“What we obtain too cheap,” Thomas Paine famously wrote, “we esteem too lightly”—and it turns out that the converse holds true as well. It’s a well known and robustly confirmed finding of social psychology that people tend to ascribe greater value to things they had to pay a high cost to obtain. So, for instance, people who must endure some form of embarrassing or uncomfortable hazing process or initiation rite to join a group will report valuing their participation in that group much more highly than those admitted without any such requirement—which is one reason such rituals are all but ubiquitous in human societies as a way of creating commitment. Studies suggest that people are more likely to read automobile reviews after purchasing a new car than before—suggesting that people are sometimes less concerned with spending money in the most judicious fashion than with convincing themselves, after the fact, that they have done so. More morbidly, relatives of soldiers killed in action sometimes become much more fervent supporters of the war that cost them a loved one—because the thought that such a grave loss served no good purpose is too much to stomach.

I suspect that this phenomenon may help explain the dispiriting state of affairs described by an airline industry insider in an important Wired piece on airport security. The short version: we’ve spent some $56 billion on “enhancing” airport security over the past decade, with almost no actual security enhancement to show for it. We’re spending huge amounts of money and effort on burdensome passenger screening that doesn’t seem very effective, while neglecting other, far more vulnerable attack surfaces. It is, when you think about it, a somewhat strange priority given the abundance of highly vulnerable domestic targets. Reinforced cockpit doors and changed passenger behavior pretty much made a repeat of a 9/11-style suicide hijacking of a domestic flight infeasible—at negligible economic and privacy cost—long before we started installing Total Recall style naked-scanners, which makes explosives the real remaining risk. Yet the notable bombing attempts by passengers we’ve seen since 9/11 have (a) originated outside the United States, and (b) been foiled by alert passengers after the aspiring bomber slipped through the originating country’s formal screening process.

This shouldn’t be terribly surprising: when a terror group has already managed to get an operative into the United States, a domestic flight (that can’t be turned into a missile) would be one of the stupider, riskier targets to select, given the enormous array of much softer target options that would be available at that point, even assuming pre-9/11 airport security protocols. As far as I’m aware, the last time a passenger successfully detonated a bomb on a U.S. domestic flight was in 1962. This presents something of a puzzle: Why have we focused so disproportionately on this specific attack vector, at such disproportionate cost, when the terrorists themselves have not? Why haven’t we reallocated scarce resources to security measures (such as better screening of airline employees) that would provide greater security benefit at the margins? One possibility is that, having accustomed ourselves to submitting to the hassle and indignity of ever more aggressive passenger screening, we become more disposed to believe that these measures are necessary.

It’s become commonplace to refer to many aspects of airport screening—the removal of shoes, the transparent plastic baggies for your small allotment of shampoo—as “security theater.” Security guru Bruce Schneier coined the term to refer to security measures whose ritualistic purpose is to make passengers feel safer, even though they do almost nothing to actually increase safety. But on reflection, this seems wrong. It probably holds true in the immediate aftermath of a high-profile attack or disaster. Once the initial heightened fear subsides, however, these visible and elaborate security measures probably do more to increase our perception of risk than to assuage our fears. It is, after all, something of a cliche that hyperprotective parents tend to end up raising children who see the world as a more dangerous place. Overreacting to childhood illnesses is one reliable way of producing adult hypochondriacs down the road.

Security theater, then, isn’t only—or even primarily—about making us feel safer. It’s about making us feel we wouldn’t be safe without it. The more we submit to intrusive monitoring, the more convinced we become that the intrusions are an absolute necessity. To think otherwise is to face the demeaning possibility that we have been stripped, probed, and made to jump through hoops all this time for no good reason at all. The longer we pay the costs—in time, privacy, and dignity no less than tax dollars—the more convinced we become that we must be buying something worth the price. Hence, the Security Theater Cycle: the longer the ritual persists, the more normal it comes to seem, the more it serves as psychological proof of its own necessity.

The Security Theater Cycle is a post from Cato @ Liberty - Cato Institute Blog

TSA screeners and behavior detection officers may give you extra attention if you complain about security protocols (video at the jump). Former FBI agent Michael German sums up my feelings pretty well:

It’s circular reasoning where, you know, I’m going to ask someone to surrender their rights; if they refuse, that’s evidence that I need to take their rights away from them. And it’s simply inappropriate.

