Schneier on Security: Tagged no-fly list

Entries Tagged "no-fly list"

Page 2 of 3

Change Your Name and Avoid the TSA Watchlist

Shhhh. Don’t tell the terrorists:

The U.S. Department of Homeland Security wrote a letter to Labb&eacute in 2004, saying he had been placed on their watch list after falling victim to identity theft. At the time, the department said there was no way for his name to be removed.

Although Labbé wrote letters to the U.S. department, his efforts were in vain, prompting him to legally change his name.

“So now, my official name is François Mario Labbé,” he said.

“Then you have to change everything: driver’s license, social insurance, medicare, credit card—everything.”

Although it’s not a big change from Mario Labbé, he said it’s been enough to foil the U.S. customs computers.

Posted on September 15, 2008 at 1:25 PM • View Comments

My LA Times Op Ed on Photo ID Checks at Airport

Opinion

The TSA’s useless photo ID rules

No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don’t work.

By Bruce Schneier

August 28, 2008

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government’s no-fly list—the list that is supposed to keep our planes safe from terrorists—could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they’re trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person’s name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn’t new. It isn’t even subtle. I wrote about it in 2003, and again in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google “print your own boarding pass” can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly list weren’t so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes.

That’s just not true. The no-fly list—a list of people so dangerous they are not allowed to fly yet so innocent we can’t arrest them—and the less dangerous “watch list” contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren’t that many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone’s on the list, and Yusuf Islam (formerly Cat Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can’t get off. They can’t challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn’t been tried yet.)

But even if these lists were complete and accurate, they wouldn’t work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren’t on any list before they committed their terrorist acts. And if a terrorist wants to know if he’s on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to “trusted travelers” to speed them through security lines. Just apply for a Clear card; if you get one, you’re not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can’t. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response—security measures that aren’t based on a guess about a terrorist target or tactic.

That’s the TSA: Not doing the right things. Not even doing right the things it does.

Posted on September 1, 2008 at 5:15 AM • View Comments

TSA Follies

They break planes:

Citing sources within the aviation industry, ABC News reports an overzealous TSA employee attempted to gain access to the parked aircraft by climbing up the fuselage… reportedly using the Total Air Temperature (TAT) probes mounted to the planes’ noses as handholds.

“The brilliant employees used an instrument located just below the cockpit window that is critical to the operation of the onboard computers,” one pilot wrote on an American Eagle internet forum. “They decided this instrument, the TAT probe, would be adequate to use as a ladder.”

They harass innocents:

James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country.

He has even been certified by the Transportation Security Administration to carry a weapon into the cockpit as part of the government’s defense program should a terrorist try to commandeer a plane.

But there’s one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government’s terrorist “watch list.”

It’s easy to sneak by them:

The third-grader has been on the watch list since he was 5 years old. Asked whether he is a terrorist, he said, “I don’t know.”

Though he doesn’t even know what a terrorist is, he is embarrassed that trips to the airport cause a ruckus, said his mother, Denise Robinson.

[…]

Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as “J. Pierce Robinson” also has let the family bypass the watch list hassle.

And here’s how to sneak lockpicks past them.

EDITED TO ADD (8/21): Ha ha ha ha:

Even though its inspector’s actions caused nine American Eagle planes
to be grounded in Chicago this week, the Transporatation Security
Administration says it may pursue action against the airline for
security lapses.

And a step in the right direction:

A federal appeals court ruled this week that individuals who are blocked from commercial flights by the federal no-fly list can challenge their detention in federal court.

Posted on August 21, 2008 at 9:12 AM • View Comments

Sky Marshals on the No-Fly List

If this weren’t so sad, it would be funny:

The problem with federal air marshals (FAM) names matching those of suspected terrorists on the no-fly list has persisted for years, say air marshals familiar with the situation.

One air marshal said it has been “a major problem, where guys are denied boarding by the airline.”

“In some cases, planes have departed without any coverage because the airline employees were adamant they would not fly,” the air marshal said. “I’ve seen guys actually being denied boarding.”

A second air marshal says one agent “has been getting harassed for six years because his exact name is on the no-fly list.”

Another article.

Seriously—if these people can’t get their names off the list, what hope do the rest of us have? Not that the no-fly list has any real value, anyway.

Posted on May 2, 2008 at 7:14 AM • View Comments

Five-Year-Old Boy Detained by the TSA

His name is similar to someone on the “no fly” list:

A five-year-old boy was taken into custody and thoroughly searched at Sea-Tac because his name is similar to a possible terrorist alias. As the Consumerist reports, “When his mother went to pick him up and hug him and comfort him during the proceedings, she was told not to touch him because he was a national security risk. They also had to frisk her again to make sure the little Dillinger hadn’t passed anything dangerous weapons or materials to his mother when she hugged him.”

The explanation is simple: to the TSA, following procedure is more important than common sense. But unfortunately, catching the next terrorist will require more common sense than it will following proper procedure.

If I ever get to interview Kip Hawley again, I’ll ask him about this.

EDITED TO ADD (1/12): Another kid on the no-fly list.

