TSA Publishes Standard Operating Procedures

BoingBoing is pretty snarky:

The TSA has published a "redacted" version of their s00per s33kr1t screening procedure guidelines (Want to know whether to frisk a CIA operative at the checkpoint? Now you can!). Unfortunately, the security geniuses at the DHS don't know that drawing black blocks over the words you want to eliminate from your PDF doesn't actually make the words go away, and can be defeated by nefarious al Qaeda operatives through a complex technique known as ctrl-a/ctrl-c/ctrl-v. Thankfully, only the most elite terrorists would be capable of matching wits with the technology brilliance on display at the agency charged with defending our nation's skies by ensuring that imaginary hair-gel bombs are kept off of airplanes.

TSA is launching a "full review" to determine how this could have happened. I'll save them the effort: someone screwed up.

In a statement Tuesday night, the TSA sought to minimize the impact of the unintentional release -- calling the document "outdated," "unclassified" and unimplemented -- while saying that it took the incident "very seriously," and "took swift action" when it was discovered.

Yeah, right.

The original link to the document is dead, but here's the unredacted document.

I've skimmed it, and haven't found anything terribly interesting. Here's what Wired.com noticed:

One of the redacted sections, for example, indicates that an armed law enforcement officer in or out of uniform may pass beyond the checkpoint without screening after providing a U.S. government-issued photo ID and “Notice of LEO Flying Armed Document.”

Some commercial airline pilots receive training by the U.S. Marshals Service and are allowed to carry TSA-issued firearms on planes. They can pass through without screening only after presenting “bonafide credentials and aircraft operator photo ID,” the document says.

Foreign dignitaries equivalent to cabinet rank and above, accompanying a spouse, their children under the age of 12, and a State Department escort are exempt from screening.

There are also references to a CIA program called WOMAP, the Worldwide Operational Meet and Assist Program. As part of WOMAP, foreign dignitaries and their escorts — authorized CIA representatives — are exempt from screening, provided they’re approved in advance by TSA’s Office of Intelligence.

Passengers carrying passports from Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen or Algeria are to be designated for selective screening.

Although only a few portions of the document were redacted, the manual contains other tidbits that weren’t redacted, such as a thorough description of diplomatic pouches that are exempt from screening.

I'm a little bit saddened when we all make a big deal about how dumb people are at redacting digital documents. We've had a steady stream of these badly redacted documents, and I don't want to lose that. I also don't want agencies deciding not to release documents at all, rather than risk this sort of embarrassment.

EDITED TO ADD (12/10): News:

Five Transportation Security Administration employees have been placed on administrative leave after a sensitive airport security manual was posted on the Internet, the agency announced Wednesday.

EDITED TO ADD (12/12): Did the TSA compromise an intelligence program?

Posted on December 10, 2009 at 6:47 AM • 52 Comments

Comments

BF SkinnerDecember 10, 2009 6:59 AM

Been waiting for your comment on this since they said "critics of TSA will use this to further critizise us." I could almost hear them whisper '...Schneier, Schneier'

Information disclosures happen because humans are human and they make mistakes. In the 90s my average for responding to classified information released on unclassified circuits was about 1 every 3 years. In the oughts it was about every 1 every 18 months with the distribution being much broader. These were carefully marked documents (such as the handbook).

In our highly networked world with pressure to use multilevel information on the same infrastructure I'd be interested in seeing what the real figures of Practice Dangerous to Security are.

Robert CobbDecember 10, 2009 7:08 AM

Nah, it's a setup I tell ya. They just want everyone to think this is the real document and they're this dumb, that way the terrorists believe themselves to be on a level playing field.

Frank Ch. EiglerDecember 10, 2009 7:26 AM

"We've had a steady stream of these badly redacted documents, and I don't want to lose that."

Lose what? The opportunity to peep at document parts intended to be secret? Considering the meat-space implications of some of these, surely you would prefer the loss of peeping pleasure to the loss of life.

Clive RobinsonDecember 10, 2009 8:22 AM

Just one thing, I tell it to all people I have dealings with where there is even the romotest chance of sensitive information being involved (ie al the time ;)

PAPER PAPER NEVER DATA!!!

Oh and the older

"If writ on glass, that will be the last".

