Clickstream

TSA Uses Data Warehousing to Further Terrorism: A Lesson in How Not to do Security

From the last post, I was asked "how is the TSA's no-fly list less secure than not having a list?" Because maintaining a predetermined list that is uniform (uniformly wrong if you're David Nelson) rather than performing random checks of passengers means there are ways to use the system against itself.

The government has tipped its hand as to who is interesting. If a group of people wants to infiltrate flights or travel incognito, all that is necessary is to obtain fake IDs and travel to see which IDs attract attention and which don't. Spending some time and money, a group can try different combinations of activity as well. For example, buy one-way tickets, pay cash for a round trip, book from rural to metropolitan airports and see which segments are flagged.

Knowing what the TSA considers important, it's possible to obtain safe fake IDs and fly under the TSA's radar.

To make matters worse, if you want to divert security's attention and resources, simply send someone with ID that is guaranteed to be flagged to the airport when you go. You can bring your favorite plague-and-bomb kit while the person with the "bad" ID has nothing but nail clippers.

Contrast this with random searches. If it's random, the system can't be gamed. It is more difficult to anticipate who will be targeted for searches or what activities, if any, will attract attention. As an added benefit, we avoid the false sense of security caused by the belief that the bad ones have been weeded out in the trusty TSA data warehouse.

We need security based on sound principles, not on the assumption that terrorists are unsophisticated goofs or that computers and databases can't contain mistakes. This is one data warehouse I'd like to see decommissioned.

Posted by Mark Wednesday, July 09, 2003 8:27:00 PM | permalink |