Awash in Wasted Cash

Draconian obsession with travel security still part of flight

Since Sept. 11, 2001, our nation has been obsessed with air-travel security. Terrorist attacks from the air have been the threat that looms largest in Americans’ minds. As a result, we’ve wasted millions on misguided programs to separate the regular travelers from the suspected terrorists—money that could have been spent to actually make us safer.

Consider CAPPS and its replacement, Secure Flight. These are programs to check travelers against the 30,000 to 40,000 names on the government’s No-Fly List, and another 30,000 to 40,000 on its Selectee List.

They’re bizarre lists: people—names and aliases— who are too dangerous to be allowed to fly under any circumstance. Yet they are so innocent that they cannot be arrested, even under the draconian provisions of the Patriot Act. The Selectee List contains an equal number of travelers who must be searched extensively before they’re allowed to fly. Who are these people, anyway?

The truth is, nobody knows. The lists come from the terrorist screening database, a hodgepodge compiled in haste from a variety of sources, with no clear rules about who should be on it or how to get off it. The government is trying to clean up the lists, but—garbage in, garbage out—it’s not having much success.

The program has been a complete failure, resulting in exactly zero terrorists caught. And even worse, thousands (or more) have been denied the ability to fly, even though they’ve done nothing wrong. These denials fall into two categories: the “Ted Kennedy” problem (people who aren’t on the list but share a name with someone who is) and the “Cat Stevens” problem (people on the list who shouldn’t be). Even now, four years after 9/11, both these problems remain.

I know quite a lot about this. I was a member of the government’s Secure Flight Working Group on Privacy and Security. We looked at the Transportation Security Administration’s program for matching airplane passengers with the terrorist watch list and found a complete mess: poorly defined goals, incoherent design criteria, no clear system architecture and inadequate testing. (Our report was on the TSA Web site, but has recently been removed—“refreshed” is the word the organization used—and replaced with an executive summary that contains none of the report’s findings. The TSA did retain two rebuttals, which read like products of the same outline and dismiss our findings by saying that we didn’t have access to the requisite information.)

Our conclusions match those in two reports by the Government Accountability Office and one by the Department of Homeland Security inspector general.

Alongside Secure Flight, TSA is testing Registered Traveler programs. There are two: one administered by the TSA, and the other a commercial program from Verified Identity Pass called Clear. The basic idea is that you submit your information in advance, and if you’re OK—whatever that means—you get a card that lets you go through security faster.

Superficially, it all seems to make sense. Why waste precious time making Grandma Miriam from Brooklyn empty her purse when you can search Sharaf, a 26-yearold who arrived last month from Egypt and is traveling without luggage?

The reason is security. These programs are based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That’s simply not true.

What these programs do is create two different access paths into the airport: high-security and low-security. The intent is to let only good guys take the low-security path and to force bad guys to take the high-security path—but it rarely works out that way. You have to assume that the bad guys will find a way to exploit the low-security path. Why couldn’t a terrorist just slip an altimeter-triggered explosive into the baggage of a registered traveler?

It may be counterintuitive, but we are all safer if enhanced screening is truly random and not based on an error-filled database or a cursory background check.

The truth is, Registered Traveler programs are not about security; they’re about convenience. The Clear Program is a business: Those who can afford $80 per year can avoid long lines. It’s also a program with a questionable revenue model. I fly 200,000 miles a year, which makes me a perfect candidate for this program. But my frequent-flier status already lets me use the airport’s fast line and means that I never get selected for secondary screening, so I have no incentive to pay for a card. Maybe that’s why the Clear Pilot Program in Orlando, Fla., only signed up 10,000 of that airport’s 31 million annual passengers.

I think Verified Identity Pass understands this and is encouraging use of its card everywhere: at sports arenas, power plants, even office buildings. This is just the sort of mission creep that moves us ever closer to a “show me your papers” society.

Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors and passengers who now know that they may have to fight back. Everything else—Secure Flight and Trusted Traveler included—is security theater. We would all be a lot safer if, instead, we implemented enhanced baggage security— both ensuring that a passenger’s bags don’t fly unless he does, and explosives screening for all baggage— as well as background checks and increased screening for airport employees.

Then we could take all the money we save and apply it to intelligence, investigation and emergency response. These are security measures that pay dividends regardless of what the terrorists are planning next, whether it’s the movie plot threat of the moment, or something entirely different.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3