In related news, the GAO recently told Congress that the TSA’s Screening Passengers by Observation Technique (SPOT) is not scientifically grounded. The GAO testimony is available here.

More Cato work on TSA screening here, here and here.

TSA: If You Object to Giving Up Your Rights, We Should Take a Closer Look at You is a post from Cato @ Liberty - Cato Institute Blog

Washington Post staff writers Anne Kornblut and Ashley Halsey cite “experts” six times in a story today about the nascent pendulum swing in airport security policy back toward government investigation of travelers.

“[M]ore than a dozen U.S. officials, lawmakers and experts interviewed said they would like to move to a system that relies more on passenger data than on airport checkpoint screening,” they write. “[I]f the security system were allowed to access even more — such as personal information collected by companies that do credit ratings — suspicious passengers would be more readily identified, experts say.”

Without irony, they cite these methods as a way of closing gaps in current airport security. But no system would be quite so gapped as a system of mass investigations. As I wrote recently with regard to the “Trusted Traveler” notion, which has the same provenance:

[P]recisely what biographical information assures that a person is “good”? (The proposal is for government action: it would be a violation of due process to keep the criteria secret and an equal protection violation to unfairly divide good and bad.) How do we know a person hasn’t gone bad from the time that their goodness was established?

Kornblut and Halsey have turned up what appears to be a new idea by citing only experts who have not thought through the weaknesses, due process issues, and privacy costs in identity-based security. Mass investigation of air travelers is rebranded dog food. We don’t need to run to the bowl and drive our snouts into it.

Continuing the canine analogy, note how much tail-chasing there is in airport security policy. Kornblut and Halsey write:

[P]assengers must surrender sharp objects (a response to the Sept. 11 attacks) and slip off their shoes (a response to the 2001 would-be shoe bomber). They must remove liquids from their bags (a result of a 2006 plot to blow up planes), and, as of a few weeks ago, they must submit to body scans or pat-downs (a process accelerated by the attempted airline bombing last Christmas Day).

Terrorists can throw new tactics at us endlessly, causing us each time to add billions more in spending and undercut our liberty and prosperity.

The reason for the tail-chasing is the formulation reported in a companion piece to the main story:

“The terrorists just have to get it right once. The people who are trying to stop them can get it right 99.9 percent of the time and then when something happens, people get upset and want to vote out of office the people they hold responsible.”

It’s nice to see this formulation racheted back to where terrorism threatens politicians. In other versions, the success of any attack has been treated as a threat to the whole nation—an “existential” threat, no less. But even as to politicians, it’s not a given of terrorism that “they only have to get it right once.” It’s only true if politicians (lie to us and) promise that terrorists will have zero successes, treating our nation as so fragile and weak that the fragile-America prophecy self-fulfills.

The alternative is to adopt a national mind-set of indomitability rather than fragility. It is risk acceptance when the costs of risk avoidance are too high.

Cato has hosted true experts on terrorism and counterterrorism at two significant conferences, one in January 2009 and another in January 2010. A good framework for re-thinking counterterrorism policy can be found in the Cato book, Terrorizing Ourselves: Why U.S. Counterterrorism Policy is Failing and How to Fix It.

Investigate All Air Travelers, Say Experts in Dog Food Rebranding is a post from Cato @ Liberty - Cato Institute Blog

In a humbly-toned USA Today opinion piece yesterday, Secretary of Homeland Security Janet Napolitano asked for the public’s cooperation with airline security measures the Transportation Security Administration has recently implemented. The TSA has come up with an invasive pairing: ”Advanced Imaging Technology,” also known as “strip-search machines” and, for those refusing, “enhanced” pat-downs which explore areas of the body typically reserved for one’s spouse or doctor.

Anecdotal reports suggest that the machines are being used to ogle women, and we are seeing disturbing images and videos of children being handled by strangers online. The public is increasingly agitated by the TSA’s latest amendment to the air travel ordeal, and a “National Opt-Out Day” is slated for next Wednesday, the biggest travel day of the year.

Twice, Secretary Napolitano notes that these measures are “risk-based” or “driven by . . . risk.” But has the Department of Homeland Security conducted the necessary risk management studies to validate these programs? A March 2010 Government Accountability Office report says:

[I]t remains unclear whether the AIT would have detected the weapon used in the December 2009 incident based on the preliminary information GAO has received. . . . In October 2009, GAO also recommended that TSA complete cost-benefit analyses for new passenger screening technologies. While TSA conducted a life-cycle cost estimate and an alternatives analysis for the AIT, it reported that it has not conducted a cost-benefit analysis of the original deployment strategy or the revised AIT deployment strategy, which proposes a more than twofold increase in the number of machines to be procured.

