Xblog

So the problem that a number of commenters have pointed out is that these TSO’s are making up arbitrary rules, potentially violating the law and even constitutional rights of passengers, and the TSA lacks an effective mechanism for dealing with it. It’s great that they are capable of recognizing an error when it was reported, and in this case I don’t think any laws were broken (other than laws of rational thought perhaps ;-), but as far as I can tell, they could have been.

Here’s the thing: I expect local TSA offices to come up with their own procedures and policies. You need to give offices enough autonomy that they can adapt to local situations and/or come up with innovations. Security needs to flexible and adaptable. So a changing landscape at each office is par for the course and a sign the TSA is actually doing their job. The problem is, there are rules and laws that simply cannot be violated, no matter the rationale of the local office.

Simple straw man: on the off chance that passengers might carry an explosive in their stomach, it is not okay for TSO’s to punch each passenger in the gut as they walk through the security line (hmm… I’m sure there is a the makings of a good comedy sketch in there somewhere). Let’s just say for a moment, this were to actually happen. I’m going through the line and I notice TSO’s punching everyone in front of me. When it’s my turn, I protest, saying they can’t hit me, and if they do, I’ll charge them with assault. They then counter that they are required by law to punch each passenger in the gut before allowing them to board. I say, “I’ve never heard of something so ridiculous in my entire life. Show me the law that allows you to do this.” Guess what the answer is? Sorry, we can’t show you the law. In fact, not only can we not show you the law, but if you continue to protest this, we’ll arrest you. Either let us punch you or leave the airport. Even if I call the ACLU and start to file legal complaints, the case won’t be allowed to go forward. The only hope of getting this mess resolved is to contact the TSA, hope that someone with the right authority listens to me and agrees with me, and then acts. As seen in the “electronics” case, while the TSA can respond quickly, we’re still talking about weeks here, and that’s if I catch a sympathetic ear. With all the people that go through airports each day, we’re talking about potentially thousands of violations of people’s rights.

TSO’s wield a rather significant amount of authority. They have the power to keep you from making your flight. They have the power to arrest you, and can justify it simply on the grounds that you are creating a disturbance! This is very intimidating for most passengers, making it hard for them to defend themselves. A published set of laws would provide a mild counter balance to this, and make it easier for passengers to anticipate and accept new, innovative security procedures. Yes, there is a security advantage in hiding the rules of the game from your adversary, as it makes it harder for them to assemble a plan with a high degree of confidence it will work, but we’re talking about a “secret” shared by the thousands of employees of the TSA, which in my book is a secret only to citizens who don’t have the resources or the inclination to compromise a secret shared by thousands… and the courts (convenient that). To a well organized attacker, obtaining a secret known to so many people is trivial. The other thing is that I’m not expecting to have the actual procedures published (although the TSA frequently does this with new polities), just the laws governing what they can and cannot do. That way, if a TSO gets out of line, you have recourse.

I’m going to be flying alone with my son, so to prove I’m not a kidnapper, I need to be sure to have a notarized letter from his mother saying I’m allowed to leave the country with him. The notarized part really gets me, because the whole notary system depends on two things a) the verifier keeps a copy of the document with the notary’s seal, so that if necessary they can trace it back to the notary in question and check their log book and b) that there is an easy way to reverse the impact of a fraudulent seal once it is exposed. Neither a) or b) apply here, so I end up spending $15 so that someone who wants to kidnap my child has to spend $2 more. Brilliant.

There’s all these weird restrictions on liquids (3oz bottles that fit in 1 quart bag, and the bag needs to be zip top… are you kidding me?), but solid or gas form is apparently AOK. I’m thinking I’ll freeze whatever liquids I need to bring through and hope they don’t thaw out until I’m safely passed security.

Of course, there’s enough other exceptions to drive a truck through, so no need to bother with freezing things. With all these exceptions, one has to ask why bother with the restrictions at all? They seem more oriented around how much inconvenience they’d cause the passengers (and believe me I appreciate this, as I value such conveniences and I’m quite confident that I’m not up to anything nefarious on this trip) rather than any kind of security risk profile (this part I don’t like so much). So somehow water, apple juice, toothpaste or shampoo is a major security concern, but insulin, KY jelly, and bras filled out with gels or liquids are not.

The best one is the baby formula/milk/breast milk exemption. If you have a child with you, you can take as much of this stuff as you want. They promise they won’t test or taste it, or make you or your child test or taste it. So I gotta ask… is a guy traveling alone with a 12oz carton of what is claimed to be milk really more of a security threat than a baby with a 12oz baby bottle containing the same substance, particularly if the baby never drinks from it?

It’s been five years, and it still seems like these rules are set up by the Keystone Cops. The shocking thing is that it is not at all clear to me how we can stop this insanity. Any ideas?

Okay, I have to admit the notion of some TSA employee off in a room somewhere watching our naked bodies as we walk through the airport seems pretty awful, particularly for the TSA employee. Of course, the one highlight of the TSA employee’s day has been ruined by blurring of certain parts of the shot (not quite sure how they get the system to cover the right parts given all the funny shapes we come in, but we’ll hope it’s effective). Now that the titillating issue has been dealt with, we can start catching terrorists, right?