Posted on January 10, 2008 at 10:53 AM • View Comments

Canadian Privacy Commissioner Comments on the No-Fly List

Refreshingly sensible:

Stoddart told inquiry Commissioner John Major she is concerned that people could be placed on the list in error and face dire consequences if their identities are then disclosed to the RCMP or passed on to police agencies in other countries.

And she questioned why, if people are so dangerous that they can’t get on a plane, they are deemed safe to travel by other means in Canada.

[…]

Between June 28, when the program came into effect, and the end of September, no passengers were turned away because of the list, the inquiry heard. Stoddart said that information only increases her suspicion about the value of the program.

“I think it only deepens the mystery of the rationale, the usefulness of this,” Stoddart said. “The program is totally opaque.”

Major suggested that perhaps less extreme measures could be taken. For example, individuals on the list might be able to undergo extra screening so they could be allowed to travel.

[…]

“We are looking to avoid what happened in 9/11. Presumably it’s to keep dangerous people capable of blowing planes up—or capturing them—off the plane. It seems difficult that you can do that by a name (on a list) alone.”

Other members of Stoddart’s staff added there are concerns someone could be stranded in Canada after arriving without incident, only to be prevented from boarding their return flight.

Posted on November 13, 2007 at 12:25 PM • View Comments

The No-Fly List Catches an Actual Terrorist

Or, at the very least, someone who has consorted with terrorists.

It had to happen sooner or later; even a broken clock is right twice a day.

Posted on September 7, 2007 at 1:41 PM • View Comments

Conversation with Kip Hawley, TSA Administrator (Part 3)

This is Part 3 of a five-part series. Link to whole thing.

BS: Let’s talk about ID checks. I’ve called the no-fly list a list of people so dangerous they cannot be allowed to fly under any circumstance, yet so innocent we can’t arrest them even under the Patriot Act. Except that’s not even true; anyone, no matter how dangerous they are, can fly without an ID or by using someone else’s boarding pass. And the list itself is filled with people who shouldn’t be on it—dead people, people in jail, and so on—and primarily catches innocents with similar names. Why are you bothering?

KH: Because it works. We just completed a scrub of every name on the no-fly list and cut it in half—essentially cleaning out people who were no longer an active terror threat. We do not publicize how often the no-fly system stops people you would not want on your flight. Several times a week would low-ball it.

Your point about the no-ID and false boarding pass people is a great one. We are moving people who have tools and training to get at that problem. The bigger issue is that TSA is moving in the direction of security that picks up on behavior versus just keying on what we see in your bag. It really would be security theater if all we did was try to find possible weapons in that crunched fifteen seconds and fifteen feet after you anonymously walk through the magnetometer. We do a better job, with less aggravation of ordinary passengers, if we put people-based layers further ahead in the process—behavior observation based on involuntary, observable muscle behavior, canine teams, document verification, etc.

BS: We’ll talk about behavioral profiling later; no fair defending one security measure by pointing to another, completely separate, one. How can you claim ID cards work? Like the liquid ban, all it does is annoy innocent travelers without doing more than inconveniencing any future terrorists. Is it really good enough for you to defend me from terrorists too dumb to Google “print your own boarding pass”?

KH: We are getting at the fake boarding pass and ID issues with our proposal to Congress that would allow us to replace existing document checkers with more highly trained people with tools that would close those gaps. Without effective identity verification, watch lists don’t do much, so this is a top priority.

Having highly trained TSOs performing the document checking function closes a security gap, adds another security layer, and pushes TSA’s security program out in front of the checkpoint.

BS: Let’s move on. Air travelers think you’re capricious. Remember in April when the story went around about the Princeton professor being on a no-fly list because he spoke out against President Bush? His claims were easily debunked, but the real story is that so many people believed it. People believe political activity puts them on the list. People are afraid to complain about being mistreated at checkpoints because they’re afraid it puts them on a list. Is there anything you can do to make this process more transparent?

KH: We need some help on this one. This is the biggest public pain point, dwarfing shoes and baggies.

First off, TSA does not add people to the watch-lists, no matter how cranky you are at a checkpoint. Second, political views have nothing to do with no-flys or selectees. These myths have taken on urban legend status. There are very strict criteria and they are reviewed by lots of separate people in separate agencies: it is for live terror concerns only. The problem comes from random selectees (literally mathematically random) or people who have the same name and birth date as real no-flys. If you can get a boarding pass, you are not on the no-fly list. This problem will go away when Secure Flight starts in 2008, but we can’t seem to shake the false impression that ordinary Americans get put on a “list.” I am open for suggestions on how to make the public “get it.”

BS: It’s hard to believe that there could be hundreds of thousands of people meeting those very strict criteria, and that’s after the list was cut in half! I know the TSA does not control the no-fly and watch lists, but you’re the public face of those lists. You’re the aspect of homeland security that people come into direct contact with. Some people might find out they’re on the list by being arrested, or being shipped off to Syria for torture, but most people find out they’re on the list by being repeatedly searched and questioned for hours at airports.

