Connecticut Gives Up Banning Cameraphones In Court Rooms

TSA Loses Laptops With 'Verified' Flyer Details

from the your-middle-name-is-what-now? dept

Tue, Aug 5th 2008 12:06pm — Mike Masnick

The concept of a "trusted" or "verified" traveler program at airports has been shown as not particularly secure for years -- but it didn't stop the TSA from aggressively rolling out the program. There's no doubt that, for frequent travelers to locations participating in the "Clear" program, it's wonderful. You pay $100/year and you get to bypass all the security lines, and head to a special faster security screening line, supposedly because your background is already "cleared." As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some "terrorists" on the list, and you've just made life a lot easier.

Either that, or pretend to be someone on the list.

And what better way to do that then to get your hands on the details of everyone on the list. Well, it appears that the TSA has forgotten its middle name, and failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the clear list (Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver's license or passport numbers of 33,000 applicants. It's unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.

The company that runs the program, Verified Identity Pass, issued statement that isn't particularly comforting:

"We don't believe the security or privacy of these would-be members will be compromised in any way."

First of all, that's not true. If you've exposed people's names, addresses and driver's license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals' security and privacy, I would be worried about overall airport security, which has now been compromised. Update: So, this is weird. The laptop has been found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what -- but still not particularly comforting.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: clear, laptops, lost data, security, tsa, verified identity

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 5 Aug 2008 @ 12:30pm

The TSA is a joke. They are on par with the same idiots in charge of security at your average branded community.
[ link to this | view in chronology ]
John, 5 Aug 2008 @ 12:31pm

TSA didn't lose it....
Unless those other news reports had it wrong, the company Verified Identity Pass owned and colected the data and failed to encrypt it. It was in a locked office, but then my house was locked when we were burgled, so ...

Point is that if you wish to blast someone for not taking security seriously, in this case it's hard to see why TSA is getting blamed.
[ link to this | view in chronology ]
- Lickity Split, 5 Aug 2008 @ 12:37pm
  
  Re: TSA didn't lose it....
  because the TSA contracted this company to do the work and paid them with taxpayer money, so legally they are the responsible party.
  
  Would you give the TSA as an organization a pass because one "employee" let a terrorist through the check point with a bomb..."hey man it's not the TSA's fault it was that one guy that let him in"...
  [ link to this | view in chronology ]
  - Larry, 5 Aug 2008 @ 2:05pm
    
    Re: Re: TSA didn't lose it....
    Not true. Like you, I haven't read the contract but I've read a lot of them and I'm pretty sure there will be all the proper legalese in there concerning data protection from loss/destruction/misuse.
    
    Unless SOMEHOW that detail wasn't in the contract, then the contractor is fully responsible (both legally and morally) and the TSA is not.
    
    Won't stop the bad press and TSA bashers (of which I'm one) however.
    [ link to this | view in chronology ]
JB, 5 Aug 2008 @ 12:41pm

Background Doesn't Matter On My Flight
Who cares if their background is pre-cleared?

All that really matters is today, right now, are they carrying a bomb or a weapon?

All passengers need the same pre-flight screening. I don't care if Osama Bin Laden himself is sitting next to me on a plane, as long as he doesn't have a bomb or a box cutter in his briefcase.
[ link to this | view in chronology ]
- dcg, 5 Aug 2008 @ 1:41pm
  
  Re: Background Doesn't Matter On My Flight
  You say that but it's not true...
  
  OBL would be a real PITA to sit next to: constantly calling you an infidel dog, bitching about the violations of the Koran all around him, and I'll bet you $100 he snores...
  [ link to this | view in chronology ]
- Anonymous Coward, 5 Aug 2008 @ 1:53pm
  
  Re: Background Doesn't Matter On My Flight
  There are no terrorists. They only exist as a way of keeping you scared, keeping you a sheep in the system.
  
  It's nothing more than a social control device.
  
