Schneier on Security
A blog covering security and security technology.
« Hurricane Security and Airline Security Collide |
| Man Arrested for Being A Computer Nerd »
September 26, 2005
Secure Flight News
The TSA is not going to use commercial databases in its initial roll-out of Secure Flight, its airline screening program that matches passengers with names on the Watch List and No-Fly List. I don't believe for a minute that they're shelving plans to use commercial data permanently, but at least they're delaying the process.
In other news, the report (also available here, here, and here) of the Secure Flight Privacy/IT Working Group is public. I was a member of that group, but honestly, I didn't do any writing for the report. I had given up on the process, sick of not being able to get any answers out of TSA, and believed that the report would end up in somebody's desk drawer, never to be seen again. I was stunned when I learned that the ASAC made the report public.
There's a lot of stuff in the report, but I'd like to quote the section that outlines the basic questions that the TSA was unable to answer:
The SFWG found that TSA has failed to answer certain key questions about Secure Flight: First and foremost, TSA has not articulated what the specific goals of Secure Flight are. Based on the limited test results presented to us, we cannot assess whether even the general goal of evaluating passengers for the risk they represent to aviation security is a realistic or feasible one or how TSA proposes to achieve it. We do not know how much or what kind of personal information the system will collect or how data from various sources will flow through the system.
Until TSA answers these questions, it is impossible to evaluate the potential privacy or security impact of the program, including:
- Minimizing false positives and dealing with them when they occur.
- Misuse of information in the system.
- Inappropriate or illegal access by persons with and without permissions.
- Preventing use of the system and information processed through it for purposes other than airline passenger screening.
The following broadly defined questions represent the critical issues we believe TSA must address before we or any other advisory body can effectively evaluate the privacy and security impact of Secure Flight on the public.
- What is the goal or goals of Secure Flight? The TSA is under a Congressional mandate to match domestic airline passenger lists against the consolidated terrorist watch list. TSA has failed to specify with consistency whether watch list matching is the only goal of Secure Flight at this stage. The Secure Flight Capabilities and Testing Overview, dated February 9, 2005 (a non-public document given to the SFWG), states in the Appendix that the program is not looking for unknown terrorists and has no intention of doing so. On June 29, 2005, Justin Oberman (Assistant Administrator, Secure Flight/Registered Traveler) testified to a Congressional committee that “Another goal proposed for Secure Flight is its use to establish "Mechanisms for...violent criminal data vetting." Finally, TSA has never been forthcoming about whether it has an additional, implicit goal the tracking of terrorism suspects (whose presence on the terrorist watch list does not necessarily signify intention to commit violence on a flight).
While the problem of failing to establish clear goals for Secure Flight at a given point in time may arise from not recognizing the difference between program definition and program evolution, it is clearly an issue the TSA must address if Secure Flight is to proceed.
- What is the architecture of the Secure Flight system? The Working Group received limited information about the technical architecture of Secure Flight and none about how software and hardware choices were made. We know very little about how data will be collected, transferred, analyzed, stored or deleted. Although we are charged with evaluating the privacy and security of the system, we saw no statements of privacy policies and procedures other than Privacy Act notices published in the Federal Register for Secure Flight testing. No data management plan either for the test phase or the program as implemented was provided or discussed.
- Will Secure Flight be linked to other TSA applications? Linkage with other screening programs (such as Registered Traveler, Transportation Worker Identification and Credentialing (TWIC), and Customs and Border Patrol systems like U.S.-VISIT) that may operate on the same platform as Secure Flight is another aspect of the architecture and security question. Unanswered questions remain about how Secure Flight will interact with other vetting programs operating on the same platform; how it will ensure that its policies on data collection, use and retention will be implemented and enforced on a platform that also operates programs with significantly different policies in these areas; and how it will interact with the vetting of passengers on international flights?
