With the Department of Homeland Security constantly spinning out new projects and programs (plus re-branded old ones) to investigate you, me, and the kitchen sink, it’s sometimes hard to keep up. But I was intrigued with a report that behvaior detection officers are getting another look from the Transportation Security Administration. Behavior detection is the unproven, and so far highly unsuccessful (Rittgers, Harper), program premised on the idea that telltale cues can reliably and cost-effectively indicate intent to do harm at airports.

But there’s a new behavior detection program already underway. Or is it interrogation?

Due to a bottleneck at the magnetometers in one concourse of the San Francisco airport (no strip-search machines!), I recently had the chance to briefly interview a Transportation Security Administration agent about a new security technique he was implementing. As each passenger reached him, he would begin to examine the traveler’s documentation and simultaneously ask the person’s last name. He confirmed to me that the purpose was to detect people who did not immediately, easily, and accurately respond. In thousands of interactions, he would quickly and naturally learn to detect obfuscation on the part of anyone carrying an ID that does not have the last name they usually use.

As a way of helping to confirm identity, it’s a straightforward and sensible technique. Almost everyone knows his or her last name, and quickly and easily repeats it. The average TSA agent with some level of experience will fluently detect people who do not quickly and easily repeat the name on the identity card they carry. The examination is done quickly. This epistemetric check (of a “something-you-know” identifier—see my book, Identity Crisis) occurs during the brief time that the documents are already getting visual examination.

Some people will not repeat their name consistent with custom, of course. The hard of hearing, speakers of foreign languages, people who are very nervous, people who have speech or other communication impediments, and another group of sufferers—recently married women—may exhibit “suspicious” failure to recite their recently changed surnames. Some of these anomalies TSA agents will quickly and easily dismiss as non-suspicious. Others they won’t, and in marginal cases they might use non-suspicious indicia like ethnicity or rudeness to adjudge someone “suspicious.”

The question whether these false positives are a problem depends on the sanction that attaches to suspicion. If a stutterer gets a gauntlet at the airport each time he or she fails to rattle off a name, the cost of the technique grows compared to the value of catching … not the small number of people who travel on false identification—the extremely small number of people who travel on false identification so as to menace air transportation.

We used this and closely related techniques, such as asking a person’s address or the DMV office where a license was issued, at the bar where I worked in college. It did pretty well to ferret out people carrying their older friends’ IDs. Part of the reason it worked well is because our expert doormen could quickly escalate to further inquiry, dismissing their own suspicions or denying entry to the bar very quickly. The cost of getting it wrong was to deny a person entry to the bar and sometimes possession of a license. These are relatively small costs to college students, unlike the many hours in time-costs to a traveler wrongly held up at the airport. According to my interview, suspicion generated this way at the airport requires a call to a supervisor, but I did not learn if secondary search is standard procedure, or if cases are handled some other way.

TSA agents are not doormen at bars, of course, and the subjects they are examining are not college kids out to get their drink on. These are government agents examining citizens, residents, and visitors to the United States as they travel for business and pleasure, often at high cost in dollars and time. The stakes are higher, and when the government uses a security technique like this, a layer of constitutional considerations joins the practical issues and security analysis.

I see three major legal issues with this new technique: Fourth Amendment search and seizure, the Fifth Amendment right against self-incrimination, and Due Process. When questioning joins an ID check at the airport, it’s a deepening of a search that is already constitutionally suspect. The Fifth Amendment issues are interesting because travelers are being asked to confess through their demeanor whether they are lying or telling the truth. It would seem to cross a Fifth Amendment line and the rule against forced self-incrimination. The Due Process issues are serious and fairly straightforward. When a TSA screener makes his or her judgment that a person is not responding consistent with custom and is therefore “suspicious,” these judgement calls allow the screeners to import their prejudices. Record-keeping about suspicion generated using this technique should determine whether administration of this epistemetric check violates constitutional due process in its application.

In its constant effort to ferret out terrorist attacks on air transportation, the TSA is mustering all its imagination. Its programs raise scores of risk management issues, they create constitutional problems, and they are a challenge to our tradition of constitutionally limited government. The threat that a person will use false identification to access a plane, defeating an otherwise working watch-list sytem, to execute some attack is utterly small. At what cost in dollars and American values do we attack that tiny threat?

The founding problem is the impetuous placement of federal government agents in the role of securing domestic passenger aviation. There are areas where government is integral to securing airports, airlines, and all the rest of the country—foreign intelligence and developing leads about criminal plots, for example—but the day-to-day responsibility for securing infrastructure like airports and airplanes should be the responsibility of its owners.

If the TSA were to go away, air security measures might be similar in many respects, but they would be conducted by organizations who must keep travelers happy and safe for their living. The TSA hasn’t anything like private airports’ and airlines’ incentives to balance security with convenience, privacy, cost-savings, and all other dimensions of a satisfactory travel experience. Asking people their names at airport security checkpoints is an interesting technique, and not an ineffective one, but it should probably be scrapped because it provides so little security at a relatively great cost.

