Recent discussions regarding the Real ID Act follow the same general path as many discussions about the trade-offs between security and privacy. These discussions typically begin with taking a security proposal and then weighing it against its costs to privacy and civil liberties. What is often not done, however, is to put the security proposal through meaningful scrutiny as an effective security measure. Instead, it is often assumed that the security measure is worthwhile, and the only question is whether it is worth the trade-off in privacy and civil liberties.
But what if security measures against terrorism were examined with a more critical eye? I believe that the risk of terrorism is not being assessed in a rational way and is receiving a disproportionate amount of resources. This can have grave consequences, probably resulting in significantly more loss of life than a major terrorist attack.
Consider the risk of death from terrorism on US soil. Here are the statistics I could find:
— First WTC bombing – 6 fatalities
— 9/11 – 2749 fatalities
— Oklahoma City bombing – 169 fatalities
— Unabomber – 3 fatalities
— Olympic Park bombing – 1 fatality
The total is 2928 fatalities. This has occurred over the past 15 years. That’s about 195 lives per year. Now, consider other risks. Flu deaths are estimated to be around 30,000 to 40,000 in a good year. Terrorism is nowhere near this danger level. Another 40,000 die in auto accidents each year. On the scale of things, dying from terrorism is a very tiny risk.
Dramatic events and media attention can cloud a rational assessment of risk. This reminds me of the summer of the shark bite, when a barrage of media coverage about shark bites lead to the perception that such attacks were on the rise. This wasn’t the case at all. Consider the following from a CNN article [link no longer available]:
The media coverage was prompted by a bull shark biting off the arm of an 8-year-old boy on a Florida beach July 6, 2001. Overnight, shark bites and sightings became major international news, triggering countless TV news reports and front-page stories. . . .
Lost in the hoopla was the fact that in 2001 there were 13 fewer attacks worldwide than the year before, Burgess said. The same year, four human deaths were linked to shark bites compared with 13 in 2000, he added.
Certainly, we should guard against terrorism, but rarely do discussions about the sacrifice of civil liberties explain the corresponding security benefit, why such a benefit could not be achieved in other ways, and why such a security measure is the best and most rational one to take.
What is troubling is that the government could reduce many risks we face if it expended more resources to address these risks. The government could do quite a lot to prevent flu deaths, such as subsidize more vaccines. Instead of spending millions studying data mining, maybe that money could be used to study ways to better prevent motor vehicle deaths or injuries. Instead, because terrorism is dramatic and gets lots of news coverage (like shark bites), it gets a disproportionate amount of attention.
Another risk that is not getting sufficient attention, in my opinion, is the risk from a pandemic of SARS or bird flu. This could kill millions of people. Consider the following from CNN [link no longer available]:
Pandemics usually occur every 20 to 30 years when the genetic makeup of a flu strain changes so dramatically that people have little or no immunity built up from previous flu bouts.
“During the last 36 years, there has been no pandemic, and there is a conclusion now that we are closer to the next pandemic than we have ever been before,” Stohr told reporters.
There are certainly grave risks from terrorism, and we should not ignore these risks. But we must prioritize risks. Even focusing on terrorism alone, we must recognize that not all terrorist risks are the same. There’s only so much damage one can do by blowing up a plane. In my view, the most serious risks of terrorism include nuclear or biological weapons. Protecting against bioterrorism would involve many of the same measures to ready ourselves for a pandemic. Regarding nuclear terrorism, it seems far from clear that increased identification or using databases to spy on people are a good way to address this risk. Consider this Washington Post article about our response to nuclear terrorism:
The obvious effective way to combat nuclear terrorism seems to be preventing nuclear material from getting into the hands of terrorists. Nevertheless, the government throws tons of money into identification requirements and into research into data mining, which have speculative benefits at best. In the meantime, more obvious and effective security measures aren’t being undertaken. Ironically, those who advocate for security should be just as outraged as the privacy advocates.
But more than 3 1/2 years after the Sept. 11, 2001, attacks, the U.S. government has failed to adequately prepare first responders and the public for a nuclear strike, according to emergency preparedness and nuclear experts and federal reports. . . .
Security experts consider a terrorist nuclear strike highly unlikely because of the difficulty in obtaining fissionable material and constructing a bomb. But it is a conceivable scenario, especially in light of the lax security at many former Soviet nuclear facilities and the knowledge of atomic scientists in such places as Pakistan.
Originally posted at PrawfsBlawg
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter