July 10, 2006

Schneier on Security.

For a while I have been hearing about “security guru” Schneier explaining how the government surveillance programs are useless and wrong and so on. It surprised me a lot - not because I expected something different from Schneier - I did not. It surprised me because I knew that he was a cryptography and computer security guru. A techie guy. Someone like an expert locksmith - you would want to consult him on how good your lock is, but not on how to investigate a burglary. It does not necessarily mean that what he says is wrong. A smart locksmith may very well be capable of figuring out “who done it” better than a dumb detective. However, when we talk about the NSA surveillance programs, to describe Mr. Schneier as some generic “security guru” without an explanation - is misleading and dishonest - it creates an impression that he has certain credentials that do not exist in reality. It is especially bad when he does this himself:
“When people want to know how security really works, they turn to Schneier... His current book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.”
Annoying - was what I thought before I read this article on Mr. Schneier's web site. Now I think that the problem is not merely in how he is introduced.

Let's review the article. In fact, the article itself is written by a Norwegian professor, Floyd Rudmin, but Mr. Schneier prefaces it saying that it is a “more formal explanation” of why “NSA-style wholesale surveillance data-mining systems are useless for finding terrorists”. So, I guess, it represents his own thoughts too. A little bit strange that an expert in security had to use help from a professor of Social & Community Psychology to do his Bayesian formulas, but well – who cares? Let's read.
“Suppose that there are 1,000 terrorists there as well, which is probably a high estimate. The base-rate would be 1 terrorist per 300,000 people. In percentages, that is .00033%, which is way less than 1%. Suppose that NSA surveillance has an accuracy rate of .40, which means that 40% of real terrorists in the USA will be identified by NSA's monitoring of everyone's email and phone calls. This is probably a high estimate, considering that terrorists are doing their best to avoid detection. There is no evidence thus far that NSA has been so successful at finding terrorists. And suppose NSA's misidentification rate is .0001, which means that .01% of innocent people will be misidentified as terrorists, at least until they are investigated, detained and interrogated. Note that .01% of the US population is 30,000 people. With these suppositions, then the probability that people are terrorists given that NSA's system of surveillance identifies them as terrorists is only p=0.0132, which is near zero, very far from one. Ergo, NSA's surveillance system is useless for finding terrorists.”
Allow me to repeat his departing point: imagine that we have 300,000,000 suspects and know that only 1000 of them are terrorists. We have a tool that would select 30,000 suspects and there would be 400 terrorists among them. Think about it for a second. Imagine a police captain who walks into a room for a briefing and says - "Hey, boys, the witnesses saw a suspect leave in a blue sedan; let's check all the blue sedan owners in the area!" What do you think? Is this a useful idea? You bet your ass it is. No need to take Criminalistics 101 to know that - any TV police drama would supply you with this bit of education - NYPD Blue, Miami Vice, Law and Order - take your pick. This is what police officers do. Routinely, every day - they pick a clue and do the leg work, checking everyone who fits the profile – “an owner of a blue sedan”, “a tall guy in a yellow shirt”, “a senior from the Lincoln high-school”, or something else. And imagine - not all blue sedan owners are criminals. Yes, there are a hundred of them in the vicinity, but we still take this description and run with it. You know why? Because it is easier to check only one hundred blue sedan owners than just everyone. It is not useless. It is not “mathematically impossible”. It is not “McCarthyism”. It is routine police work. And I cannot believe that this has to be explained!

It is really a no-brainer. You have three hundred million suspects, you can filter them down to thirty thousand and still have a lot of fish in the net - yeah, let's do it. By all means. We need to start somewhere, and it seems like a solid beginning. One may be annoyed that it is not a perfect answer, but to say that it is useless - is just plain dumb. No other word for it.
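
The arithmetic behind both readings of the quoted figures, as an added example that is not part of the original post or the quoted article: it computes the article's p and also the size and enrichment of the flagged pool. The names screen, sweep and ScreenResult, and the extra false-alarm rates 0.001 and 0.01, are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreenResult:
    flagged: float    # everyone the filter selects
    true_hits: float  # real targets among the flagged
    missed: float     # real targets the filter never selects
    ppv: float        # P(target | flagged), the quoted article's p
    lift: float       # ppv divided by the base rate (pool enrichment)


def screen(population, targets, hit_rate, false_alarm_rate):
    """Apply Bayes' rule to one pass of a filter over a population."""
    true_hits = targets * hit_rate
    false_hits = (population - targets) * false_alarm_rate
    flagged = true_hits + false_hits
    ppv = true_hits / flagged if flagged else 0.0
    base_rate = targets / population
    return ScreenResult(flagged, true_hits, targets - true_hits,
                        ppv, ppv / base_rate)


def sweep(population, targets, hit_rate, false_alarm_rates):
    """Re-run the same filter at several false-alarm rates."""
    return [(far, screen(population, targets, hit_rate, far))
            for far in false_alarm_rates]


# Figures from the quoted passage: 300,000,000 people, 1,000 terrorists,
# 40% detection, 0.01% misidentification.
QUOTED = screen(300_000_000, 1_000, 0.40, 0.0001)

if __name__ == "__main__":
    print(f"flagged {QUOTED.flagged:,.0f}, true hits {QUOTED.true_hits:,.0f}, "
          f"missed {QUOTED.missed:,.0f}")
    print(f"p = {QUOTED.ppv:.4f}, lift over base rate = {QUOTED.lift:,.0f}x")
    # The 0.001 and 0.01 rates are constructed for illustration only.
    for far, r in sweep(300_000_000, 1_000, 0.40, [0.0001, 0.001, 0.01]):
        print(f"false-alarm rate {far}: flagged {r.flagged:,.0f}, "
              f"p = {r.ppv:.5f}")
```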

