hops
Member
I like Cringley's CAPPSII comparison to the Magiont Line.
No Feather in Our CAPPS:
How We Are About to Spend a Lot of Money and (Again) Alienate Our Allies by Building a Computer System That Invades Privacy and Does Nothing to Make Us More Secure
By Robert X. Cringely
In case you missed it -- and almost everyone in America did -- security officials in the U.S. and Europe have been at loggerheads the past two weeks over exchanging potentially sensitive airline passenger information. European airlines are going to be required to supply to the Transportation Security Administration quite specific information about every passenger arriving in the U.S. -- information that goes so far as to violate European privacy laws. If the airlines don't provide the information, they will be fined by the TSA and possibly lose their landing rights. If they do provide the information, the airlines will be fined by the European Union. Neither side is budging. But the worst part is that I am here to tell you what the TSA proposes won't work anyway.
The TSA program is called CAPPS-II -- the second generation Computer Assisted Passenger Prescreening System. The original CAPPS followed the crash of TWA Flight 800, when the Feds still believed that was an act of terrorism. CAPPS-II is the beefed-up post-9/11 system that smells strongly of Dr. Strangelove. The idea is fairly simple -- looking for likely terrorists among airline passengers. The way it is being implemented is a data-mining nightmare.
CAPPS-II was a clean sheet of paper operation. What information would have to be gathered about each passenger in order to identify those likely to have explosives in their shoes? The folks designing CAPPS-II came up with a list of 39 data points to be included in the Passenger Name Record that will be provided to the TSA by the airline. Name, Social Security Number (or its foreign equivalent), previous flights taken, meal preference, traveling companions, hotel reservations -- the list goes on and on. Some of the information can be generated as a matter of course just by processing the ticket -- your credit card number, for example -- but some will be new bits of information the airlines will ask you for the first time. If you want to fly to or in the U.S., you'll have to provide this information, but in theory, it will happen only once, after which your CAPPS-II record will follow you everywhere you fly.
Jet Blue was the airline being used to test CAPPS-II. Remember how the company got in trouble recently for providing passenger information to the TSA in violation of its own privacy rules? That was CAPPS-II.
Assuming that the airline is able to gather all 39 data points, under CAPPS-II they will be automatically reported to the TSA, which one might assume would compare the data to a terrorist profile. But before that happens, CAPPS-II uses the 39 data points to gather even more information about you from commercial and government databases. Some of this is confirming for accuracy the data already provided in the idea that a real terrorist would probably lie. Some of it is to dramatically expand the TSA's profile of you and me. To do this, they'll look at our credit reports, our credit cards and bank accounts. Using data from the Internal Revenue Service, if available, they'll confirm our employment and income. They'll check immigration and look for outstanding warrants through Interpol and the FBI. And they'll compare this information to that of our traveling companions and to the information for all other passengers on that plane in the assumption that we might be working together while appearing to travel separately. Eventually, we'll be rated on a red, yellow, green scale, and those of us lucky enough to get the green light will find it remarkably easy to get on an airplane. This rating and perhaps other information about us, will be held not just at the TSA but also in the computers of the four major reservations systems.
CAPPS-II, which is scheduled to be implemented next year, will have some interesting effects. It will keep criminals and former criminals off airplanes for one thing. So John Poindexter, the former U.S. National Security Advisor who was convicted and later pardoned for his Iran-Contra activities in the 1980s, ought to be targeted as a former felon. With more than three percent of U.S. males currently in jail or prison, I'd guess that probably 10 percent or more of Americans have criminal records of some sort, and will either be prohibited from boarding or be scared away from air travel. Foreigners will stand out, that's for sure. So will people who fly very infrequently. Deadbeat dads and former drunken drivers can drive, not fly. Maybe we'll finally get more legroom as a result of fewer passengers.
Certainly, CAPPS-II is well intentioned, and maybe it will cause an overall reduction of inconvenience at airports, but still there are aspects of the system that bother me and ought to bother us all.
