Appendix: Identifying terrorists before they strike by using Computerized Knowledge Assessment (CKA)

Steve Kirsch, stk@propel.com

This document is the Appendix for Identifying terrorists before they strike. If you are reading a hardcopy of this page, the most recent version of this page can be found at:
http://www.skirsch.com/politics/plane/ultimate_appendix.htm

Subjects covered in this document include (though not necessarily in order and not limited to the following):

  • Tables containing common technical and non-technical objections that people have raised and my response to each objection
  • System configuration details (many configurations are possible)
  • Why this isn't a violation of civil liberties
  • Why this isn't psychological profiling
  • Cost estimates for prototypes and deployment for each system component
  • CKA advantages
  • Iris scan advantages (and why the iris is the ideal biometric identifier)
  • Details on how CKA would work in this situation (beyond the info on Farwell's site) and the potential for additional technological breakthroughs in CKA
  • Why the FBI isn't pursuing this now (and why the leadership of the FBI or FAA must be involved for this to go anywhere)

Advantages of iris identification 

  • Each iris is absolutely unique. 
  • The iris is the most personally distinct feature of the human body.
  • The iris remains stable and unchanged throughout life.
  • Average recognition time is about one(1) second.
  • The iris alone is sufficient to uniquely identify a given individual in 1 second (no smart cards or ID cards are required)
  • The iris is superior to all other biometric forms of identification (see http://www.eyeticket.com/technology/biometric.html)
  • There has never been an error (the chance of an error is 1 in 1072 which means there will never be an error for all time because by this time the universe has degraded into black holes)
  • It's proven in US public airports for both access control as well as passenger ticketing. It is also in use for ticketing at sporting events.
  • It cannot be fooled
  • The characteristics of the iris are captured by simply glancing into a digital camera for a fraction of a second. 
  • Automatic identity verification is made in a non-intrusive way by matching patterns found in the iris against enrolled records. 
  • Eyeglasses and contact lenses are easily accommodated. 
  • No other biometric technology can rival the combined attributes of mathematical certainty and non-invasive operation offered by iris recognition.
  • See http://www.eyeticket.com for more info

Advantages of CKA

  • The underlying brain mechanism that the CKA technique relies upon is 100% accurate. It cannot be fooled. It has been known for 20 years and has been well studied and is without controversy.
  • The CKA technique was first published in 1987.
  • The only reason that the technique is typically only 99.9% accurate is due to a signal to noise issue which varies from person to person. With more people focused in improving the signal to noise ratio of the detector, we can both reduce testing time and increase accuracy rates.
  • The longer the testing time, the more accurate the results. We can achieve arbitrarily high confidence levels just by lengthening the testing time.
  • A 10 minute scan is sufficient to provide a rough screen against a wide variety of threats... in fact, fewer than 1 terrorist in 1,000 would escape detection (that's a worst case; in the typical case, when the system is fully tuned, only 1 terrorist in a billion might escape detection).
  • The computer can automatically probe any suspect areas in more depth that showed up during the initial screen if necessary
  • Most passengers will only need the 10 minute test (this is the security equivalent of a medical "whole body" scan... you only get specialized scans if the whole body scan shows that there might be a problem)
  • There is no chance of error. Unlike a lie detector, the test is completely objective and totally automated. Unlike a lie detector, there is no human judgment. All scores are mathematically quantifiable and calculated automatically by computer. Confidence levels are also automatically calculated by computer.
  • Unlike DNA which requires a sample, with CKA, anything can be tested.
  • The test is not a psychological profile; it cannot measure how you feel about something. It measures only the presence or absence of information. It is best equated to an automated version of the yes/no security screening questions we have today. Essentially, it is nothing more than a sequence of "Have you seen this item before?" questions. You can choose to stop the test at any time. You can review all the questions in advance of the screening (your particular screening will be a random subset of the full list of words and images).
  • It does not discriminate on race, creed, color, sex, religion, or any other factor. It just tests what you know.
  • By varying the testing protocol periodically, it would be impossible for terrorists to "teach around the test"
  • It has already been proven in two areas similar to terrorist identification. Terrorists are trained agents taught to murder. CKA has already been proven to identify murderers as well as FBI agents.
  • In 90 days from a request by the FBI or FAA, a terrorist screen can be put together and we can compare the results with the results a trained FBI agent could achieve in the same amount of time. The results are predictable: the brain fingerprint will identify a terrorist in a crowd every time. The FBI agent will miss every time. Which system would you rather have protecting you?
  • See http://www.brainwavescience.com for more info

The answer to the "Super Bowl scenario"
For any major event, such as a sporting event, you treat it no differently than you do access to the departure gates at an airport, i.e., you require all Super Bowl attendees over a certain age to get their security profile done at their leisure at any time in the months before the game at a local airport. So then each person looks into an iris scanner upon entry and if they pass, they are admitted. So as long as perimeter security is good (as it usually is in sporting events since otherwise they'd forfeit profits), the only way in is through the iris scanning stations, via airdrop from above (which would be very easy to detect), or by tunneling into the stadium (which would be prohibitively expensive and virtually impossible to do without arousing attention). Iris scanning and CKA have never been fooled. Never. So we'll accurately identify the terrorists, each and every one of them. We didn't have to know in advance how many there were. We didn't have to get the FBI tip. And we didn't need to know their organization.

Could a terrorist come up with a new technology to thwart the brain fingerprint/iris scan? Sure. Is it likely to happen in the next 100 years? Doubtful since terrorist organizations don't usually have big R&D labs to do this sort of work. But it's possible! However,  if they do, we'll be ready with effective counter-measures. No solution is perfect and no solution will cover all cases. If we attack any suggestion by pointing out the cases it won't cover, we'd never adopt any new ideas. Instead, we have to look at the solutions available to us, and pick the solutions that provide the greatest amount of protection at a price (money and convenience) that we are willing to pay.

Selling this to the public
Logically, this system is less invasive, more private, more secure and more convenient than today's system. Some people won't understand and will fail to comprehend the arguments in the three tables below. We've done this before with seat belts where people argued that the government has no right to dictate how we behave in a car. This system is far less problematic than seat belts! The technology wouldn't be ready to deploy for 2 years. During that period, it would be important to get the involvement and endorsement of the ACLU and other civil rights/privacy groups, as well as support from other influential groups (Teamsters, etc.). Members of Congress and the President should go through it before anyone else. We can phase this in for all people arriving into the US. Then expand it nationwide. We should start with an FBI test. The FBI can put a unknown number of terrorists in a group of 250 people to be tested. If the system can repeatedly without error find the terrorists in the group, then we should begin the next phase of development, e.g., a prototype of what an airport testing station might look like. 

Best way to explain it to people
I've found that if you explain it this way, you minimize objections.

The FBI has discovered that there is 20 question Yes/No test that we can give air passengers that is 100% accurate in identifying those passengers who have been trained by terrorist groups who have threatened the US. The questioning takes 10 minutes and need only be done once every two years. You are given the choice of two planes to board to your destination: one plane requires the screen of every passenger, the other does not. Which plane will you board?

