My LA Times Op Ed on Photo ID Checks at Airport

Opinion

The TSA's useless photo ID rules

No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work.

By Bruce Schneier

August 28, 2008

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government's no-fly list -- the list that is supposed to keep our planes safe from terrorists -- could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they're trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn't new. It isn't even subtle. I wrote about it in 2003, and again in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google "print your own boarding pass" can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly list weren't so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes.

That's just not true. The no-fly list -- a list of people so dangerous they are not allowed to fly yet so innocent we can't arrest them -- and the less dangerous "watch list" contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren't that many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone's on the list, and Yusuf Islam (formerly Cat Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can't get off. They can't challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn't been tried yet.)

But even if these lists were complete and accurate, they wouldn't work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren't on any list before they committed their terrorist acts. And if a terrorist wants to know if he's on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to "trusted travelers" to speed them through security lines. Just apply for a Clear card; if you get one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can't. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response -- security measures that aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the things it does.

Posted on September 1, 2008 at 5:15 AM • 60 Comments

Comments

Fergus GallagherSeptember 1, 2008 5:47 AM

Firefox has a new add-on call "Ubiquity" which allows in-place editing of a webpage. Faking boarding cards (or spoofing storied) has never been easier.

DaylightSeptember 1, 2008 5:51 AM

Well...you know, I've had my share of time as airport security, both as a boots on the ground "grunt" and a supervisor. (Mind you, not in in the US).
I've come across a lot of blogs and articles over the last few years that complain and complain about airport and airline security, but as far as I can remember, not even once have I come across any advice, sound advice that is, on how to improve things.
TSA is what it is, a massive beast with a nearsightedness issue. That doesn't mean we shouldn't try and give it glasses. However, complaining about the fuzzy vision it's got doesn't make things better.

"All you have to do is this..." and "all you have to do is that..." isn't helping anyone.

KashifSeptember 1, 2008 6:33 AM

@Daylight_ I believe your comment was not directed to Schneier's blog but more in general. Because the Schneier gives a valid advise in this post "...no one checks ticketed names against IDs, the security breaks down".

But of course some could argue that the whole process is so boneheaded that no good advise can help anyway, from security theater and one sided and narrow minded security processes to idiotic data design decisions. Did anyone consult an expert on data management before creating something like the the no-fly list/database or did they just cobble together whatever someone with basic MS Access skills thought would be a good data structure/workflow?

altjiraSeptember 1, 2008 6:53 AM

@Daylight

Penn Jillette gave sound advice back in 2002 - Make the Terrorists Do the Profiling. http://www.cato.org/pubs/regulation/regv25n1/finalword.pdf

I still can't see the flaw in letting anybody bring anything on a airplane. Ok, maybe it ought to be a registered weapon. With reinforced cockpit doors and a sick-of-being-scared public, any hijackers would have to fill half the seats on the plane to have a chance of pulling it off. The heroes of Flight 93, with no advance warning, prove what we will do to resist.

Carlo GrazianiSeptember 1, 2008 7:14 AM

@altjira: "I still can't see the flaw in letting anybody bring anything on a airplane."

No? I can. Liquored-up badasses-in-their-own-mind settling overhead compartment disputes with guns is a far more likely scenario than Flight 93 re-enactment.

Penn Jillette is a comedian, not a risk analyst. That piece was humor, not a cost-benefit analysis. The real question is "what is a reasonable threshold of security-related inconvenience to passengers that produces reasonable safety from realistic threats?" The answer is not TSA's non-sequiturish regs, but it's not zero either.

NealSeptember 1, 2008 8:15 AM

In the weeks following 9/11 the FBI published the list of suspected hijackers:
http://www.fbi.gov/pressrel/pressrel01/092701hjpic.htm

On a whim I searched Amazon.com for variations of the names and found this:
http://www.amazon.com/gp/registry/registry.html/?encoding=UTF8&type=wishlist&id=1UWSWIH3NXQJN

Note the similarity to one of the names. Note the area the person lived. Note the date the books were added to the wish list, well before 9/11 and therefore not a faked profile from after.

