Borderline Security Theatre Performing asymmetric risk with no-fly lists and biometric identification Andrew Clement Information Policy Research Program Identity, Privacy & Security Initiative Fac. of Information Studies, Univ of Toronto Presentation, Documentation and Mediation New Sciences of Protection IAS, Lancaster University Mar 14, 2008


Page 1:

Borderline Security Theatre
Performing asymmetric risk with no-fly lists and biometric identification

Andrew Clement
Information Policy Research Program
Identity, Privacy & Security Initiative
Fac. of Information Studies, Univ of Toronto

Presentation, Documentation and Mediation New Sciences of Protection
IAS, Lancaster University
Mar 14, 2008

Page 2:

Some notably ‘UnSafe’ persons

Ted Kennedy (US Senator)
– Name match > flight boarding difficulties (x5)

Yusuf Islam (singer, peace advocate)
– aka ‘Cat Stevens’
– Removed en route from UK>US flight (2004)

Ann Wright (Colonel, US Army Ret’d)
– On FBI ‘criminal’ list > denied Canadian entry

Maher Arar (Canadian engineer)
– ‘Person of interest’ > ‘extraordinary rendition’

Page 3:

Less publicized ‘UnSafe’ persons

Some other Canadian citizens recently denied entry to the US:
• Karim Meziane, physicist, Univ of New Brunswick (2004)
  – CAUT gets about 12-24 of these kinds of complaints a year.
• Muzaffar Iqbal, chemist (2003)
• Mohamed Hassan Mohamed, PhD student, U of Alberta (2003)
• John Clarke, Canadian anti-poverty activist, in 2002
• Ahamad Kutty, Muslim cleric (2003)
• Andrew Feldmar, Psychiatrist (2007)

People named:
• Bill Graham, T. (E.?) Kennedy, John Lewis, Patrick Martin, James Moore, David Nelson, Robert Johnson, …

Plus many (30,000++) more

The US government's ‘terrorist screening database flagged Americans and foreigners as suspected terrorists almost 20,000 times’ in 2006, but with few arrests or detentions. (Washington Post, Aug 25, 2007)

Page 4:

Observations - I

‘Nothing to hide, nothing to fear’?

Let’s bury this myth!

Reflect a pre-emptive ‘war on terrorism’

See Illusions of Security, by Maureen Webb

Are we safer with these measures?

Let’s look at no-fly lists

Page 5:

No-fly basics

1. PNR reservation data > security agency

2. Analysis & vetting against watch lists

3. Data back to airline

4. Check-in screening

Board flight or Detained

Page 6:

The future of airport ‘security’?

[Diagram: situational awareness and risk management support. An individual in the line/lounge is observed by visible band and IR band cameras (pre-screening); at screening, visible band and IR band cameras and a voice analyzer feed dialog support and decision-making support for the officer. Pre-screened and screened data are processed to form the person’s file, backed by a global database, for decision making. Level 3: Works for detection of early warning information.]

Dr. Svetlana N. Yanushkevich, IPSI lecture, slide #5, October 2007

Page 7:

U.S. No-fly operations

Airline passenger profiling schemes
– Computer-Aided Passenger Pre-screening System (CAPPS) 1997-
– Computer-Aided Passenger Pre-screening System (CAPPS - II) 2002-04 (never implemented)
– Secure Flight 2004- ?? (not yet implemented)

Plagued by policy controversy and implementation difficulties

ACLU concerns about:
– Ineffectiveness
– Lack of due process and redress
– ‘Mission creep’
– Unreliable watch lists

Page 8:

Canada’s ‘Passenger Protect’

Implemented by Transport Canada, June 18, 2007

If name, age, gender matched on ‘Specified Persons List’ (‘individuals who may pose an immediate threat to aviation security’) could be denied boarding

Applies to anyone ‘who appears to be 12 years of age or older.’

Appeals to Office of Reconsideration (OOR) + …

“Too dangerous to fly, but too innocent to arrest?” - Lyon, June 5, 2007

Page 9:

Biometric Basics

A Biometric system has three basic functions:

Enrolment is the process of establishing a template for a particular real world entity (Clarke, 1994)

Authentication involves the one to one (1:1) match of a claimed identity to one in the system database. Authentication is a true/false test for identity that compares the input at the user interface to a specific template

Identification is the process of recognizing a real world entity (Clarke, 1997). Unlike authentication, where the system checks the new input against a single specific template, identification requires the system to check an unknown against all of the templates in its database (1:N). Identification is a specific function of biometric systems.
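The three functions above, as an added sketch that is not part of the original presentation. The feature vectors, the Euclidean distance measure, the 0.15 match threshold and all names are constructed assumptions for illustration.

```python
import math

class BiometricSystem:
    """Toy biometric system; templates are constructed feature vectors."""

    def __init__(self, threshold):
        self.threshold = threshold  # assumed maximum distance counted as a match
        self.templates = {}         # identity -> stored template

    def enrol(self, identity, samples):
        """Enrolment: average several captured samples into one template."""
        n = len(samples)
        self.templates[identity] = tuple(sum(axis) / n for axis in zip(*samples))

    def authenticate(self, claimed_identity, probe):
        """1:1 true/false test against the claimed identity's template only."""
        template = self.templates.get(claimed_identity)
        if template is None:
            return False
        return math.dist(template, probe) <= self.threshold

    def identify(self, probe):
        """1:N search: compare the unknown against every stored template."""
        scored = sorted((math.dist(t, probe), who)
                        for who, t in self.templates.items())
        # Every template within the threshold is a candidate, nearest first.
        return [who for d, who in scored if d <= self.threshold]


def build_demo_system():
    """Enrol three constructed identities (sample values are made up)."""
    system = BiometricSystem(threshold=0.15)
    system.enrol("alice", [(0.10, 0.80, 0.30), (0.12, 0.78, 0.32)])
    system.enrol("bob", [(0.70, 0.20, 0.50), (0.72, 0.22, 0.48)])
    system.enrol("carol", [(0.20, 0.70, 0.40), (0.22, 0.72, 0.38)])
    return system


ALICE_PROBE = (0.13, 0.77, 0.33)     # constructed fresh capture from alice
STRANGER_PROBE = (0.50, 0.50, 0.90)  # constructed capture, never enrolled

if __name__ == "__main__":
    s = build_demo_system()
    print("1:1 alice as alice:", s.authenticate("alice", ALICE_PROBE))
    print("1:1 alice as bob:  ", s.authenticate("bob", ALICE_PROBE))
    print("1:N alice probe:   ", s.identify(ALICE_PROBE))
    print("1:N stranger probe:", s.identify(STRANGER_PROBE))
```

With these constructed values the 1:N search on Alice's probe returns two candidates, alice and carol, because every enrolled template within the threshold counts as a match rather than only the claimed one.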

Page 10:

Biometric travel documents

Smart Borders (Canada-US)
– Common standards for (multiple) biometric identifiers (Dec 2001)

ICAO (International Civil Aviation Organization)
– “... If a state is putting biometrics on its travel documents, the incorporation of a facial image is mandatory …” (May 19, 2003)

US-VISIT (based on USA PATRIOT Act)
– Digital scans of both index fingers and facial image are required of non-Americans (January 5, 2004)

UK Biometric Passport & ID card (2006+?)
– Facial image stored on an embedded RFID chip

EU Proposed biometric ID
– Finger print and facial image - 'Draft Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States'.


Page 11:

Which 9/11 attackers would pass?

American Airlines #11

American Airlines #77

United Airlines #93

United Airlines #175

Page 12:

London bombers? (July 7, 2005)

Mohammad Sidique Khan, 30

Hasib Mir Hussain, 18

Shehzad Tanweer, 22

Germaine Lindsay

Can any ID scheme catch attackers like these?

No!

Page 13:

It’s not about identity

Everyone with a ‘clean’ record passes
– Most 9/11 & London attackers had NO record of suspicion
– Terrorist training manual: “fit in” as “normal”
– Can repeatedly test screening system, then only need to pass once!

“The positive identification of individuals does not equate to trustworthiness or lack of criminal intent.” (emphasis in original)

(Ben Shneiderman, USACM testimony at the Congressional Hearings on National Identification Card Systems, Nov 2001)

Page 14:

Applying the Four Part Test

The burden of proof must always be on those who claim that some new intrusion or limitation on privacy is necessary. Any proposed [security] measure must meet a four-part test:

1. Necessary: It must be demonstrably necessary in order to meet some specific need

2. Effective: It must be demonstrably likely to be effective in achieving its intended purpose. In other words, it must be likely to actually make us significantly safer, not just make us feel safer.

3. Proportionate: The intrusion on privacy must be proportional to the security benefit to be derived.

4. Minimal: and it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose.

Privacy Commissioner of Canada, Nov’02, derived from Oakes

Page 15:

Observations - II

Security vs. Civil Liberties?

If there is no clear case for a security gain, then don’t concede a civil liberties tradeoff!

Page 16:

This is Security Theatre (or worse)

Security Theatre: “… ostensible security measures which have little real influence on security whilst being publicly visible and designed to show that action is taking place.”

See: Schneier, Bruce. Beyond Fear: Thinking Sensibly about Security in an Uncertain World, Copernicus Books, 2003, p. 38

Page 17:

Designing Safe Traveling

Refuse no-fly & biometric ID security measures unless demonstrably effective and safe
– independent assessment of efficacy and safety
– adequate legal framework based on the rule of law
  • openness, transparency, presumption of innocence
– adequate remedies and effective oversight
  • expeditious complaint and redress process, breach notification

Resistance, agit-prop, travelers rights, …
– e.g. www.passageoublie.org

Page 18:

More generally, we need:

Intelligent public discussion of risk
– The threat of terrorism is almost negligible in comparison to more normalized ones (e.g. auto travel)

Understanding the dynamics of animosity
– how generated
– how mitigated
– how avoided….