Steve Kroft of 60 Minutes has obtained a copy of the no-fly list the TSA uses to decide who among the flying public should be subject to extra scrutiny or denied the right to fly altogether. It is, not surprisingly, shockingly inadequate. It includes the “names of people not likely to cause terror, including the president of Bolivia, people who are dead and names so common, they are shared by thousands of innocent fliers.”
We’ve been told since the beginning of the program that we couldn’t release the list because it might tip off the terrorists. This has never made much sense: future terrorists can find out if they’re on the list by doing a test flight and seeing if they get extra scrutiny. The more plausible explanation for the TSA’s reluctance to release the list is its fear that the list would be subject to harsh criticism. Luckily, the press has done its job here, and the list is now being subjected to the scrutiny it deserves. Hopefully that will lead to improvements in our security procedures.
This point can be generalized: systems are made more, not less, secure when they’re open to scrutiny. This is the majority view among computer security experts, who tend to trust open, time-tested encryption algorithms over new-fangled proprietary ones, because it’s less likely that someone will discover a serious flaw in a system that has already withstood public analysis. We’ve seen the same phenomenon with computerized voting machines, where closed, proprietary machines have consistently been found to have serious security flaws. And the same is almost certainly true of physical security: opening up our airport security system to greater scrutiny will give security experts and the general public the opportunity to spot problems and pressure the authorities to remedy them. Security through obscurity doesn’t work in the high-tech world, and it’s not likely to work in airport security either.
Hat Tip: Jim Lippard