedia reports that the first airport deployment of whole body scanners was in Schiphol, the airport where Umar Abdulmutallab (thanks to Wikipedia for the name) boarded; it would be interesting to know if he went through the scanners. Of course whole-body scanners don't let you scan carry-on luggage any faster, so it's hard to see how anything other than a lower level of paranoia will improve that.

 

December 27, 2009

Since some clown from Nigeria decided to try to blow up a 777, apparently the TSA has decided to give us some new security procedures. They're sooper secret, but apparently pretty cool:

TSA has a layered approach to security that allows us to surge resources as needed on a daily basis. We have the ability to quickly implement additional screening measures including explosive detection canine teams, law enforcement officers, gate screening, behavior detection and other measures both seen and unseen. Passengers should not expect to see the same thing at every airport.

Anyway, the new rules appear to apply to international flights into the US and include secondary screening for everyone, requiring passengers to stay in their seats for the final hour of the flight without any carry-on baggage in your lap, including laptops, pillows, and blankets. The other major restriction is restricting you to one carry-on bag. (There are rumors of a no electronics policy but that seems to be only sporadic). I just saw a report on Canadian TV about how much this is slowing things down in Canadian airports and I'm looking forward to experiencing it myself on Tuesday.

At least for me, it's pretty hard to see any rational connection between these restrictions and security (see here for the thread on the TSA blog where commenters express frustration and TSA doesn't even confirm that these restrictions are policy, let alone defend them). Certainly, if you were carrying a bomb you could set it off at any point during the flight. In fact, it's not clear to me that there is anything special about the last hour, except that I guess it's more likely to be over the US, for whatever that's worth. As for limiting you to one carryon, I suppose that's designed to minimize the number of bags they have to screen.

More to the point, it's not clear that any new security measures are required. Eventually someone was bound to try to blow up a bomb on a plane and someone eventually did. It's not like we didn't know that you could carry plastic explosive on your body through the magnetometer, so what exactly has changed that merits reassessing the method of screening, let alone the screening effectiveness/inconvenience tradeoff? I suppose one could argue that maybe this attack is potentially part of a coordinated effort and thus tightened security efforts are temporarily appropriate while we investigate if he had any collaborators, but if that's true at some point TSA should revert to their previous policies. I don't see any reason to keep them at this level indefinitely.

 

August 31, 2009

DHS has posted their new laptop border search policy. Actually, there are two policies, one for Customs and Border Protection (CBP) and one for Immigration and Customs Enforcement. Don't ask me why they're different. Here's the CBP policy.
An Officer may detain electronic devices, or copies of information contained therein, for a brief, reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location, and is to be completed as expeditiously as possible. Unless extenuating circumstances exist, the detention of devices ordinarily should not exceed five (5) days.

5.3.1.1 Approval of and Time Frames for Detention. Supervisory approval is required for detaining electronic devices, or copies of information contained therein, for continuation of a border search after an individual's departure from the port or other location of detention. Port Director, Patrol Agent in Charge, or other equivalent level manager approval is required to extend any such detention beyond five (5) days. Extensions of detentions exceeding fifteen (15) days must be approved by the Director Field Operations, Chief Patrol Agent, Director, Air Operations, Director, Marine Operations, or other equivalent manager, and may be approved and re-approved in increments of no more than seven (7) days. Approvals for detention and any extension thereof shall be noted in appropriate CBP systems of records.

And here's the ICE policy:

Special Agents are to complete the search of detained electronic devices, or copies of information therefrom, in a reasonable time given the facts and circumstances of the particular search. Searches are generally to be completed within 30 calendar days of the date of detention, unless circumstances exist that warrant more time. Such circumstances must be documented in the appropriate ICE systems. Any detention exceeding 30 calendar days must be approved by a Group Supervisor or equivalent, and approved again every 15 calendar days thereafter, and the specific justification for additional time documented in the appropriate ICE systems.

I've argued before that there isn't a very good analogy between ordinary border searches and electronic searches. I'm not surprised that that's not an opinion that's been taken onboard by the feds; after all, this is a convenient excuse to rummage through people's data. Nevertheless, it's frustrating that DHS still doesn't seem very interested in minimizing the impact on travellers. Having your laptop detained by DHS for 5 days, let alone 30, is a pretty large impact on your average business traveler; I would say that my average business trip is no more than a week long, so one could easily imagine that you would be denied access to your device for the entire duration of your stay in the US. A much lower impact procedure would simply be to image the traveler's hard drive and then send them on their way. It's certainly true that this means that DHS has a copy of all your data, but presumably if they have your computer for a week they could have taken an image in any case, so having them just take an image in front of you seems dominant.

