The central issues addressed in this article concern the political and ethical implications of shifting from a rule-based system of airport security to one based on risk. To begin with, however, it needs to be made clear in what this shift consists. What are the practices that are being contrasted? "Rule-based" or "bureaucratic" security refers to a setting characterized by uniform practices in which every case is accorded the same degree of scrutiny. This implies that, in the absence of some specific issue that draws attention to a specific case, all cases are treated as equal risks--probably meaning, in practice, that all cases will be treated as moderate risks. Thus, from this perspective, the gist of the issue regarding rule-based versus risk-based models of security would appear to focus on issues relating to selective attention given to high-risk cases. Yet once this is said, it is immediately clear that risk- and rule-based approaches are not mutually exclusive. For example, the "specific issues" that do draw attention to certain individuals are, at least in a loose sense, risk based. Such matters are likely to be things that indicate risks to security staff even though these are not necessarily generated by statistical data or security information. Such attention might be generated out of the working theories of security staff, built up out of years of experience and/or learned on the job from others. In this sense, rule-based regimes of security frequently include an informal apparatus for assessing risks. This being the case, a move to a "risk-based" approach will not necessarily entail a radical transformation but, rather, will represent the formalization and intensification of practices that are already in place. By this I mean both that risk will become the central issue in every case and that the model for assessing risk will be formalized in the form of a risk schedule or some other practice based on risk profiles and risk factors. Risk will be assessed not just by the official on the spot, according to personal experience or professional knowledge, but by a formal technique of risk calculation.
Moving toward such a risk-based model of security requires being reasonably clear about the precise nature of the risk technique being deployed. I would suggest that judgement about the costs and benefits of deploying risk will always need to focus on the specific technique involved, because risk is a fairly abstract technology involving the probabilistic prediction of harmful outcomes. While it is possible to draw some conclusions from the abstract form of risk--as I will attempt to do shortly--we need always to look at the specific ways in which risk is deployed, the other practices with which it is articulated, and so on. There is, for example, a world of difference between risk-based screening for cancer and risk-based techniques for apprehending alcohol-affected drivers. While both may deploy a rather similar probabilistic model, the moral character, social meaning, and personal consequences of each are very different. In this sense, risk itself accounts for a rather small part of the social and political nature of practices that are nevertheless regarded as "risk-based." This rather crucial point having been made, there are, however, certain broad characteristics of risk-based approaches that do warrant attention in this context.
Constructing the database: Self-fulfilling prophecies
Risk is always based on the adequacy of the data/intelligence that go into creating the predictive instruments. One of the problems with calculating risk in this way is that risk can be very conservative. Any given risk-forecasting technique will tend to reproduce the data and the assumptions on which it is based, so that a vicious circle of probability is set up. Racial profiling in relation to crime, for example, is usually based on official conviction rates. Yet conviction rates may be shaped by such factors as police "working culture," the assumptions of judges and prosecutors, and the social distribution of resources such as the ability to appoint defence council rather than relying on public defenders. …