  Here, let me say it so you'll understand:
  "baa, baa baa, baa."
  [ link to this | view in chronology ]
  - Anonymous Kansas Coward, 5 Aug 2008 @ 2:20pm
    
    Re: Re: Background Doesn't Matter On My Flight
    #7, you're an idiot. Have you ever heard of the World Trade Center?
    [ link to this | view in chronology ]
    - Anonymous Coward, 5 Aug 2008 @ 2:55pm
      
      Re: Re: Re: Background Doesn't Matter On My Flight
      This is a stupid conversation. #7 and #12, both of you shut up, thank you.
      [ link to this | view in chronology ]
    - Anonymous Coward, 5 Aug 2008 @ 8:00pm
      
      Re: Re: Re: Background Doesn't Matter On My Flight
      those terrorists mostly blew themselves up. now are any left?
      [ link to this | view in chronology ]
ScaredOfTheMan, 5 Aug 2008 @ 1:47pm

identity theft yes, security risk for flights....not so much
This is really bad news for those people on the list, now if that data falls into unscrupulous hands someone will assume their identity and do the awful things to their credit.

But to assume their identity to get on a plane will be a little more difficult as you will need to pass a retina scan (part of the Clear enrollment) before you get passed the gate.
[ link to this | view in chronology ]
tm, 5 Aug 2008 @ 1:59pm

Laptop Encryption Question
I had a friend at GE in the financial dept under the large hospital equipment dept. He had a work laptop that somehow that this encryption key and a fob that changed digits like every 30 seconds. Whenever he used his laptop, he had to enter this code from the fob. The idea was that if he ever lost or got his laptop stolen, the person who had the laptop could not access the hd contents unless they had this code, only found on his fob.

Do our gov't agencies or organizations as large as the TSA with private info not use security like this? And if they do, should we really be all that worried about the info on these computers?
[ link to this | view in chronology ]
- Estelle, 5 Aug 2008 @ 2:31pm
  
  Re: Laptop Encryption Question
  I have one of those fob gadgets for my Paypal account. When I want to log into my Paypal account, I have to type in my username and password and then on a second screen I am asked to press the button on the handheld gadget, which creates a 3 digit code that is good for 30 seconds. I am then required to type in that 3 digit code and hit the Enter key. I'm a tech and I have no idea how this damned thing works.
  [ link to this | view in chronology ]
Osama Bin Hidin', 5 Aug 2008 @ 2:07pm

99% of the companies that the Government contracts things out to are incompetent to do the work they're contracted for. Everything gets "fast tracked" into some Senator's buddy or fund raiser's nephew's company, and the only ones who get screwed are the public. I used to work for the TSA, back when it was founded. There were a lot of highly qualified, highly motivated people who were very concerned about this country's security. When it became clear that most of those running the organization (political appointees) were only interested in looking like they were doing something, rather than actually making things secure, most of us left. You don't need a screened passenger to put a bomb on board a plane, the non-US citizens who clean the airport bathrooms can do it, as they go through no screening whatsoever on a daily basis, and have access to all the secure areas of the airport.
[ link to this | view in chronology ]
- to continue, 5 Aug 2008 @ 2:10pm
  
  Re:
  Sure, they face an "initial" background check, but who's to say that the "Manuel Labor" that shows up on Tuesday is the same guy who passed the background check? Nobody checks them as they come and go, and while they have picture ID cards, so do guys on the streetcorners of East L.A., and for $30, you can have one too.
  [ link to this | view in chronology ]
Steve, 5 Aug 2008 @ 2:52pm

Does it matter? Its not like our government is computer literate or will be for that matter. Just ask Lee Gomes at the WSJ. HA!
[ link to this | view in chronology ]
Enis McGee, 5 Aug 2008 @ 3:45pm

Another one, or same one?
Is this the "missing laptop" you speak of? or another security breach?

http://www.bizjournals.com/eastbay/stories/2008/08/04/daily32.html
[ link to this | view in chronology ]
iblanetheirmom, 5 Aug 2008 @ 3:53pm

TSA is a JOKE!!
for the past three months I have flown 1-3 flights a week. Countless hours lost to retarded lines that make me feel no safer to fly than pre 9-11. We have basicly hired McDonalds drive through qualified individuals, paid them way to much money to automatically assume that every American is a terroris. Every airport seems to have different search proceedures, different treatment of fliers but they all have one thing in common, their job is a joke, "Homeland Security" is a joke, give me my rights back, my time back, and stop creAting another tier of society, those that can buy their freedoms and those who are criminal for not proving otherwise by being forced to allow an unlawful search of personal property.
[ link to this | view in chronology ]
Ryan, 5 Aug 2008 @ 5:04pm

the real question
The real question I keep asking whenever I read about these things is:

Why is this data on a laptop to begin with?

