Schneier on Security
A blog covering security and security technology.
« Remote Physical Device Fingerprinting |
| Secrecy and Security »
March 8, 2005
Sensitive Security Information (SSI)
For decades, the U.S. government has had systems in place for dealing with military secrets. Information is classified as either Confidential, Secret, Top Secret, or one of many "compartments" of information above Top Secret. Procedures for dealing with classified information were rigid: classified topics could not be discussed on unencrypted phone lines, classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded, and technically adept: the Soviet Union.
You might argue with the government's decision to classify this and not that, or the length of time information remained classified, but if you assume the information needed to remain secret, than the procedures made sense.
In 1993, the U.S. government created a new classification of information -- Sensitive Security Information -- that was exempt from the Freedom of Information Act. The information under this category, as defined by a D.C. court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words, "air" and "passengers," and changed "safety" to "security." Currently, there's a lot of information covered under this umbrella.
The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get a government clearance. Before someone can have access to SSI, he simply must sign an NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.
SSI can be sent unencrypted in e-mail; a simple password-protected file is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn't disclose it to those unauthorized to know it, but it's really up to the individual to make sure that doesn't happen. It's really more like confidential corporate information than government military secrets.
The U.S. government really had no choice but to establish this classification level, given the kind of information they needed to work with. for example, the terrorist "watch" list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their passengers are on the list. That's not just domestic airlines, but foreign airlines as well -- including foreign airlines that may not agree with American foreign policy. Police departments, both within this country and abroad, need access to the list. My guess is that more than 10,000 people have access to this list, and there's no possible way to give all them a security clearance. Either the U.S. government relaxes the rules about who can have access to the list, or the list doesn't get used in the way the government wants.
On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War, and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded, much less technologically advanced. SSI rules really make more sense in dealing with this kind of adversary than the military rules.
I'm impressed with the U.S. government SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.
Background on SSI
TSA's regulation on the protection of SSI
Controversies surrounding SSI
My essay explaining why secrecy is often bad for security
Posted on March 8, 2005 at 10:37 AM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Just an editorial note that your apostrophes and some other items are displaying incorrectly.
Except... SSI is also being used to hide certain TSA directives. It's a law, but we can't show you it because it's SSI. Some of the reasons that SSI are being used are contrary to the spirit of it and are causing more problems.
This isn't a complaint about the principle, but a complaint about the application. For example some baggage handlers who were stealing luggage (or items from luggage) were released because they couldn't be tried as that would have meant certain procedures would come out in court and those are SSI. As a result suspected criminals went free, that makes me feel more secure. (Innocent until proven guilty, but if you're not allowed to even try to prove it?)
"If the list falls into the wrong hands, it would be bad for national security." - Would it? I frankly don't see why; that statement, to me, really seems to be in the same league as something like "If details on the encryption algorithm we use falls into the wrong hands, it would be bad for national security": a statement that appeals to "common sense" but is not actually backed up and probably will not survive close scrutiny.
What's worse, in the case of SSI, there are not only no clear benefits; the broad definition of what falls into this category also makes it very easy to abuse, as any kind of information the government does not want to be public can simply be labelled as related to "security". This will not only mean that it won't be on the news etc.; it will also mean that those who *do* make said information public will be vulnerable to being sued. And how long until the law will be modified again so there are actually criminal charges in addition to civil ones, too?
PLEASE fix the character set; it's almost unreadable in Firefox.
I've encountered "fouling" of the character set when copy and pasting from Microsoft Word into this Comments text box using the Mozilla FireFox browser. The comment field could probably be filtered better.
"But think about the number of people who need access to the list."
But they don't need the list itself, yes? Just the ability to see if someone is on the list? As such, couldn't you do this similar to the way passwords are done? Hash each name on the list, and have people who need to query the list hash the name of the person they're asking about and see if this hash appears on the list?
Can you use html escapes (ie: ampersand-code-semicolon) for characters like fancy quotes and apostrophes, instead of directly including the character? All the apostrophes turn up as a** in elinks.
As for SSI: the openness to abuse does worry me. It's very easy to classify almost anything as relating to "security".
ditto on the character set comments.
The reasoning behind a non-public watch list is simple: If a terrorist knows he or one of his aliases is on the list, then he will not ever try to fly under that name or anything similar. The list is big enough that there is the potential problem of choosing a new alias which coincides with something already on the list. Having a copy would negate this difficulty.