Behavior Detection as Interrogation is a post from Cato @ Liberty - Cato Institute Blog

Last week, the D.C. Circuit Court of Appeals rejected a Fourth Amendment challenge to the Transportation Security Administration’s strip-search machine policies, but it found that the TSA violated the Administrative Procedure Act in rolling them out. Too bad that the court arrived at the Fourth Amendment issues before they were ripe.

The bulk of the decision was devoted to the TSA’s law violation in creating strip-search machine policies without doing a notice-and-comment rulemaking. That’s the procedure federal agencies are required to carry out when Congress has delegated them legislative authority. Congress did delegate such authority when it told the Department of Homeland Security to develop technologies that detect nonmetallic, chemical, biological, and radiological weapons in 2004′s Intelligence Reform and Terrorism Prevention Act.

“[T]he TSA has advanced no justification for having failed to conduct a notice-and-comment rulemaking,” the court wrote, adding that it expects the agency “to act promptly on remand to cure the defect in its promulgation.”

The TSA will likely spout “constantly changing threat environment” boilerplate to try and argue that it can avoid notice and comment under the APA’s “good cause” exception. An agency can skip notice and comment “when the agency for good cause finds . . . that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.”

But the threat environment is not “constantly changing” at the level of abstraction relevant for the strip-search machine policy—some people are out there who might try to get dangerous articles onto planes—and these machines will be in place for decades, if not permanently, under the TSA policy. They will affect the privacy and security of billions of air passenger journeys. Even if there were need for haste in rolling out the machines, nothing makes it uniquely difficult, or anything other than appropriate, for the TSA to engage in a public process to substantiate its actions.

When the TSA does a rulemaking, it will have to lay out its strip-search machine policies and—crucially—justify them. Notice-and-comment rules are subject to court review, and reversal if they are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” That is a rather low standard, but it’s a higher standard than the agency has ever met before—none at all.

The TSA will have to exhibit how its risk management supports the installation and use of strip-search machines. How did the TSA do its asset characterization (summarizing the things it is protecting)? What are the vulnerabilities it assessed? How did it model threats and hazards (actors or things animated to do harm)? What are the likelihoods and consequences of various attacks? Risk assessment questions like these are all essential inputs into decisions about what to prioritize and how to respond.

Congress dictated detection of various harmful agents, a form of interdiction. (The other responses to risk are acceptance, prevention, and mitigation.) Given the array of choices available to it, how did the TSA select strip-search machines?

Crucially, how well do strip-search machines reach the risks identified in their risk assessment? This is a cost-benefit question. How much do strip-search machines cost to purchase, maintain, and operate? The costs denominated in dollars include money spent on buying the machines, configuring airports, and paying TSA salaries to operate the machines and process passengers. Such costs also include opportunity costs imposed on travelers when the time they spend at airports lengthens to accommodate extended security screening and variable delays. Yet more costs are denominated in lost privacy and dignity to the traveler. These are substantial, though hard to quantify.

Security benefits are also hard to quantify, but the agency should do so if it is to justify its policies as something better than random or intuitive reaction. DHS and TSA officials endlessly talk about risk and risk management, but they cannot honestly say they are doing risk management if they are not thinking these issues all the way through. I’ve offered a methodology for valuing security benefits, and security experts (as well as students) have analyzed the costs and benefits of homeland security programs. The TSA can do it too.

Watch in the rulemaking for the TSA to obfuscate, particularly in the area of threat, using claims to secrecy. “We can’t reveal what we know,” goes the argument. “You’ll have to accept our generalizations about the threat being ‘substantial,’ ‘ever-changing,’ and ‘growing.’” It’s an appeal to authority that works with much of the American public, but it is not one to which courts—a co-equal branch of the government—should so easily succumb.

If it sees it as necessary, the TSA should publish its methodology for assessing threats, then create a secret annex to the rulemaking record for court review containing the current state of threat under that methodology, and how the threat environment at the present time compares to threat over a relevant part of the recent past. A document that contains anecdotal evidence of threat is not a threat methodology. Only a way of thinking about threat that can be (and is) methodically applied over time is a methodology.

With this information in hand, a court would not only be ready to assess the TSA’s rule under the Administrative Procedure Act’s “arbitrary and capricious” standard. It would be ready to assess the reasonableness of the TSA’s strip-search machines and procedures under the Fourth Amendment.

Without that information, the D.C. Circuit plugged the strip-search machines into the strangely incoherent “administrative search” exception to the Fourth Amendment. In two pages of analysis (out of the opinion’s seventeen), the court found that strip-search machines are administrative “because the primary goal is not to determine whether any passenger has committed a crime but rather to protect the public from a terrorist attack.”

Come again?

It seems the court could have taken judicial notice that terrorist attacks are carried out through one or more criminal behaviors. People who have weapons or other dangerous articles at airport checkpoints are subject to arrest and prosecution. Crime control and public protection are one in the same, even in counterterrorism.

The “administrative search” exception to the Fourth Amendment seems to rest on the willingness of a court to abstract away the fact that individuals are prevented from proceeding where they would go (seized) while their persons, papers, and effects are rummaged (searched) for the purpose of discovering violations of the criminal laws. Earlier in the opinion, in fact, the court mocked the idea that the TSA might not “engage in ‘law enforcement, correctional, or intelligence activity.’” It surely does. This is not “administrative.” It’s criminal law enforcement.

