Musings of The Global Traveller

Thursday, July 24, 2008

TSA watchlist of 1 million

I don't blog much about the TSA (USA's transport security if you're lucky enough to not know what it is about), mainly because pretty much every policy they implement riles me up. There is plenty of coverage elsewhere on their terrible practices and stuff-ups.

However, an entry on the TSA blog from a couple of weeks ago has gotten me even more riled up than normal so that I have to comment on it. The blog entry is a self-styled myth buster on the recent news that the watchlist has 1 million names.

A summary of the TSA blog entry:

  • 2 million daily passengers (this is USA only)
  • 400,000 on a consolidated terror watch list
  • 50,000 selectee and no-fly lists (subsets of the consolidated terror watch list)
  • buster #1 - the list is not 1 million names long
  • buster #2 - ACLU's method to estimate 1 million names is flawed
  • buster #3 - Ted Kennedy, Catherine Stevens and Robert Johnson are not on the no-fly lists, they just happen to have the same names as others who are on the no-fly lists. Then there is a spiel that spending more money will enable the number of false positives to be reduced, and that those who are falsely identified (false positive) face only minor inconvenience.
  • Terror watch lists keep legitimate terror threats off of airplanes every day, all over the world. (This point is a verbatim quote.)

Given the watchlist isn't public info, I'll take TSA's word that the list is "only" 400,000 names long. I'll also take their word that the names used to trigger extra security or outright prevent from flying are a mere 50,000 names.

Now to some that may not seem a big number, compared with say the population of USA.

However, a unique name is rather rare. Some common names have many thousands who share the exact same name - for example a couple of dozen others shared my name even in the small town I used to live in (and no my surname is not Smith). Suppose there are 100 people with the same name on average - this I think is a low estimate. Some unusual names will only have a few people with the same name, while other names may have 100,000 people or more with the same name. That 50,000 list now matches 5,000,000 names. Not so small any more, is it?

Unfortunately that isn't the end of it. For "bad people" could try to fool the system by slightly tweaking their name - using initials, changing the spelling slightly, etc. So the watchlist system gets close matches as well as exact matches. The number of names matching the list grows again.

Now, for some the ends (prevent terrorist attack) justify the means (extra hassles for those whose name "matches" the selectee and no-fly lists). However, consider this. How many of the 50,000 names realistically will try to blow up or crash a plane? I bet it is a tiny number - let's say 100 for argument's sake. Of those, a portion will presumably be savvy enough to realise that if they can take a name that doesn't match the list (or find a suitably named new recruit) they won't be subject to extra security. So really the security the name matching provides is non-existent.

But for the notion of apparent security, a significant proportion of the travelling public faces inconvenience. The TSA blog entry downplays the impact by claiming it merely limits ability to check in online. However, the real impact is far worse. Missed flights due to longer times to check in, missed connecting flights, being stranded at the transit point (eg if you couldn't get checked through for the onward flight), not being able to easily switch flights to another airline in the event of irregular operations, etc. Then there is the time totally wasted by all these people, which somehow never makes it into a proper cost-benefit analysis.

To sum up - lots of costs, no benefit, faulty logic being used to justify it all. Unfortunately this sounds rather like some other aspects of security (and not just TSA, other countries are not immune).

For those readers interested in finding out more, I suggest checking out the excellent Schneier on Security.
