Profiling

March 2006 Security Services & Risk Management

There is a great discussion about profiling going on in the comments to the previous post. To help, here is what I wrote on the subject in the book Beyond Fear (pp. 133-7):

Good security has people in charge. People are resilient. People can improvise. People can be creative. People can develop on-the-spot solutions. People can detect attackers who cheat, and can attempt to maintain security despite the cheating. People can detect passive failures and attempt to recover. People are the strongest point in a security process. When a security system succeeds in the face of a new or coordinated or devastating attack, it is usually due to the efforts of people.

On 14 December 1999, Ahmed Ressam tried to enter the US by ferryboat from Victoria Island, British Columbia. In the trunk of his car, he had a suitcase bomb. His plan was to drive to Los Angeles International Airport, put his suitcase on a luggage cart in the terminal, set the timer, and then leave. The plan would have worked had someone not been vigilant.

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car's trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by US customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean's own words, he was acting 'hinky'. More questioning - there was no one else crossing the border, so two other agents got involved - and more hinky behaviour. Ressam's car was eventually searched, and he was finally discovered and captured. It was not any one thing that tipped Dean off; it was everything encompassed in the slang term 'hinky'. But the system worked. The reason there was not a bombing at LAX around Christmas in 1999 was because a knowledgeable person was in charge of security and paying attention.

There is a dirty word for what Dean did that chilly afternoon in December, and it is profiling. Everyone does it all the time. When you see someone lurking in a dark alley and change your direction to avoid him, you are profiling. When a storeowner sees someone furtively looking around as she fiddles inside her jacket, that storeowner is profiling. People profile based on someone's dress, mannerisms, tone of voice ... and yes, also on their race and ethnicity. When you see someone running toward you on the street with a bloody axe, you do not know for sure that he is a crazed axe murderer. Perhaps he is a butcher who is actually running after the person next to you to give her the change she forgot. But you are going to make a guess one way or another. That guess is an example of profiling.

To profile is to generalise. It is taking characteristics of a population and applying them to an individual. People naturally have an intuition about other people based on different characteristics. Sometimes that intuition is right and sometimes it is wrong, but it is still a person's first reaction. How good this intuition is as a countermeasure depends on two things: how accurate the intuition is and how effective it is when it becomes institutionalised or when the profile characteristics become commonplace.

One of the ways profiling becomes institutionalised is through computerisation. Instead of Diana Dean looking someone over, a computer looks the profile over and gives it some sort of rating. Generally profiles with high ratings are further evaluated by people, although sometimes countermeasures kick in based on the computerised profile alone. This is, of course, more brittle. The computer can profile based only on simple, easy-to-assign characteristics: age, race, credit history, job history, etc. Computers do not get hinky feelings. Computers also cannot adapt the way people can.

Profiling works better if the characteristics profiled are accurate. If erratic driving is a good indication that the driver is intoxicated, then that is a good characteristic for a police officer to use to determine who he is going to pull over. If furtively looking around a store or wearing a coat on a hot day is a good indication that the person is a shoplifter, then those are good characteristics for a storeowner to pay attention to. But if wearing baggy trousers is not a good indication that the person is a shoplifter, then the storeowner is going to spend a lot of time paying undue attention to honest people with lousy fashion sense.

In common parlance, the term 'profiling' does not refer to these characteristics. It refers to profiling based on characteristics like race and ethnicity, and institutionalised profiling based on those characteristics alone. During World War II, the US rounded up over 100 000 people of Japanese origin who lived on the West Coast and locked them in camps (prisons, really). That was an example of profiling. Israeli border guards spend a lot more time scrutinising Arab men than Israeli women; that is another example of profiling. In many US communities, police have been known to stop and question people of colour driving around in wealthy white neighbourhoods (commonly referred to as 'DWB' - Driving While Black). In all of these cases you might possibly be able to argue some security benefit, but the trade-offs are enormous: Honest people who fit the profile can get annoyed, or harassed, or arrested, when they are assumed to be attackers.

For democratic governments, this is a major problem. It is just wrong to segregate people into 'more likely to be attackers' and 'less likely to be attackers' based on race or ethnicity. It is wrong for the police to pull a car over just because its black occupants are driving in a rich white neighbourhood. It is discrimination.

But people make bad security trade-offs when they are scared, which is why we saw Japanese internment camps during World War II, and why there is so much discrimination against Arabs in the US going on today. That does not make it right, and it does not make it effective security. Writing about the Japanese internment, for example, a 1983 commission reported that the causes of the incarceration were rooted in "race prejudice, war hysteria, and a failure of political leadership". But just because something is wrong does not mean that people will not continue to do it.

