
Combining ease of use with high security is not plain sailing

Oct 29, 2003 | 3 mins
Access Control, Enterprise Applications

* Identity security appears more stringent on sea cruises

Speaking of shipping and identity (which was the topic of the previous newsletter), I’ve just come off a cruise through the Caribbean, my first cruise since before September 2001. Identity security has gotten more stringent, but I’m not sure how effective it might be.

Before boarding, passengers fill out an identity form (which can now be done online, at least with Holland-America lines). When you fill it out online, all of the internal consistency checks, as well as any cross-checking against other databases, can be done before you embark, which is a time saver. Otherwise, you must present a filled-in form and proper identification (typically any two of passport, driver’s license or birth certificate). Once your identity has been established, you’re given a room key (a card with a magnetic stripe), which is your ID token while on board. It also contains a unique barcode, so that whenever you get off the boat, you swipe the card (or, rather, a ship’s security officer swipes the card) through a barcode reader, which “checks you out” of the boat.

Returning to the boat, though, you need a photo ID and your token. An officer compares your face to the photo, then compares the photo ID’s name to that on the token. If everything matches, the card is swiped through the barcode reader and once again you’re counted as being on board.

In years past, getting on and off was a bit more lax, with only a ship’s ID card required. When the electronic cards were first introduced seven or eight years ago, the readers frequently malfunctioned or the computer link would be down, and people were simply waved through – good for customer relations and “ease of use” but not so good for security (Microsoft, are you listening?). Twenty years ago, of course, almost anyone could get on the ship as a “visitor” (remember those bon voyage parties in the movies of the 1930s and 1940s?).

U.S. security is so tight, in fact, that when docking in Saint Thomas, in the U.S. Virgin Islands, after visiting a port in Bermuda, all passengers had to go through U.S. immigration (showing proof of identity and – for U.S. citizens – proof of citizenship). This was not stringently handled as the immigration officer barely looked at my passport, seeming to believe that carrying a U.S. passport (any U.S. passport) was sufficient identification. When we ended the cruise and disembarked in Florida, we had to go through it all again (as well as visit Customs to pay any duty that was owing – Customs are much more thorough about collecting money).

What we had was the appearance of tight security without necessarily being any more secure. We were protected against bumblers but any dedicated person bent on evading the security could have done so, perhaps needing a single accomplice.

The lesson for us, I think, is an old one – ease of use and security are very frequently diametrically opposed. We must decide which we will strive to have, because it’s impossible to award both the highest priority, as Microsoft has finally learned and as other vendors should continue to remember.