Privacy takes flight

Negative effects of the FAA aviation security program

Do you fly? If you answered yes, you've probably been asked by an airline representative to show some photo ID before getting on the plane. The representative may even tell you that this is a FAA aviation security requirement designed for your safety to prevent terrorist incidents.

But have you ever stopped to think about the effectiveness of the photo ID requirement? Anyone who's passed through their teenage years should be able to list a few ways to evade the age limit on alcohol purchases, despite the fact that merchants also check photo ID before selling licquor. In fact, one of the more popular and easy ways to circumvent the restrictions is to buy a fake ID, or to use a friend's. If teenagers find it easy to obtain fake ID's, what does that say about terrorists?

A moment's reflection suggests that the photo ID requirement is unlikely to stop any dedicated terrorist. There is no public evidence that the photo ID check has ever prevented a terrorist incident, and I find it unlikely that this will ever change. Even FAA officials have privately begun to admit that the ID requirement may be passe.

What is not commonly recognized is that the photo ID requirement is not just another piece of useless but harmless regulation. To the contrary, this little requirement has serious consequences for privacy: maintaining your privacy is now nearly impossible if you ever plan to travel by air.

One aspect of this requirement that civil liberties groups find especially offensive is that it was secretly introduced in 1996 soon after the so-called "TWA800 bombing" (in retrospect, probably not a terrorist incident at all, the FBI says; can we get our privacy back now, please?). Ever since, the details of the photo ID regulations have been carefully kept secret by the FAA. This raises the spectre of checkpoints ("your papers, please") unsanctioned by any legal document available to the public, a vision I had imagined would wither away after the collapse of communism.

The reason the harmful nature of the ID checks is not commonly recognized is that the relevant government regulation is amazingly not available to the public -- the FAA is using secret law to push an invasive and useless requirement on the flying public! Secret law has historically been a common tool of terror and authoritarian regimes, and has no place in a freedom-loving democracy. Secret law prevents public debate and reasoned discourse; how can these laws be considered legitimate in a democratic society when even their mere existence (let alone their contents) is kept secret from the very citizens whose rights they affect?

These concerns inspired me to research the issue further. After a fair amount of research into the FAA's photo ID security requirements, what I've learned has left me truly depressed. I'm depressed not because I find the security requirements ineffective (which they probably are, by and large), but rather because they are so unnecessarily privacy-invasive.

Since the regulations governing these issues are secret, I've been forced to look in rather unusual places to acquire this evidence, evidence which might be hard for the average interested citizen to duplicate. Therefore, I've decided to publicly post some of what I've learned in my studies, to increase awareness and debate over the FAA aviation security regulations.

The purpose of this essay is to justify my position that most of these invasive "security" procedures are of dubious effectiveness. In my honest opinion, I'm sad to report that -- despite the privacy violations they inflict on the flying public -- I think they would be unlikely to slow down a motivated terrorist.

I've done some deep investigation and testing, and here is some analysis on the effectiveness on some of the FAA terrorism countermeasures [1]:

Defense: Photo ID requirements.

Prognosis: profoundly flawed.

• I've already mentioned that if teenagers find it easy to obtain fake IDs, presumably would-be terrorists can also get one. One has to expect that terrorists will have far more experience at this than the usual young adolescent. (There are plenty of other problems in this poorly-thought out defense, but this one seems enough.) Need I say more?

Defense: Hand-searching carry-on luggage for selectees.

Prognosis: easily bypassed.

• Anecdote: When I fly as a selectee, the usual procedure is that they search my luggage at the gate in advance, then let me roam before boarding. This does not require much thought to bypass: show up early, stash your bag in a public locker before the search, then retrieve it afterwards.
• Anecdote: Once, rather than searching my bags immediately, the checkin agent put a sticker on ticket that was supposed to alert the gate agent not to let me on the plane without searching my bag. I was truly impressed: I thought for once their hand-search procedure was going to be effective. When I got to the gate, the gate agent stared at the sticker for a long 5 seconds, clearly not sure what it meant, then finally looked at me and waved me through, without the search. Maybe it was just a fluke, but I'm skeptical.
• Note: a selectee is someone who claims to have forgotten their ID, or who cannot or does not produce photo ID. Selectees are processed with a special procedure, including X-raying checked luggage and hand-searching carry-on luggage.

Defense: Profiling.

Prognosis: I am skeptical.

• Suppose I have an ID under a false name. I use it to get a credit card under that name, then buy a suit and a round-trip ticket in first class. How is the profiling going to pick me out of the crowd of business travelers? Answer: it's not.