Is this the wishlist of a terrorist or an innocent coincidence? I don't know. The latter is a scary thought given the way we've treated some "potential terrorists." Did I find this before the FBI did? I don't know. Did they act on my report to check it out? I don't know. Have they considered how publicly available wishlists on high profile sites could be used, right under our noses, to communicate wants and needs or to obscure money trails? I don't know, but I hope so. It'd suck to discover another Amazon wish list, after a future event, in the name of one of the suspects - especially if that name was already known to the FBI.


NealSeptember 1, 2008 8:19 AM

Oh, for anyone who didn't follow the Amazon link but questioned the significance, the books in the wishlist are guides to residential airparks.

DaylightSeptember 1, 2008 8:34 AM

@kashif;
I see what you mean, but I don't think checking ticketed names against ID is anything but a very partial answer to this problem. There are too many variables. Again, I see what you mean, and indeed my first comment has to be seen the way you did.

@altjira;
Thanks for the link, I will read through that tonight.

AmySeptember 1, 2008 9:19 AM

I got married in 2001 and had my passport changed to my married name. All the US did was type my new name on the last name of the passport and emboss a stamp over it. (It really looks fake and I've always been worried it will cause me probs abroad.) So when I fly, my ticket never matches the name on the front page of my passport. The worrisome thing is that airport officials only flip to that back page maybe 20 pct of the time -- the rest of the time they obviously never even notice the names don't match. (And I've flown NYC-Heathrow at least once every year.)

dexeusSeptember 1, 2008 9:23 AM

@Carlo:

Of course it isn't zero...how about starting by rolling things back to the way they were about a decade ago. In most Western nations, at least security wasn't the bottleneck at airports, although some parts of it were quite obviously mere theater even back then.

But the cost/benefit analysis should be simpler if we start with something like that because the changes over the past decade can be examined to see if any of them actually have any benefit (I'm going to go with marginal if any).

Note that I'm speaking exclusively about airport security, not onboard security.

Michael AshSeptember 1, 2008 9:28 AM

@Daylight

I don't know how this ridiculous idea got started that you can't criticize something unless you know how to make it better, but I would like it to stop. I'm no architect or builder, does that mean I'm not allowed to complain when my roof leaks? When an organization which is supposed to be an expert at what it does is so obviously stupid, it's perfectly reasonable to complain even if you yourself are not expert enough to offer advice on how to improve.

Furthermore, if you've read Bruce's writings, you'll know that he has often suggested concrete improvements. From memory, please verify that he's actually said these things before you complain, he has suggested doing away with ID requirements, reducing passenger security screening to somewhat coarser levels, and using behavioral profiling to detect people with criminal intent.

ThomSeptember 1, 2008 9:37 AM

@Neal:

That's interesting and does illustrate where intelligence and data mining would be of far greater benefit than TSA security. Since this information isn't exposed to the search engines one would have to intercept this data, get a private peek with Amazon's cooperation, or just run myriad searches for known names and aliases to locate such an entry. I don't know how I feel about the government building profiles based on my wish list choices though, public or not.

Nick LancasterSeptember 1, 2008 9:48 AM

Whether it was done out of fear, incompetence, or simply the need to show the public that Something Is Being Done, the mess that comprises airport security should be self-evident.

We added more thorough security checks and limitations, and then we added a program to allow frequent travelers to go through abbreviated searches.

We implemented bans on liquids based on misreported facts from the UK bombing plot. We still haven't admitted that we got that wrong, even though we're supposed to learn that math is commutative in school. (That is, if I want more than 3 oz. of a liquid onboard, I need multiple bottles and/or multiple carriers.)

If statements pointing out the problem aren't helping, then neither is trying to silence criticism from other than approved sources. If you were to ask the Emperor's court, they'd all tell you his new clothes were daring and the height of fashion.

Ask the little kid on the street, and he'll tell you His Nibs was starkers, and ask you why that's so.