Most importantly in my view, there is a disturbing discrepancy between the stories about CAPPS-II being told by U.S. and European authorities. The Europeans say the Americans are demanding 39 individual data points on each passenger, but under European privacy laws, they are allowed to gather only 19, so that is also the limit of what they can provide. The U.S. authorities, on the other hand, say they are requiring only three data points per passenger. Wait a minute! These groups have been meeting for more than two weeks, and one side thinks at issue are 39 data points, and the other thinks there are only three? How can that be? Engineers involved in designing CAPPS-II say privately that the number is 39, and if you think about it, the Europeans really don't have an incentive to lie about this. So the U.S. government is most likely, let's say, trying to finesse the issue. They are dissembling at best, and lying at worst.
This attitude on the part of U.S. authorities ought to concern us all. It shows, I believe, a disturbing arrogance and a fundamental disrespect for you and me. We are not stupid.
Then there is the little part about CAPPS-II not achieving its stated goals. Is this inconvenience, intrusion, and expense justified if it has no effect on terrorism?
CAPPS-II is simply trying to do too much in a single effort. Sometimes it is better to solve problems one at a time. Our first problem is identity. There is clearly a need for me to be able to prove I am me and that you are not me. CAPPS-II purports to do this for airline passengers, but really doesn't.
Identity is a serious problem, and the cost to correct it is very low, but CAPPS-II isn't the answer.
After identity, we have to decide who the bad guys are. CAPPS-II purports to do that by profiling 100 million people. The best way to beat that is by pretending to be someone you aren't. CAPPS-II can say I have a bad credit rating, but it can't guarantee I'm not lying dead in my car trunk in the airport parking garage, replaced by someone in disguise. There will always be ways to elude the system.
Anyone who thinks someone can write a computer program that will PREVENT future terrorist attacks is nuts. Prevention only works when you have a thorough understanding about how and why things fail. Since terrorists tend to use new and unforeseen methods of attack, you can't depend solely on a system that tries to anticipate the attack.
If you are going to collect lots of personal information, it has to be for a very good reason. There must be a high degree of certainty terrorist attacks would be completely eliminated as a result. Since this is an impossibly ridiculous expectation -- collecting the data won't help. So don't do it.
An often overlooked part of security is improving your ability to minimize the damage. The trick is to quickly know WHEN you have a problem and be able to act quickly and effectively. The best security is a combination of prevention and protection.
The problem with 9/11 wasn't that terrorists got weapons past security. The problem was they were able to get control of an airplane. The most positive reaction to 9/11 was reinforcing cockpit doors. That single change has made it easily 100 times harder to use airplanes to destroy buildings. No amount of computer technology could do that.
Of course, this only means that the terrorists will choose another method of attack, preying on one of the many other points of vulnerability that we still protect as poorly as we protected aircraft cockpits in 2001. Will CAPPS-II be of any help preventing those other forms of attack? No.
If you knew someone was going to release a biological weapon in a subway, what would you do? You can't stop them. You know it is going to eventually happen. So how do you minimize the damage? Can you quickly evacuate the area? Can you thoroughly ventilate the area? Can you easily wash down and decontaminate the area? Many chemical plants have had these capabilities for 35 years. It is neither complicated nor expensive to anticipate a subway attack and minimize the amount of damage caused. But instead, we spend billions profiling terrorists.
We should spend less time chasing bad ideas based on unrealistic expectations and spend more time making it harder for terrorists to cause any real harm.
And there is even a side benefit to this approach. If we anticipated the possible attack on a water system and installed some smart improvements, we'd never have an e.coli problem again. We'd never have a water purity problem, either. We would be prepared to keep the contamination from leaving the site, no matter what the cause of the contamination.
We look at security as a cost, not an opportunity to improve our infrastructure.
Remember the Taguchi Methods I wrote about a few weeks ago. They produce robust designs that continue to function in the presence of degrading influences. CAPPS-II and its ilk don't do that. CAPPS-II is an electronic Maginot Line that will cost a lot, is vulnerable to abuse, will cause rifts in our own community and with our neighbors, and will ultimately achieve no good at all.
Now for a bit of housekeeping. You've noticed our new page design and most of you say that you hate it. Readers always hate change. The old design -- the one you say you miss so much -- was what you hated three years ago when it was new. You will grow to like this design too, I promise. Not that there aren't improvements that can be made. The biggest gripe seems to be with our choice of a serif font that is too small, especially on Macs running IE 5. So either this week or next we will be placing a control on the page so that you can choose your preferred font and make it larger if you like.
