Airport kabuki: Bruce Schneier on “security theater”

Lynne Kiesling

Bruce Schneier is one of the most thoughtful, knowledgeable security experts in the world, and he’s been constructively critical of the TSA’s airport policies and procedures for quite some time (so have I, but I have nothing like his expertise or his street cred). You may have seen Jeffrey Goldberg’s November 2008 Atlantic article, in which Schneier and Goldberg burst Swiss-cheese holes in the TSA’s policies and practices. In this article and other writings, Schneier describes the TSA’s policies and practices as “security theater”, intended to assuage an anxious traveling public without actually doing anything meaningful or substantive to ensure sufficient reduction in the probability of a terrorist attack using airports or airplanes.

Now Katharine Mangu-Ward has an interview with Schneier in Reason, and it’s well worth reading. The good news is that the TSA will phase out the small liquids policy (although until the UK does the same my travel will still involve stupid, pointless plastic bags of tiny bottles); can we expect some reasonable removal of the ludicrous shoe policy to follow? I certainly hope so.

Here’s one of my favorite parts of the article:

Reason: What would success look like for the TSA? If you were made King of Airport Security tomorrow and given the entire current budget of the TSA to do whatever you wanted, what kind of system would you design?

Schneier: If I were in charge of the TSA’s budget, I’d give most of it back. Politically, I wouldn’t be able to, of course, but it would be the best thing to do. Spending money on airport/airplane security only makes sense if the bad guys target airplanes. In general, money spent defending particular targets or tactics only makes sense if we can guess them correctly. If tactics and targets are scarce, defending against specific ones makes us safer. If tactics and targets are plentiful—as they are—it only forces the bad guys to pick new ones. Spending money on intelligence, investigation, and emergency response is effective regardless of the tactic or the target. Airport security is a last line of defense, and not a very good one at that. We need to remember that at budget time.

Schneier, unlike the TSA management, is capable of making reasoned, and reasonable, assessments of relative risk. This relative risk assessment is crucial for getting the most bang from the taxpayer’s money that is spent on security. Schneier argues that much of the TSA budget is better spent on “intelligence, investigation, and emergency response”. Schneier is also very effective at communicating the importance of making those relative risk assessments, and at communicating the necessity of evaluating and making tradeoffs instead of seeing security as a binary absolute. The TSA management could learn a thing (or a few!) from Schneier, both on substance and on communicating ideas.

That said, I’m confused by what I think is a false dichotomy he creates here:

Reason: What’s your reaction when you hear people say that we live in a “security state”?

Schneier: We live in an information state, which is subtly different. All computer processes produce data as a byproduct. As more parts of our lives are mediated by computers, more personal information about us is produced. This information is collected, and then bought and sold, by other institutions, both government and commercial, without our knowledge and consent. Some of this is driven by security concerns, but a lot of it is driven by economics. The problem is that personal data is looked at as property, which can be bought and sold, instead of as a right. Long term, we need to fix that.

I don’t understand the “property instead of a right” distinction. I can reconcile this “instead of” by saying that personal data are property, but they are the property of the individual to whom the data pertain. Therefore, individuals have rights to retain their data, access their data, and prevent others from accessing their data. Isn’t that approach consistent with the way we treat rights to personal data, and other personal property, in other situations?

4 thoughts on “Airport kabuki: Bruce Schneier on “security theater”

  1. I think what Bruce is getting at is that people who collect data about others assume that the data is *their* property, and not ultimately the property of the people to whom the data pertains.

  2. I think Schneier’s point gets a little jumbled by his working out of the conventional, but muddled, distinction between “property rights” and “human rights” (here reduced to just “property” and “rights”).

    By “Long term, we need to fix that,” Schneier may be suggesting that the property right in data about a person should be held by the person to whom the data pertain (drawing on Cheryl’s phrasing).

    While the statement may be appealing on the surface, it leaves a large range of issues unsettled and I think it is unlikely to be the best division of rights. I’m more in favor of the current status quo division of rights, which I take to allow both parties a (non-exclusive) right to any data they collect about the transaction. Of course, parties should be free to negotiate other allocations of property rights in any data collected from prospective transactions.

  3. Don’t be sucked into this guy’s views – he likely has a hidden agenda and a personal axe to grind with TSA. He was a TSA consultant some time ago, so his perspective is very much in question, as far as I’m concerned. He’s also got a book out, and he’s been making the rounds on the media. I suspect a great amount of his criticism of TSA is more geared towards advancement of his own book sales than any concern for safety or security. (Do you find it odd that he’s such a harsh critic of an agency he did consultancy work for? I guess his consultancy work didn’t pan out, eh?) And as far as the author of THIS article calling the shoe policy “ludicrous” when it’s been established that Richard Reid’s shoebomb was a functional explosive device?

  4. Jay,

    You should do some research before you say such things. Bruce Schneier is one of the most knowledgeable, analytical, technical security experts in the world, and has been so for over two decades. His work in cryptography is unsurpassed. And his criticism of the TSA is entirely consistent with my experience with the TSA, and the experiences of many others.

    I stand by my claim that shoe removal requirement is ludicrous. It symbolizes the TSA’s inability to perform relative risk assessment *from the point of view of the traveling public*. It fails to take into account the inconvenience and time lost to all of us, in return for which we get “protection” from a highly improbable and low-impact event. It also fails to take into account the heightened sensitivity of air passengers to unusual behavior on the plane, and the fact that we’d pound the snot out of an attempted shoe bomber. In fact, isn’t that what happened to Reid?

Comments are closed.