Clive RobinsonSeptember 1, 2008 10:14 AM

@ Bruce,

"That's the TSA: Not doing the right things. Not even doing right the things it does."

I think that is a little unfair.

I'm very sure it is "doing right the things it does", which is spending U.S. Tax and airport Tax as fast as it can get away with. Also it appears to be very successfully building a monumental empire for it's self...

I could go on but I'm sure those a little closer to the TSA than I could give better examples.

vwmSeptember 1, 2008 10:16 AM

@Neal, Thom: I don't get your point. Do you really think, data mining for people interested in "Pilot's Guide to Recreational Destinations" is helping to find dangerous people?

BTW al-Ghamdi seems to be a common name, e.g. there is a Saudi Airlines pilot and a soccer player (Saudi Arabian national team) who are called that way.

Oh, and some time ago I read about a woman complaining about being hassled by an immigration officer who seemed to have keen knowledge about her amazon wish list...

ThomSeptember 1, 2008 10:27 AM

@vmn - No, I don't think random datamining for books would but I do much but I think datamining for aliases might.

Certainly if the FBI had that guy on a list beforehand and searched the wish lists this could have helped locate him. Certainly it could have hinted at, or re-enforced, rumors of a plot involving aircraft. So yes, data mining could be beneficial.

Did he buy those books? Did someone who viewed his wish list buy those books? Who and where? Did someone in that area check those books out of the local library? Who and can we locate them? That is intelligence and that is proven to work.

ThomSeptember 1, 2008 10:30 AM

O, and yes his name and variations do seem common, but are you telling me that wouldn't have been worth exploring? A match on name. A match on last known location. A pair of books on airports. Rumors of a plot involving aircraft. If you don't find that compelling now then please, please, never enter any security or intelligence field because you would never have investigated it then.

P. BryanSeptember 1, 2008 10:57 AM


Part I: A significant part of the problem
How dare you provide details to the public that enables terrorists to subvert the security of our air travel? Don't you know we're fighting a war on terror? The TSA is doing the best they can with what they've got. If we want to stop the terrorists, we need to make sacrifices. One of those should be adding those who enable terrorists by discussing the security of the TSA onto the terrorist watch list.

Part II: Analysis
Part I paraphrases much of what I hear from many citizens. A significant number of people have bought into: the notion of declaring war on a tactic; maintaining security of a number of processes through secret lists, procedures, government agencies; putting up with incompetent bureaucracy; sacrificing freedoms for the promise of more security.

Part III: A part of the solution
Not only do security professionals need to devise stronger methods of thwarting terrorist tactics, they need to further educate the public, as Schneier does on this blog. The citizenry should be engaged, even if needing to be encited by statements that upset them. The broken parts of the system needs to be challenged, not with the intent to subvert the security of the state, but to make us all stronger and resilient to attacks.

WillSeptember 1, 2008 10:58 AM

I'd assume the government (CIA/FBI/TSA) is monitoring known aliases but, after all I've read here about the quality of their computer systems and their other operations, I'd tend toward believing they're not doing a very good job of finding or sharing anything.

CameramanSeptember 1, 2008 11:16 AM

I wouldn't mind being allowed to carry a gun on a plane.

Come to that, I wouldn't mind being aloud to carry a gun on the street. You know, like the Constitution guarantees I am allowed to.

Hell, make me pass a license course to prove I can do so safely, like they do with cars. I can live with that. But then, let me carry a gun where I darn well please.

perlhaqrSeptember 1, 2008 11:49 AM

It's been a long time since I last flew, I admit, so my recollection is a bit fuzzy, but I would swear I recalled the Airline check-in desk checking my ID to make sure it was me and the name matched the ticket.

Does this not happen any more? Or are we assuming someone on the No-Fly List flying without luggage, and just going straight to security?

Come to think of it, I seem to recall security looking at both ID and boarding pass as well. Anyone else got more details?

Bruce SchneierSeptember 1, 2008 12:01 PM

"From memory, please verify that he's actually said these things before you complain, he has suggested doing away with ID requirements, reducing passenger security screening to somewhat coarser levels, and using behavioral profiling to detect people with criminal intent."