Another approach...Suppose we had a new airport security checkpoint that worked like this:

  • You approach a security officer. He does NOT ask you for any form of ID if you promise to tell the truth. He just asks you 20 yes/no questions. You can refuse to answer any question, but if you do, he may not let you on the plane. The test takes 10 minutes.
  • At the end of the 20 questions, he decides whether to allow you on the plane or not. However, the 20 questions are carefully selected so that only terrorists fail the exam. Everyone else passes. It's an infallible test. 100% accurate. It works even if you lie.
  • If you fail, you don't get through the checkpoint (you aren't arrested or anything). However, since the test is 100% accurate, no one but terrorists will be turned away.
  • If you pass, the security officer offers you a choice. You can look into a camera that will record what your eyes look like and store it in a federal database as a "good" set of eyes. No name is associated with that data. If you do this, any time you enter the airport, you can just look into the camera and it will lookup your records and pass you through in 1 second. If you choose not to have your eyes photographed and stored, then you must  take the 20 question test each time you want to pass through security.
  • Is this reasonable so far (if you trust my assumption that it is 100% accurate)?
  • Now suppose that instead of someone asking you questions, we ask you to wear a baseball cap and have you watch TV for 10 minutes. The security officer will look at you while you watch TV and make his determination. Would that be equally acceptable if the security officer is still 100% accurate in his assessments just by watching you watch TV?
  • Because we're concerned about civil rights and possible bias based on race, and because we want to lower costs, would it be OK to replace our security officer person with a computer that monitored your reaction while you watched TV (again, assume the computer program is perfect), i.e., are you OK with a machine, that is blind to racial and ethnic bias, monitoring you while you watch TV for 10 minutes?
  • Are you OK with the machine monitoring you using the same methods that hospitals use every day to monitor patients that has been proven to be medically safe and have no side effects?

Non-technical objections (see table below for Technical Objections )
This page has been viewed by over 20,000 people. Negative e-mails that have been received were mostly skeptical of future government abuse of the system, not the system itself. None of the those critical of the system offered a superior alternative. This demonstrates that if the concept is properly explained to people, it's not objectionable. In fact, the more people know about it, the better they like it. 

Even Thomas Greene, the reporter for "The Register" who wrote a scathing article about the approach admitted on CNET radio (on October 4) that " if it worked and if it could be confined to the very strict uses Steve proposes, which I very much doubt, then I'd have no objection." The biggest downside of the system is it's hard to explain to some people. The biggest objections are (a) skeptical that it can really work as described (i.e., sounds "too good to be true") and (b) fear of government misuse in the future. Here's the table:

Perception Fact
The government will misuse this screening in the future to find out things they have no right to know. This is a bit like arguing "we can't give the government the right to search us and ask us security questions before we're allowed to board the plane because if we let them do that, then who knows what they'll ask for next." So while we have a fear of the unknown, we should we remember that we elect the government. If the government oversteps its bounds, vote for someone else. 
Why not just make this test optional? Unless we have an equally reliable method of screening passengers on the plane that has the same accuracy as this technique, I do not think this should be an option and I would be very suspicious of traveling on a plane where this were not required. However, here's a way to accommodate your request: create "safe" planes (100% passengers are tested) and "unsafe" planes (traditional screening). This is sort of like non-smoking vs. smoking flights. I'll book my travel in the "safe" planes 100% of the time. How about you? Which plane would you ride on? Know anyone who wants to ride with the terrorists?
If this tool falls into the hands of a repressive government, it will be abused. If we really have a repressive government, this will be the least of our problems. Do you really think not using this today for airport security will stop them? The genie is already out of the bottle. Secondly, suppose you're right. Exactly how would they abuse the technology? What would they show you?
This is just a ruse to get my biodata so that the government can track me. You may not link the data today, but it's just one step closer to that. It's just like a social security number. It wasn't supposed to be a permanent identifier.  So shall we eliminate social security numbers and driver's license numbers? Shall we eliminate credit cards because the credit card company knows what you purchased? Shall we eliminate bank accounts and move to a Swiss banking system that is identified by number only? If everyone's lives would be better off this way, why isn't there any movement at all to eliminate these existing systems? Also, when we banned AK-47's some argued that was the tip of the iceberg and it would lead to a total ban on all weapons. It didn't.

There is an alternative which is to sign the brain data/iris data using the government's secret key and record it on a smart card instead of in a government databank.
Giving up my bio data to the government is too extreme. Then you should be in favor of replacing the current system with this system because it protects your biometric data better than the system we have now. Today, when you  check-in at the ticket counter and present your driver's license, your age, height, weight, eye color, and complete facial biometrics are disclosed to the agent. Wouldn't it be easier and more private if you only had to present one biometric (which is only useful to a machine) rather than at least 5? And wouldn't it be better if you can present that biometric (to check-in and board) completely anonymously so that no human being or computer can associate your biometrics with your identify? That's exactly what this system does. It protects your biometrics from disclosure to anyone. The computer tracks a list of enabled biometrics, but there isn't an association of biometrics and identity (your name) kept anywhere. So even if there were an association with your name, it's no worse than the system we have now. And today's system is acceptable to people, since we see no protests about presenting photo ID to check-in. This system is less intrusive than we have now.

