Unsafe Safety

by Charles Miller on August 30, 2002

There are three kinds of security. Stuff that makes you safer, stuff that doesn't really work at all, and stuff that works so badly it makes you less safe than you were before.

In Bruce Schneier's latest Crypto-Gram, he links to Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System. It's a description of how the CAPS program, a system in use in US airports since 1999 that selects people to search based on terrorist profiling, actually makes it easier for a sufficiently large and organised terrorist organisation to sneak something onto a plane.

It works like this. Say the security staff at an airport have the personnel to thoroughly search 8% of passengers. Normally, you'd have an 8% chance of being caught sneaking something through that doesn't get picked up by the metal detectors. Enter CAPS. If CAPS flags the top 6% of passengers for search (and you keep doing the remaining 2% randomly), now your chance of being caught if you're on the profile is 100%, but if you're not on the profile, your chance of being caught has dropped to 2% (strictly 2 in 94, since the random picks come from the unflagged majority, but near enough).

So all terrorists have to do is send potential attackers on three or four flights before the main event. Anyone who gets searched is dropped and replaced by someone else; whoever survives the dry runs without ever being flagged is, by construction, not on the profile, and the profile is deterministic, so they won't be flagged on the day either. The "security measure" has actually reduced their chance of discovery by a factor of four, from 8% to 2%.
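The arithmetic above can be checked with a small model. The following is an added example, not code from the original post or from the Carnival Booth paper; the search capacity (8%), profile share (6%) and the assumption that the profile is a fixed property of a person are taken from the text, while the share of the attacker pool that matches the profile and the number of dry-run flights are free parameters I chose. It computes the detection probability exactly (by conditioning on who survives the dry runs) and also confirms the figure by Monte Carlo simulation.

```python
"""Toy model of the Carnival Booth effect: probing a deterministic profile.

Constructed example; parameters are assumptions chosen to match the post.
"""
import random

SEARCH_CAPACITY = 0.08   # airport can thoroughly search 8% of passengers
PROFILE_SHARE = 0.06     # passengers flagged by the profile, always searched
RANDOM_SHARE = SEARCH_CAPACITY - PROFILE_SHARE   # the 2% still picked at random


def search_probability(on_profile: bool, caps_enabled: bool) -> float:
    """Per-flight probability that one passenger is searched.

    Without CAPS everyone faces the same 8% random search. With CAPS a
    profiled passenger is always searched and an unprofiled one only
    faces the random share (the post's 2%; a stricter model would use
    2/94 because the random picks come from the unflagged population).
    """
    if not caps_enabled:
        return SEARCH_CAPACITY
    return 1.0 if on_profile else RANDOM_SHARE


def naive_attacker_risk(p_on_profile: float, caps_enabled: bool) -> float:
    """Detection probability for an attacker sent on the very first flight,
    drawn from a pool in which a fraction p_on_profile matches the profile."""
    return (p_on_profile * search_probability(True, caps_enabled)
            + (1 - p_on_profile) * search_probability(False, caps_enabled))


def carnival_booth_risk(p_on_profile: float, caps_enabled: bool,
                        probe_flights: int):
    """Detection probability on the real flight after every candidate has
    flown probe_flights dry runs and been discarded if searched even once.

    The survivors' profile mix follows from Bayes' rule: weight each group
    by its prior share times its chance of never being searched. Returns
    None when no candidate can survive (e.g. the whole pool is profiled).
    """
    def survive(on_profile: bool) -> float:
        return (1 - search_probability(on_profile, caps_enabled)) ** probe_flights

    w_on = p_on_profile * survive(True)
    w_off = (1 - p_on_profile) * survive(False)
    if w_on + w_off == 0:
        return None
    posterior_on_profile = w_on / (w_on + w_off)
    return naive_attacker_risk(posterior_on_profile, caps_enabled)


def simulate(p_on_profile: float, caps_enabled: bool, probe_flights: int,
             trials: int, seed: int = 1) -> float:
    """Monte Carlo cross-check of carnival_booth_risk with a seeded RNG."""
    if carnival_booth_risk(p_on_profile, caps_enabled, probe_flights) is None:
        raise ValueError("no candidate can survive the dry runs")
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        # Keep drawing candidates until one passes every dry run unsearched.
        while True:
            on_profile = rng.random() < p_on_profile
            p_search = search_probability(on_profile, caps_enabled)
            if all(rng.random() >= p_search for _ in range(probe_flights)):
                break
        # The survivor flies the real attack.
        if rng.random() < search_probability(on_profile, caps_enabled):
            caught += 1
    return caught / trials


if __name__ == "__main__":
    pool = 0.5   # assume half the organisation's candidates match the profile
    print("no CAPS, first flight:      ", naive_attacker_risk(pool, False))
    print("CAPS, first flight:         ", naive_attacker_risk(pool, True))
    print("CAPS, after 3 dry runs:     ", carnival_booth_risk(pool, True, 3))
    print("no CAPS, after 3 dry runs:  ", carnival_booth_risk(pool, False, 3))
    print("CAPS, 3 dry runs, simulated:", simulate(pool, True, 3, 20000))
```

Two things the numbers make plain: with CAPS switched on, even a single dry run drives the attack-day risk from a blended figure down to the 2% random share, four times lower than the 8% a purely random regime gives; and without a profile, dry runs buy the attacker nothing, because survivors are no less likely to be searched than anyone else.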

