Recently in Security: Airport Category

Check out this picture of the arrival escalator at SFO:

I'm not sure exactly what all these gizmos are, but they seem to be some sort of cameras. and one flashed at me as I was coming down the escalator to baggage claim. Note that even though I was coming in from Canada, these are positioned in domestic arrivals, so it's not just a matter of recording people entering the country. On the other hand, I didn't see any cameras on other levels, but maybe I just missed them.

P.S. Have you noticed how the new security measures that seem to be inevitably introduced after attacks, while perhaps not particularly effective, seem to line up pretty well with what the airlines wanted anyway? The rationale for the post-9/11 physical identification requirements is to support the no-fly list, but it also makes tickets non-transferable, which is good for airline revenues. Similarly, the airlines would prefer that people stayed in their seats (this makes beverage service, etc. easier) and brought less carryon, and tada, TSA delivers. OK, that's overstating things a bit; I don't really think TSA is deliberately designing security procedures to accomodate the airlines, but their policies, which are generally restrict passenger choices, have acted in a way that shifts the balance of power between the airlines and their customers in a way that the customers probably wouldn't have accepted if those policies weren't presented as security measures.

I flew back from Soviet Canuckistan last night and got to experience the new security measures firsthand. The high order bit is that nearly all carry-on baggage is banned. They make exceptions for a few things like women's purses, medicine, baby stuff, cameras, and laptops (allegedly no chargers but we saw exceptions) but even then you can't carry them in a significant bag: the security lines were full of people carrying their naked laptops. Luckily, Mrs. Guesswork was carrying some stuffable cloth bags which we were able to use as for our laptops, paperwork, a book, etc. My co-worker Derek wasn't as lucky, but the airline customer service rep did provide him with a substitute:

After you've checked all your valuable stuff, you get to go through security. The magnetometer and the bag x-ray are the same, but once you get through that, they hand-search all your stuff as well as giving you an extremely thorough pat-down, said pat-down extending to going through your wallet, presumably in order to verify that your money won't explode. All this was still quite a bit slower than the ordinary security screening, however. As reported previously, the FAs required you to stay in your seat for the last hour of the flight, but didn't try to stop you from having what remained of your stuff in your lap during that time.

As usual, TSA is being pretty uncommunicative about the rationale for the new restrictions. My impression based on Transport Canada's statement is that TSA required a whole bunch of new security restrictions including the hand searches and pat downs and that this created really long wait times at Canadian airports. So while restricting carry-on doesn't serve any real security purpose it does reduce the amount of searching that has to be done and therefore somewhat ameliorates the waiting time problem.

Obviously, keeping you in your seat for the last hour of the flight is pretty pointless. Even if terrorists can't blow themselves up from their seats, nothing stops them from detonating a bomb 61 minutes before landing. This just seems like fighting the last war.

On the other hand, doing really extensive searches of people probably does add some security value. This isn't to say that there's no way for someone to smuggle explosives onto the plane with the current level of screening, but this presumably does increase the required level of sophistication. On the other hand, it's a huge hassle for travelers—I never travel with checked luggage if I can avoid it, but the new restrictions more or less require you to check bags. As I said earlier, the cost/benefit analysis hasn't really changed since before the attempted attack. If it wasn't worth doing this level of searching a month ago, it isn't worth doing it now just because we're freaked out that someone finally tried the attack we knew would eventually come. And if it is worth doing now, then it was worth doing before so why weren't we doing it?

I can't see any reason to have different levels of screening for domestic and international flights. It's not like it's that much easier to lay your hands on explosives in Canada or Europe than in the US, so what stops a terrorist from flying to the US without any weapons or anything, getting explosives and then boarding a plane in the US? The added security is particularly silly on flights which originate in Vancouver and Toronto; ordinarily you clear customs and immigration in the US, so at least in theory terrorists might board the plane in say Frankfurt and not be apprehended until they arrive in San Francisco, at which point it's too late (of course, if the no-fly list actually worked, this would be less of an issue, but since it's actually pretty lame...). However, in many Canadian airports, including YVR and YYZ you clear immigration and customs in Canada (and this is done by TSA agents so there's no concern about not trusting foreigners) and when you land you just get off the plane. For flights from those airports, there's no meaningful distinction between domestic and international flights even if there would have been otherwise.

