Saturday, January 29, 2011

The TSA Color Coded Alerts: Fade To Black

Is it any surprise that the TSA announced this week that the color-coded threat system it has had in place since post-September 11th is being replaced?


I will refrain from comment on the new system it the details have been fleshed out and give it a chance to better inform us of what real and imminent dangers we may be in store for.


However, last post I made a point about the threat system having 5 different levels, and never having ever been at the two lowest colors - blue and green. Security Expert Bruce Schneier makes this pithy insight:


"The DHS could have lowered the level to something more reasonable, but that would have been politically impossible. If there were a terrorist attack and the threat level had been blue or green, the DHS would have been blamed for not warning us. Keeping the level high might increase the general dread among some people and cause sniggering among others, but it helps protect the jobs of those charged with keeping us safe from terrorism."


Schneier also goes on to make the great point about our ability to be on alert, which in the intention of the colored system. But always having the alert color be at one of the three highest of the colors puts a tremendous burden of responsibility on average travelers. Schneier says "According to scientists, California could experience a huge earthquake sometime in the next 200 years. Even though the magnitude of the disaster will be enormous, people can't stay alert for two centuries."


He's right. We have to be on our guard for sure, and I always like to say that every and any decision we make day-to-day is a risk-based decision, but we cannot be infinitely diligent. Human beings just don't have the mental ability to be that alert at all times. We can't even text and drive at the same time.

Thursday, January 13, 2011

What hath too much security awareness wrought?

As a creator and purveyor of security awareness, it has always been my position that there is no such thing as too much awareness or the need to be alert and attentive to the possibilities of an untoward or adverse event. So I can appreciate the fact that the TSA or Department of Homeland Security wants to make us aware of new and impending threats to our safety. But in this day of Threat Advisories, patdowns, three ounce liquid limitations, X-Ray scanners and the like, I believe that we have finally crossed the line into the surreal.

Two events this month have made airline security like the annual Simpsons Halloween special. (For non-Simpsons fans, this is the one annual episode where the show takes on a bizarre plot line and completely abandons any pretense of being realistic.)

On January 5th, while over Canada en route to Germany, an airplane's radio went awry, and the pilot thought he put the “No Radio” code (7600) in the transponder but mistakenly entered the code ‘7500’, which means "hijacking or unlawful interference". The crew ultimately confirmed that the issue was a communication issue and not a hijacking. The plane was ultimately diverted to Toronto however.  What caused the ruckus? One of the pilots spilled some coffee on the console due to some turbulence, and while trying to clean up the mess the pilot entered the wrong code.
 
The second story, a day later, was a case where a Florida professor was arrested and removed from a plane after fellow passengers alerted crew members they thought he had a suspicious package in the overhead which was “making suspicious sounds.”  That "suspicious package" turned out to be a set of keys, a hat, and a bagel with cream cheese. He was removed from the plane because he took exception to the crew’s questioning, probably reminiscent of the KGB (Where are your papers?!) and was ultimately handcuffed.  Note to self: always order the ‘noiseless’ cream cheese.

(I am not even going to tell you about the passenger on a flight from Fort Lauderdale to Denver who was pulled off a plane last week after other passengers said he was “taking too many bathroom breaks”!)

Because of the deluge of awareness warnings and veiled threats to your safety, we have become so prone to over-reacting that now we all jump if we here a loud sound in the airport. Even in the subways in NYC we are urged that if we "see something" we should "say something." Average citizens have become deputized Barney Fife’s with no accountability but plenty of assumed authority, as the bagel and bathroom cases above suggest. Passengers have become the de facto authorities of suspicious or terrorist activities on planes all of a sudden.  Now I know that many real threats have been thwarted or suspects captured with the help of average citizens who report tips, but imagine the inundation of false and ridiculous leads law enforcement have to follow-up on when you request the aid of amateurs. As a Muslim man, you almost couldn't get on a plane in the US after 9/11 due to the hysterics that followed. And God forbid if you were flying with a few of your friends.

The Department of Homeland security has five levels of alerts: Low = Green; Guarded = Blue; Elevated = Yellow; High = Orange; Severe = Red. Since the introduction of the system in 2002, we have never had a Green or Blue status, only Yellow, Orange and Red. Do you know how many times it has been changed since 2002? No? Why would you? Do you get to keep your shoes on instead at the airport when the threat is lowered? No. Do you see any real improvement in security after they raise the threat? Not really, but you do see some procedural changes in which the government and TSA react to the last threat - not necessarily a future, possible threat. How many other shoe bombers have we had since Richard Reid? (None) How many additional underwear bombers have we had since the Underpants of Mass Destruction attempt (None) Boxcutters? You get my point... (By the way the Threat Level has been changed 16 times since 2002).

If I have learned anything about security awareness training and campaigns is that though people can deal with the constant reinforcement of subtle awareness messages, people quickly become desensitized to hysterical warnings, especially if they see no immediate crisis to warrant the warnings. The most effective training, in my opinion, is to mete out the awareness with intelligent, well-reasoned arguments about what is the best behavior and what the possible risks might be. Both 'Chicken Little' and 'The Boy Who Cried Wolf' approaches are proven dead-ends.

Sunday, January 2, 2011

The Right to be Forgotten Exists In Some Cases...Like This One.


In these blogs I have often presented the perils that we face if we unthinkingly post pictures, opinions or tweets about activities or events we have engaged in or have experienced. The takeaway has always been that the users must analyze every possible aspect of what his or her post will or may be construed as, not only now, but five years from now when, for example, the adolescent is applying for that position at a respected organization, scholarship at some Ivy League school, or even a prospect for a first date.

Most people rightly have no sympathy for smart individuals who should otherwise know better, and who cannot self-censor. At this stage in the evolution of social media, we all know how data persists forever, and what you post or say online should be something that you should be prepared to live with, or defend, forever. (You do understand this, right?)

But what about those that can't defend themselves? 

You may have missed this recent story but it is a frightening example of how, though no fault of their own, two children, 4-and-5 years old, will forever be affected by the ubiquity and persistence of information in the public domain.

Here's the story: an 87 year old woman with a walker was knocked down by accident on a street in New York City by one or both of the two children, 4-and-5-years old ,who were riding their bicycles. The woman had to be taken to the hospital. She subsequently died 3 months later of unrelated causes. The old woman's estate sued the parents of the children claiming negligence: they should have been supervised better, the suit asserts.

A judge in NY state ruled that the kids could be sued in a civil injury context and the names of the children were then made part of the public record, as is customary. Ultimately, the New York Times reported on the case due to its extraordinary nature, and the kid's names have now become more widely distributed. A common practice in the world of public law has now uniquely, and probably permanently identified these children in a less than positive light for the rest of their lives. 

Though the parallels between a post on Facebook, LinkedIn, Twitter or MySpace, and the publication of the two children's names may seem unrelated and dissimilar, they have one component in common: the perpetuity of the information. The issue is not that the legal process required the publication of the defendants names in a public record; that procedure has been common practice for hundreds of years. The issue is more the fact that the memory of online databases and search engines is or will be assumed to be infinite.

Ten years from now when the classmates of these two children do Google searches on all their friends, what do you think the top search result will be? How do think teenagers in high school will likely interpret and process that data? (Johnny killed some old lady when he was 5?!!). I doubt that Johnny will see that past experience as a possible résumé enhancer. 

It is inevitable and to be expected that a future Human Resource manager will do a Facebook or Google troll on you to see why they might not want to hire you. What do you think the impact will be on the job prospects of these two kids when this case comes up on the search? These two children may always be haunted by the persistence of memory and will not have the privilege or the right to be forgotten.