Schneier on Security
A blog covering security and security technology.
« Camouflage in Octopodes |
| More on ChoicePoint »
March 28, 2005
GAO's Report on Secure Flight
Sunday I blogged about Transportation Security Administration's Secure Flight program, and said that the Government Accountability Office will be issuing a report this week.
Here it is.
The AP says:
The government's latest computerized airline passenger screening program doesn't adequately protect travelers' privacy, according to a congressional report that could further delay a project considered a priority after the Sept. 11 attacks.
Congress last year passed a law that said the Transportation Security Administration could spend no money to implement the program, called Secure Flight, until the Government Accountability Office reported that it met 10 conditions. Those include privacy protections, accuracy of data, oversight, cost and safeguards to ensure the system won't be abused or accessed by unauthorized people.
The GAO found nine of the 10 conditions hadn't yet been met and questioned whether Secure Flight would ultimately work.
- TSA plans to include the capability for criminal checks within Secure Flight (p. 12).
- The timetable has slipped by four months (p. 17).
- TSA might not be able to get personally identifiable passenger data in PNRs because of costs to the industry and lack of money (p.18).
- TSA plans to have intelligence analysts staffed within TSA to identify false positives (p.33).
- The DHS Investment Review Board has withheld approval from the "Transportation Vetting Platform" (p.39).
- TSA doesn't know how much the program will cost (p.51).
- Final privacy rule to be issued in April (p. 56).
Any of you who read the report, please post other interesting tidbits as comments.
As you all probably know, I am a member of a working group to help evaluate the privacy of Secure Flight. While I believe that a program to match airline passengers against terrorist watch lists is a colossal waste of money that isn't going to make us any safer, I said "...assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place." I still believe that, but unfortunately I am prohibited by NDA from describing the improvements. I wish someone at TSA would get himself in front of reporters and do so.
Posted on March 28, 2005 at 7:03 PM
• 5 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Bruce, very diplomatically stated. Are you trying to emulate an octopode in camouflage? ;) But seriously, my first nit is that I read your "final point" as this:
"I wish someone at TSA would get himself in front of reporters and [describe the improvements of Secure Flight]."
And that seems like saying NASA risk managers should extoll the virtues of the Shuttle safety program to their directors. I think America would be better served by a careful examination of critical flaws to help avert disaster. Put down your pom-poms, straighten your spine, and start pointing to the "o-rings" of Secure Flight...for example, why don't you suggest a solution that costs NO money. That would probably be a better figure for something that does nothing.
"And that seems like saying NASA risk managers should extoll the virtues of the Shuttle safety program to their directors. I think America would be better served by a careful examination of critical flaws to help avert disaster. Put down your pom-poms, straighten your spine, and start pointing to the 'o-rings' of Secure Flight...for example, why don't you suggest a solution that costs NO money. That would probably be a better figure for something that does nothing."
It's not that. There are a bunch of ways that Secure Flight is better than what we're doing today, but those things are not being discussed by anyone.
My complaints with Secure Flight are all bigger than the details of Secure Flight; they're about the viability of any program of that type.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.