At 6:23 AM -0600 2/15/05, Bruce Schneier wrote:
> TSA's Secure Flight
>
> As I wrote last month, I am participating in a working group to study the security and privacy of Secure Flight, the U.S. government's program to match airline passengers with a terrorist watch list. In the end, I signed the NDA allowing me access to SSI (Sensitive Security Information) documents, but managed to avoid filling out the paperwork for a SECRET security clearance.
>
> Last month the group had its second meeting.
>
> At this point, I have four general conclusions. One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)
>
> Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else's ticket, airline procedures, etc. There are so many ways for a terrorist to get around the system that it doesn't provide much security.
>
> Three, the urge to use this system for other things will be irresistible. It's just too easy to say: "As long as you've got this system that watches out for terrorists, how about also looking for this list of drug dealers...and by the way, we've got the Super Bowl to worry about too." Once Secure Flight gets built, all it'll take is a new law and we'll have a nationwide security checkpoint system.
>
> And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars.
>
> Unfortunately, Congress has mandated that Secure Flight be implemented, so it is unlikely that the program will be killed. And analyzing the effectiveness of the program in general, potential mission creep, and whether the general idea is a worthwhile one, is beyond the scope of the working group. In other words, my first conclusion is basically all that they're interested in hearing.
>
> But that means I can write about everything else.
>
> To speak to my fourth conclusion: Imagine for a minute that Secure Flight is perfect. That is, we can ensure that no one can fly under a false identity, that the watch lists have perfect identity information, and that Secure Flight can perfectly determine if a passenger is on the watch list: no false positives and no false negatives. Even if we could do all that, Secure Flight wouldn't be worth it.
>
> Secure Flight is a passive system. It waits for the bad guys to buy an airplane ticket and try to board. If the bad guys don't fly, it's a waste of money. If the bad guys try to blow up shopping malls instead of airplanes, it's a waste of money.
>
> If I had some millions of dollars to spend on terrorism security, and I had a watch list of potential terrorists, I would spend that money investigating those people. I would try to determine whether or not they were a terrorism threat before they got to the airport, or even if they had no intention of visiting an airport. I would try to prevent their plot regardless of whether it involved airplanes. I would clear the innocent people, and I would go after the guilty. I wouldn't build a complex computerized infrastructure and wait until one of them happened to wander into an airport. It just doesn't make security sense.
>
> That's my usual metric when I think about a terrorism security measure: Would it be more effective than taking that money and funding intelligence, investigation, or emergency response -- things that protect us regardless of what the terrorists are planning next. Money spent on security measures that only work against a particular terrorist tactic, forgetting that terrorists are adaptable, is largely wasted.

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'