Searching for Airline Security

Monday, November 22, 2010

Robert Gezelter

7e6249b5c7f6b63c28587c820b16edcb

The US Transportation Security Administration (TSA) implementation of enhanced security for air travelers has raised a well-spring of protest. What has been absent from the conversation has been a full discussion of the efficacy of these measures versus the risks.

The TSA has initiated full-body imaging and pat-down searches to prevent terrorists from smuggling hidden explosives and weapons onto aircraft. While these techniques raise the bar, they are by no means “silver bullets.” These search techniques are point solutions; they are highly invasive; and they have an as yet uncertain efficacy.

All security checks inherently involve trade-offs. The benefits of a security measure must be weighed against its costs and risks. In computer security, an old saw is that the most secure computer is one with its power source disconnected. While a powered-down computer is undoubtedly secure, it is also non-functional. It is thus useless.

The recent deployment of imaging scanners raises many questions. I have not personally seen reliable answers to these questions. While some of these questions may not be easily answered, I personally find the lack of information troubling.

Many full body imaging scanners use so-called “soft X-rays” to see through outer clothing. The goal is to make it impossible to secret weapons and explosives under clothing. In effect, the resulting picture is a picture of the individual naked. Thus, these images have been described as a “virtual strip search” with some justification.

Clearly, this is invasive and strips the individual of privacy and dignity. As offensive as this is, there would be some justification if the results were actual security. However, if the procedure is ineffectual, people's privacy and dignity are discarded on an altar before the false idol of security theatre, which is nothing but legerdemain.

Much of the discussion concerning soft-X-ray and backscatter imaging has focused on the privacy impact of such devices. In the UK, the explicit nature of the images provoked legal challenges that the images of children would violate the statutes criminalizing the production of child pornography .[1]

The question should be: Are these measures effective? What is the history of strip searches in preventing contraband materials? The answer is far from reassuring.

Regrettably, the best example of the efficacy of strip searches at will is prisons. Prison security personnel are free to search prisoners far beyond the virtual strip search that is being proposed, which stops at the skin. Prison security personnel are free to do full-body cavity searches.

One might think that such searches prevent drugs, cell phones, and other contraband from getting though. Yet it is well documented that this is not the case. This is not a new revelation; it is the experience of hundreds of years of experience with prisoners.

The nude imagery of the full body scans has occasioned the most comment. Members of Congress have objected that “nobody is going to see my [wife, daughter, sister, mother] naked.” I applaud their chivalry. However much as their chivalry is heartfelt and appreciated, considered opposition on the technical merits would be more appreciated.

Ensuring the security of aircraft and their passengers is a difficult challenge. However, the creation of wholesale pervasive surveillance of the traveling public is of questionable efficacy, and dramatically damages our society without producing plausible benefit.

Body scans have another flaw, similar to many IT security problems. They are an example of an enumerated threat. An enumerated threat is one specific threat. Rather than saying “Verify that the code is correct”, one attempts to enumerate the different ways that the code can fail. The resulting checklist may be educational, but it is almost certainly incomplete, limited by the imagination and past experiences of those producing the enumeration.

However, the focus on modesty and the images is a distraction that obscures two critical questions:

  • Does such imaging decrease the threat posed by those wishing to smuggle explosives and weapons aboard airliners?
  • Does repeated scanning have health implications for the traveling public? Similarly, are there hazards for airport and other aviation industry personnel who can reasonably be assumed to traverse the checkpoints several times/day?

The first question is the easiest to answer. While I freely admit that I am not an expert on this technology, I have significant questions. All accounts that I have seen have spoken about concealed weapons and explosives underneath clothing or otherwise secreted on the outside of the body.

These same accounts state that the devices do not have the capability to see materials secreted in body orifices. To see materials secreted inside of the body would require a far higher radiation exposure.

