GAO's Report on Secure Flight

Sunday I blogged about the Transportation Security Administration's Secure Flight program, and said that the Government Accountability Office will be issuing a report this week.

Here it is.

The AP says:

The government's latest computerized airline passenger screening program doesn't adequately protect travelers' privacy, according to a congressional report that could further delay a project considered a priority after the Sept. 11 attacks.

Congress last year passed a law that said the Transportation Security Administration could spend no money to implement the program, called Secure Flight, until the Government Accountability Office reported that it met 10 conditions. Those include privacy protections, accuracy of data, oversight, cost and safeguards to ensure the system won't be abused or accessed by unauthorized people.

The GAO found nine of the 10 conditions hadn't yet been met and questioned whether Secure Flight would ultimately work.

Some tidbits:

  • TSA plans to include the capability for criminal checks within Secure Flight (p. 12).

  • The timetable has slipped by four months (p. 17).

  • TSA might not be able to get personally identifiable passenger data in PNRs because of costs to the industry and lack of money (p. 18).

  • TSA plans to have intelligence analysts staffed within TSA to identify false positives (p. 33).

  • The DHS Investment Review Board has withheld approval from the "Transportation Vetting Platform" (p. 39).

  • TSA doesn't know how much the program will cost (p. 51).

  • Final privacy rule to be issued in April (p. 56).

Any of you who read the report, please post other interesting tidbits as comments.

As you all probably know, I am a member of a working group to help evaluate the privacy of Secure Flight. While I believe that a program to match airline passengers against terrorist watch lists is a colossal waste of money that isn't going to make us any safer, I said "...assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place." I still believe that, but unfortunately I am prohibited by NDA from describing the improvements. I wish someone at TSA would get himself in front of reporters and do so.

Posted on March 28, 2005 at 7:03 PM • 5 Comments

Comments

Bruce Schneier • March 28, 2005 7:14 PM

Since I know people will misunderstand, let me try to make my final point clear. I think matching airline passengers against a terrorist watch list is a waste of money. But if someone passes a law requiring the TSA to do it -- which Congress has done -- then Secure Flight is a better way of doing it than what we're doing now. It's a better way of doing something not worth doing.

Davi Ottenheimer • March 28, 2005 10:57 PM

Bruce, very diplomatically stated. Are you trying to emulate an octopode in camouflage? ;) But seriously, my first nit is that I read your "final point" as this:

"I wish someone at TSA would get himself in front of reporters and [describe the improvements of Secure Flight]."

And that seems like saying NASA risk managers should extoll the virtues of the Shuttle safety program to their directors. I think America would be better served by a careful examination of critical flaws to help avert disaster. Put down your pom-poms, straighten your spine, and start pointing to the "o-rings" of Secure Flight...for example, why don't you suggest a solution that costs NO money. That would probably be a better figure for something that does nothing.

Israel Torres • March 29, 2005 8:48 AM

If the passengers aren't truly protected, inherently they are vulnerable to most attacks. From privacy-abuse to "terrorism". There doesn't seem to be a "War for Privacy"...

Israel Torres

Bruce Schneier • March 29, 2005 10:28 AM

"And that seems like saying NASA risk managers should extoll the virtues of the Shuttle safety program to their directors. I think America would be better served by a careful examination of critical flaws to help avert disaster. Put down your pom-poms, straighten your spine, and start pointing to the 'o-rings' of Secure Flight...for example, why don't you suggest a solution that costs NO money. That would probably be a better figure for something that does nothing."

It's not that. There are a bunch of ways that Secure Flight is better than what we're doing today, but those things are not being discussed by anyone.

My complaints with Secure Flight are all bigger than the details of Secure Flight; they're about the viability of any program of that type.

Edward Hasbrouck • March 29, 2005 6:46 PM

I've posted my analysis of the GAO report in my blog. Without repeating it all here, I conclude, among other things, that the GAO auditors were far too credulous, particularly in accepting the TSA's mis-characterization of personal information in PNR's as "passenger provided" data -- and thereby overlooking a likely criminal violation of the Privacy Act by the TSA personnel responsible for setting up the "Secure Flight" testing database(s) of PNR data.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.