Entries Tagged "air travel"

Page 43 of 46

Secure Flight

Last Friday the GAO issued a new report on Secure Flight. It’s couched in friendly language, but it’s not good:

During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA’s use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA’s actions, the public did not receive the full protections of the Privacy Act.

Get that? The TSA violated federal law when it secretly expanded Secure Flight’s use of commercial data about passengers. It also lied to Congress and the public about it.

Much of this isn’t new. Last month we learned that:

The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers—even though officials said they wouldn’t do it and Congress told them not to.

Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist.

Which is exactly what it was not supposed to do in the first place.

Let’s review:

For those who have not been following along, Secure Flight is the follow-on to CAPPS-I. (CAPPS stands for Computer Assisted Passenger Pre-Screening.) CAPPS-I has been in place since 1997, and is a simple system to match airplane passengers to a terrorist watch list. A follow-on system, CAPPS-II, was proposed last year. That complicated system would have given every traveler a risk score based on information in government and commercial databases. There was a huge public outcry over the invasiveness of the system, and it was cancelled over the summer. Secure Flight is the new follow-on system to CAPPS-I.

EPIC has more background information.

Back in January, Secure Flight was intended to just be a more efficient system of matching airline passengers with terrorist watch lists.

I am on a working group that is looking at the security and privacy implications of Secure Flight. Before joining the group I signed an NDA agreeing not to disclose any information learned within the group, and to not talk about deliberations within the group. But there’s no reason to believe that the TSA is lying to us any less than they’re lying to Congress, and there’s nothing I learned within the working group that I wish I could talk about. Everything I say here comes from public documents.

In January I gave some general conclusions about Secure Flight. These have not changed.

One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement—in almost every way—over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)

Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else’s ticket, airline procedures, etc.

Three, the urge to use this system for other things will be irresistible. It’s just too easy to say: “As long as you’ve got this system that watches out for terrorists, how about also looking for this list of drug dealers…and by the way, we’ve got the Super Bowl to worry about too.” Once Secure Flight gets built, all it’ll take is a new law and we’ll have a nationwide security checkpoint system.

And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars.

What has changed is the scope of Secure Flight. First, it started using data from commercial sources, like Acxiom. (The details are even worse.) Technically, they’re testing the use of commercial data, but it’s still a violation. Even the DHS started investigating:

The Department of Homeland Security’s top privacy official said Wednesday that she is investigating whether the agency’s airline passenger screening program has violated federal privacy laws by failing to properly disclose its mission.

The privacy officer, Nuala O’Connor Kelly, said the review will focus on whether the program’s use of commercial databases and other details were properly disclosed to the public.

The TSA’s response to being caught violating their own Privacy Act statements? Revise them:

According to previous official notices, TSA had said it would not store commercial data about airline passengers.

The Privacy Act of 1974 prohibits the government from keeping a secret database. It also requires agencies to make official statements on the impact of their record keeping on privacy.

The TSA revealed its use of commercial data in a revised Privacy Act statement to be published in the Federal Register on Wednesday.

TSA spokesman Mark Hatfield said the program was being developed with a commitment to privacy, and that it was routine to change Privacy Act statements during testing.

Actually, it’s not. And it’s better to change the Privacy Act statement before violating the old one. Changing it after the fact just looks bad.

The point of Secure Flight match airline passengers against lists of suspected terrorists. But the vast majority of people flagged by this list simply have the same name, or a similar name, as the suspected terrorist: Ted Kennedy and Cat Stevens are two famous examples. The question is whether combining commercial data with the PNR (Passenger Name Record) supplied by the airline could reduce this false-positive problem. Maybe knowing the passenger’s address, or phone number, or date of birth, could reduce false positives. Or maybe not; it depends what data is on the terrorist lists. In any case, it’s certainly a smart thing to test.

But using commercial data has serious privacy implications, which is why Congress mandated all sorts of rules surrounding the TSA testing of commercial data—and more rules before it could deploy a final system—rules that the TSA has decided it can ignore completely.

Commercial data had another use under CAPPS-II In that now-dead program, every passenger would be subjected to a computerized background check to determine their “risk” to airline safety. The system would assign a risk score based on commercial data: their credit rating, how recently they moved, what kind of job they had, etc. This capability was removed from Secure Flight, but now it’s back:

The government will try to determine whether commercial data can be used to detect terrorist “sleeper cells” when it checks airline passengers against watch lists, the official running the project says….

Justin Oberman, in charge of Secure Flight at TSA, said the agency intends to do more testing of commercial data to see if it will help identify known or suspected terrorists not on the watch lists.