Lastly, you trust the government with your complete financial data now when you file your taxes. And that data is associated with your identity. There aren't any protests that this is an invasion of privacy or too extreme. In the system described here, the government just has a biometric file with no names. Which database are you more afraid of being made public or misused? Even if the government could associate your biometrics with your identity, which is the greater threat to you: the government disclosing your eye color or your financial data? The point is that even if the governments bio data database were publicly disclosed, it's useless. The tax database is another matter. So we should be encouraging the government to adopt more systems such as this one because it is less intrusive than systems we have now. The fact that we don't rebel against the government having our tax data and willingly present our ID and biometrics upon airport check-in indicates that the system described here is completely socially acceptable since it is far more protective of personal privacy than existing systems.
This invades my privacy too much Actually, it doesn't invade your privacy at all. When you sent your SAT scores into colleges, did you consider that an invasion of privacy? Most people didn't. Suppose the colleges let you send in your SAT scores without your name so that nobody but you would know what your SAT scores were. Wouldn't that totally protect your privacy? Most people would say "absolutely!" Well, guess what? That's exactly the case here. After you take the test, since you don't have to present ID, nobody but you knows whether you passed or failed the test. So if nobody knows but you knows how you did on the security screen, then how can you be negatively impacted? In fact, the only people who get negatively impacted by this are people who are trained terrorists. That's the price we pay... the trained terrorists get negatively impacted. I'm willing to accept that tradeoff. Why aren't you?
This is some kind of trick. This will be used for mass mind control. If it is a trick, then someone will expose how people are being fooled. And then people will demand that it stop. Of course, this is based on science known for the last 20 years so it's no trick. And the EEG sensors are standard sensors that have been used in the medical community for decades.
It's inconvenient to have to take a 10 minute test every 3 years. Consider the alternative: long lines everywhere and showing up to the airport 3 hours before your flight? With this system, security screening can go back to the way it was before 9/11 because the system is so effective in identifying terrorists. The only reason for the increased security was to screen against terrorists. If there is an effective alternative, we can go back to the old system.
This won't work. Terrorists will find a way around the system. For example, they'll just pick someone, get them certified, then train them and have them execute the plan in under 3 years. The configuration described in the paper was just one possible approach. If we believe a terrorist can be recruited, brainwashed, and trained in less than 3 years, we can have 10 minute scans every 3 years and "quick scans" every month. The system need not be perfect to act as a significant deterrent. We'd expect to have a few loopholes and close them over time. We've got to start somewhere. Stopping 999 terrorists out of 1,000 is certainly a reasonable starting point.
If I don't pass the test for some reason, you'll restrict my freedom to travel. Not really. We'll probably just allocate an air marshal to your flight unless you have a really severe profile in which case you're right, we will restrict you from traveling and if you are a foreigner, we won't let you enter the country. That's the price you paid for going to terrorist training camp for 3 years. Next time, just say, "No."
What do privacy experts think of this? I wish I had a nickel for every time I've heard this. Funny how people can't seem to make up their own minds as to whether they should be upset or not... they want to be told by others how they should react. So see the section above on privacy.
This can't possibly work. If I haven't committed a crime, you've got no right to keep me off the plane. It's never been fooled. We aren't judging your future behavior. We are only making an objective determination as to whether you are a security risk. And if you are, we reserve our right to refuse to serve you and to to protect our citizens.
How would we get all of the possible terrorist suspects already in the U.S. to go to a CKA session? Wouldn't they simply not show up? They probably won't show up because if they do, they will be caught. So they won't be able to enter the country through any border we patrol and they won't be able to board planes or enter major sporting events, etc. If we want to go after the terrorists already here, then we might require anyone with a driver's license to be tested as well in order to renew their license. The nice part about this method is you only need to be tested once overall, not once for the DMV, once for airports, etc.
If it allowed 1 terrorist in 10,000 terrorists through, that's enough to do serious damage. By that logic, we should only implement a security measure if it is 100% foolproof. Since nothing is 100% foolproof, we'd do nothing. The point is that probabilities are everything and this substantially reduces the threat of terrorism on planes by at least 100 times at minimal cost and convenience. It's not perfect. But it's a good start.
This will cost too much. We can't afford it. We'll certainly save people's time like the 2 hour long waits in the security line while they look for nail clippers. What's that time worth? And hard dollars, we'll probably save those as well. So, for example, the cost of this single terrorist incident is probably $100B. If we spent $1B a year in prevention that's cheap insurance. We won't need to spend anything near that. To monitor 20 machines, maybe you have 1 full time person at $40K/yr.  So maybe the cost is $200M per year labor costs. That's rounding error compared to the cost of this one incident (or the other things we are doing such as the air marshal program). Again, compare the cost of the program to the cost of preventing one disaster and saving thousands and millions of lives. What price do you put on 5,000 human lives? On 100,000 lost jobs? The bottom line is that we can't afford not to have this system! 
This violates the 4th and 5th amendments. Nobody is forcing you to take the test. You are consenting to take the test because you want a benefit (air travel). Also, the 4th says you have a right to personal security and to me that means I have a right to travel on a plane where people are screened. The 5th applies only to crimes and seizure of tangible personal property without just compensation. Again, you are consenting to release information.
I'm much more worried about losing my Constitutional right to travel unmolested within the United States, than I am about "terrorists". You have no such Constitutional right. You are molested by having to show your ID (with 5 different biometrics typically) and to risk those biometrics being associated with your identity. You are scanned with a metal detector. Your carry-on bags are searched with an x-ray. Your checked bags probably go through a more sophisticated scanner. They might also be smelled by dogs. You may have to turn on your computer and cell phone. Your car is searched when you enter the parking lot. You must answer security questions. This system is superior to the current system since it achieves the same ends more reliably and more conveniently. 
If you offer both types of flights (secure and non-secure), how will you get a flight crew to agree to go on the non-secure flights? Just as there are people who would refuse the computer security screen, there are some people who value their perception of increased privacy over their personal safety. We should not force or require a airline employee to be on board an unscreened flight. If there are not enough of these people, then there will be fewer non-secure flights offered by the airlines. 
Congress will never vote to support this. They don't have to. It can be done via executive order. It could also be done by a single airline or a group of airlines acting together. There is substantial market demand for this. In fact, some of the biggest detractors of the approach fear that the market demand will be so substantial that there will be no flights available to people who aren't screened.
The public will never support this... brain probes...it sounds too invasive. People also said nuclear power is completely dead and that nobody would support it. Then we had a power crisis in California and suddenly virtually all the public is in favor of it. In this case, we are offering people an alternative to the 2 hour long security lines that make sure that honest travelers can't carry as much as a nail clipper (while leaving terrorists with sharpened credit cards, etc) and to the risks associated with flying. They don't have to take this option. But as Americans we must support giving those people who consent to this test the option to take the test. That's what freedom is all about. 

Technical objections/Misconceptions about the technology

This won't work because... Fact
Terrorists will easily fool the system by informing the public of every detail of their internal operations so that every member of the public looks like a terrorist, rendering the test useless. If the terrorists can accomplish such a thorough and mass education effort, then we should copy their techniques to educate the general public! If the terrorists did this, (a) it would be super easy to track where the money is coming from and shut them down, (b) you'd have to physically enroll in one of their training camps for at least a year for your P300 brain response to look similar to a terrorists brain response. So for example, looking at a picture of an AK-47 doesn't give you the same response as having used it to kill people. You'd have to do special drills as Rosenfeld's students did (see below) to fool the amplitude of the P300 (but not the latency). No honest person would do such preparation since there is no incentive.
The New York Times reported that Japanese researchers couldn't replicate Farwell's research. The Japanese researchers had results that were no better than random chance. It would be difficult to replicate Farwell's system because, according to Dr. Rosenfeld, Farwell has not disclosed his methods. If Farwell's system didn't work, how could we possibly explain how the computer was able to pick out the FBI agents without error? The odds of that happening by random chance are less than 1 in a million. So we're left with the inescapable conclusion that either Farwell is the greatest magician since Houdini (having fooled the FBI, his thesis advisor, peer reviewers, the experts interviewed for the article, and the rest of the brain science community), or it really does work. 
The New York Times reported that Dr. Rosenfeld of Northwestern has been able to train students to confound p300 lie detection tests and called it "a sound idea that's not ready for prime time yet." Rosenfeld's recent research published on his website is on measuring the P300 response for false memory, not on techniques for erasing true memory. However, Rosenfeld is preparing a paper for publication next Spring that describes how he can train students to deceive the P300 response, i.e., suppress true memory. But he's not tested it on Farwell's system. 

By "not ready for prime time," Rosenfeld said (in an e-mail to me) that he meant two things:

  • no countermeasures studies were tried
  • the total lack of real field data

Rosenfeld believes that the FBI wasn't trying hard enough to fool Farwell's system.

We are left with (a) the undisputed fact that nobody has ever demonstrated that they have "fooled" Farwell's system, and (b) that there are some calling for more data, and (c) that there is at least one researcher who claims he can beat Farwell's system.

There is one way to get to the truth and it's ridiculously inexpensive: have Rosenfeld "prep" a few FBI agents and run the same test material that Farwell used previously that the FBI was unable to fool and see who's right. I have asked Rosenfeld whether, if the FBI asked, he would cooperate, and he said he'd be glad to.

Separately, Rosenfeld said that although he believes that he has evidence that one form of the P300 recognition paradigm can be beaten, he said, "I am confident that very sophisticated brain wave tests--not simple P300-based recognition indicators-- perhaps in combination with other physiological measures, will one day in the near future give us an accurate lie-detector which is also hard to defeat." 

So our best case is that it's hard to defeat today. The worse case is that it's in the near future. So it seems worthy to test it out now and see how difficult it is to fool it.
The New York Times reported that Farwell's thesis advisor (Donchin) calls Mermer "business nonsense." Donchin co-authored the paper with Farwell 10 years ago citing 87% accuracy (it's been improved in the last 10 years to get 99.99% accuracy) and showing that it works even if subjects are deliberately trying to fool the system.

