Secure Flight/CAPPS II: Will it work?
The inner workings of the TSA's "Secure Flight/CAPPS II" Database
are considered secret
by the TSA, but the general architecture, and several components of
the system, are known. Because the system is designed to identify
individual travelers who may pose a threat, its basic unit is the
individual, who is identified with a unique number which can be
cross-referenced to other databases' keys, like social security
numbers, telephone numbers, and credit card numbers. The system is
believed to contain over a thousand data points on every
individual, including data from airline records, government
databases, telecom records, public directories, and the massive
commercial databases maintained by credit-reporting services.
This database would be El Dorado for an identity thief, but of
course the only people that have access to the information are TSA
employees (how many times have we written the words "TSA theft
ring" in the last couple years? -- but pay no attention to that,
for are they not honorable men?), contractors (some of whom
outsource to third world nations), and anyone with an Internet
connection when, as happens from time to time, one of these
contractors springs a leak. Nothing to worry about.
Some of the factors that make the TSA take notice of a traveler
include the type of flight, whether this fits in that person's
historic pattern of travel, whether the person's name is on a
terrorist watchlist, even whether the person owns or rents his or
her home (the theory is, suicide bombers won't be thinking about a
30-year mortgage). There are many other factors, each secret. Each
factor is given a certain weight by the system, which is also
secret. Finally, each traveler is assigned a "TSA Curiosity
Quotient" which determines the type and nature of the scrutiny he
or she will require -- these thresholds are also, you guessed it,
secret. Because numbers are hard things, the output of this system
to the line-level screeners who have to implement the data is
reportedly a simple color code: red, yellow or green.
Data will be retained for at least fifty years.
For many people, the loss of privacy and risk of identity theft
will be seen as a fair trade against the possibility of another
terrorist attack. But while the CAPPS II (now Secure Flight) system
is based on the assumption that studying data will reveal potential
terrorists, it fails to account for the likelihood that terrorists,
who are after all evil, not necessarily stupid, will react to CAPPS
by selecting or preparing terrorists who are likely to pass the
system's scrutiny.
It's interesting to note that in 2002, when MIT students Samidh
Chakrabarti and Aaron Strauss subjected the concept of passenger
prescreening to a mathematical computer simulation, they found
that any passenger
prescreening system was vulnerable to an exploit they called the
"Carnival Booth" algorithm. They concluded that random searches
were a much greater threat to terrorists' success than prescreened
searches. "The results are clear. The less a system relies on
profiling and the more advanced its administrative searching, the
more terrorists it will catch," Chakrabarti and Strauss wrote. If a
terrorist makes a dry run and is not flagged by CAPPS, his odds of
being flagged the next time decrease. Indeed, the more times a
terrorist passes through the system the closer his probability of
being selected approaches zero.
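The last claim can be checked from the screening designer's side with a small probability model. This is an added example, not Chakrabarti and Strauss's own simulation, and it assumes each traveler has a fixed per-trip chance of being flagged by the profile, drawn from a Beta(a, b) distribution, with random searches applied independently; all parameter values are constructed.

```python
import random

def profile_flag_prob(a, b, clean_trips):
    """Mean per-trip profile-flag probability after `clean_trips` unflagged trips.

    Assumption: each traveler has a fixed flag propensity p ~ Beta(a, b).
    Passing k trips unflagged updates it to Beta(a, b + k), mean a / (a + b + k).
    """
    return a / (a + b + clean_trips)

def search_prob(a, b, clean_trips, random_rate):
    """Chance of a search on the next trip: profile flag OR independent random search."""
    return 1 - (1 - profile_flag_prob(a, b, clean_trips)) * (1 - random_rate)

def simulate(a, b, clean_trips, random_rate, trials=20_000, seed=7):
    """Monte Carlo check of search_prob() by rejection sampling."""
    rng = random.Random(seed)
    kept = searched = 0
    while kept < trials:
        p = rng.betavariate(a, b)
        if any(rng.random() < p for _ in range(clean_trips)):
            continue  # flagged on an earlier trip: not in the conditioned population
        kept += 1
        if rng.random() < p or rng.random() < random_rate:
            searched += 1
    return searched / trials

if __name__ == "__main__":
    A, B = 2, 2  # constructed prior: the profile flags this group 50% of the time
    print("clean trips | profiling only | profiling + 5% random")
    for k in (0, 1, 5, 20, 100):
        print(f"{k:11d} | {search_prob(A, B, k, 0.0):14.3f} | {search_prob(A, B, k, 0.05):.3f}")
```

Under profiling alone the search probability decays toward zero as clean trips accumulate, while any independent random-search rate remains as a floor that prior clean trips cannot lower.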
The most disturbing thing is that, if the TSA has any answer to
the MIT report, they aren't talking about it. There don't appear
to be any technical data which support the CAPPS II approach,
only the argument that it makes intuitive sense
-- which the two young MITers show to be a logical fallacy. It
would be nice to hear TSA say that their approach is better, and
the scientists have it wrong.
But then, if they said that, how would we know they were telling
the truth this time?