And -- most importantly -- taking the zillions saved from not doing ineffective airport security and channeling it into investigation, intelligence, and response: countermeasures that don't require us to guess the plot in order to be effective.

Oh, wait, I said that in the last paragraph.

I think most people who complain about me not offering solutions have a too narrow view of what a "solution" is.

MichaelSeptember 1, 2008 12:03 PM

@Community Organizer - Right, the Republicans are the ones always harping on security, the Republicans are the ones creating all these security beaurocracies, the Republicans are profiting from the contacts, the Republicans are the ones stripping us of our rights, but you blame the Democrats. Who are you trying to fool, fool.

Mark McSeptember 1, 2008 12:38 PM

@Thom,

> "Certainly if the FBI had that guy on a list beforehand and searched the wish lists this could have helped locate him... So yes, data mining could be beneficial."

That isn't data mining, it's investigation of a known individual suspected of association with a terrorist group.

> "Did someone in that area check those books out of the local library? Who and can we locate them? That is intelligence and that is proven to work."

My understanding is that under the PATRIOT Reauthorization Act a FISA warrant is required to obtain library records, and must be targeted at a named subject who is involved in an on-going FBI investigation. No random searching of library lending records is permitted.

CosSeptember 1, 2008 2:51 PM

Here's the biggest irony, though: As the ACLU has uncovered, the government deliberately does *not* put the names of the people they deem most dangerous on the no-fly or watch lists, because that list is insecure, and they don't want to leak the names. Since they don't trust TSA not to reveal who they're really watching most closely, TSA doesn't have those names.

ThomSeptember 1, 2008 2:51 PM

@Mark,

Sigh. Perhaps you could go back and read the posts in context and try to grasp that not every word I wrote was meant to describe data mining. Sorry, I'm not a grammar nazi, so I sometimes assume people can grasp the larger argument rather than focus on a single sentence.

To data mining - the explicit act of an agent going to amazon and searching for names and aliases then following up on them is indeed investigation. Automated searching of the entire Amazon database, along with other similar commerical databases, for all names and aliases, compiling statistics on addresses, emails, purchases, and book choices, then spitting this out for follow-up is data mining.

Regarding the library. You do note that no random searching of lending records is permitted. Assuming you think our government always follows the letter of the law, you should realize that all an agent need do is walk into the local libraries there, pick up the books in question, and see a list of everyone who checked them out. Unless of course it's fairly modern library that does everything electronically - still the minority in the US. Then the agent might need a search warrent if the Librarian is a good one and doesn't hand the information over when asked.

anonSeptember 1, 2008 3:10 PM

Our library went to a computer card catalog less than five yeras ago. It still used the check out slips in the front until last year though. Now its all computered but the slips are still there except on new books. I found a book my dad checked out before I was born (27 yrs).

RandomSeptember 1, 2008 4:39 PM

I flew 3 times recently, comprising 2 trips.

First time: one-way, carryon only, no checked luggage, so I didn't checkin at airline counter. The fake boarding pass would have worked to get me past TSA security.

Second time: round-trip, checked luggage. At luggage checking, the iirline employee checked my picture ID and correlated it to my booked entry (brought up onscreen by PNR number). The fake boarding pass would NOT have worked here, unless the airline agent made a mistake. TSA accepted the boarding pass I printed myself.

Third time: return of round-trip, checked luggage. Airline employee did NOT check picture ID, although I fully expected this to happen. TSA only checked against the boarding pass I printed myself, even though I had the airline agent reprint it because my inkjet printer had some clogged jets that yielded gaps in the printed output.

So, for 3 anecdotal results in just 4 weeks, I'd say Bruce's point is well made. The TSA's procedure is flawed in exactly the way Bruce describes. Furthermore, the airline's procedure is also flawed, since every checkin at front counter does not result in an ID check.


The OperatorSeptember 1, 2008 6:51 PM

While "security theater" may be one explanation for the increased screening of passengers, I would wager that the present staff are but dramatis personae and the present "precautions" merely props.