We aim to please.
No Feather in Our CAPPS:
How We Are About to Spend a Lot of Money and (Again) Alienate Our Allies by Building a Computer System That Invades Privacy and Does Nothing to Make Us More Secure
By Robert X. Cringely
In case you missed it -- and almost everyone in America did -- security officials in the U.S. and Europe have been at loggerheads the past two weeks over exchanging potentially sensitive airline passenger information. European airlines are going to be required to supply to the Transportation Security Administration quite specific information about every passenger arriving in the U.S. -- information that goes so far as to violate European privacy laws. If the airlines don't provide the information, they will be fined by the TSA and possibly lose their landing rights. If they do provide the information, the airlines will be fined by the European Union. Neither side is budging. But the worst part is that I am here to tell you what the TSA proposes won't work anyway.
The TSA program is called CAPPS-II -- the second generation Computer Assisted Passenger Prescreening System. The original CAPPS followed the crash of TWA Flight 800, when the Feds still believed that was an act of terrorism. CAPPS-II is the beefed-up post-9/11 system that smells strongly of Dr. Strangelove. The idea is fairly simple -- looking for likely terrorists among airline passengers. The way it is being implemented is a data-mining nightmare.
CAPPS-II was a clean sheet of paper operation. What information would have to be gathered about each passenger in order to identify those likely to have explosives in their shoes? The folks designing CAPPS-II came up with a list of 39 data points to be included in the Passenger Name Record that will be provided to the TSA by the airline. Name, Social Security Number (or its foreign equivalent), previous flights taken, meal preference, traveling companions, hotel reservations -- the list goes on and on. Some of the information can be generated as a matter of course just by processing the ticket -- your credit card number, for example -- but some will be new bits of information the airlines will ask you for the first time. If you want to fly to or in the U.S., you'll have to provide this information, but in theory, it will happen only once, after which your CAPPS-II record will follow you everywhere you fly.
Jet Blue was the airline being used to test CAPPS-II. Remember how the company got in trouble recently for providing passenger information to the TSA in violation of its own privacy rules? That was CAPPS-II.
Assuming that the airline is able to gather all 39 data points, under CAPPS-II they will be automatically reported to the TSA, which one might assume would compare the data to a terrorist profile. But before that happens, CAPPS-II uses the 39 data points to gather even more information about you from commercial and government databases. Some of this is confirming for accuracy the data already provided in the idea that a real terrorist would probably lie. Some of it is to dramatically expand the TSA's profile of you and me. To do this, they'll look at our credit reports, our credit cards and bank accounts. Using data from the Internal Revenue Service, if available, they'll confirm our employment and income. They'll check immigration and look for outstanding warrants through Interpol and the FBI. And they'll compare this information to that of our traveling companions and to the information for all other passengers on that plane in the assumption that we might be working together while appearing to travel separately. Eventually, we'll be rated on a red, yellow, green scale, and those of us lucky enough to get the green light will find it remarkably easy to get on an airplane. This rating and perhaps other information about us, will be held not just at the TSA but also in the computers of the four major reservations systems.
CAPPS-II, which is scheduled to be implemented next year, will have some interesting effects. It will keep criminals and former criminals off airplanes for one thing. So John Poindexter, the former U.S. National Security Advisor who was convicted and later pardoned for his Iran-Contra activities in the 1980s, ought to be targeted as a former felon. With more than three percent of U.S. males currently in jail or prison, I'd guess that probably 10 percent or more of Americans have criminal records of some sort, and will either be prohibited from boarding or be scared away from air travel. Foreigners will stand out, that's for sure. So will people who fly very infrequently. Deadbeat dads and former drunken drivers can drive, not fly. Maybe we'll finally get more legroom as a result of fewer passengers.
Certainly, CAPPS-II is well intentioned, and maybe it will cause an overall reduction of inconvenience at airports, but still there are aspects of the system that bother me and ought to bother us all.