Perhaps with a full record—a notice-and-comment rulemaking with a docket full of information and analysis—the D.C. Circuit and other courts will have the opportunity to revisit whether the TSA’s strip-search machine policies are constitutionally reasonble, or whether they’re unexamined reaction. Last week’s “loss” on the Fourth Amendment issue sets the stage for sounder thinking on the strip-search machine policy.

All of this would be obviated, of course, if airline security were restored to private hands.

Strip-Search Machines: A Loss Seeds the Win is a post from Cato @ Liberty - Cato Institute Blog

Federal officials blitzed Texas this week to fight a bill pending in Austin that would control TSA groping of air travelers in that state, reports Forbes’ “Not-So-Private Parts” blogger Kashmir Hill.

Federal government officials descended on the Capitol to hand out a letter … from the Texas U.S. Attorney letting senators know that if they passed the bill, the TSA would probably have to cancel all flights out of Texas. As much as they love their state, the idea of shutting down airports and trapping people in Texas was scary enough to get legislators to reconsider their support for the groping bill…

The federal government’s threat to shut down air travel is serious, but empty. As we’ve seen time and again with the REAL ID Act, the federal government does not have the political will to attack passenger air travel in the name of increasing surveillance and intrusion.

In fact, earlier this year, the Department of Homeland Security didn’t even bother to threaten any repurcussions for states before it once again pushed back a May 2011 (false) deadline for REAL ID compliance. (Previous instances noted here and here.) The REAL ID Act allows the federal government to refuse licenses and ID cards from non-complying states at airport checkpoints, but it’s just not going to happen.

The DHS announcement notes $175 million in spending on REAL ID so far. That waste continues to accrue so long as Congress appropriates money for the national ID program, which will never be implemented.

While we’re on the subject of empty threats from federal officials—and do see Julian Sanchez’s post hitting the same subject—it has been more than four years since then-Secretary of Homeland Security Michael Chertoff said about the REAL ID Act:

If we don’t get it done now, someone is going to be sitting around in three or four years explaining to the next 9/11 Commission why we didn’t do it.

Secretary Chertoff was wrong—factually wrong on the imminence and nature of the terror threat, and ethically wrong to tout terror threats in an attempt to defeat the will of our free people.

With our stubborn insistence on freedom, the American people and state leaders have done a better job of assessing the threat environment than the Secretary of Homeland Security. As I said when I testified on this topic to the Pennsylvania legislature, state leaders should continue to recognize that they are as equipped, if not better equipped, than federal officials to judge what is right for their people. Counterterrorism and airport security are not an exception to that, though federal imperiousness in these areas remains at a high.

State Officials Needn’t Heed Feds’ Threats is a post from Cato @ Liberty - Cato Institute Blog

The fiscal 2012 Department of Homeland Security spending bill is starting to make its way through the process, and the House Appropriations Committee said in a release today that “the bill does not provide $76 million requested by the President for 275 additional advanced inspection technology (AIT) scanners nor the 535 staff requested to operate them.”

If the House committee’s approach carries the day, there won’t be 275 more strip-search machines in our nation’s airports. No word on whether the committee will defund the operations of existing strip-search machines.

Saving money and reducing privacy invasion? Sounds like a win-win.

House Approps Strips TSA of Strip-Search Funds is a post from Cato @ Liberty - Cato Institute Blog

Even while it was a rumor that President Obama would announce that Osama bin Laden had been killed, Americans began to digest the ramifications, asking, for example, “can I have my airport back please?”

Pleasing though it is to have in contemplation, the question is premature. Students of terrorism, such as those who attended our 2009 and 2010 counterterrorism conferences, know that the killing of bin Laden will have little direct effect on the network he spawned. Its indirect, discouraging effect on terrorism is something I mused about in an earlier post.

What about the effects on the rest of us, the people and actors in our great counterterrorism policymaking apparatus?

Osama bin Laden’s survival helped shore up the mystique of the terrorist supervillain, which has fed counterterrorism excess such as the Transportation Security Administration’s domestic airport security gauntlet. Now that bin Laden is gone, the public will be more willing to carefully balance security and privacy in our free country. By a small, but important margin, courts will be less willing to indulge extravagant government claims about threat and risk.

My friends in the national security bureaucracy may honestly perceive the contraction in their power as carelessness about a threat that they have dedicated their professional lives to combating, but the Declaration of Independence touts security only once, and freedom twice, in the phrase “life, liberty, and the pursuit of happiness.” The counterterrorism debate continues.

Can I Have My Airport Back Please? is a post from Cato @ Liberty - Cato Institute Blog

There is one thing you can take to the bank from TSA administrator John Pistole’s statement that he wants to shift to “risk-based” screening at airports: it hasn’t been risk-based up to now. That’s a welcome concession because, as I’ve said before, the DHS and its officials routinely mouth risk terminology, but rarely subject themselves to the rigor of actual risk analysis.

What Administrator Pistole envisions is nothing new. It’s the idea of checking the backgrounds of air travelers more deeply, attempting to determine which of them present less of a threat and which prevent more. That opens security holes that the risk-averse TSA is unlikely to actually tolerate, and it has significant privacy and Due Process consequences, including migration toward a national ID system. 