There is a reason why people have thin single sheet note paper and glass desk tops. You don't leave an impression for others to find...

jrrDecember 10, 2009 8:23 AM

It'd be much less sad if it hadn't happened dozens of times in the past, including with other government agencies which are now part of homeland insecurity.

jrrDecember 10, 2009 8:27 AM

If I were charged with redacting a document, first thing I'd do would be to cut/paste it to a plain old text editor, then replace redacted words with ******* or something, then cut/paste it back.

If required to release photographically-equivalent copies of original documents, I'd print them to a SIMPLE graphics format (without layers) then open them in a graphic editor and overwrite with black boxes, and again save in a graphics format that does not support layers or history. It's safest, printing then blacking out then rescanning might leave enough to recognize if you play with the brightness and contrast enough.

DerobDecember 10, 2009 8:32 AM

The procedure to prevent a thus redacted document from becoming readable by simple manipulation is also very simple. Just print the redacted document on paper and scan it back in. For me it is common practice, and most printers/copiers in the office are able to scan and send it automatically to our e-mail boxes as pdf by using a bar coded cover page. It takes a couple of seconds for a page, or at most a couple of minutes for a lengthy document.
Yes, this way you could even use an old fashioned marker and perhaps some post-it papers to do the redacting, which is still a lot faster then having to draw rectangles with a mouse.

BF SkinnerDecember 10, 2009 8:33 AM

"If I were charged with redacting a document..."

I'd print it out, redact with thick black ink. Make a copy and then a copy of the copy then scan it back in to a digital form.

But sometimes the FOIA law requires specific form. Seems the taxpayers are believed to have some rights or somthin'.

reeDecember 10, 2009 8:41 AM

Interesting that the walk through metal detectors are considered calibrated if the three test objects trigger an alarm for all of the passes, yet there's no process for operators to ensure they aren't too sensitive which would result in lots of false positives and grumpy travelers.

Cory DoctorowDecember 10, 2009 8:48 AM

"I'm a little bit saddened when we all make a big deal about how dumb people are at redacting digital documents. We've had a steady stream of these badly redacted documents, and I don't want to lose that. I also don't want agencies deciding not to release documents at all, rather than risk this sort of embarrassment."

The difference here is that the TSA has claimed a literally unquestionable technical superiority that allows it to, for example, deny you the right to travel based on its infallible IT systems.

Extraordinary claims require extraordinary proof. If you claim that the reason that you are certain that moisture bombs can be cooked up on airplanes -- even though all the disinterested experts say it's crazy -- is that you know more about technology than the rest of us, then stupid technology mistakes aren't just simple errors.

If the TSA has only-average technical competence, then we should only ascribe average levels of fallibility to its screening procedures, its ability to precompute your terroristic tendencies, and its ability to correctly assess the relative likelihood of technically sophisticated attacks.

For most of a decade, the TSA's answer to "why?" has been "Because we are more technically competent than you, so shut up." If they're not more technically competent than the rest of us, then they must start answering "why," and quick.

jgrecoDecember 10, 2009 8:58 AM

@BF Skinner

"But sometimes the FOIA law requires specific form. Seems the taxpayers are believed to have some rights or somthin'."

I'm curious what form would prevent them from doing this. If they need a hardcopy then photocopy a redacted document and send them a hardcopy. If they want a pdf, then send them the scanned pdf.

Is the issue that we have the right to request PDFs that contain text, not images? If that is the case then OCR might be a solution, though I'm admittedly not familar with how good that is these days. Besides, what would they do about documents that never had a digital form to begin with?

jgrecoDecember 10, 2009 9:03 AM

@Cory Doctorow

It is certainly reasonable to make fun of the TSA for slipups like this, but I think what Bruce is trying to say is we shouldn't make _too_ much fun of them, lest we miss out on future opportunities.

kangarooDecember 10, 2009 9:28 AM

I'd like to suggest to some of these folks -- don't use the black marker approach if you're very, very serious. You will leave patterns that MAY be possible to deconvolve. Use the digital black box so that the printer just gets a black bitmap at that location -- then do the reverse scan.

jgrecoDecember 10, 2009 9:36 AM

@kangaroo

I would suggest that while you are technically correct, using a marker will be, in practice, more secure.