Donchin's statement is most likely a reference to MERMERs; it sounds catchy but has no operational definition. 

However, the same article also quoted Donchin (and others) as endorsing the technology: "Dr. Donchin and others say that p300 testing may one day be as valuable as Dr. Farwell currently claims if more research into how to present the right questions or other stimuli." In our case, the research is in a very narrow area (terrorism) and this can be accomplished quickly (within a few months) and refined over time.
Farwell only produced one peer reviewed paper with Donchin. This statement by Rosenfeld is just flat out untrue. For example, Farwell's 2001 paper on mermers appeared in the Journal of Forensic Sciences.
Some scientists in the field think that Farwell has a reputation of making excessive claims that cannot be substantiated and that people in the CIA view him as an embarrassment and that he was never on the faculty of the Harvard Medical School. In court, Farwell produced evidence that he was on the faculty of the Harvard Medical School. Rather than argue each point, we should separate the science from the scientist and evaluate the hypothesis. If those claims are true (and I'm not saying that they aren't, but just trying to present both sides here), then: 1) how do we explain the undisputed 100% accuracy in the FBI tests (especially significant in the light of the Japanese getting no better than random chance), and 2) how do we explain the fact a very knowledgeable and senior FBI insider, Drew Richardson, recently joined Farwell's company 8 years after first learning of the technology? You'd think that in 8 years he would have heard all the pros/cons.
If this really worked as advertised, the FBI would be all over this. There must be a catch. The  New York Times article noted that Dr. Drew C. Richardson, a psychologist who formerly headed the FBI.'s research laboratory at Quantico, Va., and its unit overseeing chemical and biological warfare threats was so impressed by the technology that he recently left his job at the FBI to join Farwell's company. This was not a snap judgement. Richardson was first introduced to Farwell's technology 8 years ago so he had plenty of time to study it himself and read all the FBI's research on the technique. 

The reason the FBI hasn't pursued it is because they delegated the evaluation of the technology to the group that does polygraph examinations. Since Farwell's technology is 100% automated with no human expertise or interpretation required, endorsement of this technology would mean that they would be out of a job. The FBI has no evidence for opposing it that could be presented in a public forum that would stand up to any scrutiny at all. In fact, if there were a Senate inquiry into the matter, this would be obvious. There is a GAO report that is being done now (a report has not been issued), but it's merely a "he said, she said" type of report. Nobody is asking any tough questions to get to the facts.
How can you possibly claim 99.99% accuracy since this technique hasn't been tested on over 10,000 people? The P300 complex is 100% accurate. What's inaccurate is our ability to measure it. Every measurement in real-life has (gaussian) "noise." So if I give you an item exactly 1 inch long, and we used 10 rulers to measure that item, we'll get 10 different measurements. Statistically, we'd look at the mean and standard deviation of these points to determine the size and our confidence in our measurement. So we'd end up with say: it's 1 inch plus or minus .01" with 99% confidence and 1 inch plus or minus .1" with 99.999% confidence. The brain data is no different. The 99.99% confidence is calculated using established statistical formulas. If you want to get to arbitrarily high confident levels, you lengthen the test or test three different areas as described in the next row.
Even with a 99.99% accuracy rate, if you have 200M people you test, you'll get 20,000 people who are falsely identified. That's too many! 20,000 mistakes per year is about 1 per day per airport, and that could easily be handled with a federal officer. However, the actual number that would be problems is significantly less than that. This is because the 99.99% figure is on a single probe, e.g., familiarity with al Qaeda. So suppose we probed two things that terrorists would know. You'd have 1 chance in 100M of getting mistakenly nailed on two things. In our 10 minute test we probe at least 3 different areas so for a well constructed test, if you lead a relatively normal life, your chance of being rejected if you are not a terrorist is about 1 in a trillion. The converse is true. A terrorists chance of escaping detection is the same...so for every 1 trillion terrorists they try to put on the plane, we'll catch all but one. I can live with that.
Once people take the test, they'll have seen the images so if they take it again, they'll fail, so this won't work. Seeing a picture of an AK-47 doesn't elicit the same response as someone who has used it to kill people. Here's another simple example...suppose I were to show you pictures of 30 people that you saw the last time you visited the airport. These would be people you walked by on your way to the plane. How many of those people would you recognize? If you asked me, the answer would be zero. The point is that for things we are familiar with, there is a strong recognition response. For things we've seen in passing, or not at all, there is a weak response. The test itself is looking for strong familiarity and the thresholds for each person are easy to calculate.
We need more research before we try something like this, e.g., on uncooperative subjects, etc. The approach used by Dr. Farwell can determine whether or not someone has seen a particular image before. It has been tested on hundreds of subjects, including the uncooperative, intelligent, and even those who understand the system's workings. It is 100% accurate. This technique is based on the Sternberg paradigm, which has been known for decades. It has been very, very thoroughly peer reviewed. People in the field of brain wave science would stake their reputations on this. I encourage you to get an objective view on this from another neuroscientist.
Terrorists will have someone pass, train them, and have them kill people before that person is re-tested in 3 years If we're seriously concerned that this is viable, we can have people get "mini checkup screens" once every 60 days. Most people are not "instant terrorists" that are willing to die for their cause...it happens gradually over a period of years.
Terrorists will just find a way to fool the iris scan and walk right past the scanner, e.g., with a phony contact lens. Iris scans have never been fooled, but that doesn't mean it can't be done in the future. There are many ways to circumvent the people who try this, e.g., by observing the iris dialation response (being able to fake that is beyond the expertise of our best medical researchers). Someone may come up with a way to fool the iris scanners. After all, we know how big those R&D budgets are for terrorist organizations; we all know they get the cream-of-the-crop researchers working with all the best grad students at state-of-the-art facilities. So maybe they will figure out a way. If they do, we'll close the loophole after they point out the vulnerability to us.
Terrorists will come up with some other way to fool the system. Sure, just like terrorists will come up with a way to put a card into an ATM and draw out money from your bank account. So sure, it's possible. It just means we need to be careful to design the system right to minimize this possibility. We probably won't get it right the first time. And as holes are exposed, we'll close them so that the system gets more and more effective over time.
Creating the tests will be tricky so you don't get any false positives. That's true. Creating the tests are the key to making it work as promised. Undoubtedly, we'll get better and better at this over time. But even if the test is only 90% accurate, it means we'd only have to screen 10% of passengers rather than 100%. And it's highly likely that most people will pass with flying colors while terrorists will get nailed on every image, so in practice, the error rates will be quite small.
This depends on a connection to the Internet to work. The terrorists can bring down the Internet. Even if the Internet fails this system will still work. The complete government "OK irises" databank for every person on earth could be stored on a single hard disk that can be purchased for $250. So each airport can have it's own local copy of the database that can be updated daily with new additions/deletions.
You need an Internet connection to do authentication. If we issue people cards with a magnetic stripe (or smart chip) which has their data signed by the secret key of the US government, then we can do authentication without needing an Internet connection.
You need "goop" for the EEG sensors Wet sensors work somewhat better than dry ones. So it's a tradeoff between testing time and convenience. If we find most people are short on time, we'd use wet sensors. If convenience is a factor, we'd use dry sensors. The "goop" is non-toxic and water soluble and cleans up with a paper towel in seconds.
If the test shows you a question you object to, by the time you object and stop the test, it's too late. The software would be set up to not transmit an incomplete test into the federal database. This would have to be legislated and audited to ensure consumer safety. If it did do this, someone would know and tell everyone about it. Having the code to the machines made public or given to independent organizations to audit is probably the simplest way to accomplish this.