I wrote about one plan for a “trusted traveler”-type system recently. As the details of what Pistole envisions emerge, I’ll look forward to reviewing it.

The DHS Privacy Committee published a document several years ago that can help Pistole with developing an actual risk-based system and with managing its privacy consequences. The Privacy Committee itself exists to review programs like these, but has not been used for this purpose recently despite claims that it has.

If Pistole wants to shift to risk-based screening, he should require a full risk-based study of airport screening and publish it so that the public, commentators, and courts can compare the actual security benefits of the TSA’s policies with their costs in dollars, risk transfer, privacy, and constitutional values.

TSA’s Pistole Says ‘Risk-Based,’ Means ‘Privacy Invasive’ is a post from Cato @ Liberty - Cato Institute Blog

(HT: Techdirt) It is infuriating to watch the video Phil Mocek made while attempting to assert his legal rights at the airport. The good news is that he has been acquitted of the bogus charges brought against him, including disorderly conduct, concealing his identity, refusing to obey a police officer, and criminal trespass.

The video illustrates the knowledge, fortitude, and cool it takes to assert one’s rights. We owe our thanks to Mr. Mocek, who has helped to educate the TSA and society in general about the law that applies at the airport.

Perhaps he can further the educational process by bringing an action under 42 U.S.C. §1983 for violation of his civil rights under color of law. The Transporation Security Administration’s training programs might improve, or Congress might pay attention to the constitutional black hole they have created in airports—if it costs enough to threaten their earmark money.

Man Acquitted of Crimes Associated with Asserting His Rights is a post from Cato @ Liberty - Cato Institute Blog

It’s fascinating to watch a member of Congress use a tragedy like Gabrielle Giffords’ shooting to seek advantage over us common folk. On Fox News Sunday this week, Representative James Clyburn (D-SC) suggested that Members of Congress should get special treatment at airports.

Airports are some of the safest places anyone can be. Don’t use your imagination—think about it: Airports teem with security personnel and security-conscious citizens. Because their travel schedules are generally unannounced, members of Congress are not any more exposed while traveling than during their other public movements. There is some risk—we know too well because of this weekend’s tragedy—when elected officials make announced public appearances, but that small risk is something they should generally continue to accept lest they fall even further out of touch with constituents.

It is vitally important that members of Congress experience air travel as the rest of us do. If they don’t, they will continue to impose its burdens on us without getting the valuable feedback of first-hand experience.

Rep. Clyburn Wants Special Treatment at Airports is a post from Cato @ Liberty - Cato Institute Blog

The holiday travel season this year revealed some of the real defects in the Transportation Security Administration’s new policy of subjecting select travelers to the “option” of going through airport strip-search machines or being subjected to an intrusive pat-down more akin to a groping. Anecdotes continue to come forth, including the recent story of a rape victim who was arrested at an airport in Austin, TX after refusing to let a TSA agent feel her breasts.

Meanwhile, the Department of Homeland Security is working on the “next big thing”: body-scanning everywhere. This “privacy impact assessment” from DHS’s Science and Technology Directorate details a plan to use millimeter wave—a technology in strip-search machines—along with other techniques, to examine people from a distance, not just at the airport but anywhere DHS wants.

With time to observe TSA procedures this holiday season, I’ve noticed that it takes a very long time to get people through strip-search machines. In Milwaukee, the machines were cordoned off and out of use the Monday after Christmas Day because they needed to get people through. Watch for privacy concerns and sheer inefficiency to join up when TSA pushes forward with universal strip/grope requirements.

And the issue looks poised to grow in the new year. Republican ascendancy in the House coincides with their increasing agitation about this government security excess.

I’ll be speaking at an event next Thursday, January 6th, called ”The Stripping of Freedom: A Careful Scan of TSA Security Procedures.” It’s hosted by the Electronic Privacy Information Center (EPIC) at the Carnegie Institute for Science in Washington, DC.

EPIC recently wrote a letter asking Homeland Security Secretary Janet Napolitano to task the DHS Privacy Committee (or “DPIAC,” on which I serve) with studying the impact of the body scanner program on individuals’ constitutional and statutory rights:

The TSA’s deployment of body scanners as the primary screening technique in American airports has raised widespread public concerns about the protection of privacy. It is difficult to imagine that there is a higher priority issue for the DPIAC in 2011 than a comprehensive review of the TSA airport body scanner program.

Will the Secretary ask her expert panel for a thorough documented review? Wait and see.

Whatever happens there, privacy concerns with DHS programs will be big in 2011.

Prediction: DHS Programs Will Create Privacy Concerns in 2011 is a post from Cato @ Liberty - Cato Institute Blog

There is a natural appeal to “trusted traveler” programs. We all see ourselves as trustworthy, and getting into such a program might improve our experience at the airport. This video captures the notion—and some of the difficulties—entertainingly.

I would fly on a plane even knowing that Jimmy Johnson had brought a machete on board. But what level of trust should attach to a Super Bowl ring?