The business about making a law SSI is bullshit, and we really should do something about that. How are we supposed to follow a law we are not legally allowed to know? Ignorance of the law is not usually an excuse. Should it become so?
I'm sorry to see that you have been co-opted by the military/political establishment and are now endorsing this absurd policy. Apparently, now that you are an "insider", you no longer are capable of analyzing these security issues objectively. This is exactly what observers feared would happen when you joined the advisory group.
By its very nature, the widespread distribution and diffusion of SSI makes it impossible to keep it out of the hands of the people it is supposed to be hidden from. Do you think none of those 10 thousand people can be bribed or coerced into revealing the list? And that no one with connections and sympathies with terrorists could work his way into a position to see the list?
The only real effect of branding something as SSI is to keep it out of the hands of the American people, while making sure that it is available to the enemy. I suggest that you analyze the SSI concept with this effect in mind and see if it doesn't lead to a more logical and accurate picture of the true reasons for the classification. What bad things would happen if everyone saw the no-fly list, compared to the current situation where only authorized agents and terrorists can see it? Well, for one thing, there would probably be greater domestic opposition to the list, as people saw how many names were on it and recognized the names of respected members of their community. It would turn the list into an enormous administrative hassle and political liability. That's the real reason for the SSI classification.
Disappointing article. The reasoning that terrorists won't get those information because they are "less advanced" doesn't make much sense, and it is contrary to what we are being told all the time - that those terrorists are incredibly dangerous and capable of everything. I guess the terrorists have no difficulty do know whether they are on the "terrorist watch list", but innocent people who are on the list are denied the right of access and rectification. SSI may be effective to hide "sensitive information" from the general public, which probably is exactly the purpose, but I don't believe it is effective to hide it from the bad guys.
"Except... SSI is also being used to hide certain TSA directives. It's a law, but we can't show you it because it's SSI. Some of the reasons that SSI are being used are contrary to the spirit of it and are causing more problems."
Of course you're right. The discussion is about the mechanics of the classification level, not whether or not classifying any piece of information is a good idea or not.
"But they don't need the list itself, yes? Just the ability to see if someone is on the list? As such, couldn't you do this similar to the way passwords are done? Hash each name on the list, and have people who need to query the list hash the name of the person they're asking about and see if this hash appears on the list?"
Yes. That sort of solution would be better. But it required infrastructure. To solve the problem in a few hours, the only practical solution was to send the list to every airline.
Again, you can argue about the stupidity of the list in the first place and the stupidity of the name-matching system, but that's not the point of this post.
"As for SSI: the openness to abuse does worry me. It's very easy to classify almost anything as relating to 'security'."
That should worry you. Abuses of this type are probably more common than we think, and they're bad for security and open government.
"The business about making a law SSI is bullshit, and we really should do something about that. How are we supposed to follow a law we are not legally allowed to know? Ignorance of the law is not usually an excuse. Should it become so?"
Agreed. A society with secret laws is not a society that anyone can feel secure in.
"By its very nature, the widespread distribution and diffusion of SSI makes it impossible to keep it out of the hands of the people it is supposed to be hidden from. Do you think none of those 10 thousand people can be bribed or coerced into revealing the list? And that no one with connections and sympathies with terrorists could work his way into a position to see the list?"
But that's what makes this so interesting. Unlike the military classification system that assumed a single Soviet threat, the current threat is diffuse and diverse. Of course some of the bad guys have the list. But that doesn't mean that all the bad guys have the list. This is how the threat is different, and why a lover standard of classification works in this case.
Divorce analysis of this system from the broader question of what should and should not be kept secret. Assume for a moment that there is something that should be kept secret from the terrorist threat. Given that, I think SSI is a good compromise between complete openness and the old military classification system.
"The reasoning that terrorists won't get those information because they are 'less advanced' doesn't make much sense, and it is contrary to what we are being told all the time - that those terrorists are incredibly dangerous and capable of everything."
That's government propaganda talking. I was surprised, and refreshed, that in this one instance the government isn't believing their own rhetoric.
Side note: the Department of Energy has an essentially parallel classification system to the DOD. 'L' closely maps to "Secret" and 'Q' closely maps to "Top Secret", and the "SCI" level is above that.