There is some text in these policies about that, but as far as I can tell it's basically at the discretion of the Special Agent. I would far rather see there be a hard requirement that absent some probable cause for believing there is extra data not present on the hard drive, any search default to a copy. It's important to remember here (again) that laptop searches aren't like drug searches: a laptop isn't a good way of carrying contraband into the country; rather people who are otherwise bad actors might happen to have evidence of their bad actions on their laptops. So, keeping the laptop itself from entering the country isn't anywhere near as important, especially if you're not detaining the traveller.

It's also worth noting that CBP seems to do surprisingly few such searches:

Between Oct. 1, 2008, and Aug. 11, 2009, CBP encountered more than 221 million travelers at U.S. ports of entry. Approximately 1,000 laptop searches were performed in these instances--of those, just 46 were in-depth.

It's hard to know what to make of that. On the one hand, one could say "the overall imposition to travelers is low". On the other hand, one could say that this can't be that valuable an investigative tool if they only use it 46 times in 9 months. I'd be interested to know how many arrests came out of those 46 searches.

 

June 23, 2009

Clear Registered Traveler is shutting down. Born out of post-9/11 paranoia, as I've mentioned before, Clear never added much security value, and eventually it became not much more than a way to pay $200 to avoid having to wait in line with everyone else (remember: you eventually went through the same security controls). Of course, that didn't necessarily mean that it wasn't worth it, but anyone who travels enough to really benefit from bypassing the security line probably has elite status and can bypass a lot of lines anyway. In all the times I went through SFO, I don't think I ever saw anyone use the Clear line.
 

June 17, 2009

In response to concerns about H5N1, there have been proposals to adopt (and some adoptions of) body temperature scanners to detect people with the flu. Apparently they're not difficult to defeat:
HANOI (Reuters) - Many sick passengers who flew to Ho Chi Minh City in southern Vietnam took fever reducers to cheat temperature scanners at the airport, leading to the discovery of several infected cases later, state media reported at the weekend.

Nguyen Van Chau, head of Ho Chi Minh City's Health Department, was quoted in state-run Tien Phong (Vanguard) daily as saying "a series of passengers" took fever reducers three hours before arrival.

"That's why when they passed through the airport, the body temperature scanners skipped them," Chau said.

Why does this not surprise me?

 

April 28, 2009

Bruce Schneier links to this article about a plane between France and Mexico being diverted because a passenger on board was on the US no-fly list and the plane would have gone over the US. I agree with Bruce that the no-fly list is basically stupid, but once you accept its premises this strikes me as not entirely crazy. If your concern is that someone is going to hijack the plane and crash it into a building, then he doesn't even have to land to do that, just get close enough to the target that it's hard to know what's up and divert him. So, with that reasoning I can see why you would think that it was undesirable to even let him into US airspace. Moreover, it has the side benefit of letting TSA look like they're really trying hard to keep you safe, while (mostly) only inconveniencing foreigners. What's the downside from their perspective?
 

November 24, 2008

If you fly much, you've probably heard of Clear, those kiosks near airport security which let you zip through security faster. The way that Clear works is that you sign up, give them some biographical data and biometrics, and of course pay them a bunch of money. They do some kind of background check (unclear how much they actually do) and then issue you a "Clear card", a smart card with your biometrics on it. Then when you go to the airport you present your card, they verify your biometrics, and if everything checks out you get to bypass the security line and go right through the x-ray and magnetometer. As far as I can tell, then, you're just paying $199/year to go to the front of the security line.

The natural question is: if you're just paying to cut in line but you go through the same security screening, what's the purpose of the background check and the biometrics? One could argue, I suppose, that once you know that people were OK, you could give them lighter security screening, but as far as I know that's not what happens: TSA only has two security modes: normal and aggressive (SSSS), but it's fairly easy to avoid aggressive mode with a boarding pass printer, so it's not like you need any system this heavyweight to securely exempt people from random selection. The cynical might argue that the purpose is to protect Clear's ability to extract money from you by preventing you from giving your card to someone else. On the other hand, you don't really need a thumbprint, let alone an irisprint, to stop that. A photo would be plenty. And of course the background check is totally unnecessary.

I suspect that the real reason here is that Clear was originally conceived as a bypass system where you would be able to get lighter (or perhaps no) screening, and in that context the background check made sense. That didn't work out, but the initial security theatre stuck around. After all, how would you explain that it was somehow no longer needed?