Dave Meggett helped the New York Giants win Super Bowl XXV. He was sentenced to 30 years in prison last month after being convicted of criminal sexual misconduct and burglary. Super Bowl MVP Ray Lewis was charged with murder in 2000, avoiding trial by agreeing to testify against others. The point is not to beat up on the NFL, but to beat up on the idea that you can trust a large-scale “trusted traveler” program.

Having some weakness is not fatal to the trusted traveler idea. A trusted traveler program might reduce costs and inconveniences without reducing risks by a greater amount. Indeed, it might make sense to trust all travelers more than the TSA does under its strip/grope policy.

In a recent, less entertaining post, I argued that the TSA shouldn’t do “trusted traveler.” Airlines should be free to implement trusted traveler systems, winning the rewards for getting it right and paying the costs for getting it wrong.

The Appeal of Trusted Traveler is a post from Cato @ Liberty - Cato Institute Blog

Libertarians often debate whether conservatives or liberals are more friendly to liberty. We often fall back on the idea that conservatives tend to support economic liberties but not civil liberties, while liberals support civil liberties but not economic liberties — though this old bromide hardly accounts for the economic policies of President Bush or the war-on-drugs-and-terror-and-Iraq policies of President Obama.

Score one for the conservatives in the surging outrage over the Transportation Security Administration’s new policy of body scanners and intimate pat-downs. You gotta figure you’ve gone too far in the violation of civil liberties when you’ve lost Rick Santorum, George Will, Kathleen Parker, and Charles Krauthammer. (Gene Healy points out that conservatives are reaping what they sowed.)

Meanwhile, where are the liberals outraged at this government intrusiveness? Where is Paul Krugman? Where is Arianna? Where is Frank Rich? Where is the New Republic? Oh sure, civil libertarians like Glenn Greenwald have criticized TSA excesses. But mainstream liberals have rallied around the Department of Homeland Security and its naked pictures: Dana Milbank channels John (“phantoms of lost liberty”) Ashcroft: “Republicans are providing the comfort [to our enemies]. They are objecting loudly to new airport security measures.” Ruth Marcus: “Don’t touch my junk? Grow up, America.” Eugene Robinson: “Be patient with the TSA.” Amitai Etzioni in the New Republic: “In defense of the ‘virtual strip-search.’” And finally, the editors of the New York Times: ”attacks are purely partisan and ideological.”

Could this just be a matter of viewing everything through a partisan lens? Liberals rally around the DHS of President Obama and Secretary Napolitano, while conservatives criticize it? Maybe. And although Slate refers to the opponents of body-scanning as “paranoid zealots,” that term would certainly seem to apply to apply to Mark Ames and Yasha Levine of the Nation, who stomp their feet, get red in the face, and declare every privacy advocate from John Tyner (“don’t touch my junk”) on to be “astroturf” tools of “Washington Lobbyists and Koch-Funded Libertarians.” (Glenn Greenwald took the article apart line by line.)

Most Americans want to be protected from terrorism and also to avoid unnecessary intrusions on liberty, privacy, and commerce. Security issues can be complex. A case can be made for the TSA’s new procedures. But it’s striking to see how many conservatives think the TSA has gone too far, and how dismissive — even contemptuous — liberals are of rising concerns about liberty and privacy.

Conservatives, Liberals, and the TSA is a post from Cato @ Liberty - Cato Institute Blog

Musing on the latest abuses of the Transportation Security Administration, George F. Will recalls a column by the late William F. Buckley Jr. Faced with disastrous service on a commuter railroad, Buckley wrote, “In a more virile age, I thought, the passengers would have seized the conductor and strapped him down on a seat over the radiator to share the fate of his patrons.” But he had “nonchalantly walked down the gauntlet of eighty sweating American freemen, and not one of them had asked him to explain why the passengers in that car had been consigned to suffer.”

Buckley went on:

Every year, whether the Republican or the Democratic Party is in office, more and more power drains away from the individual to feed vast reservoirs in far-off places; and we have less and less say about the shape of events which shape our future. From this alienation of personal power comes the sense of resignation with which we accept the political dispensations of a powerful government whose hold upon us continues to increase.

And here’s the part that sent me looking for the anti-depressants: Buckley wrote this jeremiad in 1961.

Why I Took an Anti-Depressant is a post from Cato @ Liberty - Cato Institute Blog

A new post on the TSA blog gets the logic behind the strip/grope combination correct.

[I]f you’re selected for AIT and choose to opt-out, we still need to check you for non-metallic threats. That’s why a pat-down is required. If you refuse both, you can’t fly.

Any alternative allows someone concealing something to decline the strip-search machine, decline the intimate pat-down, and leave the airport, returning another day in hopes of not being selected for the strip-search machine. The TSA reserves the right to fine you $11,000 for declining these searches.

So the question is joined: Should the TSA be able to condition air travel on you permitting someone to look at or touch your genitals?

I’ve argued that the strip/grope is security excess not validated by risk management. It’s akin to a regulation that fails the “arbitrary and capricious” standard in adminstrative law. But the TSA is not so constrained.