"Of course you're right. The discussion is about the mechanics of the classification level, not whether or not classifying any piece of information is a good idea or not."
I'm not sure if there really can be a disembodied discussion of the "mechanics" of the classification level without a discussion of what should be classified. The level of and method of classification is interrelated to what it covers. You can't discuss the appropriateness of the classification methodology without context, just as you can't discuss what the best lock is without saying what it is you are trying to protect.
I'd say that how the SSI is used to hide laws makes for an interesting juxtaposition of this supposedly low level of security. The fact that the government wouldn't initially acknowledge if a law requiring ID to fly existed, let alone what the text of the law or rule was, shows that the idea that SSI is a "lower level" of secret information is not the way the government treats SSI when it comes to the courts.
Right now, it seems that SSI is more of a threat to democracy than a help. You can't have a democracy with secret laws, even if the new secrets have a new mechanism for legal enforcement.
You can discuss the mechanics of a lock without discussing what the lock is supposed to protect.
And for those worried about the SSI designation applying to regulations on flight, the release of the Supreme Court decision yesterday requiring openness on the part of the US Tax Court may set a legal precedent for dealing with these kinds of things. The US Tax Court had made its findings secret for some time, with even the judges handling the appeals never knowing the final decision of the original judge. The Court found that at the very least, the Tax Court was violating its own rules, and at worst was violating the right to due process. I can see how this could be used as leverage to force the TSA to reveal the hidden regulations.
"You can discuss the mechanics of a lock without discussing what the lock is supposed to protect."
Yes, you can. But the utility of that discussion is limited without context. Bruce's comments on the mechanics being good are only understandable relative to the importance of the secrets. You can discuss the mechanics of a good deadbolt lock for a house, but that lock is only good in the context of being a lock for a home. It would be completely inappropriate to use the deadbolt lock on a bank vault. The mechanics do not exist in isolation to the threat level.
"The level of and method of classification is interrelated to what it covers. You can't discuss the appropriateness of the classification methodology without context, just as you can't discuss what the best lock is without saying what it is you are trying to protect."
I am not trying to discuss the lock without discussing what we're trying to protect. I'm discussing the lock and what we're trying to protect, but not discussing whether or not protecting it is a good idea. In other words, I am discussing the details of the implementation of a policy, but not whether or not the policy is a good idea.
I'm doing much the same thing with Secure Flight. I think it's an idiotic idea. But given that it's being done -- and Congress has mandated that it be done -- I'd like it to be done well instead of poorly.
I'll rewrite this for Crypto-Gram, though. Clearly I need to make that distinction more, um, clear.
"SSI can be sent unencrypted in e-mail; a simple password-protected file is enough."
How do you password-protect a file in an email without encrypting it?
"Of course some of the bad guys have the list. But that doesn't mean that all the bad guys have the list. "
Ever heard of this thing called the internet? Google? Having obtained a copy of the list, what's to stop someone publishing it? It may be watermarked, and thus the leak plugged, but with (your estimate of) 10,000 people having access to the list there are still 9,999 other potential sources.
A "secret terrorist watchlist" makes about as much sense as "secret vulnerability lists" for computers, and for the same reasons. Too many good-guys need the info to keep it from the bad-guys. The only ones hurt are those without the information, the average citizen.
Remind me again, why is a black-list or secret watch-list good for national security? Or could you point to a time in history when secret watch-lists have been a good thing for the public?
Should the FBI most-wanted list be classified SSI? What about the SANS top-twenty?
Today, seasoned Information Security Experts call for more open communication to mitigate risk in a business-forward environment at the same time that anti-terrorist wonks insist on black-ops methods. Why such a stark difference?
Interestingly, it does not seem that anti-terror advocates will be found in violation of civil liberties (right to travel) or constitutional rights (fifth and first amendment). http://www.fas.org/sgp/crs/RL32664.pdf
But that is not the point of SSI. It seems to me we have many prime examples of what to expect from secret watch lists:
Tuesday March 8, 2005
The Russian military today said it had killed the Chechen rebel leader, Aslan Maskhadov, one of its most wanted men, in a "special operation".
Surprise. The ability to carry out extra-legal operations is what the SSI really enables.
When critical evidence is unobtainable, the government raises the stakes of resistance and thwarts anyone's ability to challenge not only the foundation of the laws but the "special operations" used to enforce them.
