Terror profiles by computers are ineffective

Tuesday 21 October 2003This is over 19 years old. Be careful.

Every time I read something Bruce Schneier writes about security, I agree with him: Terror Profiles By Computers Are Ineffective.

I have an idea. Timothy McVeigh and John Allen Muhammad — one of the accused D.C. snipers — both served in the military. I think we need to put all U.S. ex-servicemen on a special watch list, because they obviously could be terrorists. I think we should flag them for “special screening” when they fly and think twice before allowing them to take scuba-diving lessons.

What do you think of my idea? I hope you’re appalled, incensed and angry that I question the honesty and integrity of our military personnel based on the actions of just two people. That’s exactly the right reaction. It’s no different whether I suspect people based on military service, race, ethnicity, reading choices, scuba-diving ability or whether they’re flying one way or round trip. It’s profiling. It doesn’t catch the few bad guys, and it causes undue hardship on the many good guys who are erroneously and repeatedly singled out. Security is always a trade-off, and in this case of “data mining” the trade-off is a lousy one.


If you enjoyed that you should read his most recent book "Beyond Fear: Thinking Sensibly About Security in an Uncertain World". Very, very good. I wrote a quick review in my blog on September 11th.
How about treating all legal gun-owners like criminals? I have been fingerprinted more times than John Muhammad.

And as for "profiling", I am all for giving everybody the same once-over necessary for security. If that cannot be done, then some rational basis for determining a subset of the population for the afore mentioned "once-over". Pretending that there is some sense to shaking down 80 year-old grandmothers in an airport so to be able to "justify" talking to that single 20-something male with a one-way ticket is beyond political correctness, it is suicidal stupidity. And yes, he is likely to have a muslim name. I hate to point out the blindingly obvious, but 100% of the terrorists that are trying to blow our planes out of the sky are arab muslims. Again, pretending that this is not the case is suicidal stupidity.
I hate to point out the blindingly obvious, but we have no idea who is trying to blow planes out of the sky. All we know for sure is who has managed it so far.

Was Richard Reid an "arab muslim"? In some ways, yes, in some ways no. Would the profiling have caught him?

We're all reacting to the worst terrorist attack on US soil, and we need to react to it, but have we forgotten about the second worst terrorist attack on US soil? It was Timothy McVeigh. Would he have fit any of the profiling? Why do we think the next attack won't be from someone more like McVeigh?
Richard Reid? You mean Abdel Rahim, schooled by Hamas in Palestinian controlled areas?
I'm posting this because after briefly discussing this with Ned he suggested I should make my arguments here.

The article references is remarkably content free. His claims that data mining and profiling are ineffective are not backed up with data or facts.

There are good reasons why racial profiling (muslim implies terrorist, black implies drug smuggler) is counter productive, but its not clear that data mining is the same as racial profiling. And in this case while he's specifically denouncing data mining, he makes implications that data mining is racial profiling by anecdotally enumerating the ethnicities of several terrorist. Yet he offers nothing that links data mining to racial profiling.

So, no I don't agree with the premise that "Terror Profiles By Computers Are Ineffective". They may or may not be, but he doesn't effectively make any case.
I think a key point in Schneier's general argument is that security is always a trade-off. How much security am I getting, and what am I giving up to get it? No screening process will be perfect so what level of false positives are we willing to accept? One percent? 1/10 percent? Tens of millions of people fly, even these low levels of false positives would be unacceptable if false positive resulted in substantial flight delays and travel disruptions. And it assumes that the next terrorist strike will be highjacking planes. Maybe, but probably not.

In his book, Schneier talks about unintended consequences of security measures. Privacy abuse is a disturbing consequence of these data mining programs. What data is being collected? Who has access to the data being mined? How secure is it? No really, how secure is it? How secure are the data mining algorithms? If terrorists can figure out what you're looking for, how likely will you be able to find them?

What if I end up being identified as a potential terrorist? How do I avoid getting hassled every time I try to fly? How do I question the logic that got my name on the list? Maybe the "data mining" software thought I was suspicious because I registered a scatological domain name ;-) How would I know? What if the decision to consider me suspicious was based on incorrect information? How could I question it or have the information corrected?

I'd rather that money be spent on hiring more people checking passports than on data mining technology.

"Those who would give up essential Liberty, to purchase a little temporary safety, deserve neither Liberty nor Safety."
- The Papers of Ben Franklin
There's one thing that seems to be left out in your quote, which is the simple basic fact that any ex-military personnel must by definition have already demonstrated a devotion far beyond the general citizenship population to risk their own lives _defending_ the country, not trying to destroy it.

It is true that the military has training-- but it's also true that any of that training includes instilling the most basic, fundamental patriotic values of all in the trainees.

In terms of metrics used for this kind of security, well, yes it's very difficult to deal with a problem where you have a few people willing to die for their cause. While (ex-/)military are also willing to die for a cause, in many cases having actually risked it, they're on the completely opposite side of the likelyhood spectrum, at least further from the side terrorists are on than the rest of us in the middle.

Talk about security through obscurity. Put me on the plane with the veterans. Who was it that said, if you fought for your country, your vote should count twice?
David, we're back to square one; that "simple basic fact" of yours would have made McVeigh and Muhammad pass the test. And due to their training, I disagree they are further from terrorists than "the rest of us in the middle". People who know how to cook C4, or how to make loads of explosives with fertilizer might be no more likely than me to blow up innocents. They are still more able to do so. Which hardly puts them further from terrorists than I am. After all, while they might not be more likely than me to have the motive, they do have some, if not all, of the skills. I have neither.

Profiling is a necessary evil, a crude risk evaluation tool. Is computer-based profiling better ? Well, compared against what ?

Richard Reid, for instance, did fit a profile. A Middle Eastern man with a brand new passport, no luggage and a one-way ticket paid in cash should definitely raise alarm bells. It doesn't follow the next one will, of course, but a Richard Reid should not get on a plane. Assuming Paris CDG security profiled passengers at the time, one could argue the fact that he did somewhat nails the profiling coffin. I don't know.

In the end, I think better profiling has a lower priority than basic security. When TSA agents can still get guns, pipe bombs or knives through security at Logan Airport, and the only consequence for the screeners involved is to get a remedial class, I must say profiling hassles are rather low on my radar screen. First things first. Before telling me how you're going to spot that anonymous terrorist in the crowd, please make sure you find the weapons and explosives in the luggage...
Sylvain, those are good points, and ultimately you can't tell from profiling- but I don't think ex-military should be singled out without having a few other supportive facts handy for any profiling done. If only there were a quick way to check everyone.

Add a comment:

Ignore this:
Leave this empty:
Name is required. Either email or web are required. Email won't be displayed and I won't spam you. Your web site won't be indexed by search engines.
Don't put anything here:
Leave this empty:
Comment text is Markdown.