Airport Security

The security at airports, and 3D body scanners in particular, has been in the news a lot recently. The reason I wanted to write about this is that it demonstrates the reactionary way some security is implemented, while actually making things worse for everyone.

It seems that there are two types of security measure: those that reassure the public that something is being done to protect them, and those that actually help. The former is usually a lot less effective than the latter.

Consider traditional airport security. The departure lounge of an airport is considered a “sterile” environment; all of those in it have been screened. For many years, the visible side of this primarily consisted of an x-ray of carry-on luggage and a metal detector for people to walk through. These devices were designed to prevent people bringing knives and guns on board. In addition, hold-baggage cannot travel in an aircraft without an associated passenger as, in general, people don’t want to blow themselves up.

After entering the departure lounge, a passenger has entered into the “sterile” airline system: people transit through different airports and arrive at totally different destinations via different airlines, often without re-screening in transit.

The question is: what type of attack will this actually prevent? Consider the holes in the sterile environment: the baggage handlers, terminal shop staff, flight crews, maintenance workers and the physical security of the airport perimeter.

The additional security measures brought in over the last few years haven’t really addressed the holes; they simply reinforce the idea that something is being done to protect the travelling public. First it was the shoe scanner. Then belts had to come off, liquids were banned and now we have full body scanners. All of these can be circumvented. All of this inconveniences the travelling public, which I wouldn’t mind so much if someone could convince me that there is a point to it.

I will, like most people, grudgingly comply, but I wonder what measures are put in place to determine whether the benefits justify the cost and who actually makes that call. It is possible to opt-out of the enhanced screening (at least in the US), but this means you will be patted down physically, which can be traumatic for some people, especially kids.

These new controls are also inconsistently applied across the network of airports and some airports can opt-out of the TSA programme. I have, inadvertently, walked through a metal-detector at Heathrow with a solid, stainless-steel watch and been through multiple airports with bottles of water. For any control to work, it has to be applied consistently.

This post may come as a surprise as security people are often portrayed as wanting to lock down the world but I am of the belief it is both impossible and undesirable to live in a 100% risk-free environment and a balance has to be struck between security and preventing people getting on with their lives. What I don’t like are controls that are inconsistent and not comprehensive.

Bruce Schneier has much to say on this topic here.

Here’s a video from the TSA on airport security:

The BBC have an article on the balance between civil liberties and security.

Social Networking Risks

I went to Royal Holloway this week to give a presentation at the Information Security Group Alumni Conference about my personal views on social networking and the perception of risk. As a short summary, my main points were:

We’re bad at assessing risk

People really can’t tell whether it’s safer to fly than to drive and whether it’s more likely to drown in a flood than be hit by lightning. It all comes down to the perception of the risk.

Without context, it gets worse

People want to have sensory cues to allow them to work out the context in which they’re operating so that they can assess the risks they’re taking. People are inherently scared of the dark, because they can’t see what’s around them. In the absence of context, people fill the vacuum with the information that they do have: if they’re sitting at home, using the Internet, they are much less wary than in an Internet café in Bangkok but the level of risk hasn’t necessarily changed.

Younger people don’t necessarily have an enlightened view of privacy

While young people growing up today are much more au fait with technology than their forebears were at the same age, they don’t have the life experience in which to assess the long-term impact of their actions. Few people realise that:

  1. It’s very hard to delete stuff from the Internet
  2. That large employers will take into consideration anything they find on the Internet about a candidate before making a decision to employ them
  3. Most things are open anyway, and you should never post anything anywhere that you don’t want made public.

Facebook’s Privacy policy includes a section that says:

Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available*. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

*My emphasis

The Information Security Industry’s Responsibility

I’d suggest that we need to make it easier for people to manage their privacy settings and have a default=closed policy for social networking sites. The IT industry went through a period of providing operating systems, network gear and other kit with all of the bells and whistles turned on out of the box. It was realised that this wasn’t a particularly good way to go. I think the same is true of social network sites.

I realise that it is in the commercial interest of social media companies to have as much openness as possible and, in Facebook’s case, people who truly believe that a transparent society in the form of Mark Zuckerberg.

But nothing is inevitable and I, personally, am not happy with living in a society where everything is open. People do have a legitimate right not to tell people everything, in my opinion, and while you could argue no one is forcing them to post information (which is of course true) no one can say that anyone is posting data online in an informed way.

Several people made excellent points after my presentation, including one thought-provoking one about the fact we don’t know what’s going to happen to all of this data in 10-15 years’ time and how it will affect people (think insurance companies harvesting data about you and it affecting your premiums, for example). There is a much wider, social problem about society’s inability to “forget” stuff, which is beyond the scope of this blog.