“We are trying to use commercial data to verify the identities of people who fly because we are not going to rely on the watch list,” he said. “If we just rise and fall on the watch list, it’s not adequate.”

Also this Congressional hearing (emphasis mine):

THOMPSON: There are a couple of questions I’d like to get answered in my mind about Secure Flight. Would Secure Flight pick up a person with strong community roots but who is in a terrorist sleeper cell or would a person have to be a known terrorist in order for Secure Flight to pick him up?

OBERMAN: Let me answer that this way: It will identify people who are known or suspected terrorists contained in the terrorist screening database, and it ought to be able to identify people who may not be on the watch list. It ought to be able to do that. We’re not in a position today to say that it does, but we think it’s absolutely critical that it be able to do that.

And so we are conducting this test of commercially available data to get at that exact issue.: Very difficult to do, generally. It’s particularly difficult to do when you have a system that transports 1.8 million people a day on 30,000 flights at 450 airports. That is a very high bar to get over.

It’s also very difficult to do with a threat described just like you described it, which is somebody who has sort of burrowed themselves into society and is not readily apparent to us when they’re walking through the airport. And so I cannot stress enough how important we think it is that it be able to have that functionality. And that’s precisely the reason we have been conducting this ommercial data test, why we’ve extended the testing period and why we’re very hopeful that the results will prove fruitful to us so that we can then come up here, brief them to you and explain to you why we need to include that in the system.

My fear is that TSA has already decided that they’re going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we’re back to CAPPS-II, the very system Congress killed last summer. Actually, we’re very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.

Secure Flight is a mess in lots of other ways, too. A March GAO report said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven’t read this report, it’s pretty scathing.) The redress problem—helping people who cannot fly because they share a name with a terrorist—is not getting any better. And Secure Flight is behind schedule and over budget.

It’s also a rogue program that is operating in flagrant disregard for the law. It can’t be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.

EDITED TO ADD: Anita Ramasastry’s commentary is worth reading.

Posted on July 24, 2005 at 9:10 PMView Comments

Anti-Missile Defenses for Commercial Aircraft

In yet another “movie-plot threat” defense, the U.S. government is starting to test anti-missile lasers on commercial aircraft.

It could take years before passenger planes carry protection against missiles, a weapon terrorists might use to shoot down jets and cause economic havoc in the airline industry. The tests will help the nation’s leaders decide if they should install laser systems on all 6,800 aircraft in the U.S. airline fleet at a cost of at least $6 billion.

“Yes, it will cost money, but it’s the same cost as an aircraft entertainment system,” Kubricky says.

I think the airline industry is missing something here. If they linked the anti-missile lasers with the in-seat entertainment systems, cross-country flights would be much more exciting.

Posted on July 21, 2005 at 8:58 AMView Comments

Security Risks of Airplane WiFi

I’ve already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet.

Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger’s internet use within 10 minutes of obtaining court authorization.

In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane—all from the comfort of an aisle seat.

“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft, and law enforcement needs to maximize its ability to respond to these potentially lethal situations,” the filing reads.

Terrorists never use SSH, after all. (I suppose that’s the next thing the DHS is going to try to ban.)

Posted on July 14, 2005 at 12:02 PMView Comments

Disarming Soldiers

Airplane security is getting surreal:

…FAA regulation that requires soldiers—all of whom were armed with an arsenal of assault rifles, shotguns and pistols—to surrender pocket knives, nose hair scissors and cigarette lighters.

“A foolish consistency is the hobgoblin of little minds.”—Ralph Waldo Emerson

Posted on June 20, 2005 at 3:04 PMView Comments

Orlando Trusted Traveler Program

I’ve already written about what a bad idea trusted traveler programs are. The basic security intuition is that when you create two paths through security—an easy path and a hard path—you invite the bad guys to take the easy path. So the security of the sort process must make up for the security lost in the sorting. Trusted traveler fails this test; there are so many ways for the terrorists to get trusted traveler cards that the system makes it too easy for them to avoid the hard path through security.

The trusted traveler programs at various U.S. airports are all run by the TSA. A new program in Orlando Airport is run by the company Verified Identity Pass Inc.

I’ve already written about this company and what it’s doing.

And I’ve already written about the fallacy of confusing identification with security.

Posted on June 12, 2005 at 8:57 AMView Comments

Backscatter X-Ray Technology

Backscatter X-ray technology is a method of using X rays to see inside objects. The science is complicated, but the upshot is that you can see people naked:

The application of this new x-ray technology to airport screening uses high energy x-rays that are more likely to scatter than penetrate materials as compared to lower-energy x-rays used in medical applications. Although this type of x-ray is said to be harmless it can move through other materials, such as clothing.