Ideally, in a week or two the panic response will die down, TSA will relax their restrictions and we'll go back to when we thought just having to take your shoes off was annoying. Reading the tea leaves, though (see, for instance, William Saletan's post here), I suspect that instead this will accelerate the deployment of whole body scanners as an alternative to the pat-downs. Ironically, Wikipedia reports that the first airport deployment of whole body scanners was in Schiphol, the airport where Umar Abdulmutallab (thanks to Wikipedia for the name) boarded; it would be interesting to know if he went through the scanners. Of course whole-body scanners don't let you scan carry-on luggage any faster, so it's hard to see how anything other than a lower level of paranoia will improve that.

Since some clown from Nigeria decided to try to blow up a 777, apparently the TSA has decided to give us some new security procedures. They're sooper secret, but apparently pretty cool:

TSA has a layered approach to security that allows us to surge resources as needed on a daily basis. We have the ability to quickly implement additional screening measures including explosive detection canine teams, law enforcement officers, gate screening, behavior detection and other measures both seen and unseen. Passengers should not expect to see the same thing at every airport.

Anyway, the new rules appear to apply to international flights into the US and include secondary screening for everyone, requiring passengers to stay in their seats for the final hour of the flight without any carry-on baggage in your lap, including laptops, pillows, and blankets. The other major restriction is restricting you to one carry-on bag. (There are rumors of a no electronics policy but that seems to be only sporadic). I just saw a report on Canadian TV about how much this is slowing things down in Canadian airports and I'm looking forward to experiencing it myself on Tuesday.

At least for me, it's pretty hard to see any rational connection between these restrictions and security (see here for the thread on the TSA blog where commenters express frustration and TSA doesn't even confirm that these restrictions are policy, let alone defend them). Certainly, if you were carrying a bomb you could set it off at any point during the flight. In fact, it's not clear to me that there is anything special about the last hour, except that I guess it's more likely to be over the US, for whatever that's worth. As for limiting you to one carryon, I suppose that's designed to minimize the number of bags they have to screen.

More to the point, it's not clear that any new security measures are required. Eventually someone was bound to try to blow up a bomb on a plane and someone eventually did. It's not like we didn't know that you could carry plastic explosive on your body through the magnetometer, so what exactly has changed that merits reassessing the method of screening, let alone the screening effectiveness/inconvenience tradeoff? I suppose one could argue that maybe this attack is potentially part of a coordinated effort and thus tightened security efforts are temporarily appropriate while we investigate if he had any collaborators, but if that's true at some point TSA should revert to their previous policies. I don't see any reason to keep them at this level indefinitely.

DHS has posted their new laptop border search policy. Actually, there are two policies, one for Customs and Border Protection (CBP) and one for Immigration and Customs Enforcement. Don't ask my why they're different. Here's the CBP policy.

An Officer may detain electronic devices, or copies of information contained therein, for a brief, reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location, and is to be completed as expeditiously as possible. Unless extenuating circumstances exist, the detention of devices ordinarily should not exceed five (5) days.

5.3.1.1 Approval of and Time Frames for Detention. Supervisory approval is required for detaining electronic devices, or copies of information contained therein, for continuation of a border search after an individual's departure from the port or other location of detention. Port Director, Patrol Agent in Charge, or other equivalent level manager approval is required to extend any such detention beyond five (5) days. Extensions of detentions exceeding fifteen (15) days must be approved by the Director Field Operations, Chief Patrol Agent, Director, Air Operations, Director, Marine Operations, or other equivalent manager, and may be approved and re-approved in increments of no more than seven (7) days. Approvals for detention and any extension thereof shall be noted in appropriate CBP systems of records.