As this Post 9/11 Reality public relations stunt runs its course, it will become de rigeur to present your papers before travelling - and that's what the list of one million names is really all about (we've established that the list only grows, no?).

GeorgeSeptember 1, 2008 7:23 PM

For those who insist that it's inappropriate to criticize something without including a complete, validated, workable solution, I think it's best to say that no such solution is possible because the airport "security" system can't be fixed.

We have the very same "system" that failed on 9/11. The only difference is that they've replaced minimum-wage private flunkies with government employees. They've also added a haphazard series of patches and jury-rigging in reaction first to 9/11 and then to various highly-publicized threats. So we have the same x-ray machines, metal detectors, and overall approach we had on September 10, 2001. But they've added shoe removal, ridiculous rules about liquids, multiple checks of boarding passes within the checkpoints, watch lists that put quantity way ahead of accuracy, pointless ID checks, and screeners empowered to make up new rules as they see fit because "unpredictability" is now a "Security Strategy." They now want to add machines that strip-search passengers.

The TSA seems inextricably wedded to the current failed approach despite its proven ineffectiveness. And if someone breaches the system, they'll just add another patch that will create yet another incomprehensibly arbitrary hassle for passengers. I suspect the real problem is they're incapable of coming up with anything that is genuinely effective, so they're insisting that if you just add enough patches, make screening intrusive enough, and react quickly enough to publicized breaches, it will eventually become effective. And they have no choice but to impugn patriotism of anyone who publicly mentions that the emperor is not only naked but is visibly in dire need of a "male enhancement product."

It's the same approach they use toward the War on Drugs. Yes, it hasn't done much over 30-odd years, but if we stay the course with more budget, more Warriors, and more prisoners, we'll have the long-promised Victory. As with the Drug Warriors, the TSA is "not doing the right things and not even doing right the things it does." The only acceptable response is we need to give the TSA more funding and more power to do more of the things it does. Only then will they be proved right.

gopiSeptember 1, 2008 10:49 PM

@Community Organizer:
"The TSA is just another make work program for those who vote Democrat."

What do you mean? The Republicans are the ones pushing it. People sometimes accuse the Remocrats of funding things like welfare to get more votes. I think the TSA is ample proof that the Republican party has finally caught on to the trick.

At least people on welfare aren't being paid to actively disrupt our lives...

HankSeptember 2, 2008 12:10 AM

"At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down."

At Ben Gurion airport in Israel, they have been doing it the right way for the past 25 years.

John TannerSeptember 2, 2008 4:54 AM

By contrast, I've seen Asian airlines like Cathay Pacific and Singapore Airlines check boarding passes against passports at the boarding gate. I don't think it's an airport requirement because not every airline does it. And as far as I know, you can only use a printed online boarding pass at the check-in desk, where they print you a separate boarding pass to (1) get through immigration and (2) take to the gate. That may change, though, since a couple of airlines have installed self-service check-in kiosks. I haven't tried one yet, so not sure what sort of boarding pass you get.

gregSeptember 2, 2008 7:39 AM

ID checks against passports is often done internationally for liability reasons. Basically if you get to the other country and are not allowed in and have no money, the airline has to foot the bill to fly you back. Its gets really complicated if your are not allowed back into the country you come from however.

AnonymousSeptember 2, 2008 8:13 AM

@daylight: If you go back and read the second-to-last paragraph, Mr. Schneier is very clear about how he would improve security: spend money on "intelligence, investigation and emergency response", instead of wasting it on ineffective screenings at airports.

Of course he doesn't give any suggestions about improving airport screening, because he thinks even done right airport screening is mostly a waste of security resources that could be put to more effective use.

DavidSeptember 2, 2008 8:49 AM

Airport security was fine on September 10, 2001. The hijackers didn't even try to bring guns on board. The only reason they succeeded was that the standard practice in case of hijacking was to cooperate; now that standard practice is to take down the hijackers, they don't have a chance.

