Defeating airport security and getting frequent flyer points while you’re at it

I’ve only had a chance to briefly skim it, but the paper, titled Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System, outlines a hole in the security system currently used in airports to prevent another September 11th from happening. CAPS tries to predict whether you’re a likely to be a terrorist based on data pertaining to your history of ticket purchases. If you fit the terrorist profile, you’re singled out for extra security checks. When you’re singled out, ti’s quite obvious, and therein lies the weakness of the system.

(I once probably set off every CAPS alarm; I wrote about it here.)

Here’s what the writers of the paper have to say:

This transparency is the Achilles’ Heel of CAPS; the fact that individuals know their CAPS status enables the system to be reverse engineered. You, like Simonyi, know if you’re carryons have been manually inspected. You know if you’ve been questioned. You know if you’re asked to stand in a special line. You know if you’ve been frisked. All of this open scrutiny makes it possible to learn an anti-profile to defeat CAPS, even if the profile itself is always kept secret. We call this the “Carnival Booth Effect” since, like a carnie, it entices terrorists to “Step Right Up! See if you’re a winner!” In this case, the terrorist can step right up and see if he’s been flagged.

The recipe for defeating CAPS is quite simple:

1. Probe the system. Send one of your agents to simply take a flight. On this run, the agent’s not supposed to do anything other than report whether or not CAPS flaged him or her.

2. If your agent was flagged in step 1, take that agent off your martyrdom candidates list. Reassign the agent to something else (perhaps recruiting and handing out propaganda at the local University campus). Repeat step 1 with another agent.

3. Repeat this process until you’ve got one or more agents who consistently eludes CAPS flags. These lucky dogs get the 72 virgins. Get them to give you the frequent flyer points they accrued; they won’t be needing them anyway.

4. Now send this squad on a mission with intent to harm, complete with weapons, explosives and cliched prepared statement. Since CAPS didn’t flag them last time, it’s likely they won’t be flagged this time. Await congratulatory greeting card from Osama.

The authors of the paper state that even although it seems counterintuitive, randomly selecting passengers for extra scrutiny is more likely to catch terrorists than CAPS.

It’s an interesting read, and although there’s a little math to wade through (although it’s not terribly complex; anyone who’s read The Cartoon Guide to Statistics should get it), most people should find it reasonably easy to follow.