And here's the ICE policy:

Special Agents are to complete the search of detained electronic devices, or copies of information therefrom, in a reasonable time given the facts and circumstances of the particular search. Searches are generally to be completed within 30 calendar days of Border Searches of Electronic Devices the date of detention, unless circumstances exist that warrant more time. Such circumstances must be documented in the appropriate ICE systems. Any detention exceeding 30 calendar days must be approved by a Group Supervisor or equivalent, and approved again every 15 calendar days thereafter, and the specific justification for additional time documented in the appropriate ICE systems.

I've argued before that there isn't a very good analogy between ordinary border searches and electronic searches. I'm not surprised that that's not an opinion that's been taken onboard by the feds; after all, this is a convenient excuse to rummage through people's data. Nevertheless, it's frustrating that DHS still doesn't seem very interested in minimizing the impact on travellers. Having your laptop detained by DHS for 5 days, let alone 30, is a pretty large impact on your average business traveler; I would say that my average business trip is no more than a week long, so one could easily imagine that you would be denied access to your device for the entire duration of your stay in the US. A much lower impact procedure would simply be to image the traveler's hard drive and then send them on their way. It's certainly true that this means that DHS has a copy of all your data, but presumably if they have your computer for a week they could have taken an image in any case, so having them just take an image in front of you seems dominant

There is some text in these policies about that, but as far as I can tell it's basically at the discretion of the Special Agent. I would far rather see there be a hard requirement that absent some probable cause for believing there is extra data not present on the hard drive, any search default to a copy. It's important to remember here (again) that laptop searches aren't like drug searches: a laptop isn't a good way of carrying contraband into the country; rather people who are otherwise bad actors might happen to have evidence of their bad actions on their laptops. So, keeping the laptop itself from entering the country isn't anywhere near as important, especially if you're not detaining the traveller.

It's also worth noting that CBP seems to do surprisingly few such searches:

Between Oct. 1, 2008, and Aug. 11, 2009, CBP encountered more than 221 million travelers at U.S. ports of entry. Approximately 1,000 laptop searches were performed in these instances--of those, just 46 were in-depth.

It's hard to know what to make of that. On the one hand, one could say "the overall imposition to travelers is low". On the other hand, one could say that this can't be that valuable an investigative tool if they only use it 46 times in 9 months. I'd be interested to know how many arrests came out of those 46 searches.

Clear Registered Traveler is shutting down. Born out of post-9/11 paranoia, as I've mentioned before, Clear never added much security value, and eventually it became not much more than a way to pay $200 to avoid having to wait in line with everyone else (remember: you eventually went through the same security controls). Of course, that didn't necessarily mean that it wasn't worth it, but seeing as anyone who travels enough to really benefit from bypassing the security line probably has elite status and can bypass a lot of lines anyway. In all the times I went through SFO, I don't think I ever saw anyone use the Clear line.

In response to concerns about H5N1, there have been proposals to adopt (and some adoptions) of body temperature scanners to detect people with the flu. Apparently they're not difficult to defeat:

HANOI (Reuters) - Many sick passengers who flew to Ho Chi Minh City in southern Vietnam took fever reducers to cheat temperature scanners at the airport, leading to the discovery of several infected cases later, state media reported at the weekend.

Nguyen Van Chau, head of Ho Chi Minh City's Health Department, was quoted in state-run Tien Phong (Vanguard) daily as saying "a series of passengers" took fever reducers three hours before arrival.

"That's why when they passed through the airport, the body temperature scanners skipped them," Chau said.

Why does this not surprise me?

