Personal experiences with security theatre
“Security theatre.” The concept is easy to understand. Members of the public will feel more secure if there are obvious signs that an organization or their government is taking steps to protect them from threats real and imagined.
This is especially true if these threats are new – the attacks of 9/11 helped to usher in a new set piece in North America featuring pervasive surveillance, recurring identity verification on a technological and personal level, and more frequent interactions between the public and security agents from public and private organizations.
This type of theatre is particularly effective in times of crisis, when the threat seems more immediate, and seems capable of affecting a segment of society rather than simply an individual. As a result of past crises, governments have put in place proposals that have led to increased identification requirements, greater surveillance powers, frequent intrusion into their personal lives and restriction in the activities they can undertake without challenge from authorities.
As individuals, though, we constantly come across moments that pull back the curtain to expose the machinery. These prompt us to question the usefulness to an individual security measure, if not an entire security strategy.
There is a small but relevant example in our own building. The landlords have recently installed a number of surveillance cameras capable of panning over every square inch of the public space in our building. There are even multiple cameras in each of the enclosed emergency stairwells.
If we assume that the landlord has implemented these cameras as a result of a security audit, where known and potential threats suggested that a level of risk, then we might just suffer the constant monitoring of our activities in the building.
But what if one of these cameras was evidently broken? I’ve passed by the same camera, located in a remote corner of the building, seven times in the last week. The plastic dome that protects the lens and rotating assembly has fallen off. I’ve reported the problem to security twice. After the first report, they obviously tried to replace the dome – with electrical tape. That failed, and the dome has been lying on the ground for the past five days.
Now, this isn’t the biggest problem that could beset a technologically advanced security camera, but its continuing condition does lead to three questions:
- Why can’t someone take the time to repair it properly?
- If they don’t need to repair it, do they need it to be operational?
- If it doesn’t need to be operational, why does the camera need to be there at all?
I think we’ve all had a similar experience at some time, where it becomes obvious that there is more concern in having security equipment or procedures in place than ensuring they work effectively.
Or am I wrong? Have you?
3 Responses
9:53 am
At the office Christmas party last year, the Commissionaire (security guard) insisted that my 4 year-old wear a Visitor pass. Despite the recent focus on recruiting youth, I don’t think anyone would have mistaken her for an employee and allowed her access to any restricted areas or information. On the other hand, I have colleagues who prop security doors open so that they don’t have to let a visitor back into the meeting room once the visitor has used the bathroom. There’s a happy medium somewhere.
10:45 am
My bank (it doesn’t matter which, they probably all do it) added a bunch of fake security to their web banking system a year or two ago. It’s pure security theater.
In online authentication, there is a concept called “two-factor authentication”. It is an enhancement on the “username and password” method of authenticating. The idea is that you never rely on just one method, like a password. You will combine it with another method of identifying yourself, like an SSL certificate, smart card, biometric, one-time pad, etc.
Unfortunately, my bank has decided that simply using two passwords to log in will work just as well. This is an obvious misunderstanding of the concept that looks to me an awful lot like a cracked camera lens. So I’m inconvenienced for no gain.
What’s more, I cannot pick the second password. It must be a logical response to a question from a very small pool of questions the bank maintains. “What street did you grow up on?” “What is your favourite colour?” That sort of nonsense. So now my second password has a built in and intentional guess-ability. It’s worse than useless!
The frustrating thing for me as a web developer is that I can think of several ways the bank could have implemented two-factor authentication that would have actually made my life easier. Client-side SSL certificates would be fantastic. Unfortunately, the general public does not have experience using these sorts of “exotic” authentication methods, and anything that is foolproof for the user (eg, a card that displays a constantly changing number the user must type in) costs money. Fortunately, the appearance of security is just as good as actual security… right?
6:47 pm
There is a dome camera mounted in the ceiling next to my desk at work. So far it’s only been pointing to the office door but in any case, I don’t like not being trusted every time I walk in.
In fact, I don’t think the camera will go in and remove unauthorized people from the office. Only a security guard can do that. However, these folks are sitting in a far away country, probably watching hundreds of such feeds (we’re a very large company). If something happens, all they’ll be able to do at best is look at some footage later on. I consider this pure security theatre at play.