Schneier on Security
A blog covering security and security technology.
« Movie-Plot Threat: Terrorists Using Insects |
| Bad Password Security at Twitter »
January 12, 2009
DHS's Files on Travelers
This is interesting:
I had been curious about what's in my travel dossier, so I made a Freedom of Information Act (FOIA) request for a copy. I'm posting here a few sample pages of what officials sent me.
My biggest surprise was that the Internet Protocol (I.P.) address of the computer used to buy my tickets via a Web agency was noted. On the first document image posted here, I've circled in red the I.P. address of the computer used to buy my pair of airline tickets.
The rest of my file contained details about my ticketed itineraries, the amount I paid for tickets, and the airports I passed through overseas. My credit card number was not listed, nor were any hotels I've visited. In two cases, the basic identifying information about my traveling companion (whose ticket was part of the same purchase as mine) was included in the file. Perhaps that information was included by mistake.
Posted on January 12, 2009 at 5:15 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think the most important part of the article is at the end where he gives all the details required for US people to make a request.
Which raises a question does the FOI laws alow non US persons to obtain information held on them?
From the personal security perspective having the IP address held in the record is a little worrying.
If the records where lost (which lets face it is quite likley) then it would alow the machine used to be located electronicaly, which if it's an MS OS box (>90%chance) the chances are that all the information about passwords and credit card details are tucked away in the slack space etc.
However that may not be required. His credit card details where not on the information sent to him. However this does not rule out the fact that they may well be available on another related database that his FOI request did not cover...
Oh and by the way in the UK it is quite legal for the authorities to electronicaly search your computer remotely. Further under RIPA the definition of a machine that can be accessed is effectivly "any connected to a UK communications network" so any computer on the Internet or with a modem in it then...
Oh and for those in the US remember the BRUSA agrement where the UK spys on US citizens for the US and the US reciprocates, but both governments can claim that they do not spy on their own citizens...
Clive, you announce your IP address to every website you visit. It's trivial to dig up valid IP addresses, but even Windows machines aren't so easily compromised that that presents any kind of risk.
If your security depends on your IP being kept a secret, you have far bigger problems than the DHS having it on record somewhere.
It looks like the blacked out info can still be read through the black.
@Toast: The blacked out parts always seem to contain something like "(b)(2)", "(b)(6)&(b)(7)" or similar.
I would guess that these codes are indicating the *reason* for the blackening rather than being the removed information itself.
In fact, if you look at the FOIA (http://www.usdoj.gov/oip/foiastat.htm), you would find that (b) is the section of the document that lists the exceptions and (b)(2) for example is information "related solely to the internal personnel rules and practices of an agency" and therefore may be excluded from a FOIA request.
I don't find it "interesting" but would like to know if you think is ok!
"Clive, you announce your IP address to every website you visit."
Yes but the site is not going to know who you are unless you trust it enough to leave personal details on.
My view point is that with the DHS record you know who the person using the IP address (assuming it's static) is, that they have used their credit card on line and to some of the services they have given their personal details.
This gives you a "known" target with appropriate search strings as a crib to usefull information. Which is quite different to an unknown target for which you do not have a crib and may not contain any information of use to you.
With regards to,
"but even Windows machines aren't so easily compromised that that presents any kind of risk."
A simple question just how many home / SoHo computers have been compramised and are now part of a bot-net or worse?
For an attacker any information that improves the chances of finding information that is usefull whilst also lowering the risk is something they are likley to grab with both hands.
@Clive: "A simple question just how many home / SoHo computers have been compramised and are now part of a bot-net or worse?"
A follow-up for you: For how many of these botted PCs was "IP address being known to the attacker in advance" an essential part of the compromise?
How much of an apologist can someone be? Not only did he offer up "In two cases, the basic identifying information about my traveling companion (whose ticket was part of the same purchase as mine) was included in the file. Perhaps that information was included by mistake." without any concern that such a mistake could happen, but he also demonstrated that he has minimal clue by dismissing Bruce's comment with, "On the other hand, some people may find it reassuring that the government is using technology to keep our borders safe." (At least he had the integrity to include the quote.)
But the author made me want to bitchslap him for "Of course, there's a cost to taxpayers and to our nation's security resources whenever a request is filed, too." I'd say there's a much greater cost to not watching the watchmen.
It's also worth noting in this context that a bot-netted computer is probably less susceptible to further cracking, as the bot-net owner will usually take steps to secure it against other bot-net owners.
But I don't think IP addresses in the records is the biggest problem here...
Okay, here's the most frightening story I've seen lately about overuse of the word "terrorist".
Basically, the Maryland state troopers put the "terrorism" label on all sorts of political and domestic dissenters, even though they knew they were not terrorists. They infiltrated a bunch of peaceful groups, collected info about the participants, and pushed it all into federal inter-agency databases with the "terrorist" label applied.
Imagine being one of those abusively-labelled protesters and not being able to get on a plane for the next ten years without SSSS (if at all). Ugh.
On the one hand, I'm tempted now to always book via a TOR connection, but on the other hand, I'm concerned what else that TOR exit node may have been used for which the DHS would then tie back to me...!