I’ve seen no documentation that the strip-search machines, the invasive pat-downs, or their combination have been subjected to any thorough risk analysis. The DHS has mouthed risk terminology for years now, but evidence is scant that it has ever subjected itself to such rigor.

Risk Management

A formal risk management effort will generally begin with an examination of the thing or process being protected. This is often called “asset characterization.” In airline security, the goal is fairly simple: ensuring that air passengers arrive safely at their destinations. Specifically, ensuring that nobody successfully brings down a plane.

The next step in risk management is to identify and assess risks, often called “risk characterization” or “risk assessment.” The vocabulary of risk assessment is not settled, but there are a few key concepts that go into it:

• Vulnerability is weakness or exposure that could prevent an objective from being reached. Vulnerabilities are common, and having a vulnerability does not damn an enterprise. The importance of vulnerabilities depend on other factors.
• Threat is some kind of actor or entity that might prevent an objective from being reached. When the threat is a conscious actor, we say that it “exploits” a vulnerability. When the threat is some environmental or physical force, it is often called a “hazard.” As with vulnerability, the existence of a threat is not significant in and of itself. A threat’s importance and contribution to risk turns on a number of factors.
• Likelihood is the chance that a vulnerability left open to a threat will materialize as an unwanted event or development that frustrates the safety, soundness, or security objective. Knowing the likelihood that a threat will materialize is part of what allows risk managers to apportion their responses.
• Consequence is the significance of loss or impediment to objectives should the threat materialize. Consequences can range from very low to very high. As with likelihood, gauging consequence allows risk managers to focus on the most significant risks.

Analyzing vulnerabilities and threats permits risk managers to make rough calculations about likelihood and consequence. This process will float the most significant risks to the surface. Though these factors are often difficult to measure, a simple formula guides risk assessment:

Likelihood x Consequence = Risk

Events with a high likelihood and consequence should be addressed first, and with the most assets. Those are the highest risks.

The most common error I see in risk management is the propensity to attack vulnerabilities rather than risks. A bomber’s attempt to take down a plane by concealing explosives in his undergarments last year exposed a vulnerability. It is possible to sneak a small quantity of explosive through conventional security systems, though not necessarily the needed detonator and not necessarily enough explosive material to take down a plane.

But this says nothing about the likelihood of this happening again—or of being successful. In hundreds of millions of enplanements each year, this attack has manifested itself once. And it failed. The TSA effort is going after a vulnerability—of that there is no doubt—but it is arguable whether or not it is addressing a significant risk.

After risk assessment, the next step in risk management is choosing responses.

Though the concepts and terminology are not settled in this area either, there are four general ways to respond to risk:

• Acceptance – Acceptance of a threat is a rational alternative that is often chosen when the threat has low probability, low consequence, or both.
• Prevention – Prevention is the alteration of the target or its circumstances to diminish the risk of the bad thing happening.
• Interdiction – Interdiction is any confrontation with, or influence exerted on, a threat to eliminate or limit its movement toward causing harm.
• Mitigation – Mitigation is preparation so that, in the event of the bad thing happening, its consequences are reduced.

In its operation, the strip-search/grope combo is an interdiction against any who may try to carry dangerous articles on planes. As to the air transportation system, it might also be conceived of as a preventive measure.

The next analytical lens to look through is benefit-cost analysis, or trade-offs. The goal is to allay risk in a cost-effective way, spending the least amount of money, and incurring the least costs overall, per unit of benefit.

Security Benefits

Security systems involve difficult and complex balancing among many different interests and values. The easiest, by far, is comparing the dollar costs of security measures against the dollar benefits. This is analysis that GAO says the TSA has not done.

But if it were done, on the benefit side of the equation, you have that it reveals most articles a person might try to sneak onto a plane. There are at least two important limitations on the benefit. First, there is an open question as to whether the strip-search machine would successfully detect lower-density material like the explosive PETN. If it doesn’t, it’s utility against underpants bombing relies on potential attackers’ ignorance of that to deter their attempts. Second, the benefit of the strip-search/grope is not what it achieves from a basline of zero, but the marginal security improvement in provides over alternatives like the status quo magnetometer and random pat-downs.

