TSA Blows Off Inspector General's Suggestion Boarding Pass Information Be Encrypted
from the more-business-as-usual dept
The TSA's Secure Flight system apparently isn't all that secure, according to the barely-readable portions of the recently-released Inspector General's report. The TSA has a Pre-Check program that requires a ton of personal information and $85 to participate in. It also has "Secure Flight," which grants Pre-Check privileges on a case-by-case basis, for which travelers pay nothing. This simply means they won't always find themselves in the short line, but it does call into question the need to provide a ton of information up front, much less $85 for an experience others are getting for free.
Much like everything else the TSA is nominally in charge of, it has flaws. A whistleblower report to the TSA and the Office of the Inspector General claimed that the use of a "risk-based rule" led to a "vulnerability in aviation security" back in early 2014. (This would be before the Pre-Check system allowed a convicted murder with explosives experience to bypass more rigorous screening, simply because the boarding pass included the "wave me through" checkmark.)
What this "vulnerability" was is never openly explained. There's plenty of text in the report (28 pages of it, in fact), but everything specific is hidden under a thick layer of black ink. What we do know is that it involved boarding passes and the TSA's "risk-based assessment" program.
As a result of the report, the TSA suspended the redacted Secure Flight "rule". This rule was apparently linked to passengers' ability to print out their own boarding passes with the handy Pre-Check checkmark on them. Apparently, someone used someone else's ticket or found a way to print boarding passes without providing proper ID verification. Either way, this mysterious "rule" went away, and along with it, some Pre-Check passenger privileges.
Now, the TSA is planning to add additional layers of verification to the Pre-Check/Secure Flight system. But this won't fully go into effect until later this year. In the meantime, the "rule" remains suspended.
As a result of this redacted breach, the OIG's office made three recommendations -- which are also mostly redacted.
The first suggests the nature of the breach (or the problem with the rule) [or both].
Explore the feasibility of encrypting commercial aircraft carrier boarding passes [rest of sentence redacted].The other two recommendations target the TSA's upgraded credential authentication program.
The TSA pretty much disagrees with the entirety of the OIG's assessment. Scattered between heavy redactions are various punchy odes to its pretty-much-infallible coin toss it calls "risk assessment." Scattered between other redactions are assertions that the TSA is pretty good about assessing threats and has been steadily improving for years without the OIG's constant nagging.
But before it heads into that, the OIG declares the TSA to be "responsive" to its first recommendation, even though it didn't do anything more than declare the recommendation too expensive and too difficult.
Management Response to Recommendation #1: TSA officials did not concur with Recommendation 1. In its response, TSA said in 2012 it explored the cost and feasibility of encrypting commercial aircraft carrier boarding passes [redacted]. After engaging industry stakeholders, TSA decided not to adopt this approach because of limited data fields in some air carrier systems and encrypting boarding pass barcodes is cost prohibitive. TSA said it decided to pursue a more practical and affordable solution using a digital signature.Nothing's too good for the USofA! I mean, nothing's too practical and affordable. So, let's just use a "digital signature" because it's pretty much just as secure, right?
Now, we just have to assess the wisdom of the TSA's estimation of itself in light of this new (but very limited) information. It thinks it's doing a bang-up job making flying more secure. TSA head John Pistole frequently mentions the many programs it uses in addition to pre-flight scanning/screening, most of which have been determined by others to have a 50% hit rate.
On one hand, its screeners managed to miss 95 out 100 prohibited items during a recent assessment of its screening protocols. (But, man, it was all over that bag of cash, wasn't it!) On the other hand, its long-running ineptitude has yet to result in mass hijackings. It fails at the thing it does the most of (patdowns, screenings) and its more intangible efforts (risk assessment) haven't proven to be any more accurate than its in-person patdowns. In totality, we have a self-important entity whose presence is hardly justified. It appears air travel would be roughly as safe without the TSA's multiple encroachments. What it argues works well actually doesn't, and new issues are dismissed as not being worth the effort/expense to fix.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: boarding passes, encryption, pre-check, secure flight, tsa
Reader Comments
Subscribe: RSS
View by: Time | Thread
TSA risk assessment
Is the TSA's risk assessment as good as it's ability to assess whether an attractive person needs to be groped?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Lethal knowledge
So we should also put software engineers, demolitions experts, and high energy physicists (because who knows, right?) through more rigorous screening simply because of what they know?
Should we also forbid martial artists from boarding a plane with their fists and feet?
If you're going to start triaging people because of what they know, let's be thorough about it, shall we?
[ link to this | view in chronology ]
Re: Lethal knowledge
It's not the "explosives experience" alone, it's the "explosives experience" combined with the documented lack of moral restrictions against killing fellow humans.
Most "software engineers, demolitions experts, and high energy physicists" have moral restrictions against killing fellow humans, so they wouldn't misuse their knowledge in the ways the TSA is supposed to be worried about.
[ link to this | view in chronology ]
Re: Re: Lethal knowledge
That is your rational - amazing.
[ link to this | view in chronology ]
Re: Re: Lethal knowledge
[ link to this | view in chronology ]
Re: Re: Lethal knowledge
You obviously don't know too many 'software engineers, demolitions experts, and high energy physicists'
[ link to this | view in chronology ]
Re: Lethal knowledge
Unless the person is under court supervision, such as parole, there should not be discrimination in the USA. If the person really is a threat, TSA can use due process and go to court for an order against the person. Enough of this secret discrimination by the government, as it will only expand to others.
[ link to this | view in chronology ]
Oh great... REAL bullets!
So why start pretending now?
It's like asking an actor who plays a soldier to start doing REAL SOLDIER things.
Come on guys... THEY'RE ACTORS! It's what they do!
[ link to this | view in chronology ]
Re: Oh great... REAL bullets!
Anyone visited denver lately? The airport concession workers have a special door they use to bypass all of TSA. Flight crews literally get more screening than mcdonald workers.
Look closely in denver, south screening the special portal for workers dumps out in front of the police podium, after screening.
[ link to this | view in chronology ]
Re: Re: Oh great... REAL bullets!
I'll bet you have not spotted a breach. But your imagination and your indignation-engine got the best of you.
TSA sucks, but baseless accusations of scary doors with mcdonalds workers coming out just seem silly.
[ link to this | view in chronology ]
Re: Re: Re: Oh great... REAL bullets!
Certainly you remember the pilot who was reprimanded for pointing out this glaring loophole at SJC from a few years ago? We can't have people pointing out that the emperor has no clothes, now can we?
By and large, the people with access to do the most damage to aircraft receive no screening whatsoever. None. Nada. Zip. Merely a 10-year background check and they're good.
Some airports like MSP, BNA, and PHX do require airport workers to go through screening. Most do not. These aren't baseless accusations. It's true: there is this glaring hole in the process and yet nothing has gone boom.
Did you ever stop to wonder how DL flight attendants and pilots based in ATL seem to keep showing up at other airports with guns in their in-cabin luggage? Or baggage handlers run drug and gun rings from ATL up to NYC? Maybe you should connect those dots before you get offended next time.
[ link to this | view in chronology ]