The Security Logic Clarifies the Question is a post from Cato @ Liberty - Cato Institute Blog

In a humbly-toned USA Today opinion piece yesterday, Secretary of Homeland Security Janet Napolitano asked for the public’s cooperation with airline security measures the Transportation Security Administration has recently implemented. The TSA has come up with an invasive pairing: ”Advanced Imaging Technology,” also known as “strip-search machines” and, for those refusing, “enhanced” pat-downs which explore areas of the body typically reserved for one’s spouse or doctor.

Anecdotal reports suggest that the machines are being used to ogle women, and we are seeing disturbing images and videos of children being handled by strangers online. The public is increasingly agitated by the TSA’s latest amendment to the air travel ordeal, and a “National Opt-Out Day” is slated for next Wednesday, the biggest travel day of the year.

Twice, Secretary Napolitano notes that these measures are “risk-based” or “driven by . . . risk.” But has the Department of Homeland Security conducted the necessary risk management studies to validate these programs? A March 2010 Government Accountability Office report says:

[I]t remains unclear whether the AIT would have detected the weapon used in the December 2009 incident based on the preliminary information GAO has received. . . . In October 2009, GAO also recommended that TSA complete cost-benefit analyses for new passenger screening technologies. While TSA conducted a life-cycle cost estimate and an alternatives analysis for the AIT, it reported that it has not conducted a cost-benefit analysis of the original deployment strategy or the revised AIT deployment strategy, which proposes a more than twofold increase in the number of machines to be procured.

I’ve seen no documentation that the strip-search machines, the invasive pat-downs, or their combination have been subjected to any thorough risk analysis. The DHS has mouthed risk terminology for years now, but evidence is scant that it has ever subjected itself to such rigor.

Risk Management

A formal risk management effort will generally begin with an examination of the thing or process being protected. This is often called “asset characterization.” In airline security, the goal is fairly simple: ensuring that air passengers arrive safely at their destinations. Specifically, ensuring that nobody successfully brings down a plane.

The next step in risk management is to identify and assess risks, often called “risk characterization” or “risk assessment.” The vocabulary of risk assessment is not settled, but there are a few key concepts that go into it:

• Vulnerability is weakness or exposure that could prevent an objective from being reached. Vulnerabilities are common, and having a vulnerability does not damn an enterprise. The importance of vulnerabilities depend on other factors.
• Threat is some kind of actor or entity that might prevent an objective from being reached. When the threat is a conscious actor, we say that it “exploits” a vulnerability. When the threat is some environmental or physical force, it is often called a “hazard.” As with vulnerability, the existence of a threat is not significant in and of itself. A threat’s importance and contribution to risk turns on a number of factors.
• Likelihood is the chance that a vulnerability left open to a threat will materialize as an unwanted event or development that frustrates the safety, soundness, or security objective. Knowing the likelihood that a threat will materialize is part of what allows risk managers to apportion their responses.
• Consequence is the significance of loss or impediment to objectives should the threat materialize. Consequences can range from very low to very high. As with likelihood, gauging consequence allows risk managers to focus on the most significant risks.

Analyzing vulnerabilities and threats permits risk managers to make rough calculations about likelihood and consequence. This process will float the most significant risks to the surface. Though these factors are often difficult to measure, a simple formula guides risk assessment:

Likelihood x Consequence = Risk

Events with a high likelihood and consequence should be addressed first, and with the most assets. Those are the highest risks.

The most common error I see in risk management is the propensity to attack vulnerabilities rather than risks. A bomber’s attempt to take down a plane by concealing explosives in his undergarments last year exposed a vulnerability. It is possible to sneak a small quantity of explosive through conventional security systems, though not necessarily the needed detonator and not necessarily enough explosive material to take down a plane.

But this says nothing about the likelihood of this happening again—or of being successful. In hundreds of millions of enplanements each year, this attack has manifested itself once. And it failed. The TSA effort is going after a vulnerability—of that there is no doubt—but it is arguable whether or not it is addressing a significant risk.

After risk assessment, the next step in risk management is choosing responses.

Though the concepts and terminology are not settled in this area either, there are four general ways to respond to risk:

• Acceptance – Acceptance of a threat is a rational alternative that is often chosen when the threat has low probability, low consequence, or both.
• Prevention – Prevention is the alteration of the target or its circumstances to diminish the risk of the bad thing happening.
• Interdiction – Interdiction is any confrontation with, or influence exerted on, a threat to eliminate or limit its movement toward causing harm.
• Mitigation – Mitigation is preparation so that, in the event of the bad thing happening, its consequences are reduced.

In its operation, the strip-search/grope combo is an interdiction against any who may try to carry dangerous articles on planes. As to the air transportation system, it might also be conceived of as a preventive measure.

The next analytical lens to look through is benefit-cost analysis, or trade-offs. The goal is to allay risk in a cost-effective way, spending the least amount of money, and incurring the least costs overall, per unit of benefit.

Security Benefits

Security systems involve difficult and complex balancing among many different interests and values. The easiest, by far, is comparing the dollar costs of security measures against the dollar benefits. This is analysis that GAO says the TSA has not done.