How do you reduce security benefit to something measurable? It’s difficult, but I’ve been mulling a methodology for valuing security against rare attacks in which you assume a motivated attacker that would eventually succeed. By approximating the amount of damage the attack might do and how long it would take to defeat the security measure, one can roughly estimate its value.

Say, for example, that a particular attack might cause one million dollars in damage. Delaying it for a year is worth $50,000 at a 5% interest rate. Delaying for a month an attack that would cause $10 billion in damage is worth about $42 million. It is best to assume that any major attack will happen only once, as it will produce responses that prevent it happening twice. (The 9/11 “commandeering” attack on air travel is an instructive example. By late morning on September 11, 2001, passengers and crew recognized that cooperation with hijackers contributed to the deadliness of attacks rather than saving their lives. They spontaneously changed the security practice to meet the new threat, and the 9/11 attacks permanently changed the posture of air passengers toward hijackers, along with hardened cockpit doors bringing the chance of another commandeering attack on air travel very close to nil.)

Of course, one must consider “risk transfer.” That’s the shifting of risks from one target to another—say, from planes to buildings. (An organization like the Department of Homeland Security would regard this as lowering the benefit of a security measure, while an airline would be indifferent to it—unless it owned the building…) There is also the creation of new risks, such as the possible health effects of the strip-search machines. Which brings us to the cost side of the ledger….

Costs

On the cost side of the ledger, the easy stuff to measure includes the hundreds of millions or billions of dollars that must be spent on strip-search machines themselves. As much or more money will be spent on an ongoing basis to operate the machines. My observation is that it takes three people to operate one strip-search machine: a guide, an analyst to review the image, and a person to do the secondary pat-down which occurs regularly (though it would occur less over time). On a nationwide scale, this is hundreds of millions of dollars per year spent on TSA employees.

The value of travelers’ time is also important. This hasn’t received much discussion, but as more and more strip-search machines come into use, there will be more discussion of how much time they consume compared to magnetometers.

Reviewing tape of TSA checkpoints reveals that passing through the machines takes at least seven seconds per passenger. Variations in the time it takes to traverse the security checkpoint require all travelers to increase the amount of time they spend at the airport as a cushion against the risk of missing flights, which can cost many hours per incident. If each of 350 million trips in a year results in an additional minute at the airport to accommodate the vagaries of the strip/grope, five to six million person hours at the airport will be wasted, a cost of $145 million per year if we value travelers’ time at  $25 per hour.

It is more difficult is to balance interests like privacy and dignity against security benefits. A CBS News poll released yesterday says that four out of five Americans support the use of “‘full-body’ digital x-ray machines to electronically screen passengers.”

It’s an antiseptic description that strangely emphasizes computing. (X-rays are neither digital nor electronic, though the data the x-ray machines collect is digital and its processing is done with electronics.) The question doesn’t capture people’s feelings about images of their own denuded bodies being observed by a government official as a condition of travel. And, of course, it doesn’t capture feelings about the intimate pat-down alternative.

The amount of public reporting and discussion suggests that public opinion is not solidly on the side of the strip/grope. A hearing in the Senate tomorrow is also evidence that the security procedures do not comport with the American people’s rough judgment that the costs of these security measures are justified by their benefits.

My own view is that the strip/grope is security excess. If I had my way, I would choose the airlines and airports that do not go to this extreme. I do not get to have my way, and neither do you if you prefer a different security/privacy mix, because we all must use the same security system. That’s why I wrote five years ago that the TSA should be abolished and responsibility for security restored to airlines and airports. Their experimentation could blend security with privacy, convenience, and comfort, improving the travel experience overall while restoring liberty to American travelers.

‘Strip-or-Grope’ vs. Risk Management is a post from Cato @ Liberty - Cato Institute Blog

European criticisms of U.S. airline security match those of many U.S. travelers, so the recent volley of complaints from the other side of the pond are unremarkable. The most interesting tidbit from this news story is that British pilots are part of the chorus.

There’s a chance that it was some organizational spokesperson whose interests diverge from the actual men and women who fly planes. But if you want to choose a group to trust on airline security, it’s the group with local knowledge and a genuine stake in the outcome. That’s not any security agency. That’s pilots.

Local Knowledge and a Stake in the Outcome is a post from Cato @ Liberty - Cato Institute Blog

The TSA is exceeding its authority.

At what point does an airport search step over the line?