I keep hearing of all these stories, and I find no reason why all these laptops have plain text files of all this data on them. It shouldn't be sitting around in plain text, and it shouldn't be on laptops.

This is what VPN is for people.

Is it time for a law against storing CC#, DLN, Passport, or SSN information on any portable device?
[ link to this | view in chronology ]
Perry Masonary, 5 Aug 2008 @ 5:14pm

Another chapter in the continuing saga of
they do not give a rats ass about whether your personal information is kept secure or is divulged

Companies, government, your doctor ... they do not have a reason to care.

One of these days someone will take them to court.
[ link to this | view in chronology ]
Anonymous Coward, 5 Aug 2008 @ 10:33pm

In the interest of security the first thing that needs to be done is to put those 33,000 people whose identities have been compromised straight onto the no-fly list.

On the bright side, at least the TSA has a ready supply of potential replacement laptops to pick from.
[ link to this | view in chronology ]
Enrico Suarve, 6 Aug 2008 @ 3:57am

A farce from begining to end
Couple of things:

1) Before Osama turned 'bad', before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) - who says that just because you aren't a threat today you won't be tomorrow?. Therefore the whole concept of a 'Clear' list is ridiculous

2) As noted by other posters the quality of staff enforcing the 'rules' isn't exactly sky high. I don't know what it's like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think "If you're the last line of defense between me, and a criminal mind so ingenious they can make a bomb out of 101ml of water then I am so DEAD!"

3) If you contract out work to the lowest bidder (or let's be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable its still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust. The same people who are saying otherwise in this thread are probably the exact same people who would jump all over me if I were to double click on every attachment which came from someone I tusted

4) The laptop was 'found' - yeah right, translation: "We are getting shit loads more flak from this than we expected and since we still have copies of the data you can't prove anything". Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!

5) As for the statement "Yes, it was sensitive privacy information, but not the stuff that was most sensitive", translation: "We store that on a CD...". Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly 'safe' IDs, does it really matter if you didn't managed to get their sexual preferences?
[ link to this | view in chronology ]
llorgam, 6 Aug 2008 @ 5:37am

get it straight
"(Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters)."

no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into. Granted, the laptop was not encrypted (a cost saving measure -- private firms do that a lot nowadays). The office was at SFO, so the airport didn't provide strong doors(?).

the program is supported by user fees, so tax dollars are not as much an issue.

Try to keep it straight -- or at least share the stuff you're smoking
[ link to this | view in chronology ]
- Anonymous Coward, 6 Aug 2008 @ 7:14am
  
  Re: get it straight
  no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into.
  Yeah. A private firm employed by the TSA. So you're trying to argue that the TSA isn't responsible for the actions of those it employs?
  [ link to this | view in chronology ]
Anonymous Coward, 6 Aug 2008 @ 7:17am

The laptop was "found"? If it was there, and then it wasn't, and then it was, you'd better opperate on the assumption that everything on it has been compromised. It's not like the data couldn't be copied and the physical device returned.
[ link to this | view in chronology ]
Mike, 6 Aug 2008 @ 1:18pm

Giving so much power to the uneducated...
Would YOU work for the TSA? Enough said. I can't trust the Khmer Rouge types at all!
[ link to this | view in chronology ]
Mike again, 6 Aug 2008 @ 1:26pm

Laptops multiplied by airports...
Does this mean that they have UNENCRYPTED laptops that can be easily STOLEN at every major airport in the US? Sensitive info should never be stored on laptops or on networked computers.
[ link to this | view in chronology ]
Howard_NYC, 11 Aug 2008 @ 5:24pm

Q: if they cannot guard a laptop, how can they protect an airport?
Q: if they cannot guard a laptop, how can they protect an airport?

the deal was, citizens would trade comfort for safety... and now we have neither...

if TSA keeps this or any other vendor capable of such a knucklehead play, there should be terminations of senior managers...

the C-levels at the vendor should be asked to step down -- today
[ link to this | view in chronology ]