Now that passengers believe that they have to stop hijackers or die, and the cockpit doors are reinforced, there is no possibility of another 9/11 hijacking and attack. Just don't let people on with guns (and the pre-9/11 security was quite good enough for that).

kangarooSeptember 2, 2008 9:39 AM

Ching Ching Ching!

And David wins the money!

It's bad enough when you're fighting the last war: how much more imbecilic to be fighting the incorrect last war?

TSSeptember 2, 2008 11:45 AM

@perlhaqr

Must have been a long time ago.

You can check-in online and print your boarding passes at home. With the boarding pass, you can walk straight to security (with the fake pass) and then to the boarding gate (with the real pass). So yes, it is exactly as Bruce describes.

Why would a terrorist, let alone a regular passenger, ever want to check a bag? Pay $25 for the checked bag, risk baggage handlers stealing stuff from the bag, risk the airline losing the bag, having to wait at the carousel for your bag... I avoid it as much as possible, as do most business travelers.

bobSeptember 2, 2008 11:46 AM

@Carlo Graziani, David: Until the "take me to Cuba" hijackings started in the '60s having guns in the cabin was legal; I don't remember hearing about any shootouts over luggage space.

@Daylight: Im afraid I dont follow your logic. Pretty much everyone here agrees that static, random lists of names would only thwart terrorists at the pre-school (madrassa?) level, ie it would only stop non-existent threats. Pretty much useless and a total waste of money.

But I think you are saying keep doing a useless thing because we didnt put forth a better suggestion? Thats like saying if I am on the Titanic and I see a crewmember repeatedly throwing an empty bucket overboard, filling it and hauling water from the ocean INTO the ship, he should not stop simply because I dont have a better suggestion?

If something is useless, than doing nothing IS a better suggestion because they both provide the same security benefit and nothing costs WAAAY less.

Bruce SchneierSeptember 2, 2008 2:02 PM

"But I think you are saying keep doing a useless thing because we didnt put forth a better suggestion? Thats like saying if I am on the Titanic and I see a crewmember repeatedly throwing an empty bucket overboard, filling it and hauling water from the ocean INTO the ship, he should not stop simply because I dont have a better suggestion?"

Sadly, it's a standard argument. I like to think of it as: "We must do something. This is something. Therefore, we must do it."

charlieSeptember 2, 2008 2:08 PM

Does anyone know the statutory authority TSA uses to

1) Deny people access to areas past security posts?

2) Access the "no-fly" list

Isn't the "no-fly" list itself run by DOJ?

Rob HughesSeptember 2, 2008 3:29 PM

You can actually get off the no-fly list by going to http://www.tsa.gov/travelers/customer/redress/index.shtm and following the procedure. It took me about a month, but I'm off the list and can actually do electronic check-in for the first time in about 6 years now. But in general, I agree with the article. This is bureaucrats doing bureaucratic stuff to make themselves look good while providing no appreciable increase in security to the public.

Phil MSeptember 2, 2008 3:35 PM

Charlie asked about TSA's statutory authority.

In a [June 15, 2008, TSA press release describing updates to their airport ID policy][1], TSA wrote:

"Under the law that created TSA, the Aviation and Transportation Security Act, the TSA administrator is responsible for overseeing aviation security (P.L. 107-71) and has the authority to establish security procedures at airports (49 C.F.R. § 1540.107). Passengers that fail to comply with security procedures may be prohibited from entering the secure area of airports to catch their flight (49 C.F.R. § 1540.105(a)(2)."

However, a frequent commenter on [TSA's "Evolution of Security" blog][2] who uses the pseudonym "Trollkiller" has repeatedly asked, in many places including [TSA's "Answers to Your Top 10 Questions" post][3], for TSA to reconcile their policy of forced identity verification as a criterion for allowance of access to "sterile areas" of airports with [49 C.F.R. § 1540.5][4], which defines:

"Sterile area means a portion of an airport defined in the airport security program that provides passengers access to boarding aircraft and to which the access generally is controlled by TSA, or by an aircraft operator under part 1544 of this chapter or a foreign air carrier under part 1546 of this chapter, through the screening of persons and property."

and also:

"Screening function means the inspection of individuals and property for weapons, explosives, and incendiaries."