"But given that it's being done -- and Congress has mandated that it be done -- I'd like it to be done well instead of poorly."
Bruce, I whole heartedly agree with the idea that good laws are better than bad, but I think you really have to stop yourself here and ask if a grave mistake is being made on your watch.
For example, some argue that if Truman's administration had dealt swiftly and directly with early public anxiety and mistrust at the start of the Cold War perhaps there would not have been a need for the eventual naming-of-names in 1952 (blacklist) or for a Joe McCarthy.
Lemon Muffin: One thing I can think of is that if the terrorist watch list falls into the hands of an attacker, they might be able to reverse-engineer the algorithm used to determine whether people are on that list, and hence manipulate their agents so they're guaranteed not to be on the list. There may be arguments about how likely an attack on an airline is, but working from the government's assumption that it is likely, keeping the watch list secret is importantl.
bob: View -> Character Encoding -> UTF8 is a simple work-around for the character set issues in Firefox.
Davi raises a good question:
"why is a black-list or secret watch-list good for national security?"
The list is secret because they can't defend it: about 99.99% of the people on the list haven't done anything wrong: certainly nothing they can be charged with. So we declare them guilty in secret bureaucratic courts, and they find out about it when they try getting on an airplane.
This web server is miss-configured. Although the HTML for this page contains an http-equiv header for Content-Type that specified utf-8 as the character encoding for this page, the HTTP response includes a Content-Type header that says the encoding is iso-8859-1.
The HTTP header from the server takes precedence over any http-equiv in the HTML document:
To sum up, conforming user agents must observe the following priorities when determining a document's character encoding (from highest priority to lowest):
1. An HTTP "charset" parameter in a "Content-Type" field.
2. A META declaration with "http-equiv" set to "Content-Type" and a value set for "charset".
3. The charset attribute set on an element that designates an external resource.
Restricting access to laws and regulations has already happened. Copyrighted regulations written by private organizations have already been given the force of law. See http://www.g4tv.com/techtvvault/features/32238/... This includes building codes and fire safety regulations. It is said that this reduces costs and allows for consistent rules in multiple locations. Organizations charge for copies of the regulations. However, there have been concerns about public access to copyrighted regulations.
"Ever heard of this thing called the internet? Google? Having obtained a copy of the list, what's to stop someone publishing it? It may be watermarked, and thus the leak plugged, but with (your estimate of) 10,000 people having access to the list there are still 9,999 other potential sources."
I just Googled for it. Couldn't find it.
So, either no one has a copy of it (unlikely), or those who do didn't put it on the Internet.
"Remind me again, why is a black-list or secret watch-list good for national security? Or could you point to a time in history when secret watch-lists have been a good thing for the public?"
Don't ask me. I've been saying forever that it's bad. It's bad for a free society, it's bad for a democracy, it's bad for the rule of law, and it's bad security.
This essay has nothign to do with that. This essay is about the SSI mechanisms for keeping that list secret.
"Bruce, I whole heartedly agree with the idea that good laws are better than bad, but I think you really have to stop yourself here and ask if a grave mistake is being made on your watch."
No doubt about that. A grave mistake is being made on my watch. And I will do everything I can to stop it. But as part of the TSA working group that's involved in the security and privacy of Secure Flight, there's nothing I can do. The TSA has rigged the charter of the group so that every interesting question about the watch list is outside our scope. This is bad because I can't do anything within the group to affect this. But it's good because the NDA I signed doesn't prevent me from talking about any of the interesting questions.
"The list is secret because they can't defend it: about 99.99% of the people on the list haven't done anything wrong: certainly nothing they can be charged with. So we declare them guilty in secret bureaucratic courts, and they find out about it when they try getting on an airplane."
To some extent, I believe that is true. The list would not be able to stand up to public scrutiny. There are two problems. The first is the "Ted Kennedy" problem: people with common names on the watch list that result in all sorts of false positives. The second is the "Cat Stevens" problem: people on the watch list who shouldn' be.
"I just Googled for it. Couldn't find it."
Good on you for trying!
You made the point that SSI may be effective at keeping information from a dispersed threat. I just wanted to point out that disseminating information is no longer difficult.
A while ago some Windows source code was leaked onto the intenet. Pretty soon, anyone who wanted a copy could have one. By making 'secret' information publicly available, curiosity guarantees that enough people will access it to make finding the goat among the sheep impossible.