Defense: Random bag searches as you pass through the metal detectors.

Prognosis: probably not very reliable, though surely they help a little.

• Anecdote: When the security guard at the X-ray detector asked if he could search my bag (a random suspicion-less search), I played dumb and asked "Do I have to?". He said, warmly, "Oh, are you late for your flight?". When I nodded yes, he let me go without searching. Friendly guy!
• Anecdote: One FAA document had to advise security guards to not pick just small bags for the "random" searches. Turns out that some guards were avoiding the big bags because they took more effort to search, and searching just the little bags allowed them to maintain their quotas. I suppose I don't have to elaborate on how a potential terrorist might use this observation to sneak through the security checkpoints.

Defense: metal detectors & X-ray machines as you enter the gate.

Prognosis: actually a pretty good defense, but they can be defeated without too much effort.

• Simple attack: carry a big bulky "laptop" that actually contains a pound of nasty explosives. This is pretty hard for the good guys to stop with current procedures, sadly... The new "sniffer" machines at the most popular airports are somewhat useful in this regard, but they can handle only a very small percentage of the number of laptops that go through the airports, and they are only available at major airports, so exploding laptops are easy to smuggle in by taking a connecting flight from a smaller airport.
• Anecdote: Ever wonder how they get the beer and other supplies into the bars and restaurant near the gate? Lucky Green tells an eye-opening story about the time he saw them wheeling these kegs of beer around the metal detectors as the guards waved them on. When you realize that these are opaque containers that block X-rays, it is clear that pretty much anything could potentially be transported past the security perimeter in a keg, no questions asked, if you can position yourself as the beer-supplier.

Defense: Positive bag matching.

Prognosis: Positive bag matching seems like it must be a pretty good defense, if you assume the terrorist doesn't want to die from his own bomb, and if you apply it to every passenger, although even then, it still can be defeated. (But it certainly can't stop a terrorist who's willing to die by his own hand.)

• The attack that seems hard to prevent: The terrorist finds a flight with a stopover, boards with a bomb in his carry-on luggage, then gets off the plane at the intermediate destination (leaving his carry-ons up in the overhead compartment) and never re-boards.
• Another weakness: In practice, it's only applied to fliers that "hit" in the profile, so adversaries actually have two ways to defeat positive bag matching: avoid the profile, or play the stopover trick mentioned above.

Notice how the most privacy-invasive security techniques (ID checks, profiling, hand-searches, etc.) are also the ones that are the least likely to be effective in practice?

Notice also that the techniques which seem most likely to provide some small amount of defense (e.g., positive bag matching, X-ray machines) are also the ones which are least likely to have serious privacy implications.

Based on this analysis, it would not be unreasonable to hypothesize that the ineffective techniques (photo ID checks, etc.) are there just to reassure the flying public that the FAA "is doing something": in other words, an example of perception management (normally called "pulling the wool over your eyes") taking precedence over real security. Sadly, it's exactly their privacy-invasive nature which makes these techniques work well for perception management, so I don't think we'll be rid of this problem soon.

Another big problem the good guys have is transitive trust. If you pass security in Podunk Airport and fly to JF Kennedy, you can then wander around the "secure" area and get on another flight from JFK to SFO, without ever going through security in JFK -- and if Podunk Air is lax about security, you can use them to bypass the strict security in JFK. In other words, the security of the US airport system is only as strong as its weakest link.

I don't envy the position of those responsible for aviation security; if the goal truly is to prevent terrorist attacks (not just to project a false sense of security, as the cynics would suggest), they have a very hard problem on their hands.

However, I fear that the FAA has struck a terrible balance in their current aviation security policy: the current policy is not strict enough to offer real defense, but just harsh enough to invade our privacy -- we give up some of our freedom when flying, and in return, all we get is "security procedures" that don't actually do much to protect us. All this is surely old hat for the grizzled cypherpunk, but depressing nonetheless.

Another observation: what most people don't know is that the FAA regulations which require airlines to ask for photo ID don't apply if you aren't checking luggage. (Caveats: Only applies to domestic flights. And a few airlines have stricter regulations than what's required by law. I last checked about 6 months ago; if the policy has changed since then, all bets are off.)

However, there's an education problem -- many airline employees don't know this, and in practice you will have a hard time convincing them. Sadly, I think the FAA is complicit in this problem -- when I called them, they (reluctantly) confirmed over the phone that this is indeed their policy once I volunteered that I knew about it, but flat out refused to confirm it in written form (!), saying that this information only goes to those with a need-to-know. Yet another example of secret law.

This essay is based on a public post to the cypherpunks discussion list that I sent some time ago.