TSA has not responded.


References:

[1]: http://www.tsa.gov/press/happenings/enhance_id_requirements.shtm
[2]: http://www.tsa.gov/blog/
[3]: http://www.tsa.gov/blog/2008/08/answers-to-your-top-10-questions.html
[4]: http://law.justia.com/us/cfr/title49/49-9.1.3.5.8.1.10.3.html

Phil MSeptember 2, 2008 3:50 PM

TSA or anyone who knows: Where has TSA published a list of all the rules and regulations that TSA will subject someone to if that person wishes to cross a U.S. Government checkpoint at an airport en route to the gate from which his domestic flight will depart, not including laws that the person is required to abide by outside of the airport checkpoint (i.e., just those rules and regulations that apply only at the checkpoint). Please provide a URL or name of the government publication.

I am not asking to see TSA's operating procedures, or for tips, hints, clues, or guidelines, but the rules TSA requires us to follow at an airport checkpoint in order to avoid having our freedom of movement restricted by TSA staff.

Does anyone know where to find the rules TSA requires us to follow? If not, how can we be expected to comply with those rules?

BrettSeptember 2, 2008 3:54 PM

@George

You just described the Microsoft Business Plan as relating to Windows:

release - patch - release - patch

Mark McSeptember 2, 2008 5:48 PM

@Thom,

> "Sigh. Perhaps you could go back and read the posts in context and try to grasp that not every word I wrote was meant to describe data mining. Sorry, I'm not a grammar nazi, so I sometimes assume people can grasp the larger argument rather than focus on a single sentence."

Nothing to do with grammar, just content.

> "To data mining - the explicit act of an agent going to amazon and searching for names and aliases then following up on them is indeed investigation. Automated searching of the entire Amazon database, along with other similar commerical databases, for all names and aliases, compiling statistics on addresses, emails, purchases, and book choices, then spitting this out for follow-up is data mining."

I agree, it would be. But when "vmn" asked you whether datamining to find people interested in a particular book or type of book would help find dangerous people, you answered "No, I don't think random datamining for books would but I do much but I think datamining for aliases might." What do you mean by that? If correlating a particular type of Amazon purchase with particular names isn't helpful, what ARE you suggesting should be the outcome of this datamining?

> "Regarding the library. You do note that no random searching of lending records is permitted. Assuming you think our government always follows the letter of the law,"

Of course not - but librarians in general are pretty adamant about not allowing federal agents any more access to their records than that absolutely required under relevant legislation. Perhaps federal LEOs are hacking into library information systems to perform illicit searches, but I rather doubt that.

> "you should realize that all an agent need do is walk into the local libraries there, pick up the books in question, and see a list of everyone who checked them out. Unless of course it's fairly modern library that does everything electronically - still the minority in the US. Then the agent might need a search warrent if the Librarian is a good one and doesn't hand the information over when asked."

Despite a good deal of library usage, I haven't seen one of those systems where you sign your name on the checkout card in more than 20 years - perhaps I'm biased due to living in a city. It didn't occur to me that they might still exist. I haven't found statistics on their frequency, but when you can buy library software that performs all common library book-keeping functions as well as printing and scanning book and card barcodes for around $200, it's hard to imagine most libraries in the US function solely with pen and paper.

Davi OttenheimerSeptember 2, 2008 7:05 PM

Excellent. Congrats on another Kafka reference.

Lately when people ask me for a good reference on security in America I hand them a copy of Kafka's "The Trial".

You aren't supposed to know what you have done wrong, or who is accusing you...just feel the pressure from someone, somewhere who has accused you of something.

Seems kind of like what happened to Alaska Public Safety Commission Walt Monegan, when Gov. Sarah Palin sent a messenger to fire the man she hired.

""They can call me in and say, you know, 'I don't like your hair; you're fired,' " Monegan said.

[...]