Keeping the list secret is fragile: all it takes is one person posting it on the 'net. This is "Wizard of Oz" security: "Do not look at the man behind the curtain!"
Bruce, you say that the scope of this article is the protection of data, rather than than the data itself. Just wondering, other than secret blacklists, what type of date is SSI useful for? (This isn't an attack on you, I really want to know)
"The second is the "Cat Stevens" problem: people on the watch list who shouldn' be."
I don't know, have you heard any Cat Stevens songs lately? I think we need to add more singers to the do not fly list...now if only I could remember who wrote Macarthur Park--he defiantly needs to be on the list.
Now, speaking as to the mechanics of the SSI, making violation a civil issue is in some ways very insidious. With a civil prosecution, the accused has to pay for his own defense. I think that the SSI, "mechanically" speaking, has some additional teeth I'd rather the government not have, though I can see some need for aspects of it. It is just that the current use of SSI is not encouraging, nor is the current Administration's use of secrecy for political ends encouraging.
"Now, speaking as to the mechanics of the SSI, making violation a civil issue is in some ways very insidious. With a civil prosecution, the accused has to pay for his own defense."
That's a really good point; I hadn't thought of that.
"It is just that the current use of SSI is not encouraging, nor is the current Administration's use of secrecy for political ends encouraging."
I agree with that 100%. See my blog posting for today.
"Keeping the list secret is fragile: all it takes is one person posting it on the 'net."
Posting something on the Internet somewhere does not automatically allow everyone access to the information for all time. If this were the case, anybody could download the entire Windows source code right now.
This leads to this classification system being less fragile than you think. One characteristic of the sort of information protected by this classification is that there are many people not authorized to have the information whom, if it fell into their hands anyway, would do little harm. For a terrorist watch list, for example, if the point is to keep it out of the hands of terrorists, we need keep it from a relatively small fraction of the total population. Thus, only a small fraction of the possible leaks actually cause a problem. Most leaks are essentially harmless.
It seems to me that there is one Fatal Flaw in the Watch List: people on it are not allowed to fly, but are not subject to arrest because the no fly list isn't a list of people with outstanding warrants for their arrest.
This means that anyone who is on the list will find out that they are on it and they can just try using a different name the next time they fly.
The no fly list is secret because it won't stand up to the light.
But never let it be said that a feel-good measure that has been proven not to work will be re-evaluated. There has never been a single--not one--spy unearthed by a lie detector, yet the random use of lie detector interviews is on the rise.
The Bush Administration is science hostile, ideology first. Secrecy is merely a tool to help advance ideology while preventing those pesky facts from getting in the way, and the SSI is another way to enforce that.
My knowledge of the kind civil lawsuits the SSI allows the government to prosecute against alleged violators far from complete, but in addition to their being no right to free legal council in a civil suit, I believe there is also no 5th amendment protection. This makes the SSI a really big hammer to use against individuals who can be compelled to give testimony against themselves and to bankrupt themselves just fighting the allegations--Just paying for a lawyer for one day could put a front line employee into debt.
@Curt: "For a terrorist watch list, for example, if the point is to keep it out of the hands of terrorists, we need keep it from a relatively small fraction of the total population. Thus, only a small fraction of the possible leaks actually cause a problem. Most leaks are essentially harmless."
Please. This is the case for all secure or sensitive information: most leaks don't cause problems. This doesn't answer the question of how best to protect that information. On the bottom line, the decisive question is not how small the group of "dangerous" people is but how great a damage it might cause if they get access to that information. And here we have a paradox. The SSI rules are on the one hand so lax that we must assume the potential damage to be small. On the other hand, the rules are sufficiently strict to prevent democratic control, and this strictness is justified by the greatness of the terrorist threat. Got it? The rules are defined to be convenient for the government, not necessarily to be good for security.
In fact, US information sesnitivity classification system is an exact replica of the old Soviet system.
That system even had the "For Official Use" category (Dlya Sluzhebnogo Pol'zovaniya, "DSP") which correpsonds to SSI.
The "DSP" category ended up including practially all technical specifications and design documents, including those which were mere translations of American originals. Needless to say, nobody cared about protecting it. But, then, Saltykov-Shedrin once wrote "Severity of the Russian laws is mitigated by the arbitrariness of their application".