People are lazy and you can reasonably suspect someone down the line to be "clever" and take a shortcut, resulting in a leak similar to this one. Training could alleviate this concern to some degree, but I think realistically redacting with good black ink, then scanning it back in is more than secure enough. (particularly if you scan it with "black and white", not grayscale)

mooDecember 10, 2009 9:47 AM

Why don't they have an "automatic redacting appliance" of some sort? Basically a printer, scanner with OCR combined into one? Just feed it your PDF (or paper document), draw black rectangles on-screen to redact the proper stuff, and then it would produce for you a "clean" PDF by transforming it into physical paper and ink, then back again.

jrrDecember 10, 2009 9:53 AM

@kangaroo: that's why I suggested printing to a simple graphics format and manually overwriting with black boxes. I KNOW that's not recoverable. Scanned documents with black ink MIGHT be at least partially recoverable with enough tweaking with contrast/brightness values.

@jgreco: scanning in b/w is also a good idea. And while it's true that people are lazy, at some point we should have a right to expect people who are getting paid to do something to do it correctly. And in the case of redacted documents, I would think that they'd have a review process.

EponymousDecember 10, 2009 10:19 AM

Saudi's are not selectively screened? Well that's interesting. We've never had a problem with Saudis, especially not Saudi dignitaries or the relatives of wealthy Saudis.

Phil MocekDecember 10, 2009 10:20 AM

The Identity Project have posted an analysis of what they think is significant about the Screening Management SOP (including a comparison with the redacted excerpts they previously obtained via FOIA requests), an update on their pending FOIA appeal for the current Screening Management SOP, and their other pending FOIA requests for other screening SOPs and related documents: http://www.papersplease.org/wp/2009/12/10/...

Brad ConteDecember 10, 2009 10:59 AM

Here's the NSA's recommendations for document "censoring":

http://www.fas.org/sgp/othergov/dod/...

It's fairly detailed. Unfortunately, it's only through Word 2003, but I'm sure the methods could be easily adapted to later versions of Word. (I don't use Word often, so I don't know the details.)

Just having the right person read through that is worth far more that whatever bumbling, bureaucratic approach they use to try to fix the problem.

AdrianDecember 10, 2009 11:01 AM

Assuming this was an unintentional disclosure, there was failure at multiple levels (aside from the ineffective redactions).

Somebody pushed the document to the public website. Either that person thought the publication was authorized (communication failure), or that person is malicious (and thus shouldn't have access to the document or the .gov publication channel).

Given that somebody attempted to redact parts of the document AND its publication meant that there were at least two chances for somebody to stop release of the document. Why bother redacting it if it isn't going to be released? To decide what to redact, wouldn't you need to know the purpose of the release and the intended audience?

We've heard multiple conflicting responses from the TSA and DHS. "It's old", "it was never implemented", "it has been revised six times," "it's already widely circulated in the airline industry, so there's nothing new."

None of those claims are quite consistent with the fact that papersplease.org got portions of this same draft under an FOIA request when they asked for information about the *implemented* ID checking procedures.

Something smells. My theory is that there was a plan to redact and publish this document (possibly to give contractors information they needed to bid or fulfill their obligations). After the fact, it was considered an embarrassment (possibly because of the botched redactions). The people who were instructed to redact and publish will now be punished as scapegoats.

TimDecember 10, 2009 11:19 AM

"I'd print it out, redact with thick black ink. Make a copy and then a copy of the copy then scan it back in to a digital form."

"Why don't they have an "automatic redacting appliance" of some sort? Basically a printer, scanner with OCR combined into one?"

Wow. That's almost more idiotic than the TSA. You know you can convert PDFs to images (TIFF or PNG would be best)?

The easiest way is to use ImageMagick

False DataDecember 10, 2009 11:24 AM

I wonder if there's any useful information to be gleaned from examining what was redacted versus what wasn't, sort of like a traffic analysis problem. Completely aside from how outdated, unclassified or unimplemented these procedures might or might not be, are there patterns that someone could use to reveal new information about other redacted documents?

TimDecember 10, 2009 11:27 AM

Actually, even easier method. All they needed to do was:

Open the PDF in gsview. File->convert->png or tiff.

