Renowned security expert Bruce Schneier conducted an extensive interview with Transportation Security Administration head Kip Hawley, and asked him, in essence, when is airport security going to start making sense?

In the interview, conducted by e-mail during May and June and which Schneier published this week, Hawley tries to answer the tough questions in order to help combat TSA’s negative image.

You can read the whole thing yourself to see if he succeeded. But I do want to comment on a few of his answers.

Bruce Schneier: By today’s rules, I can carry on liquids in quantities of three ounces or less, unless they’re in larger bottles. But I can carry on multiple three-ounce bottles. Or a single larger bottle with a non-prescription medicine label, like contact lens fluid. It all has to fit inside a one-quart plastic bag, except for that large bottle of contact lens fluid. And if you confiscate my liquids, you’re going to toss them into a large pile right next to the screening station — which you would never do if anyone thought they were actually dangerous.

Can you please convince me there’s not an Office for Annoying Air Travelers making this sort of stuff up?

Kip Hawley: Screening ideas are indeed thought up by the Office for Annoying Air Travelers and vetted through the Directorate for Confusion and Complexity, and then we review them to insure that there are sufficient unintended irritating consequences so that the blogosphere is constantly fueled. Imagine for a moment that TSA people are somewhat bright, and motivated to protect the public with the least intrusion into their lives, not to mention travel themselves. How might you engineer backwards from that premise to get to three ounces and a baggie?

How indeed? It turns out that the mysterious liquid explosive threat referred to here apparently requires a large container. This is why TSA seizes containers that hold more than three ounces of liquid, even if they are empty. I don’t like it much, but it does make a certain kind of sense.

I often read blog posts about how someone could just take all their three-ounce bottles — or take bottles from others on the plane — and combine them into a larger container to make a bomb. I can’t get into the specifics, but our explosives research shows this is not a viable option.

If you’re to believe Hawley, then the explosives have to come in via the large container, and can’t be simply brought in via multiple small containers and transferred to a large container later. I don’t have the expertise to comment on this, but it sounds fishy.

BS: People regularly point to security checkpoints missing a knife in their handbag as evidence that security screening isn’t working. But that’s wrong. Complete effectiveness is not the goal; the checkpoints just have to be effective enough so that the terrorists are worried their plan will be uncovered. But in Denver earlier this year, testers sneaked 90% of weapons through. And other tests aren’t much better. Why are these numbers so poor, and why didn’t they get better when the TSA took over airport security?

KH: Your first point is dead on and is the key to how we look at security. The stories about 90% failures are wrong or extremely misleading. We do many kinds of effectiveness tests at checkpoints daily. We use them to guide training and decisions on technology and operating procedures. We also do extensive and very sophisticated Red Team testing, and one of their jobs is to observe checkpoints and go back and figure out — based on inside knowledge of what we do — ways to beat the system. They isolate one particular thing: for example, a particular explosive, made and placed in a way that exploits a particular weakness in technology; our procedures; or the way TSOs do things in practice. Then they will test that particular thing over and over until they identify what corrective action is needed. We then change technology or procedure, or plain old focus on execution. And we repeat the process — forever.

So without getting into specifics on the test results, of course there are times that our evaluations can generate high failure rate numbers on specific scenarios. Overall, though, our ability to detect bomb components is vastly improved and it will keep getting better. (Older scores you may have seen may be “feel good” numbers based on old, easy tests. Don’t go for the sound-bite; today’s TSOs are light-years ahead of even where they were two years ago.)

Who else would conduct extensive observation and testing, and perhaps attempt to exploit inside knowledge, in order to get weapons and explosives past screeners? If you said terrorists, give yourself a cigar. For bonus points, how many terrorists and terrorist sympathizers currently hold jobs as TSA screeners?

BS: You don’t have a responsibility to screen shoes; you have one to protect air travel from terrorism to the best of your ability. . . . It’s “cover your ass” security. If someone tries to blow up a plane with a shoe or a liquid, you’ll take a lot of blame for not catching it. But if someone uses any of these other, equally known, attack methods, you’ll be blamed less because they’re less public.

KH: Dead wrong! Our security strategy assumes an adaptive terrorist, and that looking backwards is not a reliable predictor of the next type of attack. Yes, we screen for shoe bombs and liquids, because it would be stupid not to directly address attack methods that we believe to be active. Overall, we are getting away from trying to predict what the object looks like and looking more for the other markers of a terrorist. (Don’t forget, we see two million people a day, so we know what normal looks like.) What he/she does; the way they behave. That way we don’t put all our eggs in the basket of catching them in the act.

At least they’ve learned what they need to do to catch hostile actors. My concern is how many perfectly innocent people also get caught in this behavioral dragnet because they don’t fit the TSA’s definition of “normal.”

