Bruce Schneier is one of the most thoughtful, knowledgeable security experts in the world, and he’s been constructively critical of the TSA’s airport policies and procedures for quite some time (so have I, but I have nothing like his expertise or his street cred). You may have seen Jeffrey Goldberg’s November 2008 Atlantic article, in which Schneier and Goldberg burst Swiss-cheese holes in the TSA’s policies and practices. In this article and other writings, Schneier describes the TSA’s policies and practices as “security theater”, intended to assuage an anxious traveling public without actually doing anything meaningful or substantive to ensure sufficient reduction in the probability of a terrorist attack using airports or airplanes.
Now Katharine Mangu-Ward has an interview with Schneier in Reason, and it’s well worth reading. The good news is that the TSA will phase out the small liquids policy (although until the UK does the same my travel will still involve stupid, pointless plastic bags of tiny bottles); can we expect some reasonable removal of the ludicrous shoe policy to follow? I certainly hope so.
Here’s one of my favorite parts of the article:
Reason: What would success look like for the TSA? If you were made King of Airport Security tomorrow and given the entire current budget of the TSA to do whatever you wanted, what kind of system would you design?
Schneier: If I were in charge of the TSA’s budget, I’d give most of it back. Politically, I wouldn’t be able to, of course, but it would be the best thing to do. Spending money on airport/airplane security only makes sense if the bad guys target airplanes. In general, money spent defending particular targets or tactics only makes sense if we can guess them correctly. If tactics and targets are scarce, defending against specific ones makes us safer. If tactics and targets are plentiful—as they are—it only forces the bad guys to pick new ones. Spending money on intelligence, investigation, and emergency response is effective regardless of the tactic or the target. Airport security is a last line of defense, and not a very good one at that. We need to remember that at budget time.
Schneier, unlike the TSA management, is capable of making reasoned, and reasonable, assessments of relative risk. This relative risk assessment is crucial for getting the most bang from the taxpayer’s money that is spent on security. Schneier argues that much of the TSA budget is better spent on “intelligence, investigation, and emergency response”. Schneier is also very effective at communicating the importance of making those relative risk assessments, and at communicating the necessity of evaluating and making tradeoffs instead of seeing security as a binary absolute. The TSA management could learn a thing (or a few!) from Schneier, both on substance and on communicating ideas.
That said, I’m confused by what I think is a false dichotomy he creates here:
Reason: What’s your reaction when you hear people say that we live in a “security state”?
Schneier: We live in an information state, which is subtly different. All computer processes produce data as a byproduct. As more parts of our lives are mediated by computers, more personal information about us is produced. This information is collected, and then bought and sold, by other institutions, both government and commercial, without our knowledge and consent. Some of this is driven by security concerns, but a lot of it is driven by economics. The problem is that personal data is looked at as property, which can be bought and sold, instead of as a right. Long term, we need to fix that.
I don’t understand the “property instead of a right” distinction. I can reconcile this “instead of” by saying that personal data are property, but they are the property of the individual to whom the data pertain. Therefore, individuals have rights to retain their data, access their data, and prevent others from accessing their data. Isn’t that approach consistent with the way we treat rights to personal data, and other personal property, in other situations?