Do people actually prefer this approach over the existing solution?
Suppose the government had two different systems to protect air travelers. Let's call them System A and System B. Which system would you choose based on the table below?

Attribute System A System B

Time to get past security

 Huge lines to get past security. Best to arrive an extra hour or two earlier. Lines comparable to pre-Sept 11 plus 10 minutes every 3 years
Terrorists allowed on plane  Yes. Allows equal access for terrorists to boarding areas and planes. No. All terrorists are accurately identified. Under no circumstances will terrorists be permitted on the plane.
Security screener knows your name Yes. The screener sees your ID so he knows your name, where you live, and gets to ask you all sorts of personal questions. The security screen is completely private and anonymous. Nobody but you knows how you answered the questions.
Security mechanism Search all your bags and arrive 2 hrs early. No sharp objects allowed including nail clippers, screw drivers, pocket knives.  We ask you 20 Yes/No questions once every 3 years. Small objects are OK if you passed the 20 question screen. Same x-ray and metal detectors as before the 9/11 incident.
Gate security Photo ID at gate. Fake IDs are acceptable if they are realistic looking. Biometric data must be presented before boarding to authenticate your identity.
Treatment Assumes everyone is a terrorist. Assumes everyone is minimal risk. Only treats people with terrorist training as a terrorist.

System A is pretty much the system we have now. System B is our proposal. Do you know anyone who prefers System A? This is the approach we must use to sell this to the public.

Here are some other questions to ask people:

  • Is there a better way to reduce the threat of terrorism in the US?
  • If this system is implemented as described, how would you be worse off or negatively impacted?
  • Does this system require you to give up any freedom or liberty? 
  • What could you not do after the system is in place that you could before?

Ideal equipment configuration
Set up the equipment outside the boarding area since some boarding areas are relatively small and isolated. These stations are like phone banks. There is one security officer monitoring the machines at all times. There is a "check-in" station where you present your iris. If you're cleared to go, it tells you you're done and enables your biometrics for 2 hours (until used to board a plane). If you need a "refresh" or a "retest" or an "initial test" it notifies you. If this is your first test or a periodic retest, it records your new biometrics. Then you pick a station and sit down at it, and present one of your biometrics. Since there is a human monitor at all time, we need not have iris checks at each station. You put on the headset and watch images. If you pass it will tell you, and enable your biometrics for the next 2 hours for boarding at this airport. So the whole thing is anonymous. Also, there is a special fast-pass security checkpoint for people who cleared the screening machine. You just present a biometric (like your hand) and a card with an ID number on it (no name). If you pass, then they give you a simple screen like the "old days" of screening... small objects are OK. So no long waits in line and no inconvenience of not being able to carry your razor and nail clipper in your carryon. 

Commercializing the computerized security screening stations
The government can allow private industry to create these stations. Either the consumers can be charged a fee to be profiled, or the airports or airlines can pay the companies a fee per year for the devices. The federal government can create the standards, certify the manufacturers, and certify the devices on a regular basis. By having commercial enterprises create these devices we increase innovation and lower government costs.

Costs

Computerized screening stations: The biometric sensors to record your brain waves cost $5K in low volume. The computer with keyboard and Internet connectivity costs about $1,000. The display device and iris scanning goggles would cost about $4K. The machine to make the ID badges can be shared for every 10 stations so is a trivial cost. The same is true for multiple biometric sensors. Since this part is very quick, there can be a single "biometric measurement" station that you go to after you are done profiling that, after you put on the goggles again to read your iris, takes all your biometric data and keys it to your iris. So the cost per station is about $10K. If we place in a huge number of stations, say 100K stations, we're looking at a $1B one-time capital investment which can all be funded privately (see section above on commercializing). 100K stations is huge overkill; it would allow us to screen every passenger on every flight. So it's probably at least 10X more machines than we need. So $1B is a conservative estimate.

Security checkpoint stations: These stations would use a system similar to that used by http://www.eyeticket.com/. There is nothing to put on and you can be scanned and told your results in under 1 second. These stations cost $10,000 each. Unlike metal detectors, there are no false positives (no hassle of emptying your pockets and trying again). Since there are 3M travelers per day, and since each machine can handle thousands of passengers per hour, let's be conservative and put in 1,000 machines. That would cost only $10M.

Check-in and boarding gate stations: We'd need a cheap biometric sensor and in the worst case, the equivalent of a way underpowered laptop PC. So say $1,000 per station. Assuming there are 30,000 gates, that's $30M.

Federal Computer database: The data used by these devices is small. If we save all biometric data plus profiling, we're looking at 5K bytes per passenger. Assuming 1B passengers, that's 5 Terabytes. Amazingly, you can buy a 100Gb hard disk for $250. We'd need 100 to allow for failure and to provide a throughput of 10,000 IO/sec. That's about $25,000. We could distribute the data on 100 PCs for safety and throughput. Each PC is $1,000. So for $125K, we have all the hardware we need. And Larry Ellison said he'd donate all the Oracle licenses we need.

Iris enrollment (from Iridian): $4,899 for a single unit! Under 15 seconds per person.

Iris recognition unit (from Iridian): $2,999 for a single unit. You can be 1 foot away and look at it for a second. Set up for physical security.

Panasonic Authenticam (from Iridian): $239 each (single quantity). Can be mounted on top of a computer to authenticate user while he is taking the test.

CKA notes
The brain response used by CKA is 100% accurate. The reason our final accuracy is not that good is due to signal to noise... there is a lot of things going on in the brain and different people have different signal to noise ratios. So on any given topic area to probe, the final confidence in the result (solely because of the signal to noise ratio) is typically 90% to 99.9%. So if we can reduce the signal to noise of the technique through application of differential sensors, repetitive tests, etc., we'll get a higher confidence. Still 90% confidence is orders of magnitude more than what we can get from manual questioning. In 10 minutes, we can probe about 3 major areas with at least 90% confidence in each area. So in our worst case scenario, only 1 in 1,000 terrorists would get a clean bill of health. In other words, at a bare minimum, we've made their job 1,000 times harder. In the more typical case, each area will have 99.9% confidence. In this case, only 1 in 1 billion terrorists would escape with a clean bill of health. In other words, in the most typical case, the terrorists' job just got a billion times harder.  

The benefit is huge today, but the potential for improvement is huge as well. Today, there are only a small number of people focused on the problem. With more people thinking about the problem, it's likely we'll be able to improve the signal to noise level dramatically.

Why the FBI isn't pursuing this
The FBI is a big organization. The people who know about the technique within the FBI, such as Sharon Smith, are not the people involved in the decision for how to combat terrorism. So unless someone high up in the FBI finds out about this, it won't happen.

Creating the risk profile
We can create a "security risk profile" for most people in as little as 10 minutes using a completely automated solution that is 100% automated and up to 99.9% accurate. In fact, even if this system is only 90% accurate it's still several orders of magnitude better than what we have now which has close to zero accuracy in being able to screen out a terrorist. In fact, we couldn't even stop the terrorists we knew about! 