Bruce Schneier links to this article about a plane between France and Mexico being diverted because a passenger on board was on the US no-fly list and the plane would have gone over the US. I agree with Bruce that the no-fly list is basically stupid, but once you accept its premises this strikes me as not entirely crazy. If your concern is that someone is going to hijack the plane and crash it into a building, then he doesn't even have to land to do that, just get close enough to the target that it's hard to know what's up and divert him. So, with that reasoning I can see why you would think that it was undesirable to even let him into US airspace. Moreover, it has the side benefit of letting TSA look like they're really trying hard to keep you safe, while (mostly) only inconveniencing foreigners. What's the downside from their perspective?

If you fly much, you've probably heard of Clear, those kiosks near airport security which let you zip through security faster. The way that Clear works is that you sign up, give them some biographical data and biometrics, and of course pay them a bunch of money. They do some kind of background check (unclear how much they actually do) and then issue you a "Clear card", a smart card with your biometrics on it. Then when you go to the airport you present your card, they verify your biometrics, and if everything checks out you get to bypass the security line and go right through the x-ray and magnetometer. As far as I can tell, then, you're just paying $199/year to go to the front of the security line.

The natural question is: if you're just paying to cut in line but you go through the same security screening, what's the purpose of the background check and the biometrics? One could argue, I suppose, that once you know that people were OK, you could give them lighter security screening, but as far as I know that's not what happens: TSA only has two security modes: normal and aggressive (SSSS), but it's fairly easy to avoid aggressive mode with a boarding pass printer, so it's not like you need any system this heavyweight to securely exempt people from random selection. The cynical might argue that the purpose is to protect Clear's ability to extract money from you by preventing you from giving your card to someone else. On the other hand, you don't really need a thumbprint, let alone an irisprint, to stop that. A photo would be plenty. And of course the background check is totally unnecessary.

I suspect that the real reason here is that Clear was originally conceived as a bypass system where you would be able to get lighter (or perhaps no) screening, and in that context the background check made sense. That didn't work out, but the initial security theatre stuck around. After all, how would you explain that it was somehow no longer needed?

Three stories about the TSA's name-based security scheme this week.

• A muslim airline pilot (an American Gulf War I veteran who converted) has lost his flight priviliges because he is on "some TSA list" and is suing
• James Robinson, an airline pilot and retired National Guard Brigadier General says he get hassled whenever he tries to fly

  But there's one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government's terrorist "watch list."

  That means he can't use an airport kiosk to check in; he can't do it online; he can't do it curbside. Instead, like thousands of Americans whose names match a name or alias used by a suspected terrorist on the list, he must go to the ticket counter and have an agent verify that he is James Robinson, the pilot, and not James Robinson, the terrorist.

  "Shocking's a good word; frustrating," Robinson -- the pilot -- said. "I'm carrying a weapon, flying a multimillion-dollar jet with passengers, but I'm still screened as, you know, on the terrorist watch list."

  ...

  But although the list is clearly bloated with misidentifications by every official's account, CNN has learned that it may also be ineffective. Numerous people, including all three Robinsons, have figured out that there are ways not to get flagged by the watch list.

  Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as "J. Pierce Robinson" also has let the family bypass the watch list hassle.

  Capt. James Robinson said he has learned that "Jim Robinson" and "J.K. Robinson" are not on the list.

• The 9th Circuit has ruled that people have a right to sue to get off the no-fly list.

Maybe I'm not cynical enough, but I find the TSA's behavior vis-a-vis the watch list to be somewhat confusing. Here you've got a system that's clearly very inconvenient for a large number of apparently innocent people (even the low range estimates of the size of the watch list are 400,000 people) is trivial to bypass, and really has no evidence that it's useful at all. And rather than somehow quietly roll it back, TSA's response has been to dig in and make it extremely difficult for people on the list. Moreover, they threaten the airlines even for telling people they are on the list. Ordinarily, one can explain the TSA's behavior by recourse to Schneier's "security theater" model, and maybe it's just the circles I travel in, but I don't get the sense that the general public somehow believes this works. And even if they do, would they really be annoyed to hear that Capt. Robinson is slipping through the cracks? Actually, now that I've said that, there is a beyond cynical rationale here for why TSA is so intransigent about removing people: they like it when it comes out that some 10-year old kid is on the watch list. Sure, people realize it's nuts, but that's the evidence that TSA is doing everything it can; they care so much about your security that they'll even stop grandma from flying.