How about when they start going through your checks, and the police call your husband, suspicious you were clearing out the bank account?

This kind of thing was supposed to stop after the TSA revised its policies a year ago. The revision came in the wake of the unconstitutional seizure of Campaign for Liberty staffer Steven Bierfeldt for carrying cash donations (prompting a lawsuit from the ACLU). A federal judge had already determined that fake passports found on an airline passenger were inadmissible in court.

The TSA is not a law enforcement agency. TSA screeners aren’t supposed to search for anything beyond weapons and explosives. Or, as TSA policy currently reads, “Screening may not be conducted to detect evidence of crimes unrelated to transportation security.”

Kathy Parker, a business support manager for a large bank, was flying with a deposit slip and several checks made out to her and her husband. TSA screeners suspected she was skipping town in the midst of a “divorce situation.”

Two Philadelphia police officers joined at least four TSA officers who had gathered around her. After conferring with the TSA screeners, one of the Philadelphia officers told her he was there because her checks were numbered sequentially, which she says they were not.

“It’s an indication you’ve embezzled these checks,” she says the police officer told her. He also told her she appeared nervous. She hadn’t before that moment, she says.

She protested when the officer started to walk away with the checks. “That’s my money,” she remembers saying. The officer’s reply? “It’s not your money.”

Glad to see that we’re in good hands, and that no one has lost focus on the aviation security mission at TSA. Read the whole thing.

TSA on the Prowl for Embezzlers is a post from Cato @ Liberty - Cato Institute Blog

Via the Identity Project’s “Papers, Please” web site, and despite my colleague David Rittgers’ excellent post from yesterday, I note last week’s utterly damning Government Accountability Office report on the SPOT program. “SPOT” stands for “Screening Passengers by Observation Techniques.” In the program “BDO’s,” or “Behavior Detection Officers,” observe travelers in airports, pulling them out of line if a secret list of behaviors signal that they’re a likely threat.

The thing is:

TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior and appearance indicators as a means for reliably identifying passengers as potential threats in airports. … TSA state[s] that no other large-scale U.S. or international screening program incorporating behavior- and appearance-based indicators has ever been rigorously scientifically validated. While TSA deployed SPOT on the basis of some risk-related factors, such as threat information and airport passenger volume, it did not use a comprehensive risk assessment to guide its strategy of selectively deploying SPOT to 161 of the nation’s 457 TSA-regulated airports. TSA also expanded the SPOT program over the last 3 years without the benefit of a cost-benefit analysis of SPOT.

The Israeli airline El Al uses behavior detection, counters the TSA—as did DHS Secretary Janet Napolitano when I asked her about this report at a meeting of the DHS Privacy Committee Tuesday.

The GAO report notes that El Al’s processes, which are different from the TSA’s, have not been scientifically validated. As of 2008, El Al had 34 aircraft, operating out of one hub airport, Ben-Gurion International. There are 457 TSA-regulated airports in the United States. In 2008, El Al had passenger boardings of about 3.6 million; one U.S. airline, Southwest, flew about 102 million passengers that year.

From late May 2004 through August 2008, BDOs referred 152,000 travelers to secondary inspection. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. TSA officials did not identify any direct links to terrorism or any threat to aviation in these cases. GAO noted its inability to determine if this is a better arrest rate than would occur under random screenings.

GAO also determined that at least 16 individuals allegedly involved in terrorism plots have moved at least 23 different times through eight airports where the SPOT program has been implemented. SPOT caught none of them.

The Government Accountability Office is a master of understatement, leaving conclusions for readers to draw. Mine is that the $1.2 billion in planned spending on the program over the next five years will be a wasteful producer of civil liberties violations.

GAO’s Damning Report on ‘SPOT’ is a post from Cato @ Liberty - Cato Institute Blog

Bruce Schneier has a typically good essay on the use of “worst-cases” as a substitute for real analysis. I noticed conspicuous use of “worst-case” in early reporting on the oil spill in the Gulf. It conveniently gins up attention for media outlets keen on getting audience.

There’s a certain blindness that comes from worst-case thinking. An extension of the precautionary principle, it involves imagining the worst possible outcome and then acting as if it were a certainty. It substitutes imagination for thinking, speculation for risk analysis and fear for reason. It fosters powerlessness and vulnerability and magnifies social paralysis. And it makes us more vulnerable to the effects of terrorism.