You can then convert it back to a PDF using ifranview if required:
View->Multipage images->Create multipage PDF.

PackagedBlueDecember 10, 2009 12:17 PM

Modern pdf security and OS security is really bad, for something like redaction.

I would expect smart programmers to be able to track pdf useage, printage, and rescan, all on the same machine, or even others for those more determined. Redaction is too sensitive and important to leave to a casual process.

Covert channels can get ugly, especially in ugly formats like P pdf D pdf F.

RHDecember 10, 2009 12:21 PM

I don't know how well they're holding up in modern digital processing times, but there is a pen for redacting paper documents. Its a deep dark maroon. You can still read the text underneath (incase there's rules about the duplication of the document... the original still works), but when photocopied on a carefully calibrated variant of copier, the maroon comes out pitch black.

In all... for the love of sanity! Redact the bloody documents correctly!

'Course this also goes to show that the document was never actually classified to start with; are you telling me that there's no brain-dead easy redacting process for a minion to follow, under penalty of death?

Matt from CTDecember 10, 2009 12:44 PM

>carefully calibrated variant of copier

Had a temp job once rebuilding high-volume scanners used for digitizing forms and such.

Theyre' not specially calibrated...they use a red bulb, and standard senstivity isn't enough to pickup whats in the field then.

That's why certain fields (usually containing privacy related information) are a reddish-pink. The scanner won't pick it up.

Put a clear bulb in them, they pickup what's in the red fields.

-----
As for print-and-mark with a black marker, if you're going to that extent just get out a cutting board and xacto knife. After you make the copy of the xacto'd document, there's no question about whether the ink is dark enough, etc.

As some of the links above suggest, there's "good enough" ways to electronically redact -- but you have to follow the specific procedures for it to be successful.

scottDecember 10, 2009 1:28 PM

@Cory

That's a nice argument that makes us people on the street feel better, but I'm not sure it's valid.

Clearly the TSA is not a single entity, and it's not particularly helpful to think of it as such. It's a large organization that does not have a single rating of technical competence.

In particular, the fallible nature of its secretaries says absolutely nothing about the quality of its thoughtcrime division. You just can't generalize single incidents across the organization.

It's fun to bash the TSA, but I'm afraid that it would be more fun to do so with actual devastating evidence.

RoyDecember 10, 2009 2:01 PM

Section 4.1 shows how to sneak weapons or drugs aboard by making the container a diplomatic pouch, and what materials you must have forged for you in order to pass yourself off as a diplomatic courier. If the credentials look good, you're good to go. Nobody is actually going to check any of it.

Bruce ClementDecember 10, 2009 3:50 PM

In the first world war (and probably others) letters home from our soldiers were censored to prevent information that would "aid the enemy" (or alert the folks back home how bad the situation was) from getting out.

When the censors found something they wished to suppress, they didn't cross it out or black it out, they physically cut it out of the page; once it's gone it's gone for good.

The electronic equivalent isn't hard to do, but it requires users taking ownership for what their software is doing, and may require moving away from COTS products for some purposes. Your government is well known for the size and expertise of its counterintelligence services ... they should be advising the counterintelligent sections of the government.

FrostyDecember 10, 2009 4:22 PM

I can't believe dumb was just a couple of pay grades above me, however I am just as dumb for thinking that way. We got dumb pretty well covered to the top. I have a award for protecting what you are seeing and I would like to give it back.

G-mannDecember 10, 2009 5:36 PM

@Matt from CT

I agree with the Xacto Knife method. I used it for years while in the Gov't. Just cut the redacted stuff out and make a new non-sensitive copy to send or scan as needed.

I suspect that if the document had been classified, the IT people that handle their classified networks would have cracked open a book to see what to do and would have stumbled upon the NSA procedure... These Sensitive But Unclassified categories like "Sensitive Security Information" leave too much gray area when it comes to following Info Security protocols.

B. RealDecember 10, 2009 5:44 PM

I've always had clients use the product MicroFiche -- you redact in that and THEN it creates the PDF. No muss, no fuss, and no data in the PDF that doesn't belong in there. Can't be the only document management software that does that. Can't believe their sitting there drawing little black squares in a PDF overlay... Must be a bunch of people with way too much time on their hands (as in not enough to do).