Jayson Ahern from TSA has posted a defense of their laptop border search policy:

First, it's important to note that for more than 200 years, the federal government has been granted the authority to prevent dangerous people and things from entering the United States. Our security measures at the border are rooted in this fundamental fact, and our ability to achieve our border mission would be hampered if we did not apply the same search authorities to electronic media that we have long-applied to physical objects--including documents, photographs, film and other graphic material. Indeed, there are numerous laws that apply to such material at the border including laws regarding intellectual property rights, technical data that can be imported or exported only under state department license and child pornography.

In the 21st century, terrorists and criminals increasingly use laptops and other electronic media to transport illicit materials that were traditionally concealed in bags, containers, notebooks and paper documents. Making full use of our search authorities with respect to items like notebooks and backpacks, while failing to do so with respect to laptops and other devices, would ensure that terrorists and criminals receive less scrutiny at our borders just as their use of technology is becoming more sophisticated.

This result would be ironic given that this same technology actually enables terrorists and criminals to move large amounts of information across the border via laptops and other electronic devices. At the end of the day, we have a responsibility to search items -- electronic or otherwise -- that are being transported across our borders and that could potentially be used to harm our nation's citizens or that are otherwise contrary to law.

It seems to me that this fails to recognize a number of important respects in which your laptop is different from physical objects like documents, photographs, etc.

First, unlike drugs or currency, you don't need to actually carry information across the border in order to bring it into the country. For starters, you just put it on some Web site (GMail, any file sharing site, etc.) and download it once you've entered the country. Standard encryption tools easily suffice to hide the data from interception by the authorities. You don't even need special software; you can use SSL to contact the site. If you're using GMail, Google will even serve you ads relevant to your interest: "Get your discount surface-to-air missiles here." Of course, if you don't want this, you can PGP encrypt your data with some static key you memorize. Even if for some reason you can't figure out how to operate GMail, you can just copy the data onto a CDROM and ship it to yourself. Even if customs can search them—and I interpret this policy as saying they can't search USMail—as a practical matter it's trivial to hide your in digital music or digital video, so even if they do search your mail it's unlikely you'll get caught.

Second, even if you have to bring the data across with you, Digital data is trivial to hide. For instance, a 2G flash memory chip is about 10x10x2 mm. I can think of lots of ways to hide a chip like that in your gear: for instance in a chip-style cash card. Even if you can't contrive to hide this somewhere in your gear, remember that customs needs a much higher level of suspicion to do a body cavity search, so you can simply swallow the chip to bring it across the border. Basically, you can't stop a dedicated attacker from smuggling even large quantities of digital data across the border.

Ahern talks about preventing "dangerous people and things from entering the United States", but this conflates two different issues. For the reasons above, it's not really possible to stop "dangerous" digital data from entering the US. Now, you might be able to stop dangerous people from entering the US if they were stupid enough to forget to erase incriminating data from their laptops and you catch them during your search, but now that it's public knowledge that CBP is searching laptops, we would expect competent terrorists or child pornographers to take note of that, so you should mostly expect to catch the incompetent, and more likely average people who are carrying contraband.

The third way in which laptops are different is that taking your laptop away is extremely invasive. Even if we ignore the arguments (which have already been aired extensively) about how much it compromises your privacy to have all the stuff on your laptop exposed, having your laptop taken away from you is incredibly inconvenient, as anyone who's ever had a hard drive crash can tell you. As I understand the policy, CBP claims that they can just take your equipment indefinitely. Without arguing about whether they're legally allowed to, it should be noted that they could just image the hard drive. This isn't quite as good since they don't get to do a complete search—you could be hiding your flash chips on the motherboard somewhere—but given the ease with which you can hide your media (see above), this seems like it's good enough to catch the stupid people.