Problem one: you get to choose whether you use it. This has to be the stupidest part of the whole thing. Before, you had to face the pat-down. Now, you can choose between the pat-down and the fancy X-ray machine. So now, someone attempting to compromise the integrity of airport security gets to choose whichever security measure they think they have the best chance of getting by. The end result is that adding these undoubtedly expensive machines provides no additional security over the traditional pat-down (if it was going to catch something the pat-down would miss, the attacker would simply elect for a pat-down), it potentially weakens security (if there is something that the pat-down would catch that the X-ray wouldn’t).

Problem two: you have to fail the initial test in order to get sent to this one. Much is made in the article of the ability for these new machines to “detect plastic and liquid explosives and other non-metallic weapons that can be missed by standard metal detectors”. The machine might be able to do it, but the security process they’ve got set up likely won’t, because you don’t get sent to this machine unless the “standard metal detectors” detect something. So, the machine really only helps reduce the number of false positives, doing nothing for all the false negatives we’re all freaking out about. There is a benefit to reducing the false positive rate (and lord knows the standard metal detectors seem to detect nothing but false positives), but frankly this seems like a horrible waste.

For the machines to be effective, the protocol ought to be something like random and/or TSA employee selection, with no choice for the target. Of course, trying to implement such a policy is going to be a nightmare. You’ll probably have people screaming in airports, lawsuits from the ACLU, etc., etc.

Which brings me to the more logical solution: just don’t do it. These machines are undoubtedly horribly expensive and do create serious privacy concerns. Worse still, you just know that this means more young boys are going to fall for those stupid X-ray glasses ads in the back of comic books. ;-) I’m sure we can spend the money on far less controversial and effective security measures, like checking more of the containers that get shipped in through our ports.

So why do this? Well, for starters, you know someone is making a killing on this. More importantly though, by giving us a new airport security measure that while ineffective is very titillating and demonstrates yet another new technology to protect air travelers, it helps spread the news (and nothing spreads faster than a titillating story that people can talk while pretending to focus on the privacy issue ;-) that it really is safe to fly again. Ultimately, that seems to be more of a concern than providing effective security measures.

I think my New Years resolution ought to be to always wear a tin foil hat when flying, as it will undoubtedly enhance my safety more than most measures that have been put in place in the last five years.

Of course, none of this should be a surprise to anyone. The efficacy of a name-based “No Fly” list has beeen questioned by security experts from the day it was first implement. There are so many ways it is a bad idea it’s hard to know where to start: terrorists aren’t exactly stupid enough to operate under a known alias, if they are you should be able to catch them fairly quickly, what are the odds that you know someone is intending a terrorist attack while on a plane without having a more precise fix on their identity than their name, names don’t map to a single person, and then there’s the fact that the list is so widely distributed that they have to keep a lot of names off the list to avoid tipping off targets that they are on their trail.

Given my own name, I’m intensely aware of the problems with name-based identification. I still remember being “Christophe cinque” in my high school French class because there were 6 Christophe’s in the class (representing about 1/4 of the class). At that same school there was another student with the same first and last name as me (and to add to the problem we had about the same size and build, similar physical traits, our dad’s worked for the same company, etc.). This was in a school with less than 500 students. I’ve had similar problems whenever dealing with bureaucracies of managing more than a few hundred people.

This problem is magnified by the fact that certain cultures tend to have limited name space. For example, in Arab culture (bets that there are a lot of Arab names on that list?) most of the population’s first names are drawn from a very small set of names of religious and cultural figures, with an even smaller subset being the most common. As a consequence Arabs are sometimes uniquely identified by citing their family tree (“ibin X ibin Y…”). Combine that with last names being common because families are often large, and you quickly discover that with perhaps 1,000 names you could probably cover a majority of the Arab population (this probably explains how the names of 14 of the 19 dead 9/11 hijackers are on the list).

Now, one could argue that maybe the security checks are more sophisticated than the public is aware of. Maybe if they get a hit on a list that just means the TSA calls up the FBI, sends an ID number or a photo, and clears a person quickly and quietly. Even better, since these days you have to provide an ID number just to buy a ticket, these hits could be prescreened. The only problem is that CBS found 12 people named “Ralph Johnson” who are detained “almost every time they fly”. Here’s a thought: if he’s cleared to fly one time, perhaps this particular Ralph Johnson should be cleared to fly subsequent times, particularly if a new terrorist “Ralph Johnson” has yet to be identified.

The truth that we all know is that a lot of the security measures that have been instituted since the 9/11 attacks, particularly those related to air travel, serve more to instill the public with confidence about their safety rather than to provide a real security benefit. Building up the public’s confidence has been necessary because politicians and the media have been self-servingly fanning the flames of the public’s fear rather than appealing to reason. The end result is unreasonable fear and unreasonable security protocols that if anything harm public safety by increasing paranoia without providing any practical security benefit.

The government isn’t the only source of this “all show and no go” approach to security. I’ve seen news reports raising the panic flag over the realitively easy access contractors have to small quantities of cesium, freaking out of “terrorism futures” markets, and playing to xenophobia by trumpeting how US ports will be run by a UAE-based conglomerate. Appealing to the public’s irrational fears is good business, regardless of whether you are a politician tyring to convince people that only you can protect them, a news outlet trying to get eyeballs, or Roger Corman. At least in the latter case the audience knows going in that it’s just a fantasy.

It’s time for everyone in the theatre to stand up and tell the people shouting fire to shut up. We simply don’t have the resources to be waste on feel good measures that accomplish little if not nothing. Security is a business that requires the same cold and calculating process that is employed by those most successful in overcoming it.