But if it were done, on the benefit side of the equation, you have that it reveals most articles a person might try to sneak onto a plane. There are at least two important limitations on the benefit. First, there is an open question as to whether the strip-search machine would successfully detect lower-density material like the explosive PETN. If it doesn’t, it’s utility against underpants bombing relies on potential attackers’ ignorance of that to deter their attempts. Second, the benefit of the strip-search/grope is not what it achieves from a basline of zero, but the marginal security improvement in provides over alternatives like the status quo magnetometer and random pat-downs.

How do you reduce security benefit to something measurable? It’s difficult, but I’ve been mulling a methodology for valuing security against rare attacks in which you assume a motivated attacker that would eventually succeed. By approximating the amount of damage the attack might do and how long it would take to defeat the security measure, one can roughly estimate its value.

Say, for example, that a particular attack might cause one million dollars in damage. Delaying it for a year is worth $50,000 at a 5% interest rate. Delaying for a month an attack that would cause $10 billion in damage is worth about $42 million. It is best to assume that any major attack will happen only once, as it will produce responses that prevent it happening twice. (The 9/11 “commandeering” attack on air travel is an instructive example. By late morning on September 11, 2001, passengers and crew recognized that cooperation with hijackers contributed to the deadliness of attacks rather than saving their lives. They spontaneously changed the security practice to meet the new threat, and the 9/11 attacks permanently changed the posture of air passengers toward hijackers, along with hardened cockpit doors bringing the chance of another commandeering attack on air travel very close to nil.)

Of course, one must consider “risk transfer.” That’s the shifting of risks from one target to another—say, from planes to buildings. (An organization like the Department of Homeland Security would regard this as lowering the benefit of a security measure, while an airline would be indifferent to it—unless it owned the building…) There is also the creation of new risks, such as the possible health effects of the strip-search machines. Which brings us to the cost side of the ledger….

Costs

On the cost side of the ledger, the easy stuff to measure includes the hundreds of millions or billions of dollars that must be spent on strip-search machines themselves. As much or more money will be spent on an ongoing basis to operate the machines. My observation is that it takes three people to operate one strip-search machine: a guide, an analyst to review the image, and a person to do the secondary pat-down which occurs regularly (though it would occur less over time). On a nationwide scale, this is hundreds of millions of dollars per year spent on TSA employees.

The value of travelers’ time is also important. This hasn’t received much discussion, but as more and more strip-search machines come into use, there will be more discussion of how much time they consume compared to magnetometers.

Reviewing tape of TSA checkpoints reveals that passing through the machines takes at least seven seconds per passenger. Variations in the time it takes to traverse the security checkpoint require all travelers to increase the amount of time they spend at the airport as a cushion against the risk of missing flights, which can cost many hours per incident. If each of 350 million trips in a year results in an additional minute at the airport to accommodate the vagaries of the strip/grope, five to six million person hours at the airport will be wasted, a cost of $145 million per year if we value travelers’ time at  $25 per hour.

It is more difficult is to balance interests like privacy and dignity against security benefits. A CBS News poll released yesterday says that four out of five Americans support the use of “‘full-body’ digital x-ray machines to electronically screen passengers.”

It’s an antiseptic description that strangely emphasizes computing. (X-rays are neither digital nor electronic, though the data the x-ray machines collect is digital and its processing is done with electronics.) The question doesn’t capture people’s feelings about images of their own denuded bodies being observed by a government official as a condition of travel. And, of course, it doesn’t capture feelings about the intimate pat-down alternative.

The amount of public reporting and discussion suggests that public opinion is not solidly on the side of the strip/grope. A hearing in the Senate tomorrow is also evidence that the security procedures do not comport with the American people’s rough judgment that the costs of these security measures are justified by their benefits.

My own view is that the strip/grope is security excess. If I had my way, I would choose the airlines and airports that do not go to this extreme. I do not get to have my way, and neither do you if you prefer a different security/privacy mix, because we all must use the same security system. That’s why I wrote five years ago that the TSA should be abolished and responsibility for security restored to airlines and airports. Their experimentation could blend security with privacy, convenience, and comfort, improving the travel experience overall while restoring liberty to American travelers.

‘Strip-or-Grope’ vs. Risk Management is a post from Cato @ Liberty - Cato Institute Blog

This week, Secretary of Homeland Security Janet Napolitano is pressing countries around the world to use “strip-search machines,” low-power x-ray and radio wave scanning devices that reveal what is underneath travelers’ clothes. The machines provide a small margin of security at a high risk to privacy.

And those privacy risks are manifesting themselves overseas. On AllAfrica.com, news service This Day reports on how strip-search machines have been used to peep at travelers as nudes in Lagos, Nigeria:

[D]uring off-peak periods, the aviation security officials, who are trained on the use of the scanners, usually stroll from the cubicle located in a hidden corner on the right side of the screening area where the 3D full-body scanner monitors are located. They do so to catch a glimpse of some of the passengers entering the machine and immediately go back to view the naked images, in order to match the faces with the images since the faces are blurred on the monitors while passengers are inside the machine.

The report notes that one of the “conventional scanners”—a magnetometer, most likely—was put out of service to corral people into the strip-search machine.

Italy has abandoned strip-search machines after a six-month test, due both to privacy issues and “because they are slow.” This is the sleeper issue that may soon wake as more machines show up in our airports: Strip-search machines take a very long time compared to magnetometers.

