The following is a brief writing by Bruce Schneir, of Counterpack Internet Security, and his bio. I guess technically, he's not in law enforcement so he shouldn't be considered "qualifed" to offer his opinion:
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." His current book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.
Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written articles and op eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.
"Security Notes from All Over: Hats in Banks
A Birmingham, Alabama, bank is prohibiting its customers from wearing hats inside its branches. The idea is to improve security against bank robberies.
I guess the ideas is that a bank robber without a hat will show up better on security cameras. This makes a little bit of sense, until you start thinking about how it might work in practice.
Someone walks in with a hat. He walks up to a teller and announces a stick-up. Meanwhile, a security guard calls out: "Excuse me, sir. Can you remove your hat." I'll bet the teller will press her little "alarm" button a whole lot quicker than that.
Maybe a hat will tip off bank security quicker, enabling them to react in time. But what about bank robbers in ski masks? Didn't that already arouse suspicion? Why didn't that work? And if it didn't work for ski masks, why will it work for hats?
And the false alarm rate must be horrible. People walk into buildings wearing hats all the time. Almost none of them are bank robbers. How many times a day will security guards say "please remove your hat" before they become conditioned to the fact that no one wearing a hat is a bank robber?
Ski masks, presumably, have a much lower false alarm rate.
But let's assume, for the moment, that there is this breed of hatted criminal that can be foiled by a ban on hats. Why can't they dress up as "a nun, an Orthodox Jew, a Sikh in a turban or a burqa-clad Muslim woman"? Those groups are specifically exempted from the hat restriction.
All this aside, the rule has a little bit of security benefit. Some bank robbers might decide to rob a different bank because the hat rule is a bit too annoying. But bank robbers relying on speed are unlikely to care, and bank robbers relying on stealth are unlikely to care.
Security is always a trade-off: you have to balance the security you receive with what you give up in exchange. This rule is likely to annoy and inconvenience customers, while doing little to improve bank security. Hardly a good trade-off in the end.
And it certainly would never work where the winters are cold. Hats are not just fashion; sometimes they're survival gear. Ski masks, too."