- How will commercial data sources be used? One of the most controversial elements of Secure Flight has been the possible uses of commercial data. TSA has never clearly defined two threshold issues: what it means by "commercial data" and how it might use commercial data sources in the implementation of Secure Flight. TSA has never clearly distinguished among various possible uses of commercial data, which all have different implications.
Possible uses of commercial data sometimes described by TSA include: (1) identity verification or authentication; (2) reducing false positives by augmenting passenger records indicating a possible match with data that could help distinguish an innocent passenger from someone on a watch list; (3) reducing false negatives by augmenting all passenger records with data that could suggest a match that would otherwise have been missed; (4) identifying sleepers, which itself includes: (a) identifying false identities; and (b) identifying behaviors indicative of terrorist activity. A fifth possibility has not been discussed by TSA: using commercial data to augment watch list entries to improve their fidelity. Assuming that identity verification is part of Secure Flight, what are the consequences if an identity cannot be verified with a certain level of assurance?
It is important to note that TSA never presented the SFWG with the results of its commercial data tests. Until these test results are available and have been independently analyzed, commercial data should not be utilized in the Secure Flight program.
- Which matching algorithms work best? TSA never presented the SFWG with test results showing the effectiveness of algorithms used to match passenger names to a watch list. One goal of bringing watch list matching inside the government was to ensure that the best available matching technology was used uniformly. The SFWG saw no evidence that TSA compared different products and competing solutions. As a threshold matter, TSA did not describe to the SFWG its criteria for determining how the optimal matching solution would be determined. There are obvious and probably not-so-obvious tradeoffs between false positives and false negatives, but TSA did not explain how it reconciled these concerns.
- What is the oversight structure and policy for Secure Flight? TSA has not produced a comprehensive policy document for Secure Flight that defines oversight or governance responsibilities.
The members of the working group, and the signatories to the report, are Martin Abrams, Linda Ackerman, James Dempsey, Edward Felten, Daniel Gallington, Lauren Gelman, Steven Lilenthal, Anna Slomovic, and myself.
My previous posts about Secure Flight, and my involvement in the working group, are here, here, here, here, here, and here.
And in case you think things have gotten better, there's a new story about how the no-fly list cost a pilot his job:
Cape Air pilot Robert Gray said he feels like he's living a nightmare. Two months after he sued the federal government for refusing to let him take flight training courses so he could fly larger planes, he said yesterday, his situation has only worsened.
When Gray showed up for work a couple of weeks ago, he said Cape Air told him the government had placed him on its no-fly list, making it impossible for him to do his job. Gray, a Belfast native and British citizen, said the government still won't tell him why it thinks he's a threat.
"I haven't been involved in any kind of terrorism, and I never committed any crime," said Gray, 35, of West Yarmouth. He said he has never been arrested and can't imagine what kind of secret information the government is relying on to destroy his life.
Remember what the no-fly list is. It's a list of people who are so dangerous that they can't be allowed to board an airplane under any circumstances, yet so innocent that they can't be arrested -- even under the provisions of the PATRIOT Act.
EDITED TO ADD: The U.S. Department of Justice Inspector General released a report last month on Secure Flight, basically concluding that the costs were out of control, and that the TSA didn't know how much the program would cost in the future.
Here's an article about some of the horrible problems people who have mistakenly found themselves on the no-fly list have had to endure. And another on what you can do if you find yourself on a list.
EDITED TO ADD: EPIC has received a bunch of documents about continued problems with false positives.
Posted on September 26, 2005 at 7:14 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
They put into production use, a system as useless and harmful as secure flight -- yet dispose of Able Danger as if it produced the terrorists itself. How can the government get everything so backward! This is insane...
Tell me Bruce...why do they even put people such as yourself on a working group if they are not going to listen to you? For looks?
I totally disagree. Competent people in any commitee, working group etc. is the minimum for a wrong policy to change (or, even better, be right to start with).
Even if an organization doesn't listen to these people, and TSA is definetely not the only one, the public needs them so that an independent voice can be heard.
So I wish more competent people, like Bruce, were in place. Not vice versa.