A passenger is scanned by rastering or moving a single high energy x-ray beam rapidly over their form. The signal strength of detected backscattered x-rays from a known position then allows a highly realistic image to be reconstructed. Since only Compton scattered x-rays are used, the registered image is mainly that of the surface of the object/person being imaged. In the case of airline passenger screening it is her nude form. The image resolution of the technology is high, so details of the human form of airline passengers present privacy challenges.

EPIC’s “Spotlight on Security” page is an excellent resource on this issue.

The TSA has recently announced a proposal to use these machines to screen airport passengers.

I’m not impressed with this security trade-off. Yes, backscatter X-ray machines might be able to detect things that conventional screening might miss. But I already think we’re spending too much effort screening airplane passengers at the expense of screening luggage and airport employees…to say nothing of the money we should be spending on non-airport security.

On the other side, these machines are expensive and the technology is incredibly intrusive. I don’t think that people should be subjected to strip searches before they board airplanes. And I believe that most people would be appalled by the prospect of security screeners seeing them naked.

I believe that there will be a groundswell of popular opposition to this idea. Aside from the usual list of pro-privacy and pro-liberty groups, I expect fundamentalist Christian groups to be appalled by this technology. I think we can get a bevy of supermodels to speak out against the invasiveness of the search.

News article

Posted on June 9, 2005 at 1:04 PMView Comments

Risks of Cell Phones on Airplanes

Everyone—except those who like peace and quiet—thinks it’s a good idea to allow cell phone calls on airplanes, and are working out the technical details. But the U.S. government is worried that terrorists might make telephone calls from airplanes.

If the mobile phone ban were lifted, law enforcement authorities worry an attacker could use the device to coordinate with accomplices on the ground, on another flight or seated elsewhere on the same plane.

If mobile phone calls are to be allowed during flights, the law enforcement agencies urged that users be required to register their location on a plane before placing a call and that officials have fast access to call identification data.

“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft,” the agencies said.

This is beyond idiotic. Again and again, we hear the argument that a particular technology can be used for bad things, so we have to ban or control it. The problem is that when we ban or control a technology, we also deny ourselves some of the good things it can be used for. Security is always a trade-off. Almost all technologies can be used for both good and evil; in Beyond Fear, I call them “dual use” technologies. Most of the time, the good uses far outweigh the evil uses, and we’re much better off as a society embracing the good uses and dealing with the evil uses some other way.

We don’t ban cars because bank robbers can use them to get away faster. We don’t ban cell phones because drug dealers use them to arrange sales. We don’t ban money because kidnappers use it. And finally, we don’t ban cryptography because the bad guys it to keep their communications secret. In all of these cases, the benefit to society of having the technology is much greater than the benefit to society of controlling, crippling, or banning the technology.

And, of course, security countermeasures that force the attackers to make a minor modification in their tactics aren’t very good trade-offs. Banning cell phones on airplanes only makes sense if the terrorists are planning to use cell phones on airplanes, and will give up and not bother with their attack because they can’t. If their plan doesn’t involve air-to-ground communications, or if it doesn’t involve air travel at all, then the security measure is a waste. And even worse, we denied ourselves all the good uses of the technology in the process.

Security officials are also worried that personal phone use could increase the risk that remotely-controlled bomb will be used to down an airliner. But they acknowledged simple radio-controlled explosive devices have been used in the past on planes and the first line of defence was security checks at airports.

Still, they said that “the departments believe that the new possibilities generated by airborne passenger connectivity must be recognized.”

That last sentence got it right. New possibilities, both good and bad.

Posted on June 8, 2005 at 2:40 PMView Comments

Lighters Banned on Airplanes

Lighters are now banned on U.S. commercial flights, but not matches.

The Senators who proposed the bill point to Richard Reid, who unsuccessfully tried to light explosives on an airplane with matches. They were worried that a lighter might have worked.

That, of course, is silly. The reason Reid failed is because he tried to light the explosives in his seat, so he could watch the faces of those around him. If he’d gone into the lavatory and lit them in private, he would have been successful.

Hence, the ban is silly.

But there’s a serious problem here. Airport security screeners are much better at detecting explosives when the detonation mechanism is attached. Explosives without any detonation mechanism—like Richard Reid’s—are much harder to detect. As are explosives carried by one person and a detonation device carried by another. I’ve heard that this was the technique the Chechnyan women used to blow up a Russian airplane.

Posted on April 20, 2005 at 4:21 PMView Comments

1 41 42 43 44 45 46

Sidebar photo of Bruce Schneier by Joe MacInnis.