The main problem with the list is that it’s secret. Who is on the list is secret. Why someone’s on is secret. How someone can get off is secret. There’s no accountability and there’s no transparency. Of course this kind of thing induces paranoia. It’s the sort of thing you read about in history books about East Germany and other police states.

The best thing you can do to improve the problem is redress. People need the ability to see the evidence against them, challenge their accuser, and have a hearing in a neutral court. If they’re guilty of something, arrest them. And if they’re innocent, stop harassing them. It’s basic liberty.

I don’t actually expect you to fix this; the problem is larger than the TSA. But can you tell us something about redress? It’s been promised to us for years now.

KH: Redress issues are divided into two categories: people on the no-fly list and people who have names similar to them.

In our experience, the first group is not a heavy user of the redress process. They typically don’t want anything to do with the U.S. government. Still, if someone is either wrongly put on or kept on, the Terrorist Screening Center (TSC) removes him or her immediately. In fact, TSA worked with the TSC to review every name, and that review cut the no-fly list in half. Having said that, once someone is really on the no-fly list, I totally agree with what you said about appeal rights. This is true across the board, not just with no-flys. DHS has recently consolidated redress for all DHS activities into one process called DHS TRIP. If you are mistaken for a real no-fly, you can let TSA know and we provide your information to the airlines, who right now are responsible for identifying no-flys trying to fly. Each airline uses its own system, so some can get you cleared to use kiosks, while others still require a visit to the ticket agent. When Secure Flight is operating, we’ll take that in-house at TSA and the problem should go away.

BS: I still don’t see how that will work, as long as the TSA doesn’t have control over who gets on or off the list.

Part 4: Registered Traveler and behavioral profiling

Posted on August 1, 2007 at 6:12 AM • View Comments

Is Big Brother a Big Deal?

Big Brother isn’t what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today’s information society looks nothing like Orwell’s world, and watching and intimidating a population today isn’t anything like what Winston Smith experienced.

Data collection in 1984 was deliberate; today’s is inadvertent. In the information society, we generate data naturally. In Orwell’s world, people were naturally anonymous; today, we leave digital footprints everywhere.

1984‘s police state was centralized; today’s is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and Netflix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There’s no single government entity bringing this together, but there doesn’t have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers.

1984‘s Big Brother was run by the state; today’s Big Brother is market driven. Data brokers like ChoicePoint and credit bureaus like Experian aren’t trying to build a police state; they’re just trying to turn a profit. Of course these companies will take advantage of a national ID; they’d be stupid not to. And the correlations, data mining and precise categorizing they can do is why the U.S. government buys commercial data from them.

1984-style police states required lots of people. East Germany employed one informant for every 66 citizens. Today, there’s no reason to have anyone watch anyone else; computers can do the work of people.

1984-style police states were expensive. Today, data storage is constantly getting cheaper. If some data is too expensive to save today, it’ll be affordable in a few years.

And finally, the police state of 1984 was deliberately constructed, while today’s is naturally emergent. There’s no reason to postulate a malicious police force and a government trying to subvert our freedoms. Computerized processes naturally throw off personalized data; companies save it for marketing purposes, and even the most well-intentioned law enforcement agency will make use of it.

Of course, Orwell’s Big Brother had a ruthless efficiency that’s hard to imagine in a government today. But that completely misses the point. A sloppy and inefficient police state is no reason to cheer; watch the movie Brazil and see how scary it can be. You can also see hints of what it might look like in our completely dysfunctional “no-fly” list and useless projects to secretly categorize people according to potential terrorist risk. Police states are inherently inefficient. There’s no reason to assume today’s will be any more effective.

The fear isn’t an Orwellian government deliberately creating the ultimate totalitarian state, although with the U.S.’s programs of phone-record surveillance, illegal wiretapping, massive data mining, a national ID card no one wants and Patriot Act abuses, one can make that case. It’s that we’re doing it ourselves, as a natural byproduct of the information society.We’re building the computer infrastructure that makes it easy for governments, corporations, criminal organizations and even teenage hackers to record everything we do, and—yes—even change our votes. And we will continue to do so unless we pass laws regulating the creation, use, protection, resale and disposal of personal data. It’s precisely the attitude that trivializes the problem that creates it.

This essay appeared in the May issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum. Here’s his half.

Posted on May 11, 2007 at 9:19 AM • View Comments

Find Out if You're on the "No Fly List"

I’m not. Are you?

Soundex works, generally, by removing vowels from names and then assigning numerical values to the remaining consonants.

This has been the basis for the Computer Assisted Passenger Pre-Screening System (CAPPS) and it is horrendously inadequate and matches far too many names. To see just how poorly Soundex performs, visit nofly.s3.com and type in your name to assess your chances of being on the No Fly or Watch List. This is the only known publicly available site for checking your name against potential terrorist identities and databases. It was developed by S3 Matching Technologies of Austin, Texas. The company’s database technicians merged the best known data on terrorists with the Soundex system to create the site.

Posted on March 14, 2007 at 7:51 AM • View Comments

←Previous 1 2 3 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.