Bruce Schneier

TSA Roundup

by Ryan Young on November 23, 2010 · 2 comments

in Nanny State, Personal Liberty, Precaution & Risk, Regulation, Tech & Telecom

The Thanksgiving travel rush is officially underway. Airports are clogged with passengers. Many of them are upset at new TSA screening policies. A new poll finds 60 percent support for full-body scanning, and just under 50 percent support for pat-downs that involve touching breasts, buttocks, and genitals.

If that sounds high, remember that most Americans don’t fly. Jim Harper also points out that the poll’s wording is biased. “Before being asked about strip-search machines, poll-takers hear cognates of “terror” three times, “privacy” once.” Wording like that skews the results in the TSA’s favor.

Unsurprisingly, many TSA employees don’t care for the new pat-down policy either. Near-constant verbal abuse and poor passenger hygiene are among their biggest complaints. There is also the matter of having to “feel inside the flab rolls of obese passengers.”

Assuming that most TSA screeners are not sex perverts, it can’t be much fun spending 8-hour shifts inspecting other peoples’ genitals. However, not all TSA employees are mentally sound. A TSA employee kidnapped a woman from Hartsfield-Jackson Atlanta International Airport and assaulted her.

This was the action of a disturbed individual, and probably unrelated to the backlash against the TSA’s new policies. Even so, that means the TSA has done more harm than good; TSA has yet to catch a single terrorist during its entire existence.

One reason is that its screeners are ineffective. Adam Savage from the television show Mythbusters accidentally arrived at airport security with two 12-inch razor blades. The TSA did not find them, despite giving him a full-body scan.

Ars Technica posts a video of Savage telling his story, and points out that ”If the TSA thinks you can hijack a plane with saline solution and nail clippers, Savage’s 12″ razor blades are the equivalent of a nuclear bomb. Since the blades weren’t anywhere near Savage’s privates, they likely would have been missed by the pat-down as well.”

At least one argument against full-body scanners does not hold ground: that the radiation dose from repeated scans can cause cancer and other illnesses. The dose of so small, that the odds of dying from the radiation exposure is roughly the same as dying in a terrorist attack. Those odds are less than 1 in 10,000,000. Passengers are over 20 times more likely to be struck by lightning.

As with any government agency, the TSA is highly politicized. ?The two companies that make the scanners have ramped up their lobbying efforts? in recent years, getting political heavyweights such as Linda Daschle (the lobbyist wife of former Sen. Tom Daschle) and Michael Chertoff to promote the scanners on Capitol Hill.

One privacy concern about full-body scans is that the images could be stored and possibly leaked on the Internet. This has already happened at a courthouse in Florida (you can see 100 of the 35,000 leaked images ?here?). But the TSA says that won’t be a problem with their scanners. Common sense says otherwise.

Their machines are unable to store images, yes. But any enterprising screener can modify them. Or he could even snap a picture of a naked image with his cell phone. Fortunately, a recent story about a Denver TSA screener who was caught masturbating is a hoax. But the very fact that it is plausible should give TSA boosters pause.

In fact, flying at 30,000 feet exposes passengers to “3 mrem of radiation, an amount that is 150 times greater than the scanner gives you before you board the same flight.”

That’s about the strongest argument in favor of the scanners. But it is outweighed by the fact that they induce some people to drive instead of fly. Since driving is more dangerous than flying, the scanners are expected, on net, to kill people.

They are not expected to actually save any lives, as security expert Bruce Schneier makes crystal clear.

It is well past time to abolish the TSA. Let airlines and airports determine their own policies. Let them compete on safety; if people think flying is dangerous, they won’t fly. Airlines have everything to lose. The TSA has no such incentive. If anything, its repeated failures are rewarded with budget increases.

Privacy Declared Public Good

by Jack O'Connor on June 19, 2009

in Privacy

Bruce Schneier, eminent cryptographer, has declared market failure. He points to what he calls a meta-problem:

Those entrusted with our privacy often don’t have much incentive to respect it . . . What this all means is that protecting individual privacy remains an externality for many companies, and that basic market dynamics won’t work to solve the problem. Because the efficient market solution won’t work, we’re left with inefficient regulatory solutions.

Privacy is indeed an externality, but customer satisfaction is an externality, too. The whole point of markets is that they help us work these things out. What Mr. Schneier has described is not a market failure but in fact the original sin of the regulator: the assumption that, though the market chose publicity, it should have chosen privacy. We can’t make that claim without evidence.

Before we go making assumptions about what homo economicus might or mightn’t choose, we should remind ourselves of some of the benefits of publicity. Search engines like Google can give me tailored results, and targeted advertising funds many of their nifty services. When TransUnion vouches for me, I can reliably get a loan from a banker I’ve never met. If I’m married with kids, insurers who know that can offer me cheaper policies. These benefits are substantial, and we should be quicker to assume that the market values them than that it has ignored the associated costs.

There are plenty of good reasons for choosing privacy, and for the most part that choice is open to us. It’s still legal to pay with cash, walk around without ID, and forgo health insurance. It can be monstrously inconvenient, but that’s the price we pay when we make unusual choices. Of course, these options may not be legal for much longer, and there are already many legally required disclosures that should include privacy requirements–car insurance and airplane tickets, for example. There’s plenty of work to be done to make sure privacy stays legal, but that’s a long way from making it mandatory.

Mr. Schneier acknowledges several of the inefficiencies of regulation, to his credit, but he misses the single largest. None of us have exactly the same priorities when it comes to privacy, but when the choice is made for us by legislation, we’re stuck with a one-size-fits-all regime. As Mr. Schneier points out himself, there are also limits to how much regulation can accomplish. A privacy violation is the act of revealing information–not using it–and without any “IRS misplaces laptop” headlines, it’s usually impossible to tell whodunnit.

And of course, that’s the real problem here. If we don’t act like private people, we won’t be private people. I don’t share Mr. Schneier’s willingness to regulate, but he is absolutely right that the reality of privacy has changed too quickly for our norms to keep up. Posting drunken photos on Facebook is one of the stupidest things we can do with a computer, yet we do it all the time, because we don’t appreciate the consequences. It’s not just a lack of judgment, either. Everyone knows not to send cash through the postal service, but most of us still don’t have the slightest clue how email works. This too shall pass.

When man discovered fire, he learned not to burn himself. When we brought electricity into the home, we learned not to shock ourselves. If and when our online indiscretions come back to haunt us, we’re going to learn the value of privacy, and how to get it. Once we do, the market will bend over backwards to sell it to us. But insulating us from the consequences of our decisions can only make things worse.  If we try to save ourselves the trouble of adjusting, if we put our chips on government to simply make the problem disappear, we won’t be ready when the stakes are a lot higher.