"I said, 'What's this mean ... I guess I'm no longer commissioner?' He said, 'That's correct.' "

Monegan must be a name on the Palin list.

charlieSeptember 2, 2008 9:34 PM

phil, thank you for the information.

I am still trying to figure out how the "no-fly" lists exists with that legal framework. Does TSA use the "no-fly" list as a part of the screening towards a "sterile area". Can a "no-fly" selectee fly general aviation or their own private plane. I suspect the recent case on "no-fly" redress will provide some answers.

Michael AshSeptember 2, 2008 10:36 PM

@charlie

I can't say for certain but I don't think the no-fly list applies to general aviation. I don't think that the FAA has access to the list, and if they do I don't think that they would use it. Pilots commonly make fun of how absurd the FAA is about many things, but compared to the TSA they are very reasonable. I've never heard of a general aviation pilot having trouble with the no-fly list, and given the quantity of common names on the list I'm sure that it would have come up by now. For passengers, I don't believe that anyone screens them except the people flying them. It may be different for larger operators, but certainly nobody has to screen *my* passengers when I take people for rides.

The security-type requirements for becoming a pilot are pretty low in general. They do a quickie background check (takes about 30 minutes) when you first apply for a student license, and that's about it. If you're not a US citizen then you need to submit to a much more extensive screening to get training if you're going to become a regular private pilot, but not for less common things like gliders or balloons.

Phil MSeptember 3, 2008 2:13 PM

Charilie, I don't have the information you seek. Following are a few leads someone posted to the TSA blog that might generate some leads for you:

Electronic Frontier Foundation's October, 2007: "Comments on Terror Watch List"
http://www.eff.org/deeplinks/2007/10/eff-comments-terror-watch-list

Review of the Terrorist Screening Center:
Chapter 7: Database Accuracy and Completeness:
http://www.usdoj.gov/oig/reports/FBI/a0527/chapter7.htm

Audit of Terrorist Screening Center:
http://www.usdoj.gov/oig/reports/FBI/a0741/final.pdf

Washington Post: Terrorism Watch List Is Faulted For Errors:
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/06/AR2007090601386.html

Also, keep an eye on The Identity Project's blog. They periodically report on DHS' no-fly and terrorist watch lists:
http://papersplease.org/wp/

SkorjSeptember 3, 2008 6:43 PM

@ Bruce

One flaw in your recipe to bypass security (feel free to delete this comment if it's intentional): the guy who checks your boarding pass against your ID will initial it with colored marker. Presumably there's a "color of the day". If you then try to board with a different pass, one that hasn't been initialed, questions will be asked.

Not that it's hard to defeat this system, but it takes it beyond "casual", as you have to probe to determine what color marker you need.

averrosSeptember 4, 2008 6:55 AM

>>"The TSA is just another make work
>> program for those who vote Democrat."

>This just has to be a joke, but I don't get it.

Maybe that's because you do not apply your mind to the task of figuring out who benefits and instead rely on the cliches from the statist propaganda.

Law enforcement unions are big (really big) Democrat donors and power bases. TSA creates lots more jobs (and therefore members) for these unions.

SkorjSeptember 4, 2008 2:40 PM

@ averros

You cannot then deny that the TSA keeps us safer - all those TSA employess might otherwise be on the street!

averrosSeptember 4, 2008 4:41 PM

Skorj - I prefer they'd just go for burger flipping.

Apropos... a month or so ago I had a misfortune to have a bunch of TSA bozos conducting handgun training next to my lane in the range. Their *instructor* was waving loaded gun in all directions; I ended up telling him to put it down, and calling range security.

Jonathan RockwaySeptember 4, 2008 11:15 PM

@Skorj: This isn't true. I've reprinted my boarding pass inside of security a number of times. You can, for example, change your seat assignment online and then reprint a boarding pass. Or, you can change flights. Or, you can simply throw the boarding pass away with your receipt from lunch, and need another one so you can get on the flight.

All in all, it is very easy to get on a plane with a boarding pass without the TSA mark on it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..