Worst-case thinking—the failure to manage risk through analysis of costs and benefits—is what makes airline security such an expensive nightmare, for example. Schneier concludes:

When someone is proposing a change, the onus should be on them to justify it over the status quo. But worst case thinking is a way of looking at the world that exaggerates the rare and unusual and gives the rare much more credence than it deserves. It isn’t really a principle; it’s a cheap trick to justify what you already believe. It lets lazy or biased people make what seem to be cogent arguments without understanding the whole issue.

It’s not too long for you to read the whole thing.

Are You Substituting Worst-Case Thinking for Reason? is a post from Cato @ Liberty - Cato Institute Blog

Since they were announced recently, I’ve been working to make sense of new security procedures that TSA is applying to flights coming into the U.S.

“These new measures utilize real-time, threat-based intelligence along with multiple, random layers of security, both seen and unseen, to more effectively mitigate evolving terrorist threats,” says Secretary Napolitano.

That reveals essentially nothing of what they are, of course. Indeed, “For security reasons, the specific details of the directives are not public.”

But we in the public aren’t so many potted plants. We need to know what they are, both because our freedoms are at stake and because our tax money will be spent on these measures.

Let’s start at the beginning, with identity-based screening and watch-listing in general. A recent report in the New York Times sums it up nicely:

The watch list is actually a succession of lists, beginning with the Terrorist Identities Datamart Environment, or TIDE, a centralized database of potential suspects.  . . . [A]bout 10,000 names come in daily through intelligence reports, but . . . a large percentage are dismissed because they are based on “some combination of circular reporting, poison pens, mistaken identities, lies and so forth.”

Analysts at the counterterrorism center then work with the Terrorist Screening Center of the F.B.I. to add names to what is called the consolidated watch list, which may have any number of consequences for those on it, like questioning by the police during a traffic stop or additional screening crossing the border. That list, in turn, has various subsets, including the no-fly list and the selectee list, which requires passengers to undergo extra screening.

The consolidated list has the names of more than 400,000 people, about 97 percent of them foreigners, while the no-fly and selectee lists have about 6,000 and 20,000, respectively.

After the December 25, 2009 attempted bombing of a Northwest Airlines flight from Amsterdam into Detroit, TSA quickly established, then quickly lifted, an oppressive set of rules for travelers, including bans on blankets and on moving about the cabin during the latter stages of flights. In the day or two after a new attempt, security excesses of this kind are forgivable.

But TSA also established identity-based security rules of similar provenance and greater persistence, subjecting people from fourteen countries, mostly Muslim-dominated, to special security screening. This was ham-handed reaction, increasing security against the unlikely follow-on attacker by a tiny margin while driving wedges between the U.S. and people well positioned to help our security efforts.

Former DHS official Stewart Baker recently discussed the change to this policy on the Volokh Conspiracy blog:

The 14-country approach wasn’t a long-term solution.  So some time in January or February, with little fanfare, TSA seems to have begun doing something much more significant.  It borrowed a page from the Customs and Border Protection playbook, looking at all passengers on a flight, running intelligence checks on all of them, and then telling the airlines to give extra screening to the ones that looked risky.

Mark Ambinder lauded the new policy on the Atlantic blog, describing it thusly:

The new policy, for the first time, makes use of actual, vetted intelligence. In addition to the existing names on the “No Fly” and “Selectee” lists, the government will now provide unclassified descriptive information to domestic and international airlines and to foreign governments on a near-real time basis.

Likely, the change is, or is very much like, applying a Customs and Border Patrol program called ATS-P (Automated Targeting System – Passenger) to air travel screening.

“[ATS-P] compares Passenger Name Record (PNR) and information in [various] databases against lookouts and patterns of suspicious activity identified by analysts based upon past investigations and intelligence,” says this Congressional Research Service report.

“It was through application of the ATS-P that CBP officers at the National Targeting Center selected Umar Farouk Abdulmutallab, who attempted to detonate an explosive device on board Northwest Flight 253 on December 25, 2009, for further questioning upon his arrival at the Detroit Metropolitan Wayne County Airport.”

Is using ATS-P or something like it an improvement in the way airline security is being done? It probably is.

A watch-list works by comparing the names of travelers to the names of people that intelligence has deemed concerning. To simplify, the logic looks like something like this:

If first name=”Cat” (or variants) and last name=”Stevens”, then *flag!*

Using intelligence directly just broadens the identifiers you use, so the comparison (again simplified) might look something like this:

If biography contains “traveled in Yemen” or “Nigerian student” or “consorted with extremists”, then *flag!*

The ability to flag a potential terrorist with identifiers beyond name is a potential improvement. Such a screening system would be more flexible than one that used purely name-based matching. But using more identifiers isn’t automatically better.