BS: Let’s talk about ID checks. I’ve called the no-fly list a list of people so dangerous they cannot be allowed to fly under any circumstance, yet so innocent we can’t arrest them even under the Patriot Act. Except that’s not even true; anyone, no matter how dangerous they are, can fly without an ID ­or by using someone else’s boarding pass. And the list itself is filled with people who shouldn’t be on it — dead people, people in jail, and so on — and primarily catches innocents with similar names. Why are you bothering?

KH: Because it works. We just completed a scrub of every name on the no-fly list and cut it in half — essentially cleaning out people who were no longer an active terror threat. We do not publicize how often the no-fly system stops people you would not want on your flight. Several times a week would low-ball it. . . .

TSA does not add people to the watch-lists, no matter how cranky you are at a checkpoint. Second, political views have nothing to do with no-flys or selectees. These myths have taken on urban legend status. There are very strict criteria and they are reviewed by lots of separate people in separate agencies: it is for live terror concerns only. The problem comes from random selectees (literally mathematically random) or people who have the same name and birth date as real no-flys. If you can get a boarding pass, you are not on the no-fly list. This problem will go away when Secure Flight starts in 2008, but we can’t seem to shake the false impression that ordinary Americans get put on a “list.” I am open for suggestions on how to make the public “get it.”

Of course, that secrecy is the problem. People get held up at the airport and are told it’s because they are on a list of some kind. This drives innocent Americans absolutely nuts — but only after they experience it for themselves. (If this has happened to you, file for redress, if you can, and if it does any good.)

BS: Let’s talk about behavioral profiling. I’ve long thought that most of airline security could be ditched in favor of well-trained guards, both in and out of uniform, wandering the crowds looking for suspicious behavior. Can you talk about some of the things you’re doing along those lines, and especially ways to prevent this from turning into just another form of racial profiling?

KH: We use a system of behavior observation that is based on the science that demonstrates that there are certain involuntary, subconscious actions that can betray a person’s hostile intent. For instance, there are tiny — but noticeable to the trained person — movements in a person’s facial muscles when they have certain emotions. It is very different from the stress we all show when we’re anxious about missing the flight due to, say, a long security line. This is true across race, gender, age, ethnicity, etc. It is our way of not falling into the trap where we predict what a terrorist is going to look like. We know they use people who “look like” terrorists, but they also use people who do not, perhaps thinking that we cue only off of what the 9/11 hijackers looked like.

After all, there are plenty of black, white, and all sorts of other people who want to kill people in the name of Islam, or just in the name of mayhem. Right? Your 90 year old grandmother in her wheelchair could secretly be a member of al-Qaeda. Or a serial killer. Whatever you do, don’t get pissed off in the airport, or you too could find yourself behaviorally profiled.

One last little clip:

BS: I’ve read repeated calls to privatize airport security: to return it to the way it was pre-9/11. Personally, I think it’s a bad idea, but I’d like your opinion on the question. And regardless of what you think should happen, do you think it will happen?

KH: From an operational security point of view, I think it works both ways. So it is not a strategic issue for me.

SFO, our largest private airport, has excellent security and is on a par with its federalized counterparts (in fact, I am on a flight from there as I write this). One current federalized advantage is that we can surge resources around the system with no notice; essentially, the ability to move from anywhere to anywhere and mix TSOs with federal air marshals in different force packages. We would need to be sure we don’t lose that interchangeability if we were to expand privatized screening.

I don’t see a major security or economic driver that would push us to large-scale privatization. Economically, the current cost-plus model makes it a better deal for the government in smaller airports than in bigger. So, maybe more small airports will privatize. If Congress requires collective bargaining for our TSOs, that will impose an additional overhead cost of about $500 million, which would shift the economic balance significantly toward privatized screening. But unless that happens, I don’t see major change in this area.

SFO’s semi-private security really is on par with nationalized security at other airports. They both suck. Of course, this means nothing changed when airport security was taken over by the federal government as though it was Hugo Chavez taking over a company. For airport security to get no worse is, perhaps, the best possible outcome.

Let’s be clear: Airport security before 9/11 wasn’t bad because it was private. It was bad because it was strictly government regulated, largely preventing companies from instituting any real security measures such as we are finally starting to get out of the government, now that it has seized total control. For instance, screeners were frequently trained to spot only specific types of weapons on X-ray in order to pass FAA-mandated tests. Identifying “a gun” that wasn’t the specific gun being tested for would cause the screener to fail. Sound familiar? It should. That’s what you get with government.

Airport security clearly went the wrong direction after 9/11. Now we all have to pay for this sort of incompetence, whether we fly or not. The proper thing to do would have been to get the FAA off airport security’s back and let them do their jobs properly. Instead, we got a whole new level of government incompetence: the Department of Homeland Security.