FOIA Documents Expose Details On TSA's $47,000 Coin Flipping App

from the but-with-at-least-as-much-possible-groin-grabbing-as-Tinder! dept

Time for yet another episode of "Your Tax Dollars Faffing About." According to documents liberated by Kevin Burke, the TSA spent a ridiculous amount of money on an iPad app that randomly generates a left or right arrow.

They sent me two documents. The first is a disclaimer about how they had to black out some of the information. The second is the contract between the TSA and IBM. And there's the payment:

Later today Pratheek Rebala reached out to mention that this data is available publicly, and there were 8 other payments as part of the same award, totaling $1.4 million; the document I have is one part, totaling $336,000. Furthermore, there were 4 bids for the contract and IBM won the bidding.
Because these are FOIA documents, some information has not been freed. (See: FOIA Exemption: SOP) This makes it difficult to narrow down the amount of the contract that went just to the random number/arrow generator.

Here's a blurry photo of the app in use, overseen by a TSA agent wearing the regulation genital-fondling gloves.


The TSA -- presumably appropriately shamed for spending $1.4 million on an app someone could build for several hundred thousand dollars less/without IBM's awesome computing power during their spare time -- began reaching out to those covering this story with a correction.

Taxpayers: the $1.4 million may have been blown on a left/right arrow app in total, but only ~$50,000 went directly to the development of the TSA's random number generator.
The total development cost for the randomizer app was $47,400, a TSA spokesperson told Mashable, which was part of the $336,413.59 contract.
No further details were provided. This clarification suggests the TSA only comically overpaid for its "randomizer" rather than tragicomically overpaid for its digital coin flipper.

It's not that the app doesn't serve a purpose -- although it does so in an overpriced, underwhelming fashion. The TSA had two concerns to address. First, it didn't want to be viewed as "profiling" when "randomly" selecting people for extra scrutiny, as it had in the past.
You're OK.
You're OK.
You're… brown. Come this way.
You're OK.
You're OK.
You're… an infant. Please follow me.
Second, it had to actually randomize the outcome to deter would-be terrorists from gaming the system and bypassing the Director's Cut of the TSA's Security Theater.

So, it handled it as government agencies are supposed to. It made a list of requirements, opened up the floor for bidding, awarded the contract, and (most likely) watched deadlines and budget targets sail past like passengers granted instant Pre-Check approval just because the lines were getting a little long.

Now, it's probably not quite as ridiculous as it first appears -- all of this money devoted to a left/right arrow generator. The app would need to be both tamper-proof and idiot-proof, and combining the TSA and IBM on a project is going to generate a lot of overhead costs. The total may also include the purchase of a few hundred iPads, which aren't exactly easy on the wallet.

But in the end, it's $50,000 for a random number generator with a lackluster front-end being run by a Wal-Mart greeter but for potential terrorists. And to date, it has yet to direct a would-be terrorist into the waiting arms of secondary screeners.


Filed Under: foia, tsa


Reader Comments



  • icon
    Ehud Gavron (profile), 7 Apr 2016 @ 10:59am

    mas o menos

    We're very proud of the "American tradition" that our free-market economy, supply-and-demand, and market-driven focus allows "greater freedoms."

    Of course ignoring tariffs*, trade-agreements, credit-exchanges, and other regulatory mechanisms that entirely make the above false, we get to the crux of the thing.

    We love it when we can get a great deal on a new car because we did our homework. We love it when we find a great special at Macy's on that crystal photo frame we just didn't get as a gift at wedding number one. We love it when we can get five limes for a dollar instead of three.

    On the flip side we're proud when we sold our used VW Bug for a few thousands of dollars over the estimated price. We love seeing that Blac Chyna will likely get one million dollars for "starring" in a KUWTK episode. We love it if our worthless script for "Time Tunnel 1980" (starring Barry Van Dyke and Kent McCord) is purchased for a million dollars.

    So we love getting something for less than what it's worth.
    We love selling something for more than what it's worth.

    This thing isn't a failure on IBM's part. IBM did their shareholders proud by collecting an amazing ("tragicomical"?) amount of money for a one-line app any schoolkid can code in under a minute. That someone put a graphical user interface (GUI) on it that's a big arrow, and someone else made it "tamper-proof"* is awesome.

    What IS the problem is that our government -- which is supposed to have accountability and checks and balances -- not only happily approved this whole mess, but then tries to explain it's not as bad as we think it is.

    So good on IBM and its shareholders for maintaining a profit margin on every app. Bad on the TSA for this. You can, however, consider that after fondling children, searching baby diapers, making people take out colostomy bags and various other things, having a mother drink her own breast milk, and holding travelers hostage for 15 years... this isn't even sweet icing on that cake.

    Ehud


    * Those blue regulation "genital fondling" gloves mean they can't hack anything. They don't trigger a response from capacitative-touch screens.

    link to this | view in chronology ]

  • icon
    Whatever (profile), 7 Apr 2016 @ 11:54am

    The Price Is Right-ish.

    A true randomizer (and not one that can be predicted) is actually a reasonably complex thing to write. The random() functions in most computer languages are not really as random as you wish they were.

    46k for the software that includes the randomizer actually ain't very expensive at all. Remember, that is the whole APP, and not just the generator.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Apr 2016 @ 12:24pm

      Re: The Price Is Right-ish.

      Yes, true computer generated randomization is really hard to do.

      But I'd bet $46k that they didn't do anything fancier than built in random functions. Or, at most, stock IBM functions that they've had sitting around.

      link to this | view in chronology ]

      • icon
        JoeCool (profile), 7 Apr 2016 @ 9:45pm

        Re: Re: The Price Is Right-ish.

        No, "true" computer randomization is easy. It's beginner level stuff. If you don't have the math, there's a number of pages on the web that describe (complete with code) how to do any number of random number generators that are statistically indistinguishable from "true" randomization. Pick one and add the arrow and you're done. It's like 5 minutes work, with 4 of that being reading the web page and deciding which RNG you want to use.

        link to this | view in chronology ]

        • icon
          John Fenderson (profile), 8 Apr 2016 @ 5:58am

          Re: Re: Re: The Price Is Right-ish.

          Ummm, no, it's not. The best you can do is to pull tricks like measuring time between arbitrary noncomputed events, such as keystrokes. But even those aren't actually random.

          You can, as you say, select RNGs that have very similar statistical characteristics with actual randomness for a finite run, but they are not producing truly random numbers.

          But all of that is irrelevant, since what is needed for an app like this isn't anything close to randomness anyway. Just using the standard library RNG combined with reseeding every so often would be more than adequate.

          link to this | view in chronology ]

          • icon
            nasch (profile), 8 Apr 2016 @ 7:03am

            Re: Re: Re: Re: The Price Is Right-ish.

            Software for true randomness is probably not that hard either though is it? That has to be supported by special hardware, so you just query the hardware for some random output. I've never done it so maybe I'm wrong but it seems like it would be simple.

            link to this | view in chronology ]

            • icon
              John Fenderson (profile), 9 Apr 2016 @ 6:30am

              Re: Re: Re: Re: Re: The Price Is Right-ish.

              But that's not the software generating random numbers (something that is impossible with the sorts of computers we use). It's just the software reading a number from a device.

              If that's what the TSA was paying for, then one would think that they would have said so. Also, I don't see any hardware plugged into those tablets.

              link to this | view in chronology ]

              • icon
                nasch (profile), 9 Apr 2016 @ 8:01am

                Re: Re: Re: Re: Re: Re: The Price Is Right-ish.

                Right, I wasn't talking about this app, just software generally. And that's exactly right, software doesn't make random numbers.

                link to this | view in chronology ]

          • icon
            JoeCool (profile), 14 Apr 2016 @ 11:20am

            Re: Re: Re: Re: The Price Is Right-ish.

            Now you're just arguing philosophical definitions of "true". I'm talking engineering.

            link to this | view in chronology ]

            • icon
              nasch (profile), 14 Apr 2016 @ 12:31pm

              Re: Re: Re: Re: Re: The Price Is Right-ish.

              > I'm talking engineering.

              Computer engineers are very aware of the difference between random numbers and pseudorandom numbers, and it is not a philosophical distinction.

              link to this | view in chronology ]

              • icon
                JoeCool (profile), 15 Apr 2016 @ 10:31pm

                Re: Re: Re: Re: Re: Re: The Price Is Right-ish.

                Not when they're statistically indistinguishable.

                link to this | view in chronology ]

                • icon
                  nasch (profile), 16 Apr 2016 @ 9:21am

                  Re: Re: Re: Re: Re: Re: Re: The Price Is Right-ish.

                  > Not when they're statistically indistinguishable.

                  If by philosophical you mean academic or semantic, I'm fine with that. If you mean arbitrary or subjective, then no.

                  link to this | view in chronology ]

        • icon
          John85851 (profile), 8 Apr 2016 @ 10:27am

          Re: Re: Re: The Price Is Right-ish.

          Let's get into more math...
          If the TSA wants a random number generator that's statistically more accurate than a regular computer's random number generator, then what is the probability this system will catch a terrorist, based on all the past evidence of catching any terrorist at the TSA line? If the number of terrorists to be caught is statistically 0, then there's no need for a random number generator with a higher level of precision.

          Or Occam's razor:
          What are the chances that a terrorist will take the time to determine that the TSA is using RNG-1 Alpha 3 and that the randomization pattern is 0-1-1-1-0-0 and he's able to slip into the wrong line? Compare that to a terrorist who just says "f this- I'm in the wrong line so I'll blow up the airport"?

          In other words, this is another $47,000 spent to make it look like the TSA is "doing something".

          link to this | view in chronology ]

          • icon
            Ehud Gavron (profile), 8 Apr 2016 @ 10:37am

            Re: Re: Re: Re: The Price Is Right-ish.

            John85851 wrote:
            > In other words, this is another $47,000 spent to make it look like the TSA is "doing something".

            Absolutely. All this talk of math is missing the forest for the trees.

            The TSA's job is to prevent hazardous materials and dangerous people from crossing into the sterile area of a public airport. All the rest of this discussion is about a trivial piece of waving shiny object with an arrow on it which is all just a part of The Security Theater.

            Ehud

            link to this | view in chronology ]

  • icon
    Maxwell (profile), 7 Apr 2016 @ 11:56am

    One line.....

    function directPassenger(){
    return Math.random() > 0.5 ? "RIGHT" : "LEFT" ;
    }

    link to this | view in chronology ]

    • icon
      Whatever (profile), 7 Apr 2016 @ 11:59am

      Re: One line.....

      Except that isn't truly random. It is pseudo random and talented people have proven the results can be predicted.

      link to this | view in chronology ]

      • icon
        Maxwell (profile), 7 Apr 2016 @ 12:09pm

        Re: Re: One line.....

        This is a passenger directing tool. You don't need crypto level secure PRNG. Your browser's Math.random() will do just fine and no one will notice. Even if you wanted more randomness existing implementation of other PRNG would do just fine (https://en.wikipedia.org/wiki/Mersenne_Twister)

        link to this | view in chronology ]

      • icon
        jupiterkansas (profile), 7 Apr 2016 @ 12:45pm

        Re: Re: One line.....

        Jeez, it's more than random enough for the purpose it needs to serve.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Apr 2016 @ 3:24pm

        Re: Re: One line.....

        OK. Yeah, if you simply took the pseudorandom number generated, they wouldn't be truly random. And yeah, if someone sat around long enough, they might be able to figure out the pattern, and make sure to take a position where they'd go into THIS line instead of THAT line. And that's not acceptable for this type of thing.

        But the solution to that is simple. Add the pseudorandom number to the human input you're getting. If the user presses the "next" button and the milliseconds are even, take the pseudorandom result. If the milliseconds are odd, take the opposite.

        For an application like this, that's more than enough. You can't get a reliable read on the pseudorandom sequence if the numbers are sometimes flipped. And even if you somehow could, there's no way you could know to the millisecond when the TSA guy was going to press the button when it was your turn.

        This should still take less than a day to make.

        link to this | view in chronology ]

      • icon
        nasch (profile), 7 Apr 2016 @ 4:41pm

        Re: Re: One line.....

        > Except that isn't truly random. It is pseudo random and talented people have proven the results can be predicted.

        When the screening is not likely to catch any weapons anyway, what difference does it make?

        link to this | view in chronology ]

        • icon
          Whatever (profile), 7 Apr 2016 @ 11:26pm

          Re: Re: Re: One line.....

          The difference is that if you have someone in screening who is working for you, you might want to go through their line instead of another line so that you could get something truly bad through security (drugs actually would be a good example). The whole point of having more than one line and selecting people at random for each is to make it much harder for people to end up in the correct lane to pull off such a thing.

          It's also why they rotate the workers around frequently and not on schedule so that it's harder to know where any employee or group of employees may be at any given time.

          In the world of what you guys would call "security theater" the random line selection software is actually something that adds to security in a small but real way.

          link to this | view in chronology ]
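
Maxwell's one-liner from the thread above, reworked as an added example (not code from the post, the commenters, or the TSA/IBM app): it draws from the platform CSPRNG through `crypto.getRandomValues` instead of `Math.random()`, and it goes beyond the two-arrow case by picking uniformly among any number of lanes with rejection sampling. The names `cryptoByte`, `uniformInt`, `pickLane` and `selectForScreening` are illustrative assumptions.

```javascript
// Added example: lane picker backed by the platform CSPRNG, not Math.random().
// All function names here are illustrative; none come from the TSA/IBM app.

// Web Crypto is a global in browsers and recent Node; older Node exposes it
// through the node:crypto module.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Return one byte (0..255) from the operating system's CSPRNG.
function cryptoByte() {
  const buf = new Uint8Array(1);
  webCrypto.getRandomValues(buf);
  return buf[0];
}

// Uniform integer in [0, n) for 1 <= n <= 256, using rejection sampling.
// A plain `byte % n` is biased whenever 256 is not a multiple of n:
// for n = 3, result 0 would own 86 of the 256 byte values and 1 and 2 only 85.
// `nextByte` is injectable so the logic can be tested deterministically.
function uniformInt(n, nextByte = cryptoByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer between 1 and 256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  let b;
  do {
    b = nextByte();
  } while (b >= limit); // discard the biased tail and draw again
  return b % n;
}

// Pick one lane with equal probability. Defaults to the two-arrow case.
function pickLane(lanes = ['LEFT', 'RIGHT'], nextByte = cryptoByte) {
  if (!Array.isArray(lanes) || lanes.length === 0) {
    throw new RangeError('lanes must be a non-empty array');
  }
  return lanes[uniformInt(lanes.length, nextByte)];
}

// Divert roughly one passenger in `oneIn` instead of splitting 50/50.
function selectForScreening(oneIn, nextByte = cryptoByte) {
  return uniformInt(oneIn, nextByte) === 0;
}
```

Because every draw comes from the OS generator, earlier arrows give an observer nothing to extrapolate from, which is the property the thread is arguing about; no reseeding or timing tricks are needed.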

  • icon
    JonC (profile), 7 Apr 2016 @ 11:58am

    Of course it was $50000. They had to pay for enough licenses for all the iPads. They can't just buy one copy and install it on all their devices. That would have to be infringement of some sort, and maybe piracy too.

    link to this | view in chronology ]

  • identicon
    Philip, 7 Apr 2016 @ 12:11pm

    In Defense of Walmart

    Referring to TSA agents as Walmart greeters is quite an insult. I am shocked by such insensitivity. Walmart greeters are much better trained than TSA agents.

    link to this | view in chronology ]

  • identicon
    Brad, 7 Apr 2016 @ 12:11pm

    Price isn't that far off

    I work in IT procurement for a non-IT fortune 50 company. We do business with all the major IT firms, IBM included.

    For a simple custom web app that is being deployed in a (hopefully) controlled environment, this isn't a terrible price. My guess would have been around 10-20k from a similarly sized developer. But the government contracting/requirements process by itself probably adds 50-100% to the cost, even before a line of code has been written.

    I'm sure Joe developer could do it at home for less, but IBM's not gouging them and the government isn't overpaying any more than normal for this.

    link to this | view in chronology ]

    • identicon
      Peter, 7 Apr 2016 @ 1:05pm

      Re: Price isn't that far off

      50 - 100 % is probably underestimating. Most of the requirements process is non-scaling. i.e. the costs remain the same no matter how small or simple the job.

      I remember a certain defence company being forced to go through a full requirements, tendering and evaluation process to buy two radios....not two types, count them, two actual radios (one of the requirements being they had to be off the shelf). One of the bidders commented that it would have cost them less to just ignore the bid process and just send the two radios.

      link to this | view in chronology ]

  • icon
    Ehud Gavron (profile), 7 Apr 2016 @ 12:34pm

    "True Random" vs "Pseudo Random"

    It's not really important whether it's truly random. As Whatever pointed out "A true randomizer (and not one that can be predicted)" is what's important. For being unpredictable the stock random functions are important enough.

    See http://www.2uo.de/myths-about-urandom/ for a much more thorough discussion.

    However, whatever random function they used, it's still a huge chunk of change...

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2016 @ 12:40pm

    Coins

    I could have sold them dollar coins for only two dollars cents each that they could have flipped, if they had asked.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2016 @ 12:43pm

    Bidding?

    > It made a list of requirements, opened up the floor for bidding,...

    Was there actually a competitive bidding process?

    link to this | view in chronology ]

  • icon
    jupiterkansas (profile), 7 Apr 2016 @ 12:50pm

    Before this becomes a meme (too late?) it's worth noting that, "It's possible it also included the tablets themselves, which could account for some of the additional cost."

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2016 @ 12:54pm

    You're OK.
    You're OK.
    You're… brown. Come this way.
    You're OK.
    You're OK.
    You're… an infant. Please follow me.
    You're wearing a turban. OMFG!. That's sort of like a Muslim. Evacuate the terminal, call the SWAT team.

    link to this | view in chronology ]

  • icon
    Machin Shin (profile), 7 Apr 2016 @ 12:58pm

    The one thing that I keep seeing mentioned is that using the built in random function is not really random. This is indeed very true. The thing is, who is saying they actually wrote anything better? You're assuming that almost $50k was used to make a more truly random system.

    I for one would not be shocked if that app just uses the built in random number generator everyone is complaining about. I would love to see a study showing how well they did at really making this random.

    link to this | view in chronology ]

  • identicon
    David, 7 Apr 2016 @ 1:05pm

    Why do they even need an app?

    There's only one reason why they really need an App.

    They don't trust their own staff.

    They don't trust agents to divide people to proper lines to maximize traffic flow.

    They don't trust agents to not divert hot chicks to their buddies.

    They don't trust agents to not divert valuables to their cohorts for pilfering.

    They don't trust agents to not inappropriately scrutinize people (racist, etc).

    They don't trust that they will divert an unsavory person over to the line with a willing cohort to avoid detecting things.

    The only reason that makes sense why the TSA would spend $50K on an App to direct people randomly between two lines - is they are not able to trust their own agents.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Apr 2016 @ 4:32pm

      Re: Why do they even need an app?

      In fairness to the government, would YOU trust the average TSA agent that much?

      Hell, I'd be surprised if they don't have problems keeping them from getting their heads stuck in the cereal boxes in the morning.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Apr 2016 @ 4:44pm

        Re: Re: Why do they even need an app?

        I trust them to accept bribes to let terrorists onto a plane.

        link to this | view in chronology ]

    • icon
      morganwick (profile), 7 Apr 2016 @ 6:42pm

      Re: Why do they even need an app?

      I mean, if you're going to spend a million dollars, spend it on technology that counts how many people are in each line and automatically sends people to whichever line is shorter.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2016 @ 1:39pm

    Another consideration: humans are a poor judge of randomness, because our brains are designed to find patterns. True randomness may not be exactly what they needed here. It's the old problem people had with thinking their iPods 'liked' certain artists over others. It didn't, the random number generator just happened to pick several tracks from the same artist or album in a run.

    A truly random system can have a long run of the same or similar results but on a long enough time scale will still show an even distribution of the possibilities. Imagine what a disaster it would be if the app selected LEFT a thousand times in a row, while the right lane stayed empty. And does the app support checkpoints with more than two lines?

    They probably wanted a combination of randomness and even distribution on a short to medium timeframe so all lanes are utilized to capacity but no one can claim that they were profiled. You have to be random, but not too random. This might not have been the world's most complicated software, but it isn't trivial either. There's plenty to criticize the TSA about; I'm not sure this is worth as much bluster as other things they do.

    link to this | view in chronology ]

    • icon
      nasch (profile), 7 Apr 2016 @ 4:54pm

      Re:

      > Imagine what a disaster it would be if the app selected LEFT a thousand times in a row, while the right lane stayed empty.

      If I understand right, this is not to optimize traffic flow. People will mostly even out the length of lines if left to their own devices. This is to decide who should get random additional (useless) screening. So it should choose one direction most of the time, and only divert someone now and then.

      link to this | view in chronology ]

  • identicon
    Mark Wing, 7 Apr 2016 @ 2:04pm

    That app probably came with an inch-thick specification document and took two junior developers and a project manager 6 months to build. It was probably a fair price considering all the bureaucracy and hassle of dealing with the government.

    But yeah, a normal company with streamlined / sane requirements could've had it built for a fraction of the cost.

    link to this | view in chronology ]

    • icon
      nasch (profile), 7 Apr 2016 @ 4:55pm

      Re:

      > But yeah, a normal company with streamlined / sane requirements could've had it built for a fraction of the cost.

      As in, one developer in less than a day.

      link to this | view in chronology ]

  • icon
    CynicalChris (profile), 7 Apr 2016 @ 4:06pm

    New Tech for Old Tech

    I remember visiting Brazil around 20 years ago. As you got to the front of the customs queue, you pressed a button and were presented with a green or red light.

    Green light, you went straight out the door, red light you were searched on your way out.

    Probably just as random as this app, but in addition, there may have been someone watching the queue and overriding any random light selection!

    link to this | view in chronology ]

    • icon
      Whatever (profile), 8 Apr 2016 @ 12:46am

      Re: New Tech for Old Tech

      I suspect that wasn't technology at work, rather a camera, a couple of switches, and a bored clerk in another room (who couldn't get assaulted for the choice) decided who went which way.

      That isn't random at all, just "distant" selection.

      link to this | view in chronology ]

      • icon
        CynicalChris (profile), 8 Apr 2016 @ 3:36pm

        Re: Re: New Tech for Old Tech

        I didn't say that wasn't the case. Who can say that isn't the case with this app, unless someone has reviewed the code?

        link to this | view in chronology ]

  • icon
    Berenerd (profile), 8 Apr 2016 @ 5:35am

    For 500 bucks *I* could have made this app. (Hell for 5 bucks I could have done it but I figured I could get some extra mad money from them)

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Apr 2016 @ 8:22am

    Missing the point.

    Nobody is actually going to believe that it's random anyway.

    The point, is that by putting it on a screen, the perp/vic can't tell who picked him. Which makes litigation more difficult. And lessens the likelihood of a direct conflict at the time of selecting said perp/vic.

    Yep. It would be one line of code if it worked as described. No it isn't one line of code.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Apr 2016 @ 12:00pm

    Did I miss where the application requirements were defined? Is the app actually supposed to be random or is everyone assuming this?

    link to this | view in chronology ]

    • icon
      nasch (profile), 8 Apr 2016 @ 12:30pm

      Re:

      > Did I miss where the application requirements were defined?

      They're not in the contract, they're in some other document that I don't think has been made public.

      link to this | view in chronology ]

  • icon
    Spaceman Spiff (profile), 10 Apr 2016 @ 2:06pm

    $1.4M?

    "The TSA -- presumably appropriately shamed for spending $1.4 million on an app someone could build for several hundred thousand dollars less/without IBM's awesome computing power during their spare time."

    I am a professional software engineer with 30+ years experience in the field. I could write this program in about 15 minutes! At $200/hour (my consulting rate - may have to increase that), and a 1 day (8 hour) minimum, ok - $1600 bucks. That is almost 3 orders of magnitude (1000x) less than IBM charged!

    link to this | view in chronology ]

  • identicon
    Lonesome Whistle, 13 Jul 2017 @ 4:09am

    Missing the point

    We should be following the Israeli method and profiling.

    link to this | view in chronology ]