Ethics aside, institutionalised profiling fails because real attackers are so rare: Active failures will be much more common than passive failures. The great majority of people who fit the profile will be innocent. At the same time, some real attackers are going to deliberately try to sneak past the profile. During World War II a Japanese American saboteur could try to evade imprisonment by pretending to be Chinese. Similarly, an Arab terrorist could dye his hair blond, practice an American accent, and so on.

Profiling can also blind you to threats outside the profile. If US border guards stop and search everyone who is young, Arab, and male, they are not going to have the time to stop and search all sorts of other people, no matter how hinky they might be acting. On the other hand, if the attackers are of a single race or ethnicity, profiling is more likely to work (although the ethics are still questionable). It makes real security sense for El Al to spend more time investigating young Arab males than it does for them to investigate Israeli families. In Vietnam, American soldiers never knew which local civilians were really combatants; sometimes killing all of them was the security solution they chose.

If a lot of this discussion is abhorrent, as it probably should be, it is the trade-offs in your head talking. It is perfectly reasonable to decide not to implement a countermeasure not because it does not work, but because the trade-offs are too great. Locking up every Arab-looking person will reduce the potential for Muslim terrorism, but no reasonable person would suggest it. (It is an example of 'winning the battle but losing the war'.) In the US, there are laws that prohibit police profiling by characteristics like ethnicity, because we believe that such security measures are wrong (and not simply because we believe them to be ineffective).

Still, no matter how much a government makes it illegal, profiling does occur. It occurs at an individual level, at the level of Diana Dean deciding which cars to wave through and which ones to investigate further. She profiled Ressam based on his mannerisms and his answers to her questions. He was Algerian, and she certainly noticed that. However, this was before 9/11, and the reports of the incident clearly indicate that she thought he was a drug smuggler; ethnicity probably was not a key profiling factor in this case. In fact, this is one of the most interesting aspects of the story. That intuitive sense that something was amiss worked beautifully, even though everybody made a wrong assumption about what was wrong. Human intuition detected a completely unexpected kind of attack. Humans will beat computers at hinkiness-detection for many decades to come.

And done correctly, this intuition-based sort of profiling can be an excellent security countermeasure. Dean needed to have the training and the experience to profile accurately and properly, without stepping over the line and profiling illegally. The trick here is to make sure perceptions of risk match the actual risks. If those responsible for security profile based on superstition and wrong-headed intuition, or by blindly following a computerised profiling system, profiling will not work at all. And even worse, it actually can reduce security by blinding people to the real threats. Institutionalised profiling can ossify a mind, and a person's mind is the most important security countermeasure we have.

A couple of other points (not from the book):

* Whenever you design a security system with two ways through - an easy way and a hard way - you invite the attacker to take the easy way. Profile for young Arab males, and you will get terrorists that are old non-Arab females.

* If we are going to increase security against terrorism, the young Arab males living in our country are precisely the people we want on our side. Discriminating against them in the name of security is not going to make them more likely to help.

* Despite what many people think, terrorism is not confined to young Arab males. Shoe-bomber Richard Reid was British. Germaine Lindsay, one of the 7/7 London bombers, was Afro-Caribbean. Here are some more examples:

In 1986, a 32-year-old Irish woman, pregnant at the time, was about to board an El Al flight from London to Tel Aviv when El Al security agents discovered an explosive device hidden in the false bottom of her bag. The woman's boyfriend - the father of her unborn child - had hidden the bomb.

In 1987, a 70-year-old man and a 25-year-old woman - neither of whom were Middle Eastern - posed as father and daughter and brought a bomb aboard a Korean Air flight from Baghdad to Thailand. En route to Bangkok, the bomb exploded, killing all on board.

In 1999, men dressed as businessmen (and one dressed as a Catholic priest) turned out to be terrorist hijackers, who forced an Avianca flight to divert to an airstrip in Colombia, where some passengers were held as hostages for more than a year-and-a-half.

The 2002 Bali terrorists were Indonesian. The Chechnyan terrorists who downed the Russian planes were women. Timothy McVeigh and the Unabomber were Americans. The Basque terrorists are Basque, and Irish terrorists are Irish. The Tamil Tigers are Sri Lankan.

And many Muslims are not Arabs. Even worse, almost everyone who is Arab is not a terrorist - many people who look Arab are not even Muslims. So not only are there a large number of false negatives - terrorists who do not meet the profile - but there are an enormous number of false positives: innocents that do meet the profile.

Bruce Schneier is the founder and CTO of Counterpane Internet Security. He can be contacted at [email protected]. To subscribe to a free monthly newsletter providing summaries, analyses, insights and commentaries on security: computer and otherwise, visit http://www.schneier.com/crypto-gram.html