The goal—unchanged—is to minimize both false positives and false negatives—that is, people flagged as potential terrorists who are not terrorists, and people not flagged as terrorists who are terrorists. A certain number of false positives are acceptable if that avoids false negatives, but a huge number of false positives will just waste resources relative to the margin of security the screening system creates. Given the overall paucity of terrorists—which is otherwise a good thing—it’s very easy to waste resources on screening.

I used the name “Cat Stevens” above because it’s one of several well known examples of logic that caused false positives. Utterly simplistic identifiers like “traveled in Yemen” will also increase false positives dramatically. More subtle combinations of identifiers and logic can do better. The questions are how far they increase false positives, and whether the logic is built on enough information to produce true positives.

So far as we know, ATS-P has never flagged a terrorist before it flagged the underwear bomber. DHS officials tried once to spin up a case in which ATS-P flagged someone who was involved in an Iraq car-bombing after being excluded from the U.S. However, I believe, as I suggested two years ago, that ATS-P flagged him as a likely visa overstayer and not as a terror threat. He may not have been a terror threat when flagged, as some reports have it that he descended into terrorism after being excluded from the U.S. This makes the incident at best an example of luck rather than skill. That I know of, nobody with knowledge of the incident has ever disputed my theory, which I think they would have done if they could.

The fact that ATS-P flagged one terrorist is poor evidence that it will “work” going forward. The program “working” in this case means that it finds true terrorists without flagging an unacceptable/overly costly number of non-terrorists.

Of course, different people are willing to accept different levels of cost to exclude terrorists from airplanes. I think I have come up with a good way to measure the benefits of screening systems like this so that costs and benefits can be compared, and the conversation can be focused.

Assume a motivated attacker that would eventually succeed. By approximating the amount of damage the attack might do and how long it would take to defeat the security measure, one can roughly estimate its value.

Say, for example, that a particular attack might cause one million dollars in damage. Delaying it for a year is worth $50,000 at a 5% interest rate. Delaying for a month an attack that would cause $10 billion in damage is worth about $42 million.

(I think it is fair to assume that any major attack will happen only once, as it will produce responses that prevent it happening twice. The devastating “commandeering” attack on air travel and infrastructure is instructive. The 9/11 attacks permanently changed the posture of air passengers toward hijackers, and subsequent hardening of cockpit doors has brought the chance of another commandeering attack very close to nil.)

A significant weakness of identity-based screening (which “intelligence-based” screening—if there’s a difference—shares) is that it is testable. A person may learn if he or she is flagged for extra scrutiny simply by traveling a few times. A person who passes through airport security six times in a two-month period and does not receive extra scrutiny can be confident enough on the seventh trip that he or she will not be specially screened. If a person does receive special scrutiny on test runs, that’s notice of being in a suspect category, so someone else should carry out a planned attack.

(“We’ll make traveling often a ground for suspicion!” might go the answer. “False positives,” my rejoinder.)

Assuming that it takes two months more than it otherwise would to recruit and clear a clean-skin terrorist, as Al Qaeda and Al Qaeda franchises have done, the dollar value of screening is $125 million. That is the amount saved (at a 5% interest rate) by delaying for one month an attack costing $15 billion (a RAND corporation estimate of the total cost of a downed airliner, public reactions included).

Let’s say that the agility of having non-name identifiers does improve screening and causes it to take three months rather than two to find a candidate who can pass through the screen. Ignoring the costs of additional false positives (though they could be very high), the value of screening rises to $187.5 million.

(There is plenty of room to push and pull on all these assumptions. I welcome comments on both the assumptions and the logic of using the time-value of delayed attacks to quantify the benefits of security programs.)

A January 2009 study entitled, “Just How Much Does That Cost, Anyway? An Analysis of the Financial Costs and Benefits of the ‘No-Fly’ List,” put the amount expended on “no-fly” listing up to that time at between $300 million and $966 million, with a medium estimate of $536 million. The study estimated yearly costs at between $51 and $161 million, with a medium estimate of $89 million.