If anyone is interested in making such a FOIA request themselves, Edward Hasbrouck has detailed information on how to make a request for your PNR's and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS): http://hasbrouck.org/blog/archives/001607.html
"My traveling companion..." I guess you are a Paul Simon fan...
"A follow-up for you: For how many of these botted PCs was "IP address being known to the attacker in advance" an essential part of the compromise?"
The silly answer is all of them otherwise they could not have been botted.
I suspect what you realy mean is how many where specificaly targeted. The answer is difficult if not impossible to determin.
However we do know that more recent attacks have been more specificaly targeted than in the past.
But knowledge of the IP address in advance is not realy a relavant point in how easy a home or SoHo computer can be compromised.
Hm. Now I'm wondering who's stolen my surname to post on here! :-)
I'm not entirely surprised to see an IP address being logged: they're probably wanting to know "where the ticket was bought", which would mean either the travel agent issuing the ticket for physical purchases, the delivery address for mail order or the IP address for e-tickets. As I recall, this is meant to be logged for credit card transaction purposes anyway (anti-repudiation), so passing that through to DHS makes some sense. Omitting the credit card number makes sense too: it's no use in itself to DHS, but a big problem should it ever leak or indeed be misused by their own people.
@Clive's question about non-US persons:
"A FOIA request can be made by 'any person,' a broad term that encompasses individuals (including foreign citizens), partnerships, corporations, associations, and foreign or domestic governments. . . .
"There are two narrow, noteworthy exceptions to this broad 'any person' standard, however. First, courts have denied relief under the FOIA to fugitives from justice if the requested records relate to the requester's fugitive status. This holds true also when the FOIA plaintiff is an agent acting on behalf of a fugitive.
"Second, the Intelligence Authorization Act of 2003 amended the FOIA to now preclude agencies of the intelligence community from disclosing records in response to any FOIA request that is made by any foreign government or international governmental organization, either directly or through a representative. This means that agencies such as the CIA, the NSA, and even some parts of the FBI and the DHS may refuse to process such requests."
--From the Freedom of Information Act Guide, March 2007 (http://www.usdoj.gov/oip/foia_guide07.htm)
Note that the Privacy Act is another avenue for obtaining records, but only applies to "a citizen of the United States or an alien lawfully admitted for permanent residence."
--From Overview of the Privacy Act of 1974, May 2004 (http://www.usdoj.gov/oip/04_7_1.html)
Both of these references are rather voluminous; an easier-to-digest overview can be found at (http://www.firstamendmentcenter.org/press/information/topic.aspx?topic=how_to_FOIA).
Other than Sutherland, everybody seems to think that DHS is collecting this info, IP address and all. Nope, this is the Airline that is collecting it and handing it over to the DHS. So actually, while I may (or may not) trust the DHS is doing its job and that it is an imporant one, I should probably worry about the airline that is collecting IP addresses and correlating them with my private data and leavign it in their own systems withmuch less protection.
"Clive's question about non-US persons:"
Thanks for the information I will be following up on it in the very near future.
@Anonymous at 7:17 PM Jan 12th 2009.
"I should probably worry about the airline that is collecting IP addresses and correlating them with my private data and leavign it in their own systems withmuch less protection."
Yes that is another concern, however from the article it looks like the DHS are taking very little care of it...
From an attackers point of view the DHS is a central point with all the information, were as a particular person may or may not have used one of a number of airlines.
Therefore if it's a general trawl for information or a directed search against an individual the DHS database is going to be the favoured target. And as such the DHS should adopt an apropriate stance to protecting the information (afterall it's of much use to terrorists as it is to other ID theft crooks).
@ James Sutherland,
"Omitting the credit card number makes sense too: it's no use in itself to DHS, but a big problem should it ever leak or indeed be misused by their own people."
If I remember correctly (I could not find the web link on a quick search to confirm it) a UK merchant would be in breach of the EVM merchant rules if they disclosed or kept the card number (not sure about other countries or if legislation would override).
Criticizing the government or the TSA from the same computer you're buying your tickets from is apparently potentially risky.
as a foreigner you now have to fill out a online form 72 hours before flying (its the online version of the paper questionaire you had to fill out in the plane before).
It features a very interesting privacy statement... You have absolutely no privacy...
full text of pop up before entering the online form:
You are about to access a Department of Homeland Security computer system. This computer system and data therein are property of the U.S. Government and provided for official U.S. Government information and use. There is no expectation of privacy when you use this computer system. The use of a password or any other security measure does not establish an expectation of privacy. By using this system, you consent to the terms set forth in this notice. You may not process classified national security information on this computer system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this system or of data contained herein, or in transit to/from this system, may constitute a violation of section 1030 of title 18 of the U.S. Code and other criminal laws. Anyone who accesses a Federal computer system without authorization or exceeds access authority, or obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer system, may be subject to penalties, fines or imprisonment. This computer system and any related equipment is subject to monitoring for administrative oversight, law enforcement, criminal investigative purposes, inquiries into alleged wrongdoing or misuse, and to ensure proper performance of applicable security features and procedures. DHS may conduct monitoring activities without further notice.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.