FOIA Documents Expose Details On TSA's $47,000 Coin Flipping App
from the but-with-at-least-as-much-possible-groin-grabbing-as-Tinder! dept
Time for yet another episode of "Your Tax Dollars Faffing About." According to documents liberated by Kevin Burke, the TSA spent a ridiculous amount of money on an iPad app that randomly generates a left or right arrow.
They sent me two documents. The first is a disclaimer about how they had to black out some of the information. The second is the contract between the TSA and IBM. And there's the payment:
Because these are FOIA documents, some information has not been freed. (See: FOIA Exemption: SOP) This makes it difficult to narrow down the amount of the contract that went just to the random number/arrow generator.
Later today Pratheek Rebala reached out to mention that this data is available publicly, and there were 8 other payments as part of the same award, totaling $1.4 million; the document I have is one part, totaling $336,000. Furthermore, there were 4 bids for the contract and IBM won the bidding.
Here's a blurry photo of the app in use, overseen by a TSA agent wearing the regulation genital-fondling gloves.
The TSA -- presumably appropriately shamed for spending $1.4 million on an app someone could build for several hundred thousand dollars less/without IBM's awesome computing power during their spare time -- began reaching out to those covering this story with a correction.
Taxpayers: the $1.4 million may have been blown on a left/right arrow app in total, but only ~$50,000 went directly to the development of the TSA's random number generator.
The total development cost for the randomizer app was $47,400, a TSA spokesperson told Mashable, which was part of the $336,413.59 contract.
No further details were provided. This clarification suggests the TSA only comically overpaid for its "randomizer" rather than tragicomically overpaid for its digital coin flipper.
It's not that the app doesn't serve a purpose -- although it does so in an overpriced, underwhelming fashion. The TSA had two concerns to address. First, it didn't want to be viewed as "profiling" when "randomly" selecting people for extra scrutiny, as it had in the past.
You're OK.
You're OK.
You're… brown. Come this way.
You're OK.
You're OK.
You're… an infant. Please follow me.
Second, it had to actually randomize the outcome to deter would-be terrorists from gaming the system and bypassing the Director's Cut of the TSA's Security Theater.
So, it handled it as government agencies are supposed to. It made a list of requirements, opened up the floor for bidding, awarded the contract, and (most likely) watched deadlines and budget targets sail past like passengers granted instant Pre-Check approval just because the lines were getting a little long.
Now, it's probably not quite as ridiculous as it first appears -- all of this money devoted to a left/right arrow generator. The app would need to be both tamper-proof and idiot-proof and combining the TSA and IBM on a project is going to generate a lot of overhead costs. The total may also include the purchase of a few hundred iPads, which aren't exactly easy on the wallet.
But in the end, it's $50,000 for a random number generator with a lackluster front-end being run by a Wal-Mart greeter but for potential terrorists. And to date, it has yet to direct a would-be terrorist into the waiting arms of secondary screeners.
Reader Comments
mas o menos
Of course ignoring tariffs*, trade-agreements, credit-exchanges, and other regulatory mechanisms that entirely make the above false, we get to the crux of the thing.
We love it when we can get a great deal on a new car because we did our homework. We love it when we find a great special at Macy's on that crystal photo frame we just didn't get as a gift at wedding number one. We love it when we can get five limes for a dollar instead of three.
On the flip side we're proud when we sold our used VW Bug for a few thousands of dollars over the estimated price. We love seeing that Blac Chyna will likely get one million dollars for "starring" in a KUWTK episode. We love it if our worthless script for "Time Tunnel 1980" (starring Barry Van Dyke and Kent McCord) is purchased for a million dollars.
So we love getting something for less than what it's worth.
We love selling something for more than what it's worth.
This thing isn't a failure on IBM's part. IBM did their shareholders proud by collecting an amazing ("tragicomical"?) amount of money for a one-line app any schoolkid can code in under a minute. That someone put a graphical user interface (GUI) on it that's a big arrow, and someone else made it "tamper-proof"* is awesome.
What IS the problem is that our government -- which is supposed to have accountability and checks and balances -- not only happily approved this whole mess, but then tries to explain it's not as bad as we think it is.
So good on IBM and its shareholders for maintaining a profit margin on every app. Bad on the TSA for this. You can, however, consider that after fondling children, searching baby diapers, making people take out colostomy bags and various other things, having a mother drink her own breast milk, and holding travelers hostage for 15 years... this isn't even sweet icing on that cake.
Ehud
* Those blue regulation "genital fondling" gloves mean they can't hack anything. They don't trigger a response from capacitative-touch screens.
[ link to this | view in chronology ]
The Price Is Right-ish.
46k for the software that includes the randomizer actually ain't very expensive at all. Remember, that is the whole APP, and not just the generator.
[ link to this | view in chronology ]
Re: The Price Is Right-ish.
But I'd bet $46k that they didn't do anything fancier than built in random functions. Or, at most, stock IBM functions that they've had sitting around.
[ link to this | view in chronology ]
Re: Re: The Price Is Right-ish.
[ link to this | view in chronology ]
Re: Re: Re: The Price Is Right-ish.
You can, as you say, select RNGs that have very similar statistical characteristics with actual randomness for a finite run, but they are not producing truly random numbers.
But all of that is irrelevant, since what is needed for an app like this isn't anything close to randomness anyway. Just using the standard library RNG combined with reseeding every so often would be more than adequate.
[ link to this | view in chronology ]
Re: Re: Re: Re: The Price Is Right-ish.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: The Price Is Right-ish.
If that's what the TSA was paying for, then one would think that they would have said so. Also, I don't see any hardware plugged into those tablets.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: The Price Is Right-ish.
[ link to this | view in chronology ]
Re: Re: Re: Re: The Price Is Right-ish.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: The Price Is Right-ish.
Computer engineers are very aware of the difference between random numbers and pseudorandom numbers, and it is not a philosophical distinction.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: The Price Is Right-ish.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: The Price Is Right-ish.
If by philosophical you mean academic or semantic, I'm fine with that. If you mean arbitrary or subjective, then no.
[ link to this | view in chronology ]
Re: Re: Re: The Price Is Right-ish.
If the TSA wants a random number generator that's statistically more accurate than a regular computer's random number generator, then what is the probability this system will catch a terrorist, based on all the past evidence of catching any terrorist at the TSA line? If the number of terrorists to be caught is statistically 0, then there's no need for a random number generator with a higher level of precision.
Or Occam's razor:
What are the chances that a terrorist will take the time to determine that the TSA is using RNG-1 Alpha 3 and that the randomization pattern is 0-1-1-1-0-0 and he's able to slip into the wrong line? Compare that to a terrorist who just says "f this- I'm in the wrong line so I'll blow up the airport"?
In other words, this is another $47,000 spent to make it look like the TSA is "doing something".
[ link to this | view in chronology ]
Re: Re: Re: Re: The Price Is Right-ish.
> In other words, this is another $47,000 spent to make it look like the TSA is "doing something".
Absolutely. All this talk of math is missing the forest for the trees.
The TSA's job is to prevent hazardous materials and dangerous people from crossing into the sterile area of a public airport. All the rest of this discussion is about a trivial piece of waving shiny object with an arrow on it which is all just a part of The Security Theater.
Ehud
[ link to this | view in chronology ]
One line.....
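// placeholder name; the original function signature is not shown on the page
function leftOrRight() {
  return Math.random() > 0.5 ? "RIGHT" : "LEFT";
}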
[ link to this | view in chronology ]
Re: One line.....
[ link to this | view in chronology ]
Re: Re: One line.....
[ link to this | view in chronology ]
Re: Re: One line.....
[ link to this | view in chronology ]
Re: Re: One line.....
But the solution to that is simple. Add the pseudorandom number to the human input you're getting. If the user presses the "next" button and the milliseconds are even, take the pseudorandom result. If the milliseconds are odd, take the opposite.
For an application like this, that's more than enough. You can't get a reliable read on the pseudorandom sequence if the numbers are sometimes flipped. And even if you somehow could, there's no way you could know to the millisecond when the TSA guy was going to press the button when it was your turn.
This should still take less than a day to make.
[ link to this | view in chronology ]
Re: Re: One line.....
When the screening is not likely to catch any weapons anyway, what difference does it make?
[ link to this | view in chronology ]
Re: Re: Re: One line.....
It's also why they rotate the workers around frequently and not on schedule so that it's harder to know where any employee or group of employees may be at any given time.
In the world of what you guys would call "security theater" the random line selection software is actually something that adds to security in a small but real way.
[ link to this | view in chronology ]
In Defense of Walmart
[ link to this | view in chronology ]
Price isn't that far off
For a simple custom web app that is being deployed in a (hopefully) controlled environment, this isn't a terrible price. My guess would have been around 10-20k from a similarly sized developer. But the government contracting/requirements process by itself probably adds 50-100% to the cost, even before a line of code has been written.
I'm sure Joe developer could do it at home for less, but IBM's not gouging them and the government isn't overpaying any more than normal for this.
[ link to this | view in chronology ]
Re: Price isn't that far off
I remember a certain defence company being forced to go through a full requirements, tendering and evaluation process to buy two radios....not two types, count them, two actual radios (one of the requirements being they had to be off the shelf). One of the bidders commented that it would have cost them less to just ignore the bid process and just send the two radios.
[ link to this | view in chronology ]
"True Random" vs "Pseudo Random"
See http://www.2uo.de/myths-about-urandom/ for a much more thorough discussion.
However, whatever random function they used, it's still a huge chunk of change...
[ link to this | view in chronology ]
Coins
[ link to this | view in chronology ]
Bidding?
Was there actually a competitive bidding process?
[ link to this | view in chronology ]
You're OK.
You're… brown. Come this way.
You're OK.
You're OK.
You're… an infant. Please follow me.
You're wearing a turban. OMFG!. That's sort of like a Muslim. Evacuate the terminal, call the SWAT team.
[ link to this | view in chronology ]
I for one would not be shocked if that app just uses the built in random number generator everyone is complaining about. I would love to see a study showing how well they did at really making this random.
[ link to this | view in chronology ]
Why do they even need an app?
They don't trust their own staff.
They don't trust agents to divide people to proper lines to maximize traffic flow.
They don't trust agents to not divert hot chicks to their buddies.
They don't trust agents to not divert valuables to their cohorts for pilfering.
They don't trust agents to not inappropriately scrutinize people (racist, etc).
They don't trust that they will divert an unsavory person over to the line with a willing cohort to avoid detecting things.
The only reason that makes sense why the TSA would spend $50K on an App to direct people randomly between two lines - is they are not able to trust their own agents.
[ link to this | view in chronology ]
Re: Why do they even need an app?
Hell, I'd be surprised if they don't have problems keeping them from getting their heads stuck in the cereal boxes in the morning.
[ link to this | view in chronology ]
Re: Re: Why do they even need an app?
[ link to this | view in chronology ]
Re: Why do they even need an app?
[ link to this | view in chronology ]
A truly random system can have a long run of the same or similar results but on a long enough time scale will still show an even distribution of the possibilities. Imagine what a disaster it would be if the app selected LEFT a thousand times in a row, while the right lane stayed empty. And does the app support checkpoints with more than two lines?
They probably wanted a combination of randomness and even distribution on a short to medium timeframe so all lanes are utilized to capacity but no one can claim that they were profiled. You have to be random, but not too random. This might not have been the world's most complicated software, but it isn't trivial either. There's plenty to criticize the TSA about; I'm not sure this is worth as much bluster as other things they do.
[ link to this | view in chronology ]
Re:
If I understand right, this is not to optimize traffic flow. People will mostly even out the length of lines if left to their own devices. This is to decide who should get random additional (useless) screening. So it should choose one direction most of the time, and only divert someone now and then.
[ link to this | view in chronology ]
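Added example, not part of the comments above and not the TSA or IBM code: one way to get the "random, but not too random" behaviour the two comments above discuss, with only occasional diversion, is a shuffled fixed-quota block drawn from the operating system's CSPRNG instead of `Math.random()`. The names `uniformInt`, `makeBlock`, `createSelector` and the SCREEN/PASS labels are assumptions made for illustration.

```javascript
// Added example (not from the article, the thread, or the TSA/IBM app).
// Assumed policy: in every block of `blockSize` travellers, exactly
// `selected` are sent to extra screening, in an order drawn from the OS CSPRNG.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Default entropy source: one byte from the operating system's CSPRNG.
function osByte() {
  return webcrypto.getRandomValues(new Uint8Array(1))[0];
}

// Uniform integer in [0, n) for 1 <= n <= 256. Rejection sampling discards
// bytes in the uneven tail, so no value is favoured (no modulo bias).
function uniformInt(n, nextByte = osByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  let b;
  do { b = nextByte(); } while (b >= limit);
  return b % n;
}

// Build one block: `selected` SCREEN entries, the rest PASS, then a
// Fisher-Yates shuffle driven by uniformInt.
function makeBlock(blockSize, selected, nextByte = osByte) {
  if (selected < 0 || selected > blockSize) throw new RangeError("selected must be 0..blockSize");
  const block = Array.from({ length: blockSize }, (_, i) => (i < selected ? "SCREEN" : "PASS"));
  for (let i = blockSize - 1; i > 0; i--) {
    const j = uniformInt(i + 1, nextByte);
    [block[i], block[j]] = [block[j], block[i]];
  }
  return block;
}

// Stateful selector: hands out one decision per traveller and starts a
// fresh shuffled block when the current one is used up.
function createSelector(blockSize, selected, nextByte = osByte) {
  let queue = [];
  return function next() {
    if (queue.length === 0) queue = makeBlock(blockSize, selected, nextByte);
    return queue.pop();
  };
}
```

A fixed quota bounds how lopsided any stretch of decisions can get, but the last decisions in a block are constrained by the earlier ones, so the block should be large relative to the quota.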
But yeah, a normal company with streamlined / sane requirements could've had it built for a fraction of the cost.
[ link to this | view in chronology ]
Re:
As in, one developer in less than a day.
[ link to this | view in chronology ]
New Tech for Old Tech
Green light, you went straight out the door, red light you were searched on your way out.
Probably just as random as this app, but in addition, there may have been someone watching the queue and overriding any random light selection!
[ link to this | view in chronology ]
Re: New Tech for Old Tech
That isn't random at all, just "distant" selection.
[ link to this | view in chronology ]
Re: Re: New Tech for Old Tech
[ link to this | view in chronology ]
Missing the point.
The point is that by putting it on a screen, the perp/vic can't tell who picked him. Which makes litigation more difficult. And lessens the likelihood of a direct conflict at the time of selecting said perp/vic.
Yep. It would be one line of code if it worked as described. No it isn't one line of code.
[ link to this | view in chronology ]
Re:
They're not in the contract, they're in some other document that I don't think has been made public.
[ link to this | view in chronology ]
$1.4M?
I am a professional software engineer with 30+ years experience in the field. I could write this program in about 15 minutes! At $200/hour (my consulting rate - may have to increase that), and a 1 day (8 hour) minimum, ok - $1600 bucks. That is almost 3 orders of magnitude (1000x) less than IBM charged!
[ link to this | view in chronology ]
Missing the point
[ link to this | view in chronology ]