The new screening procedures, whose contours are largely speculative, may improve air security by some margin. Their additional costs are probably unknown to anyone yet as false positive rates have yet to be determined, and the system has yet to be calibrated. Under the generous assumption that this change makes it 50% harder to defeat the screening system, the value of screening rises, mitigating the ongoing loss that identity-based screening appears to bring to our overall welfare.

Hey, if you’ve read this far, you’ll probably go one or two more paragraphs…

It’s worth noting how the practice of “security by obscurity” degrades the capacity of outside critics to contribute to the improvement of homeland security programs. Keeping the contours of this system secret requires people like me to guess at what it is and how it works, so my assessment of its strengths and weaknesses is necessarily degraded. As usual, Bruce Schneier has smart things to say on security by obscurity, building on security principles generated over more than 125 years in the field of cryptography.

DHS could tell the public a great deal more about what it is doing. There is no good reason for the security bureaucracy to insist on going mano a mano against terrorism, turning away the many resources of the broader society. The margin of information the United States’ enemies might access would be more than made up for by the strength our security programs would gain from independent criticism and testing.

Making Sense of New TSA Procedures is a post from Cato @ Liberty - Cato Institute Blog

The Transportation Safety Administration long has made air travel as unpleasant as possible without obvious regard to the impact on safety.  Thankfully, the TSA recently dropped the inane procedure of asking to see your boarding pass as you passed through the checkpoint — a few feet away from where you entered the security line, at which point you had shown both your boarding pass and ID. 

However, there are proposals afoot in Congress to set new carry-on luggage restrictions, to be enforced by the TSA, even though they would do nothing to enhance security.  An inch either way on the heighth or width of a bag wouldn’t help any terrorists intent on taking over an airplane.  But the proposed restrictions would inconvenience travelers and allow the airlines to fob off on government what should be their own responsibility for setting luggage standards. 

TSA also has restarted ad hoc inspections of boarding passengers.  At least flights as well as passengers are targeted randomly.  After 9/11 the TSA conducted secondary inspections for every flight.  The process suggested that the initial inspections were unreliable, delayed passengers, and led experienced flyers to game the process.  It was critical to try to hit the front of the line while the inspectors were busy bothering someone else.  There was no full-proof system, but I learned that being first or second in line was particularly dangerous.

Finally TSA dropped the practice.  And, as far as I am aware, no planes were hijacked or terrorist acts committed as a result.  But TSA recently restarted the inspections, though on a random basis.

I had to remember my old lessons last week, when I ran into the routine on my return home from a trip during which I addressed students about liberty.  Luckily I was able to get on board, rather than get stuck as TSA personnel pawed through bags already screened at the security check point.

There’s no fool-proof way to ensure security for air travel.  Unfortunately, it’s a lot easier to inconvenience passengers while only looking like one is ensuring airline security.

Making Airline Travel as Unpleasant as Possible is a post from Cato @ Liberty - Cato Institute Blog

A federal judge just threw out three fake passports discovered by a Transportation Security Agency (TSA) screener, holding that the search exceeded the TSA’s aviation security mission. (H/T Bruce Schneier)

This is long overdue; the TSA has moved beyond its original mandate and is now conducting searches for “contraband.” The search for anything that seems suspicious can quickly turn into an inquisition at the security checkpoint. Campaign for Liberty staffer Steven Bierfeldt experienced this at the St. Louis airport, and is now suing to prevent future searches beyond what is necessary for aviation security.

The invasive searches don’t add much to airline security anyway. Just as GAO investigators consistently defeat security at federal buildings, TSA screeners often fail to find fake explosives on security test teams.

As Bruce Schneier points out in his excellent book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, the two effective changes in airline security since September 11, 2001 have been (1) hardening of cockpit doors; and (2) airline passengers will resist because they know that their hijackers are playing for keeps.

Schneier spoke at Cato’s two-day conference on counterterrorism in January. Video at the link.

TSA Search Overturned is a post from Cato @ Liberty - Cato Institute Blog

The Philadelphia Inquirer asks why the TSA didn’t catch Bonnie Sweeten absconding to Orlando at the airport after faking her own and her daughter’s abduction.

The TSA and FBI are right: it’s not airport security’s job to look for people like Bonnie Sweeten. But they will quickly agree to make it part of their mission when newspapers and Members of Congress start to say they should. This is how a nominal airline security program transmogrifies into a general law enforcement checkpoint, and the noose tightens on your right to travel.

It Is a Checkpoint, After All is a post from Cato @ Liberty - Cato Institute Blog