The testing can be completely automated and secure, requiring no human intervention or training. Machines to do the testing can be built for approximately $10,000. You just put on a custom headset (much like the new video headsets from Olympus and Sony) containing optical imaging to show you various test images, brain-wave sensors to measure your response, and iris sensors to ensure that you are the person we are testing. There are also a few biometric sensors at the station to associate additional biometric data with your identity. A 10- minute screen can tell us whether or not a person has any "security risk profile" elements at all. Most people will pass the first screen. A very small percentage of people will require extra testing time in the areas that showed up in the preliminary screen (the test is adaptive so that it can probe deeper into any of the areas identified in the initial screen). The few people who fail to qualify  as being risk-free after extra testing time could then volunteer, if they still want to travel, to be  interrogated by trained professionals who would have face recognition equipment and fingerprint equipment to match these individuals up with known criminal databases. 

We can convince ourselves of the efficacy of CKA over human security screening very simply. Recall that CKA was able to correctly identify FBI agents who were posing as "normal" people with 100% accuracy. Do we have any FBI agent in the country who, when given a group of 20 people, only 1 of whom is an FBI agent, could correctly identify who the FBI agent is? I don't think so.

We can also convince ourselves of the efficacy of CKA by looking at the 9/11 attack. We had the knowledge that Osama bin Laden was planning something big. CKA could have been used to screen for bin Laden associates. No other technology would have worked for this purpose. And after the 9/11 attack, we'd like to screen for commercial pilots and associates of al Qaeda. CKA can do this easily without human interpretation or intervention. No other technology can.

Because the technique is blind to race, creed, color, sex, religion, etc. it is not a violation of civil rights. It is, in effect, an automated way to ask the "security questions" that we are now asking (and much more) that is cheaper, faster, and 100% accurate. This will actually increase passenger convenience as well as passenger security because it need only be done with a 10 minute screen once every two years or more. 

The bottom line is that the vast majority of passengers will find this system both more convenient and more secure than the system we have today! A tiny percentage of passengers may find the system less convenient (for example, if they have a strong risk profile, they may be denied access to flights). So we somewhat inconvenience a tiny percentage of passengers, and we terrify the terrorists who would have no means of circumventing the system but would have to rely on having a few orders of magnitude more people to carry out a task undetected. Is it perfect? No. Will it make a mistake? Yes. Is it better than anything else we've got? Absolutely.

Key benefits
Here are some key benefits relative to the alternatives (manual security questioning like El Al):

  • It's more secure because 100% of passengers on the plane are screened by a machine and 100% were biometrically screened before boarding. It's also more secure since any currently known intelligence risks can be factored into who gets to board the plane and the number of sky marshals on the plane can be adjusted to the risk level of the plane. Lastly, it's much more secure since the computerized security screening is much more accurate than a human asking the same questions: the computer simply cannot be fooled. We'd never catch a terrorist with manual screening or by trying to detect the objects they are carrying. A terrorist's most dangerous weapon is what's in his head and this system disarms that.
  • It's more accurate because everything is done by machine. There is no possibility of human error. The machines are self-testing as well as periodically inspected by federal agents. Any tampering would be detected by the machine and would place the machine offline until a federal agent could re-certify it (including check-summing the code, etc.). The longer the testing time, the lower the chance of error (a 10 minute test will catch 999 terrorists out of 1,000).
  • It's more convenient because it adds only 1 second to the air travel process and  the 10 minute security screen was done only once every few years. Most people will be in the no-risk category, they can enter through the minimum security entrance, while others might have to enter through a high security entrance (e.g., having their items hand searched, being prohibited carry-ons, or being denied boarding altogether if the appropriate number of sky marshals are unavailable). The passenger can be "checked in" at the gate with an inexpensive biometric sensor so long lines should be a thing of the past. And there is no more problem with "I forgot my ID" or "I lost my ticket" because everything is tied to your biometrics. Lastly, those "arrive at the airport 3 hours early to check-in" can be avoided since most passengers will be pre-screened (they can do the 10 minute pre-screen at any time it's convenient).
  • It's less expensive because if everyone on the plane is a no-risk, there is no need for a sky marshal. Also, we'd save the huge cost of training people to do security screening questions (assuming we were to implement an El Al-style security screening policy in which each passenger is individually interrogated). We'd get the equivalent benefit of a 10 hour FBI grilling with a lie detector on every passenger for a fraction of the inconvenience and expense. The total system cost for everything is less than $1B, much of which can be privately financed. Authentication stations can be set up anywhere at low-cost. Using a wireless PalmPilot, an agent could key in your ID number, bring up your photo and perform an authentication by looking at you. In this case, it's done without any biometric sensor at all. All that is required is an Internet connection. The biometrics are purely optional for additional speed and accuracy (less likely to make a mistake than a person doing a visual match).
  • It's less intrusive because you don't have to answer any security questions. You just put on a cap and watch TV for 10 minutes. The profiling is just a yes/no profile of certain knowledge you have. It is not a psychological profile and the data gathered cannot be used for psychological profiling (see more information below)
  • It's more private because you can control who accesses your data and your data is not released to anyone. You just permit your knowledge area to be judged against the profile of the place you wish to enter. You get to choose whether or not you want to associate your security screening with your name, i.e., you can take the test anonymously without providing any identification. If you are arrested and charged with a crime, the police and FBI will be allowed to associate a name with your profile (which is not much different than the fingerprinting they do now when you are arrested). There are certain benefits to voluntarily associating your name with a profile; for example, at airport check-in, you wouldn't need to present ID anymore; you wouldn't need to carry any ID or even remember your ID number. But the tradeoff of convenience vs. privacy is totally under your control. If you don't trust the government, don't provide your name when you take the test.
  • It's publicly acceptable because the alternative, a 1 hour manual security screening with an FBI agent with a 2 hour wait is a lot less palatable than watching TV for 10 minutes, especially if the public has been educated that it is nothing more than a sequence of "Have you seen this item before?" questions. Over time, it will become second nature. The public should love it because most people are legal and would want to be protected against threats. There is simply no downside to this testing if you are not a terrorist. You know exactly what questions are being asked because they are shown to you on the screen. If you don't want to answer, you can remove the headband. You'd want the government to do this for your own protection.
  • It could increase your freedom. Today, you cannot carry a pocket knife on a plane. You can't even carry nail clippers. Even the pilot isn't trusted with a nail clipper (funny, we let him fly the plane, but we don't trust him with a nail clipper, isn't is?). Once the FAA is satisfied that the security screen works, if you have a "no risk" profile (as most of us will have), we can let you carry the items you used to be able to carry before 9/11. So your freedoms just got expanded in return for answering a few questions.
  • It's more fair because unlike a human screener, the computer is completely blind to race, creed, color, sex, religion, etc. The test is completely objective. There is no human intervention or interpretation. It is not a psychological profile. The computer cannot determine how you feel about anything. It is best equated to an automated version of the Yes/No security screening questions we have today. Essentially, it is nothing more than a sequence of "Have you seen this item before?" questions. You may review the questions in advance and you may choose to halt the test at any time. Your answers cannot be used to incriminate you.
  • It would have prevented 9/11 and future 9/11 style incidents. We knew about bin Laden before the attacks. Had the system been in place, we could have done a security screen for bin Laden and not allowed more than one bin Laden knowledgeable person on any flight. Today, we can prohibit anyone from flying who has any inside knowledge of al Qaeda and specialized terrorist knowledge. 
  • It aids law enforcement by allowing us to easily capture anyone we want to talk with or arrest, i.e., it creates a convenient and precise dragnet for capturing criminals. Suppose the FBI wants to contact someone for questioning. Or has found a suspect and wants to arrest them. Or maybe they want to just monitor their movements. Or maybe they have determined that that person should no longer be allowed to fly or be admitted to sporting events. This system allows the FBI to do all of this at any place where any biometric information is used for authentication. Immigration authorities can use the system to instantly ID whether an individual is a legal immigrant or not. If all citizens are entered into the database at birth, proof of US citizenship is no longer subject to fraud. While civil liberties advocates would argue that this particular application of the system could be abused by the government, the facts are quite the opposite since the effectiveness of the system depends upon the cooperation of the organizations with the scanners, e.g., the ballpark attendant could just ignore the signal to detain a person. So as long as our society feels that the balance should be in favor of protecting millions of lives, this will be an acceptable tradeoff. The system still leaves us in control, not the government.
  • Expanding the use of iris identification can accomplish good things for good people. The federal iris databank can be used for positive deeds as well as stamping out terrorism. We could iris scan all infants and parents at birth making abandoned babies a thing of the past. We could find out of Chandra Levy really did take a train or a plane from Washington before she vanished (saving a huge amount of police time spent searching Washington DC). We could use it to unite children with parents.
  • It makes it easier for you to buy tickets to anything. You can buy tickets to an event at the sports arena over the phone or over the Internet using your ID number. There is nothing to mail and no ticket to lose. You then just show up at the "FastPass admission gate," glance into the lens (or present a biometric associated with your ID) and you're in (it might then print a ticket for you to show you your seat). Super convenient and super secure.
  • It's extraordinarily difficult for a terrorist organization to "train around" the test to avoid it. If the test was static, a terrorist group could avoid detection by ensuring that all of its members had no knowledge of what was on the test, e.g., if composite weapons were on the test, the terrorists would just avoid that and teach automatic weapons or bombs. However, because the content of the video is set by the federal government and because the specific test given to a person is randomly selected from a huge list of authorized images, it's impossible for terrorists to "train around" the test because it keeps changing and is random and different for each person. In addition, the test can be adaptive, drilling down in an area that looks questionable. This is exactly like the El Al security questions (which start general and drill down randomly into an area). So in order to avoid detection, a terrorist group would have to avoid teaching any terrorist techniques. And without any training or knowledge, they won't be very effective.
  • It will rarely keep even borderline people from flying if they are truly innocent. At first, we may end up giving a high risk profile to people who don't really deserve it, e.g., an FBI agent or SEAL might know many of the same techniques as a terrorist as well as knowledge of specific terrorist groups, e.g., training camps, the al Queda motto, the leadership of al Queda. In these cases, where there might be ambiguity on the standard screen and where the programmed secondary screen still fails, these people can go through special screening terminals at the airport that would provide a different and extensive test so that their profiles would reflect their unique circumstances and backgrounds. The same would be true of former FBI agents, etc. Still there may be a few cases where people are given "unfair" security profiles. In this case, they can be scanned using special programs under selection by specialists. Another available alternative is that the airline just adjusts the number of sky marshals that they place on the plane to over power the security risk profile of the plane. In this way, we minimize the inconvenience of otherwise innocent travelers while only incurring additional expense when absolutely necessary.
  • It's adaptable to new threats. As new threats are discovered, we can modify our screening thresholds and/or require people to "re-certify" on the incremental material. Depending on the severity of the threat, the re-certification can be required immediately, or within a 2 month grace window. So any threat, of any level of urgency can be accommodated using the existing testing infrastructure.
  • The timing is good. It will take a couple of years to put all the pieces in place so that this can be installed in airports. The government has a wide window in which to "time" the announcement to the public. In addition, a gradual phase-in period or "test period" at a single airport will help tremendously. Making travel more convenient with the new technology should be a major selling point to the public.
  • It doesn't have to work perfectly...in fact, may not have to work at all! Deterrence is based on perception, not reality. It has only to work well enough to discourage any terrorist from trying to take the test and be identified. So if the technology doesn't even work at all initially, but there are "changes" being made "daily" to improve the system, then how many trained individuals will a terrorist sacrifice to probe the efficacy of the system? If they get caught a few times, they will decide to go elsewhere.