This raises the obvious question: Do terrorists have a documented history of using measures that would remain undetected by such a scan. After all, one has to presume that someone secreting an explosive onto an airplane has presumed that their mission is not survivable. Regrettably, the question must be answered in the affirmative.

In August 2009, there was an assassination attempt against Prince Mohammed bin Nayef, a senior member of the Saudi counterterrorism organization and a member of the Saudi royal family. Some have reported that his assailant, Hassan al-Asiri, brother of reported al Queda bomb maker Ibrahim Hassan al-Asiri, secreted an explosive device within his person.[2] Since this was a suicide mission, there was no need to physically access the detonator; reportedly the device was detonated using a cellular telephone signal.

Thus, it is clear that those wishing to do harm are perfectly willing to secret such devices within recruits' bodies, beyond the reported reach of surface scanning technologies.

Repeated scanning should be simpler to assess. While I am not trained in radiation safety, I well remember an earlier, pre-digital photography encounter with “low-dose” X-ray technology. In the pre-digital photography era, the X-ray scanners for belongings were alleged to be film safe.

Over time this advice was rescinded, first for high-speed (ASA 400) films; then for travelers whose photographic equipment would pass through multiple X-ray systems. This brings up an important technical point that has been known for some time: radiation exposure is cumulative.

The problem with exposing people to X-rays is not the vacation traveler who encounters one of the scanners once or twice a year. For them, the exposure may well be orders of magnitude lower than a routine dental X-ray. Rather, the problem is with frequent travelers and aviation industry workers, who will often be subject to scanning multiple times per day, many days of the year.

Outside of security, we see a similar phenomenon with paintings. Even those collections that permit photography using ambient lighting often have strict prohibitions on photography using any kind of flash. It is not the effect of a single flash that is the hazard; it is the cumulative effect of thousands upon thousands of flashes over the years that is the concern.

On November 20, 2010, John McGaw, the founding Administrator of the Transportation Security Administration obliquely referred to this problem when he referred to precisely the same cohort; extremely frequent travelers, as a possible concern, during an interview on ABC’s Good Morning America.

Even if the radiation dose from the X-ray scanner is 0.1% of the radiation dose of a chest X-ray, this is a concern. Consider a business traveler who travels 200 days/year. Alternatively, consider those workers who never leave the ground, but work in the vicinity of or must go through the scanners regularly.

Even though many airports have central security screening operations, there still remain main airports, including many hubs, where changing planes almost always forces one to go out of the secured area and then enter a different secured area. Thus, a round-trip may require four or more encounters with screening. In 200 trips, that can mean 800 scans per year.

Flight crews and ground personnel who go back and forth during the day have an even worse problem. They could easily need to be scanned several times per day without setting foot in an aircraft. Delivering supplies to stores in the secured area requires going through the checkpoint. Worst off may be those workers, including TSA personnel, who work in the vicinity of the scanners. While radiation exposure decreases according to the inverse of distance, these personnel will be spending the majority of their day in close proximity to these devices.

Following extensive protests that searching pilots for weapons when they will shortly have control of an aircraft has now exempted pilots in uniform with proper ID from full body scans. Other flight crew members were not included in this exemption.[3]

Radiation exposure is radiation exposure. The category does not matter. Having 800 scans from TSA, plus a chest X-ray is cumulative (using the 0.1% number, the exposure would be approximately two chest X-rays). The deployment of these measures was triggered by a failed attempt this past Christmas Eve (2009) to detonate a bomb onboard a Northwest Airlines flight from Amsterdam to Detroit.

The facts surrounding the Christmas Day episode are well-published. On Christmas Day, Northwest Airlines Flight 253 from Schlipol Airport outside Amsterdam to Detroit Metropolitan Airport outside Detroit was the target of an attempted bombing while approaching its destination.