JayDecember 10, 2009 6:19 PM

I can't believe nobody's mentioned the black-box-size side-channel attack yet!

Basically, if all you do is draw a black box over a word, people can measure the size of the box, and correlate it against a dictionary. Variable-width fonts make it far more accurate.

The correct way to redact is to replace the text with Lorem Ipsum before adding the boxes - then it doesn't matter how the boxes are done, either...

Bartnicki v. VopperDecember 10, 2009 6:45 PM

Congressmen propose to go after Cryptome and WikiLeaks.

> “How has the Department of Homeland
> Security and the Transportation Security
> Administration addressed the repeated
> reposting of this security manual to other
> websites and what legal action, if any, can be
> taken to compel its removal?” wrote Reps.
> Peter T. King (R-NY), Charles W. Dent
> (R-PA) and Gus M. Bilirakis (R-FL).

http://www.fas.org/blog/secrecy/2009/12/...

Picked up via ThreatLevel.

Clive RobinsonDecember 10, 2009 7:42 PM

@ Bruce,

With regards to,

"Some commercial airline pilots receive training by the U.S. Marshals Service and are allowed to carry TSA-issued firearms on planes. They can pass through without screening only after presenting “bonafide credentials and aircraft operator photo ID,” the document says."

And @ Roy,

"If the credentials look good, you're good to go. Nobody is actually going to check any of it."

Err if you had looked at the document I posted a link for above you would know that the TSA had a pilot scheme running to put RFID tags in the credentials and the weapons...

Also that the RFID tags in question are designed to work at a distance.

So anyone with an apropriate box of quite simple electronics will know with a good degree of probability if and who has the weapons...

Security thearter or what...

You could not make it up.

EpimortumDecember 10, 2009 8:56 PM

@The correct way to redact is to replace the text with Lorem Ipsum before adding the boxes - then it doesn't matter how the boxes are done, either...

Personally, if available my preferred method is to replace the word(s) with [redacted]
simple and clean

Trevor StoneDecember 10, 2009 11:14 PM

I didn't realize Somalia had enough of a government to issue passports.

Given the recent front in the anti-al Qaida fight, I'm surprised Pakistanis aren't on the list for special treatment.

ScottDecember 10, 2009 11:53 PM

The devil is in the details - well into the fine print on p.89 you'll find that they allow carry-on matches (but not checked) and that the one-book limit is no longer enforced. Correct me if I'm wrong but didn't we used to make nifty explosives out of match heads when we were young and foolish?

uk visaDecember 11, 2009 10:16 AM

The TSA does nothing for it's credibility; if it even cares about it's credibility.
One thing's more certain - the CIA won't appreciate it's WOMAP being outed even if it is only a cloak and dagger version of meet and greet.

AndrewDecember 12, 2009 5:14 PM

Workers make a human error like this and are suspended.

President and his staff make a stupid decision wasting thousands of lives and billions of dollars in Iraq, and there is no punishment.

AndrewDecember 12, 2009 5:17 PM

Also, given that so many non-cleared low-pay recent-hire workers already have these procedures in their possession, do you think these redacted parts are really secrets?

Clive RobinsonDecember 13, 2009 2:10 AM

@ Andrew,

"President and his staff make a stupid decision..."

And others who should know better.

Do you remember the CIA boss who used to use a computer at home with the most classified of intel, the same computer his kids used for the Internet.

Well he got away with it, but about the same time there was a researcher who had backup tapes of unclasified information relating to their work at work. Who was made out to be some international spy simply because there was a witch hunt on at the time...

It's not "what" but "who" you know. Likewise it's not "what" you do but "who" sees you do it.

And the more the vested interests in the administration "scare to paranoid" the population the more abuses the vested interests in the administration will get away with.

Once upon a time it was the stupid "if you knew what we know" trick to gull elected representatives and "you scratch my back and i'll scratch your back" pork of "If you aprove the money I'll spend it in your state".

Saddly it has become a lot more sinister with workers doing what they have been told and then scape goated.

I'm surprised people have not asked the $64,000 question of "were they used to put fear into their co-workers?"

It would be by no means the first time that would have been done by those who do not know how to manage people only scare them. We see that sort of tyranical dictitorial behaviour all the time in "tin-pot" third world countries and we say "how horible, I'm glad I don't live there" yet...