Most importantly in my view, there is a disturbing discrepancy between the stories about CAPPS-II being told by U.S. and European authorities. The Europeans say the Americans are demanding 39 individual data points on each passenger, but under European privacy laws, they are allowed to gather only 19, so that is also the limit of what they can provide. The U.S. authorities, on the other hand, say they are requiring only three data points per passenger. Wait a minute! These groups have been meeting for more than two weeks, and one side thinks at issue are 39 data points, and the other thinks there are only three? How can that be? Engineers involved in designing CAPPS-II say privately that the number is 39, and if you think about it, the Europeans really don't have an incentive to lie about this. So the U.S. government is most likely, let's say, trying to finesse the issue. They are dissembling at best, and lying at worst.
This attitude on the part of U.S. authorities ought to concern us all. It shows, I believe, a disturbing arrogance and a fundamental disrespect for you and me. We are not stupid.
Then there is the little part about CAPPS-II not achieving its stated goals. Is this inconvenience, intrusion, and expense justified if it has no effect on terrorism?
CAPPS-II is simply trying to do too much in a single effort. Sometimes it is better to solve problems one at a time. Our first problem is identity. There is clearly a need for me to be able to prove I am me and that you are not me. CAPPS-II purports to do this for airline passengers, but really doesn't.
Identity is a serious problem, and the cost to correct it is very low, but CAPPS-II isn't the answer.
After identity, we have to decide who the bad guys are. CAPPS-II purports to do that by profiling 100 million people. The best way to beat that is by pretending to be someone you aren't. CAPPS-II can say I have a bad credit rating, but it can't guarantee I'm not lying dead in my car trunk in the airport parking garage, replaced by someone in disguise. There will always be ways to elude the system.
Anyone who thinks someone can write a computer program that will PREVENT future terrorist attacks is nuts. Prevention only works when you have a thorough understanding about how and why things fail. Since terrorists tend to use new and unforeseen methods of attack, you can't depend solely on a system that tries to anticipate the attack.
If you are going to collect lots of personal information, it has to be for a very good reason. There must be a high degree of certainty terrorist attacks would be completely eliminated as a result. Since this is an impossibly ridiculous expectation -- collecting the data won't help. So don't do it.
An often overlooked part of security is improving your ability to minimize the damage. The trick is to quickly know WHEN you have a problem and be able to act quickly and effectively. The best security is a combination of prevention and protection.
The problem with 9/11 wasn't that terrorists got weapons past security. The problem was they were able to get control of an airplane. The most positive reaction to 9/11 was reinforcing cockpit doors. That single change has made it easily 100 times harder to use airplanes to destroy buildings. No amount of computer technology could do that.
Of course, this only means that the terrorists will choose another method of attack, preying on one of the many other points of vulnerability that we still protect as poorly as we protected aircraft cockpits in 2001. Will CAPPS-II be of any help preventing those other forms of attack? No.
If you knew someone was going to release a biological weapon in a subway, what would you do? You can't stop them. You know it is going to eventually happen. So how do you minimize the damage? Can you quickly evacuate the area? Can you thoroughly ventilate the area? Can you easily wash down and decontaminate the area? Many chemical plants have had these capabilities for 35 years. It is neither complicated nor expensive to anticipate a subway attack and minimize the amount of damage caused. But instead, we spend billions profiling terrorists.
We should spend less time chasing bad ideas based on unrealistic expectations and spend more time making it harder for terrorists to cause any real harm.
And there is even a side benefit to this approach. If we anticipated the possible attack on a water system and installed some smart improvements, we'd never have an e.coli problem again. We'd never have a water purity problem, either. We would be prepared to keep the contamination from leaving the site, no matter what the cause of the contamination.
We look at security as a cost, not an opportunity to improve our infrastructure.
Remember the Taguchi Methods I wrote about a few weeks ago. They produce robust designs that continue to function in the presence of degrading influences. CAPPS-II and its ilk don't do that. CAPPS-II is an electronic Maginot Line that will cost a lot, is vulnerable to abuse, will cause rifts in our own community and with our neighbors, and will ultimately achieve no good at all.
Now for a bit of housekeeping. You've noticed our new page design and most of you say that you hate it. Readers always hate change. The old design -- the one you say you miss so much -- was what you hated three years ago when it was new. You will grow to like this design too, I promise. Not that there aren't improvements that can be made. The biggest gripe seems to be with our choice of a serif font that is too small, especially on Macs running IE 5. So either this week or next we will be placing a control on the page so that you can choose your preferred font and make it larger if you like.
We aim to please.