Important Note: Instead of just fingerprinting and photographing people who are arrested, the FBI and local police should also start iris scan them for rapid identification at airports, etc. Anyone entering the country or traveling by air would also be entered.

Why most air travelers will find this more secure, more convenient, less expensive
There are many scenarios in which this technology can be deployed to make air travel both safer and more convenient. The preferred method is that the machines perform an iris scan of the subject throughout the exam to associate a permanent iris ID to a person. The iris ID is totally unique, cannot be forged, has a 100% accuracy rate, and the iris does not change over a person's lifetime. Thus, a person cannot change his identity. In addition, unlike other biometric techniques, iris data alone can be used for a positive ID on a person (that means a person doesn't need a smart card...they just walk up to a terminal, glance into the device for a fraction of a second, and one second later we know exactly who they are). 

Upon completion of the basic 10 minute screen (which tests for all basic terrorist "risk profiles") or the extended screen, he's issued a card with his photo, his name, and a 12 digit number (which will call his OneID) imprinted on the card (this is just a serial number), and the same number is encoded on the magnetic strip. If he loses the card, the card can be easily re-issued without an additional test. The card doesn't require a smart chip. No PIN is needed. No public-key encryption is needed. Of course we can add all these options and get their associated benefits. The point is that the issued card is only a convenience to facilitate doing authentication in the field (we can still do field authentication without the card). We also record other biometric information (fingerprint, hand geometry, facial features, etc) to associate those measurements with the iris and "security profile" information. That way, less expensive means can be deployed to authenticate someone than having to have iris scanners everywhere. The least expensive would be just the OneID number and pulling up a photo, name and risk profile on the Internet. The most expensive would be an iris scan. A midway solution would be to ask for the OneID, verify one or more biometrics (e.g., hand geometry and photo), and you've got something that's almost as certain (for most practical applications) as an iris scan for a lot less money per station. If you lose your card, we just print you a new one; the card itself is completely useless to anyone but yourself.

We can install an even higher level of security for entrance to the secured area. At the main security gate we can install iris scanners. These are the same scanners that were inside our enrollment machines. These are a bit more expensive, but, unlike most biometric devices, they provide positive ID in 1 second (see other benefits below). So we'll know exactly who went through. We can only allow passengers who have a flight on that day into the secured area and only allow non-terrorists through. All in 1 second (since we've already pre-screened the passengers and we are just authenticating them). The airport security checkpoint system can also operate totally independently of the airlines system (just directly accessing the federal database).

How to authenticate people with high confidence using only an Internet connection
In the previous section, we've described how, once enrolled in the federal database, we can perform totally flawless authentication with an iris scanner and nearly flawless authentication with inexpensive biometric devices (some costing as little as $60). But it gets even better than that. By leveraging our own ability to do biometric identification (i.e., every person can do "face recognition"), all we need is an Internet connection to do authentication! And we can do it all on a device as inexpensive as a wireless PalmPilot (about $300).