I am halfway through the report now and my first impression is that Secure Flight will meet its goal of transfering government money to contractors. Improving my or your security doesn't seem on the list:
"So far, however, Secure Flight is being developed without the authorization and guidance of a clear, comprehensive and published policy document issued by a politically accountable senior official, stating the goals of Secure Flight clearly and to the exclusion of other goals, until such time as that basic policy document is amended."
This just screams "Bad management". The story of pilot Robert Gray can be sufficiently explained by that.
When I skimmed the report this morning from a link off of a Wired article, I got the impression that the few people at TSA that actually know what is the intended plan for Secure Flight don't want to talk about it; the rest of TSA doesn't seem to have a solid idea of what's going on. This is worrying, though I get some small consolation from the fact that some Republicans in Congress are getting increasingly annoyed at the answers (or lack thereof) to questions asked of DHS in general, and TSA in particular.
"I had given up on the process, sick of not being able to get any answers out of TSA, and believed that the report would end up in somebody's desk drawer, never to be seen again."
--> Don't give up! You were dealing with the goverment, which means it is a slow political and painful process -- you knew that! If the key people, people with the right ideas such as you all give up, then there won't be any hope of fixing the process...
Welcome to the Fall of the Republic!
I suspect that the basic scheme is to counterfeit security. Contractors will make fortunes pretending to provide security, in return kicking back to election campaigns. Meanwhile, parasitic schemes will operate in secrecy, using available information, licit or not, to advance hidden agendas.
As an example, if a politico wanted to give his enemies list the force of law, what better way to punish his them than to add their names to a blacklist? They can't fight back, as there is no legal recourse to being secretly named on a blacklist, and no accuser to confront in court, since the identity of the accuser is always secret, even if it is mere software.
The Bill of Rights, I'm afraid, is becoming, to use the phrase made popular by US Attorney General Alberto Gonzales, 'rendered quaint'.
The grounding of pilot Robert Gray is obviously an attempt to quiet the squeaky wheel. It would be nice for him to know who grounded him and why so he could face his accuser(s) in a court of law. The faceless corporation has now turned into the unknown corporation. I know I'm going to get roasted here for saying this, but I'm less interested in how the data is acquired and used and more interested in who's responsible for the mess when it breaks. I need someone accountable for his actions.
the history of the tsa is the history of lies told to congress and the american people. if it intended to work in good faith with its advisory panel, it would have provided the panel with all the information relating to the task, right? right? its abject failure to do this reveals the panel inquiry as a dog and pony show from the gitgo. ah gonna tell you nuthin so's you kin write nuthin bad about me!
Forgive me if this is an obvious question, but what would be used as the unique identifier within such a database? Would it be an internally defined code, some kind of officially granted number from the individual's country of origin, or something as generic as a name? Also, how difficult is it in the United States and elsewhere to produce and travel on false documents? This whole system seems as though it might be fairly easily circumvented.
I just posted an update, with some more links.
Bruce, thanks for the updated links.
How about those people who are not on the the no-fly list, but are ALWAYS 'randomly' selected for additional checks at the airports, sometimes being held for 2 hours before getting 'cleared' .
Is there a way to address that, my guess is NO .... *huge sigh*
My guess as to one of the primary goals is to increase passenger traffic (by making passengers feel they are secure)
As the years have passed since 9/11, I have begun to wonder more and more if Homeland Security has really done that much to secure the US at all. Seems like it has just become a big La Brea tar pit - a bunch of agencies got pushed into it but they're so mired in confusion, bureaucracy and political wrangling that nothing is really being accomplished - the FEMA fiasco just reinforced my belief. Anyone know of a HSA program/agency that has actually improved? I know the party line is that HSA is effective because there hasn't been another terrorist attack in the US, but there was a long hiatus between the World Trade Center bombing and 9/11 - so I have a hard time buying that. Also - thanks, Bruce for hooking me up with Wiley. Looks like that might work out.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.