Seem to be a lot of people making that sort of comparison these days.
If you check Bruce's next blog entry, you'll find that the Director of the National Security Archive said:
"The strength of our open society is the free flow of information but the [Bush Administration's] SHARE concept looks more like the Soviet GOSPLAN."
"... those who do didn't put it on the Internet."
Remember, the people who (hypothetically) have illegitimately obtained the list are not supposed to have it, so posting it online (on a public site) would be equivalent to admitting to the world that there was a leak. Since the list is constantly being updated, a loss of access to the leak would be potentially harmful to the group backing it.
In addition, I would suppose that any group which has obtained the list probably does not want it getting out to any other groups.
This is like those scientists who reviewed the code for the atomic bombs. They would habve justified their actions by things like, "It's just a technical issue", "the uses of the information are nothing to do with me", "they'd never really drop a bomb anyway".
We may lambast those scientists now for not being more active in stopping the dropping of the bomb on civilians. But we should act and react with conscience.
Those who fail to act are implicitly agreeing with the policies enacted by the users of the information.
"They came for the communists, and I did not speak up because I wasn't a communist;
They came for the socialists, and I did not speak up because I was not a socialist;
They came for the union leaders, and I did not speak up because I wasn't a union leader;
They came for the Jews, and I didn't speak up because I wasn't a Jew.
Then they came for me, and there was no one left to speak up for me."
-- Martin Niemoller, 1892-1984
It is intriguing to see the level of anti-government paranoia some posters are exhibiting. It has always seemed obvious to me that the No-Fly list is an exercise in CYA, a very frequent exercise by mid-level government bureaucrats. After the September 11 attacks, it emerged that some of the hijackers had been persons who had already been suspected of being terrorists, and one had even gone on to commit a traffic offence without being picked up. The Press, Congress, and various anti-intelligence activists screamed out for blood: why hadn't these guys been fingered by the all-pervasive computer surveillance network that various novels describe the spooks as having? So, naturally, they had to get one (an all-pervasive computer surveillance network, that is). Since the problem is almost impossible the result, needless to say, is a piece of garbage; but next time Congress asks they can at least say they have one.
As to why the list is not published, one obvious (to me) reason is something else that (understandably) really grabs the spooks' attention: protection of sources. If you have a terrorist cell consisting of Andrew, Bob, Charles and Dave (sorry Alice, these guys are misogynists), and Bob, Charles and Dave are on the list but Andrew isn't, you're going to think: "hmm, that new guy Dave has met Bob and Charles but he hasn't met Andrew yet. Dave, let's go for a little hike in the woods." Another obvious problem is that now you know Andrew isn't on the list, you will send the rest home (Bob and Charles, anyway) and Andrew will do the job.
Someone else wondered about hashed lookups. The problem with that is that hashed lookups require exact entry of the item being checked, whereas names have to be "fuzzily matched" because it's very common to get them slightly wrong--especially with foreign sounding names. A possible work-around would be to have a central database where fuzzy matching is done, and allow the airlines (and highway patrol, etc.) to send their queries into this database. However it would be fairly difficult to set this up in a secure manner if you needed to permit real time queries, and it would have even less transparency than the current system--database administrators could reject passengers completely capriciously. The current set-up may not be as insecure as some have suggested, anyway; assuming their IT people are on the ball (and that's a big IF), I doubt very much if most people using the list are able to browse it, or still less likely, to copy it.
"The Press, Congress, and various anti-intelligence activists screamed out for blood: why hadn't these guys been fingered by the all-pervasive computer surveillance network that various novels describe the spooks as having?"
Not true. Nobody called for "all-pervasive surveillance". People called for good old solid intelligence work. The tragedy is that there has been a lot of inforation which might have been used to prevent 9/11 if only the services had paid more attention to it. And the farce is that as a result of the services' failure, they got more money and new and unprecedented power. Their failure was actually a political success for them. That should be worrying.
In the meantime, many people have realized that intelligence which relies on technological surveillance is bound to fail again (I think Bruce wrote a lot about that). The no-fly list is just another example. "Names have to be "fuzzily matched" because it's very common to get them slightly wrong--especially with foreign sounding names". Yeah, we know that. You remember the planes that were prevented from flying christmas 2003 because US intelligence identified an 8 year-old "terrorist suspect" on board?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.