There are more than half a billion enplanements in the United States each year. If each traveler is delayed by 10 seconds, strip-search machines would waste nearly 1.4 million hours of Americans’ time directly—much more if you include the schedule-padding that all fliers would have to practice to avert strip-search machine delays.

The margin of security provided by these machines is small. In an interview on Fox’s local affiliate in D.C. last night, I said, “If we go down the strip-search machine route, there’s going to be more methods of concealment, and we certainly don’t want the TSA looking there.”

Hopefully, my poor grammar distracts you from the full import of that line.

Strip-Search Machines on the International Scene is a post from Cato @ Liberty - Cato Institute Blog

The TSA is exceeding its authority.

At what point does an airport search step over the line?

How about when they start going through your checks, and the police call your husband, suspicious you were clearing out the bank account?

This kind of thing was supposed to stop after the TSA revised its policies a year ago. The revision came in the wake of the unconstitutional seizure of Campaign for Liberty staffer Steven Bierfeldt for carrying cash donations (prompting a lawsuit from the ACLU). A federal judge had already determined that fake passports found on an airline passenger were inadmissible in court.

The TSA is not a law enforcement agency. TSA screeners aren’t supposed to search for anything beyond weapons and explosives. Or, as TSA policy currently reads, “Screening may not be conducted to detect evidence of crimes unrelated to transportation security.”

Kathy Parker, a business support manager for a large bank, was flying with a deposit slip and several checks made out to her and her husband. TSA screeners suspected she was skipping town in the midst of a “divorce situation.”

Two Philadelphia police officers joined at least four TSA officers who had gathered around her. After conferring with the TSA screeners, one of the Philadelphia officers told her he was there because her checks were numbered sequentially, which she says they were not.

“It’s an indication you’ve embezzled these checks,” she says the police officer told her. He also told her she appeared nervous. She hadn’t before that moment, she says.

She protested when the officer started to walk away with the checks. “That’s my money,” she remembers saying. The officer’s reply? “It’s not your money.”

Glad to see that we’re in good hands, and that no one has lost focus on the aviation security mission at TSA. Read the whole thing.

TSA on the Prowl for Embezzlers is a post from Cato @ Liberty - Cato Institute Blog

The Transportation Security Administration will be sure to point out that it was not them—it was the U.S. Marshals Service—that kept ”tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse,” according to Declan McCullagh of C|Net news.

The TSA has taken pains to make sure that their use of strip-search machines does not produce compromising images of the traveling public, but rules are made to be broken. How do you protect privacy in the use of a technology that is fundamentally designed to invade privacy?

Strip-Search Images Stored is a post from Cato @ Liberty - Cato Institute Blog

Via Adam Serwer, New York governor David A. Paterson is expected to sign a bill today doing away with data collection on people the police stop and question, but who have done nothing wrong.

The Transportation Security Adminstration’s “SPOT” program—recently the subject of a scathing Government Accountability Office critique—does similar data collection about innocent people.

From late May 2004 through August 2008, “behavior detection officers” referred 152,000 travelers to secondary inspection at airports. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. None had links to terrorism or any threat to aviation.

The data TSA collects “when observed behaviors exceed certain thresholds”—that is, when a traveler garners TSA suspicion—includes:

• first, middle, and last names
• aliases and nicknames
• home and business addresses and phone numbers
• employer information
• identification numbers such as Social Security Number, drivers license number or passport number
• date and place of birth
• languages spoken
• nationality
• age
• sex
• race
• height and weight
• eye color
• hair color, style and length
• facial hair, scars, tattoos and piercings, clothing (including colors and patterns) and eyewear
• purpose for travel and contact information
• photographs of any prohibited items, associated carry-on bags, and boarding documents
• identifying information for traveling companion.

Stop ‘n’ Frisk Databases is a post from Cato @ Liberty - Cato Institute Blog

Returning from Chicago this past weekend, I noticed that they were using strip-search machines in several security lanes at the TSA checkpoint (ORD Terminal 1). Naturally, after the ID check—yes, I did show ID this time—I chose a lane that lead to a magnetometer rather than a strip-search machine.

Annnnnd, anyone wanting to smuggle a plastic weapon could do the same.

For all the money spent on strip-search machines at ORD, and for all the exposure law-abiding travelers are getting, the incremental security benefit has been just about exactly zero. Security theater. TSA has to direct people to lanes mandatorily or install strip-search machines at all lanes to get whatever small security benefit they provide.

Going through the strip-search machine is optional—you can get a pat-down instead. Signage to that effect was poorly placed for informing the public, at the entrance to the strip-search machine. Travelers might read it as they stepped into the machine, realizing from that standing spread-eagle position that they didn’t have to be there.

Good Thing There Are So Few Bad Guys is a post from Cato @ Liberty - Cato Institute Blog

The Smoking Gun and Miami Herald report that a Miami International Airport TSA worker has been arrested for beating up a co-worker who joked about his endowment after observing the assailant walk through a whole-body imager or “strip-search machine.”

The Onion? No, Real Life is a post from Cato @ Liberty - Cato Institute Blog