||This article may require cleanup to meet Wikipedia's quality standards. (January 2009)|
Security theater is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it. Some experts such as Edward Felten have described the airport security repercussions due to the September 11 attacks as security theater.
Security theater has real monetary costs but by definition provides no security benefits, or the benefits are so minimal as to not be worth the cost. Security theater typically involves restricting or modifying aspects of people's behavior or surroundings in very visible and highly specific ways, – that could involve potential restrictions of personal liberty and privacy, ranging from negligible (confiscating water bottles where bottled water can later be purchased) to significant (prolonged screening of individuals to the point of harassment).
Because security theater measures are often so specific (such as concentrating on potential explosives in shoes), it allows potential attackers to divert to other methods of attack. This not only applies to the extremely specific measures, but can also involve for example switching from using highly scrutinized airline passengers as attackers to getting employed as airline or airport staff, to simply avoiding attacks on aircraft in favor of for example attacking cinemas.
The direct costs of security theater may be lower than that of more elaborate security measures. However, it may divert portions of the budget for effective security measures without resulting in an adequate, measurable gain in security. In many cases, intrusive security theater measures also create secondary negative effects whose real cost is hard to quantify and likely to dwarf the direct expenses.
Such ripple effects are often connected to fear
- visible measures such as armed guards and highly intrusive security measures may lead people to believe that there must be a real risk associated with their activity.
An example for both issues is that after a recent increase in restrictions in air travel, many frequent air travelers have expressed that they will try to avoid flying in the future.
Security theater encourages people to make uninformed, counterproductive political decisions. The feeling of (and wished for) safety can actually increase the real risk.
The disruption, cost, and fear caused by security theater acts as positive feedback for those who wish to exploit it: even if they fail to take lives, they can cause large economic costs.
Critics such as the American Civil Liberties Union have argued that the benefits of security theater are temporary and illusory since after such security measures inevitably fail, not only is the feeling of insecurity increased, but there is also loss of belief in the competence of those responsible for security.
While it may seem that security theater must always cause loss, it may actually be beneficial, at least in a localized situation. This is because perception of security is sometimes more important than security itself. If the potential victims of an attack feel more protected and safer as a result of the measures, then they may carry on activities they would have otherwise avoided. In addition, if the security measures in place appear effective, potential attackers may be dissuaded from proceeding or may direct their attention to a target perceived as less secure. Unsophisticated adversaries in particular may be frightened by superficial impressions of security (such as seeing multiple people in uniform or observing cameras) and not even attempt to find weaknesses or determine effect.
It is inherently difficult to give examples of security theater that are clear and uncontroversial, because once it is agreed by all that a measure is ineffective, the measure seldom has any noticeable influence on perceived risk. The following are examples of alleged security theater.
- National Guardsmen carrying automatic weapons in airport lobbies in the months following the September 11 attacks. Reports varied on whether the weapons were loaded or unloaded; loaded weapons would apparently pose an extreme danger to the dense crowds found at an airport in the case of an actual incident.
- The announcement after the September 11th suicide attacks that airports would be discontinuing curbside check-in, which had no relationship to the tactics Al Qaeda employed in hijacking the aircraft and would pose no barrier to a suicide bomber who fully intended to board the aircraft with a bomb bag anyway.
- The air travel industry uses a screening system called Computer Assisted Passenger Prescreening System. This system relies on static screening of passenger profiles to choose which people should be searched. Systems of this nature have been demonstrated to reduce the effectiveness of searching below that of random searches since terrorists can test the system and use those who are searched least often for their operations.
- With the aim of preventing individuals on a No Fly List from flying in commercial airliners, U.S. airports require all passengers to show valid picture ID (e.g. a passport or driver's license) along with their boarding pass before entering the boarding terminal. At this checkpoint, the name on the ID is matched to that on the boarding pass, but is not recorded. In order to be effective, this practice must assume that 1) the ticket was bought under the passenger's real name (at which point the name was recorded and checked against the No Fly List), 2) the boarding pass shown is real, and 3) the ID shown is real. However, the rise of print-at-home boarding passes, which can be easily forged, allows a potential attacker to buy a ticket under someone else's name, to go into the boarding terminal using a real ID and a fake boarding pass, and then to fly on the ticket that has someone else's name on it. Additionally, recent investigations show that obviously false IDs can be used when claiming a boarding pass and entering the departures terminal, so a person on the No Fly List can simply travel under a different name.
- Random searches on subway systems, such as those taking place on the New York City Subway system, have been criticized by the American Civil Liberties Union and others as security theater. They allege that since such searches are only at some stations and that people may decline such a search and simply leave that station, a terrorist could simply find a station where no searches were occurring and board there..
- Spanish national railway operator RENFE performs passenger screenings at major stations for long distance trains. However, many of those trains also stop at stations providing only a simple ticket checking, and even some unstaffed stations where passengers could board the train without a ticket, rendering the screening ineffective. Furthermore, the 2004 Madrid train bombings targeted commuter trains: at the time there were screenings at Atocha station but not on the tracks used by the bombed trains.
- The 1950s "duck and cover" drills in U.S. public schools – which suggested that ducking under a desk is a reasonable way to protect oneself from the detonation of an atomic bomb.