Umar Farouk Abdulmutallab, a 23-year old Nigerian national attempted to detonate an explosive device secreted in his under shorts. Fortunately, the device failed to detonate, instead starting a fire that was extinguished by the passengers and cabin crew. Mr. Abdulmutallab was then restrained by those on the scene until the aircraft landed, where Federal authorities took custody. As a response to this incident, numerous procedures were initiated, including:

  • pat downs
  • passengers restricted to their seats for the last hour
  • shutdown of map display systems
  • no access to carry-on luggage for the last hour

It is worth noting that it is unlikely that any of these published steps would have prevented the Christmas Eve 2009 episode. On the contrary, it is becoming clear that intelligence information was not properly correlated[4] including:

  • last minute ticket purchased for cash
  • no luggage
  • indications that a Nigerian was involved in an attack plan
  • a warning from the suspect’s father that his son was radicalized

My recollection is that all of these factors were long identified as factors that should arouse suspicion. Admittedly, they are not determinative, as it is not unusual for business travelers to make last minute, one way flight arrangements and travel with little luggage.

Bruce Schneier, Chief Technology Security Officer for BT, has often observed that security theatre (or theatrics) can be counterproductive; resources are expended without truly increasing security. Costly scanners that invade privacy, and expose the innocent to health challenges while not accomplishing the purpose intended, take this discussion to a whole new level.

In the past, “security theatre” has been non-productive and annoying, but has not created health hazards. In the case of X-ray scanning of people, we may have crossed the line where the scanning-imposed health hazard to the traveling public and aviation workers exceeds the efficacy of the “security” measure.

[Author's Note: Much of the preceding was written shortly after the Christmas Eve 2009 bombing attempt; I held it from posting in the vain hope that reason would prevail.]

Notes [1] BBC (2010, March 29) “Children ‘must use body scanners’” [2] Peter Bergen (2009, September 30) “Saudi investigation: Would-be assassin hid bomb in underwear” [3] Mike Ahlers and Jeanne Meserve (2010, November 19) “U.S. pilots to get speedier screening procedures” [4] Dan Eggen, Karen DeYoung and Spencer S. Hsu (2009, December 27) “Plane suspect was listed in terror database after father alerted U.S. officials”

References

Reproduced from Searching for Airline Security, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.
Possibly Related Articles:
8810
Security Strategies Security Airport Search and Seizure
Post Rating I Like this!
Default-avatar
Aldo Kho

Full body scanning device pictures of personal individuals made it to the Internet today. The leak of the full body scanner pictures occurred after a U.S. Marshall in FL saved and stored more than 35,000 of the images. As the body scanning issue as grown more heated, The Transportation Security Administration has been assuring air travelers that the images are never saved for future prying eyes.
1291094669
Default-avatar
J J You sir, are analyzing the complete wrong problem with TSA. Remember that the machine is no more effective than the person using it, and the people the TSA employs are often recruited from places like retail stores, then work for about $10/hr.
How effective could any measures be?

No, if anyone is going to stop a terrorist attack, it's going to be the passengers themselves. The minute something happens, they will tear the attackers apart limb from limb if necessary.

Looked at from a systematic standpoint, we are wasting our money on anything coming out of the TSA. Only when airlines are able to hire their own security again will the situation become sane again.
1291273102
7e6249b5c7f6b63c28587c820b16edcb
Robert Gezelter JJ,

Thank you for your comment.

By no means did I mean to exclude questions relating to personnel. Without exaggeration, one could write volumes on the whole question of airline security. In this posting, I chose to focus on the use of the full-image scanners.

Giving control back to the airlines is not likely to correct the issue. TSA was created after the 9/11 hijackers went through security run by the airlines.

Rather, the major thrust is that the latest round of measures have risks and do not accomplish their stated goal. Measures to reassure undeniably have a benefit for many who seek psychological reassurance that something is being done. However, when such "security theater" has the potential to cause harm, either physical or psychological, there must be a balance.

Full-image scanning would appear to be a case where the costs are high (monetarily and psychologically) and the effectiveness is of question.
1291289040
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.