ZDnet ran a story last week citing how security guru Bruce Schneier slams the US-VISIT program, which collects biometrics from people entering the country, saying that it has “zero benefit.”
I respect and like Bruce – he will be a participant in a major counterterrorism strategy conference we are having at the Cato Institute in January – but I have to voice my disagreement with him on this score. My belief is that border biometrics have an extremely small benefit – a benefit that rounds to zero, and one that is more than cancelled out by the costs. But not zero.
As of 2006, US-VISIT had cost about $15 billion and been responsible for the apprehension of about 1,000 criminals.
“Take that $15 billion number,” wrote Schneier in a 2006 blog post. “One thousand bad guys, most of them not very bad, caught through US-Visit. That’s $15 million per bad guy caught. Surely there’s a more cost-effective way to catch bad guys?”
He’s right, but that’s an illustration of the costs overshadowing the benefits, not zero benefit. (Net benefits are actually negative. We’d be better off letting those 1,000 criminals free to do their hundreds of thousands in damage or using conventional law enforcement methods than spending $15 million each to catch them.)
In defense of border biometrics, the article cites Robert Jamison, undersecretary at the Department of Homeland Security’s National Protection and Programs Directorate, which oversees US-VISIT:
“There have been several instances of someone applying for entry under one name, being denied, applying under another name, and again being denied [due to biometrics records],” said Jamison. “In a few cases, criminal activity and, in some cases, terrorist activity have been prevented.” Jamison declined to say exactly how many terrorists had been caught as a direct result of the program, saying the information was “classified”.
Rather than granting Jamison’s assertions and accepting the existence of benefits, Schneier has probably done in shorthand what any good judge in a court would do: find unproven a fact that a party won’t present reliable evidence for. Though the average American (and reporter) probably does, Schneier doesn’t grant as proven whatever a self-interested national security bureaucrat claims to be true but secret.
But for the sake of argument, let’s grant that a few people with some level of terrorist intent were turned back by border biometrics. This is prevention of “terrorist activity” in the sense that a person with terrorist intent was prevented doing something they wanted to do. But entering the country is only a small part of doing any damage once inside the country.
There’s a terrific example written up here of a man turned away at the U.S. border (not by US-VISIT but by a program called ATS-P) who later became a suicide bomber in Iraq. The implication DHS officials would like you to take from this is that preventing his entry into the country prevented a suicide bombing in the United States. In fact, it’s just as likely, if not more, that this individual became suicidal because of being turned away – he had already lived in California for two years without incident. And one can’t exclude the possibility that he was coerced to commit a bombing through threats, a hostage-taking of a family member, or some other way.
Anyway, turning someone away from the border is a trivial security against terrorism because terrorists are fungible. Turning away a known terrorist merely inconveniences a terrorist group, which just has to recruit someone different. The 9/11 attacks were conducted for the most part by people who had no known record of terrorism and who arrived on visas granted to them by the State Department. Biometric border security would have prevented none of them entering.
(Another option is physical avoidance of the border – crossing into the United States from Canada or Mexico at an uncontrolled part of the border. I know if no instance of this occuring (successfully), but it could. And, most importantly, there’s no cost-effective way to prevent it.)
In summary, border biometrics have some benefit! They are at best a mild inconvenience to terrorists – an inconvenience that the 9/11 attacks mostly anticipated. But that’s not zero benefit! It’s just negligible benefit.
In May 2007, I testified in the Senate Judiciary Committee about the costs and benefits of the REAL ID Act, a similar identity-based security system – and similarly expensive at about $17 billion. Because avoidance of identity-based security is so easy, its benefits are quite small, though I allowed it generous assumptions at every turn:
Assuming . . . that a future attack would be on the scale of a 9/11 — an exaggerated assumption unless all the rest of our security efforts have done nothing — REAL ID might be assumed (generously) to delay such an attack by six months. The value of delaying such an attack, and thus the security value of REAL ID, ranges from $2.24 billion to $13.1 billion. REAL ID offers less in benefits than it does costs — even using very generous assumptions.
But, again, that’s not zero benefit. It’s a very small benefit, a benefit that is far outstripped by costs. We’re doing ourselves more harm than we’re preventing with border biometrics – and that’s just on a static dollar-for-dollar basis, not accounting for lost tourism, trade, and goodwill.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.