Source:
CRYPTO-GRAM
April 15, 2005
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.schneier.com

Secure Flight Is in Trouble

Report #1: There's a report from the Department of Homeland Security's Inspector General that the TSA lied about its role in obtaining personal information about 12 million airline passengers to test Secure Flight.

The report doesn't explicitly say that the TSA lied, but the TSA lied.

The details are worth reading. And when you read it, keep in mind that it's written by the DHS's own Inspector General. I presume a more independent investigator would be even more severe. Not that the report isn't severe, mind you. Here are some highlights from an AP story:

"The report cites several occasions where TSA officials made inaccurate statements about passenger data:

"In September 2003, the agency's Freedom of Information Act staff received hundreds of requests from Jet Blue passengers asking if the TSA had their records. After a cursory search, the FOIA staff posted a notice on the TSA Web site that it had no JetBlue passenger data. Though the FOIA staff found JetBlue passenger records in TSA's possession in May, the notice stayed on the Web site for more than a year.

"In November 2003, TSA chief James Loy incorrectly told the Governmental Affairs Committee that certain kinds of passenger data were not being used to test passenger prescreening.

"In September 2003, a technology magazine reporter asked a TSA spokesman whether real data were used to test the passenger prescreening system. The spokesman said only fake data were used; the responses "were not accurate," the report said."

There's much more. The report reveals that TSA ordered Delta Air Lines to turn over passenger data in February 2002 to help the Secret Service determine whether terrorists or their associates were traveling in the vicinity of the Salt Lake City Olympics.

It also reveals that TSA used passenger data from JetBlue in the spring of 2003 to figure out how to change the number of people who would be selected for more screening under the existing system.

The report says that one of the TSA's contractors working on passenger prescreening, Lockheed Martin, used a data sample from ChoicePoint.

The report also details how outside contractors used the data for their own purposes. And that "the agency neglected to inquire whether airline passenger data used by the vendors had been returned or destroyed." And that "TSA did not consistently apply privacy protections in the course of its involvement in airline passenger data transfers."

This is major stuff. It shows that the TSA lied to the public about its use of personal data again and again and again.

Report #2: The GAO (Government Accountability Office) issued its own report about Secure Flight. Last year, Congress passed a law that said that the TSA couldn't implement Secure Flight until it met ten conditions: privacy protections, accuracy of data, oversight, cost and safeguards to ensure the system won't be abused or accessed by unauthorized people, etc. The GAO report found nine of the ten conditions hadn't yet been met and questioned whether Secure Flight would ultimately work.

Some tidbits: TSA plans to include the capability for criminal checks within Secure Flight (p. 12). The timetable has slipped by four months (p. 17). TSA might not be able to get personally identifiable passenger data in PNRs because of costs to the industry and lack of money (p.18). TSA plans to have intelligence analysts staffed within TSA to identify false positives (p.33). The DHS Investment Review Board has withheld approval from the "Transportation Vetting Platform" (p.39). TSA doesn't know how much the program will cost (p.51). Final privacy rule to be issued in April (p. 56).

These two reports put the TSA in a bind. It is prohibited by Congress from fielding Secure Flight until it meets a series of criteria. On the other hand, I'm not sure the TSA cares. It's already announced plans to roll out Secure Flight. In August they're going to implement the program nationwide with two still-unnamed airlines.

My own opinions of Secure Flight are well-known. I am a member of a working group to help evaluate the privacy of Secure Flight. While I believe that a program to match airline passengers against terrorist watch lists is a colossal waste of money that isn't going to make us any safer, I said "...assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place." I still believe that, but unfortunately I am prohibited by NDA from describing the improvements. I wish someone at TSA would get himself in front of reporters and do so.

IG report:
http://www.dhs.gov/interweb/assetlibrary/OIGr-05-12_Mar05.pdf

Article on IG report:
http://www.dailystar.com/dailystar/news/67386.php

My previous comments on Secure Flight:
http://www.schneier.com/crypto-gram-0501.html#9
http://www.schneier.com/crypto-gram-0502.html#1

Airline passenger data also used by the Center for Disease Control:
http://www.boston.com/news/nation/washington/articles/2005/04/07/delta_ hoping_to_curb_spread_of_diseases/ or http://tinyurl.com/5snng
My commentary:
http://www.schneier.com/blog/archives/2005/04/more_uses_for_a.html