For example, if someone applies for a job at my company, I can just ask him for his OneID number, type it in my web browser, and see that 1) he's registered in the federal database, 2) his picture matches (i.e., we use humans as "face recognizers" to provide authentication), 3) his true name (aliases and name changes are impossible since a given person has only one iris and thus only one record), 4) whether he is a security risk or not. The latter is not a privacy violation because (a) we never forced the person to take the test and (b) the person decided whether to make his terrorist profile public or private. Of course, if the person hasn't registered, I can choose not to hire him. And if he chooses not to make his profile known to me, I can choose not to hire him. We do not force or require anyone to do anything. However, we will probably make it illegal for a flight school to train anyone with security risk profile above a certain level.
For airport security applications, no OneID card is even required for complete security! The passenger enrolls in the government database once every two years (just like you get a driver's license re-test every few years, not every time you drive). So on a typical airport visit, the passenger shows up at the ticket counter and tells the agent his "number". The agent enters the number to view the person's photo. This proves the person is who he says he is to a degree much stronger than someone presenting fake ID. The airline agent can then determine, based on the person's risk profile and the risk profile of the other passengers, whether to allow the person on the plane. If the person is allowed to travel, their biometric information is "enabled" to board the plane. Only people which match the biometrics of a cleared passenger can board. So we can install different types of simple (and cheap... less than $100) biometric sensors at the gate and scan people when they board (the comparison job is trivial since your match universe is just the people on the plane). We'll typically install a few different types of scanners at a gate and randomly select which one to use. 

We can now target our clamp downs to remove high risk people, rather than shutting everyone out
Another highly desirable property of CKA is that we can precisely target only those people who are "at risk" without affecting 99% of the traveling public. For example, if the FBI decides there is a heightened terrorist risk, we just decrease our tolerance so only people with virtually zero terrorist profiles can board (instead of completely shutting down airports as we do now). Same is true for crop dusters, etc. (we can enable only non-terrorist crop duster pilots to fly). We can dynamically tune our "risk threshold" on a daily basis to react to situations. Even better, since the profile is done on individual probe areas (such as "knows about composite weapons", "knows how to pilot a commercial aircraft", "knows terrorism techniques", "knows about false IDs", "knows bio-terrorism technology"), if we believe there is a bio-terrorism threat that is imminent, we can deport/restrict/monitor only those people with a high bioterrorism profile.

If there is a new threat that we haven't pre-screened people for, we can require them to get their profiles "updated" before they travel again. For example, if al Qaeda is just discovered to be a threat, we can tell people to get an "incremental" security scan to probe for this. They pop into the booth, their iris is recognized, and they are only tested on the material that is new since they were last tested, i.e., their association with al Qaeda. While this is an inconvenience to everyone, the amount of time required per person is minimal (about 5 minutes for the incremental scan) and it sure beats having to get to the airport 3 hours early. 

The networking, protocols, infrastructure, iris and biometric identification performance, and so forth are all well established commercially. All of the identification times cited above are easily doable. For example, Internet search Google performs full text searches of 1 billion documents in a fraction of a second tens of millions of times a day...the requirements of the system described here are approximately two orders of magnitude simpler. The only thing that hasn't been shown is how quickly we can perform our terrorist profiling. Larry estimates 10 minutes for the first pass. This time may be adjusted to be shorter or a bit longer depending on how many "risk factors" we want to screen for. Therefore, we get to decide the balance between terrorist risk and inconvenience. We can make it short or long. 

Is this a violation of civil liberties?
We have a curtailed version of the desired security screen in place today: we all consent and agree to answer the security questions we are asked when we travel and the more extensive questions we are asked by customs agents when we enter the US. So doing a security risk profile on people isn't new. It's accepted here and abroad. 

Some may think this smacks of a huge invasion of privacy to be profiled. However, it's actually much less an invasion than other things that we've all done that we never complained about. Note the following:

  • Nobody forces you to take the test. It's only required if you want to travel by air.
  • The test does not discriminate on race, creed, color, religion, sex, or any other attribute. It's totally unbiased.
  • You are tested by a machine using an objective test, in areas that are safety related (it's just an automated, more complete version of those security questions)
  • It doesn't require knowledge of English. You are just viewing images. So, unlike written or verbal exams, it is completely non-discriminatory. If we do show you words, it will be words in your native language (you'll get to select the language before the test).
  • The test results are only available to the general public if you designate that.
  • If you implicitly release your information, by willingly giving out your OneID number or willingly allow your iris to be scanned, that is totally your choice

Now contrast that with the math exams you were required to take as a kid. You were given no choice. And those test scores can cause you not to advance a grade. You were required to submit your SAT scores to the colleges you applied to. You are required to take a driving test to get a license. You are required to answer security questions to board an airplane. And how your driving record is stored in a database and available to peace officers. You are required to take a civil service exam to become a government employee. You are required to take a blood test to participate in the Olympics and to get certain jobs. You are required to provide all sorts of personal information to get a security clearance. Is this any different than that? We're just saying you need a simple "security clearance" to board a plane---for everyone's safety, especially yours. People should welcome this! I know I would feel safer knowing this system were in place. Wouldn't you?

Lastly, associating a name with a profile is strictly optional. Your option. The system can screen against terrorists just fine even if everyone is anonymous. It does not depend on knowing your name. Your biometrics can be completely disassociated with your name. So this system is actually less of a privacy invasion than having a security officer ask you a bunch of questions The security officer can associate a name with a profile; the computer need only associate iris data with a security profile.

Is this psychological profiling in disguise?
No, it's a computerized version of a small number of yes/no security questions like:

  • Do you have knowledge that only an insider would know about al Queda?
  • Do you know how to fly a commercial jet?
  • Do you have any skills for taking over a commercial aircraft using force?

So we do NOT ask what knowledge they have. We only ask whether they have knowledge in certain areas. We don't ask for their opinion. We don't ask how they feel. We don't ask how they perceive. We don't ask what they like. In fact, the computer doesn't "ask" them anything at all, but the brain patterns it looks at are just equivalent to the yes/no questions above. We cannot tell what they "feel" or their "opinions" about anything. We only test for the presence or absence of knowledge.

If we get a positive response on any probe areas in our initial screen, the computer can then automatically tack on an additional screen in that area. We have to be careful to ask questions that would only be known by terrorists. For example, if we found that the person knew how to fly a jet, we don't want to probe whether he works for an airline because a terrorist could be trained on all that. Instead, we'd probe whether he knew inside details about terrorist organizations. 

The brain is a one-way storage device. You can "look" like an FBI agent to the machine by training to acquire everything an FBI agent would know, but an FBI agent can never "look" like a normal person because he cannot erase the knowledge that he has (without risk of permanent brain damage).

Security considerations
The system can be designed such that hacking the system is virtually impossible. For example, all responses from the government database would be signed with the government's private key and the response would include the request number of the sender (a 64 bit random number) to guard against a replay attack. Multiple copies of the database would be available so if one site were attacked, the government could transmit, via SSL, the IP address of the backup servers so that service would not be interrupted. In addition, because the cost to replicate the database is small (we could store 64 bit checksums of iris data instead of the full data in our backup database), we could replicate the data at each airport on a local disk. So even if Internet service were disrupted, we could still authenticate passengers and no unauthorized passenger could sneak through.

Other resources
Identifying terrorists before they strike
 Appendix: (costs, configuration, list of objections)
Reader comments
FAQ on CKA (written by a PhD student at UCSD)
List of endorsers

Press articles
ZDNet article
ZDNet article#2
Response to article in The Register

Hit Counter