- Facial recognition technology was introduced at Manchester Airport in August 2008. A journalist for The Register claimed that "the gates in Manchester were throwing up so many false results that staff effectively turned them off. Previously matches had to be 80% the same – this was quickly changed to 30%. According to Rob Jenkins, a facial recognition expert at Glasgow University, when testing similar machines at a 30% recognition level, the machines were unable to distinguish between the faces of Osama bin Laden and Winona Ryder, bin Laden and Kevin Spacey, nor between Gordon Brown and Mel Gibson.
- Australian airline authorities now prohibit any liquids, aerosols, and gels in a container larger than 100 ml in luggage hand carried onto international flights. They would prohibit a tube of toothpaste labeled able to contain more than 100 ml, even if it were squeezed empty. They would, however, allow the carrying on of 2 or 3 tubes of paste provided each is labeled to carry less than 100 ml.
- As demonstrated on the Discovery Channel show It Takes a Thief, most low-end locks and security systems provide minimal actual protection against an experienced burglar. Commercially constructed doors without deadbolts can be simply overpowered by human kicks, and police response times to security alarms are frequently far too slow to catch a thief before he is finished ransacking the house and in flight.
- The use of virus scanners to detect malware on computer systems. In order to be "scanned", a piece of malware (be it a virus, trojan horse, spyware, rootkit, etc.) needs to be identified and recognized by the company developing the software to create a "signature" for it and deploy this to machines running its software. This reveals some considerable doubts about the approach in general in that:
- First, if a virus or piece of malware is not identified, it will not be detected in time to prevent it from delivering its payload. In the case of a rootkit it is usually insufficient to simply "scan and remove" it, requiring a restore or reinstall to guarantee a clean system.
- Second, if the antivirus company refuses to identify a virus or other piece of malware or acknowledge it, the malware gets a free pass, regardless of damage caused or data compromised. This was the case in the Sony rootkit scandal.
- Third, a computer system which can be compromised via an automated method such as viruses or malware has inherent security flaws which could just as easily be exploited by an individual looking to exploit the flaw.
The term security theater was coined by computer security specialist and writer Bruce Schneier for his book Beyond Fear, but has gained currency in security circles, particularly for describing airport security measures.
Examples of use of the term:
For theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration. ... The T.S.A.'s profession of outrage is nothing but 'security theater,' Mr. Schneier said, using the phrase he coined in 2003 to describe some of the agency's procedures.
Airline passengers will be able to bring many types of cigarette lighters on board again starting next month after authorities found that a ban on the devices did little to make flying safer, a newspaper reported Friday. 'Taking lighters away is security theater,' Transportation Security Administration chief Kip Hawley told The (New York) Times in an interview.
- Christopher Soghoian, creator of a website that generated fake airline boarding passes
- Placebo effect
- Schneier, Bruce (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Copernicus Books. p. 38. ISBN 0-387-02620-7.
- Edward Felten (2004-07-09). "Security Theater". Retrieved 2009-07-22.
- "Smoke Screening". Vanity Fair. 20 December 2011. Retrieved 27 December 2011.
- Zack Phillips (2007-08-01). "FEATURES Security Theater". Government Executive. Retrieved 2009-07-22.
- Peter N. Glaskowsky (2008-04-09). "Bruce Schneier's new view on Security Theater". Retrieved 2009-07-22.
- Chakrabarti, Samidh and Strauss, Aaron (2002-05-16). Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System. Massachusetts Institute of Technology. Retrieved 2006-09-06.
- Slate's Andy Bowers on Airport Security loopholes – Boing Boing
- Crypto-Gram: August 15, 2003
- A dangerous loophole in airport security. – By Andy Bowers – Slate Magazine
- Fake Boarding Pass Generator mirror site – Boing Boing
- Flying without ID won't work? Try making your own ID. – Boing Boing
- Cardiff Airport gets more security theatre
- Gardham, Duncan (2009-04-05). "Airport face scanners 'cannot tell the difference between Osama bin Laden and Winona Ryder'". Telegraph, The. Retrieved 2013-04-20.
- "McAfee Customers Complain of Ineffective Scanning". McAfee Communities. 2010-04-17. Retrieved 2011-01-25.
- Danseglio, Mike (2005-10-06). "Rootkits: The Obscure Hacker Attack". Microsoft Technet. Retrieved 2011-01-25.
- Schneier, Bruce (2005-11-17). "Real Story of the Rogue Rootkit". Wired.com. Retrieved 2011-01-25.
- Moen, Rick (2010-09-29). "Should I Get Antivirus Software for My Linux Box?". LinuxMafia. Retrieved 2011-01-25.
- 60 Minutes (2008-12-21). "Expert: TSA Screening is Security Theater". CBS News. Retrieved 2009-07-22.
- Theater of the Absurd at the T.S.A.
- http://www.cbsnews.com/stories/2007/07/20/national/main3080127.shtml TSA To Lift Ban On Most Lighters On Planes/Security Chief Says Taking Lighters Away From Passengers Was "Security Theater"
The dictionary definition of security theater at Wiktionary
- Crypto-Gram, Bruce Schneier's newsletter
- stupidsecurity.com a site highlighting inefficient security measures
- Sometimes, Security Theater Really Works experts Gadi Evron and Imri Goldberg show how security theater saves lives in Israel by stopping suicide bombings