Carlos VelezDecember 13, 2009 9:20 AM

No excuses for this MAJOR security gap. Although this may be consider a draft document, the wording is questionable but more important pretty sensitive information is in there and more important instructions and procedures to be followed by TSA agents!. The rationale behind posting such information on internet does not make any sense.

John DittmerDecember 15, 2009 8:44 AM

There was no reason for TSA to release this document even if it was outdated. You tell me that a majority of the procedures have changed since May of 2008? I find that hard to believe.

I don't buy the RFP argument either. I have done plenty of proposal work as a contractor. After reading the manaual, a simple abstract could have served the same purpose without posing a security risk.

It's not the technical issues that bother me. It was the fact that very little thought was given before the release. Also, there needs to be a consolidation of the "sensitive, but unclassified" labels such as SBU, CUI, FOUO, etc. The sheer number of them makes them meaningless to people outside certain organizations. Most people can figure out that a document labeled TOP SECRET, SECRET, or CONFIDENTIAL needs to be handled a certain way. If they don't know exactly, they will usually find someone who does. However, other labels tend to be blown off by people because almost no one knows what exactly they mean. Thus, you will get incidents like this as long as this gray area condition exists.

Dale SwansonDecember 15, 2009 9:36 PM

@Jay
"I can't believe nobody's mentioned the black-box-size side-channel attack yet!

Basically, if all you do is draw a black box over a word, people can measure the size of the box, and correlate it against a dictionary. Variable-width fonts make it far more accurate.

The correct way to redact is to replace the text with Lorem Ipsum before adding the boxes - then it doesn't matter how the boxes are done, either..."

This is a pretty good point. Does anyone have any info on how competent agencies avoid this problem? It would seem a nontrivial amount of info would be revealed. For example if context limited a redacted word to a rather short list of likely candidates the length could easily limit to a single possibility.

As said replacing the word would solve the problem. But as far as I know this isn't commonly done when materials are declassified and published.

Clive RobinsonDecember 16, 2009 5:32 AM

@ jay, Dale Swanson,

"I can't believe nobody's mentioned the black-box-size side-channel attack yet!"

"This is a pretty good point. Does anyone have any info on how competent agencies avoid this problem? It would seem a nontrivial amount of info would be revealed."

There are several issues.

The first is that few documents being redacted are electronic nearly all are 30 or more years old.

Thus there is little or no oportunity to re-format, which is why they tend to redact paragraphs not individual words etc.

Thus the "black out" process is an ingrained way of doing the redacting. And as is often the case with a buracratic process it's the "look of the results" not the "actual results" that count.

Then there is the "elephant in the room" of what does the legal system think, that is what is the case law.

Contary to what most people belive courts make judgments on "evidence in documentation" that is the pieces of paper that "say" what the evidence is not the physical items etc themselves.

Even spoken evidence gets transcribed onto a piece of paper. Thus in reality courts only believe in pieces of paper their records are in pieces of paper, and they require tracability that is the pieces of paper remain unchanged...

With redacting a document nobody knows how a court will react if any other part of the document is changed....

As is normal technology has shown yet again that we have incorrect assumptions about "information" in our ordinary lives.

This issue is just going to get worse for about the next 20years or so....

NathanaelJanuary 5, 2010 3:02 PM

Here's the really crazy part.

I can't see anything even potentially worth keeping secret in the redacted material. Why did they bother? None of this is secret and there's no reason to keep it secret. This is just stupid Soviet-style "We will be secretive because we can be secretive, comrade." Gorbachev tried to get rid of that with glasnost.

I'm sure the terrorists could figure out on their own that having diplomatic credentials and State Department credentials would get them through.

If anything, letting us know why some people are being allowed through security without any screening (because they're diplomats, security officers, etc.) will make us feel more comfortable than the "what the hell they just let that guy go through" reaction we have now.

united Slaves of AmericaJuly 30, 2010 7:24 PM

This whole TSA crap is an insane persons insecurities gone wild. I say every one should be armed and carrying. Close all regular police departments as obsolete, outdated, unnecessary and unAmerican. Let them all work for the department of sanitation .

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..