Posted by Seth on February 21, 2010 under News, Screening Management SOP, TSA | 
In a report that should come as no surprise to anyone following the story, the Department of Homeland Security Inspector General has blasted the Transportation Security Administration (TSA) for a series of failures that let to the disclosure of data classified as Sensitive Security Information (SSI) last December. Among other things, the report identifies as “deficient” the TSA’s information handling policies. Even more damning, however, are some of the details in the back-story that explain how the TSA managed to get themselves into the situation they were in. Indeed, the whole issue stems from concerns about privacy and handling of personal data, something that the TSA has been blasted for in the past. And while changes have been promised in response to the report, it remains to be seen if actual change can come from this event.
In prior years the TSA controlled public access to information that was considered SSI – whether redacted or not – through the use of a password-protected intranet site available only for potential bidders on projects associated with the documents.
Prior to a 2007 solicitation for requests for proposals to implement privatized screening at the Key West Airport, TSA required potential vendors to sign a nondisclosure agreement before providing the SSI Screening Management SOPs via its SPPO web-board. The web-board controlled access via login/password to vendor personnel who had submitted a signed nondisclosure agreement.
TSA officials reported to us that over time, TSA’s Office of Privacy and the Office of Chief Counsel’s Information Law branch informed SPPO and the Office of Acquisitions (ACQ) that the program’s prior process for vetting vendors, which included completion of a nondisclosure agreement, violated their privacy rights. TSA does not have a Privacy Impact Assessment (PIA) in place for the collection of personally identifiable information provided through the nondisclosure agreements.
In other words, the TSA was inappropriately collecting information from potential vendors and was unable to assure those vendors that the information collected was being handled in a reasonable manner. At this point the TSA had a choice to make: establish a PIA or stop collecting the information. For reasons which are not particularly clear and which are not addressed in the report the TSA chose the latter. They simply stopped collecting the information in question and stopped providing access to SSI documents associated with contracts that were up for bid. This issue came to a head with the 2007 solicitation for security vendors in Key West.
…TSA released the solicitation to implement privatized screening at the Key West Airport with limited information, did not have vendors sign a nondisclosure agreement, and did not release the SSI Screening Management SOPs. After the contract award, one vendor that had proposed to undertake and perform these duties at Key West Airport conveyed to TSA that not having access to SSI Screening Management SOPs placed them at a disadvantage, as other vendors had those documents through previously signed nondisclosure agreements.
In reviewing the Key West solicitation, the Offices of Chief Counsel and ACQ determined that TSA provided too little information and risked receiving an award protest. The expressed view was that incumbent contractors who already possessed the Screening Management SOPs would have an unfair advantage.
That decision made to avoid the PIA led to the scenario where the bids solicited were uninformed and biased in favor of incumbent parties who had previously had access to the information. Bad policy begat bad decisions which begat a terrible blunder.
The TSA made the decision at this point – mid 2008 – to produce a redacted version of the Screening Management SOP document so that they could distribute it to vendors. This was, in theory, the best of both worlds. The TSA would have the information available and would not have the issues associated with collecting personal information and the need for a PIA. Unfortunately, however, the TSA failed to properly produce this document, resulting in the events of last December.
The instructions for producing such documents are pretty straightforward. Indeed, the report includes a pretty picture that describes the process. The key step comes in the box that is redacted in this image but that is described pretty clearly in the report itself, “
In <<Adobe Acrobat>>
the key step to ensure that document contents cannot be either manipulated or retrievable is to check <<Apply Redaction>>. (N.B. – the bits inside the << >> marks are actually properly redacted in the original report. I have inserted the text here based on a reasonably solid supposition as to what the contents likely are. As someone who has worked with the tools in question and from reading the other content of the document it seems pretty likely that the above is correct.)
So, essentially, the error came because someone forgot to click on a checkbox. It was furthered when that user chose to skip the second to last step in the flowchart, searching for known redacted content in the finished document. Moreover, the document was returned to the Office of SSI for clarification of the header/footer that stated the document was still considered SSI. At that time a new electronic document was produced following the same procedures as the first one, skipping the appropriate steps to correctly apply the redaction.
Particularly damning in the report is the Inspector General’s review of the TSA’s training for its employees in the handling of SSI documents.
After our review of [the (SSI) Awareness] training course, we determined that this training does not contain instruction on handling redacted SSI material, the process of consulting with SSI coordinators, or discussion of any other quality control steps prior to the release of redacted information outside of DHS.
It is not clear what the training does cover but the fact that it doesn’t include anything about how to properly handle redacted material or to manage the release of the information to the public. Not comforting at all for the traveling public that the TSA’s training doesn’t actually cover things that seem critical to the topic in question.
Another of the findings in the Inspector General report is interesting, especially in light of some of the comments made by Acting Secretary of the TSA, Gale Rossides. Ms. Rossides testified during hearings before the House Subcommittee on Transportation Security and Infrastructure Protection that the leaked version was old and that many updated versions had been released in the interim months. While this is almost certainly true it belies a readily apparent fact: the main substance of the document didn’t change all that much. Indeed, the report suggests that over a span of 9 months – from the production of the original redacted version until the version was posted online – the “changes were determined to be insignificant” by the Screening Partnership Program Office and the same document was forwarded on to be included in the posting online.
Ultimately the failures associated with this document being published were many. The TSA made a decision to avoid responsibility associated with a Privacy Impact Assessment. An office worker chose to not follow the established process in creating a redacted document and also failed to check the document after producing it. And the Agency missed at least one other opportunity to discover the error and resolve it. As stated rather succinctly in the report:
We are concerned that an improperly redacted version of the SSI Screening Management SOPs passed through a number of TSA offices from June 7, 2008, to posting the document on FedBizOps.gov on March 3, 2009, and again on March 16, 2009, without any internal procedures to determine whether the document was redacted properly. As a result, TSA and department internal controls for reviewing, redacting, and coordinating the protection of SSI are deficient.
Related Posts
Posted by Seth on January 4, 2010 under News, Screening Management SOP, TSA |
Gotta love an Agency that can managed to violate their own rules when creating rules. I suppose if they never bothered to publically state either of the two contradicting policies they’d be fine. And up until the unredacted Screening Checkpoint SOP document turned up last month at least one of the policies was not particularly well known. This week, however, the TSA has issued a new directive (anyone taking bets on how long until a full copy is leaked or subpoenas served to the reporters??) as part of their follow-up to the failed bombing attempt on Christmas day. And the new policies are in violation of their own policies.
The new policy, according to several sources, requires that passengers originating from one of 14 countries are subject to a full search of their carry-on luggage and a pat-down when boarding flights bound for the United States. This policy is eerily similar to Section 2A-2 (C) (1) (b) (iv) of the Screening Checkpoint SOP. That section dictates that passengers presenting a passport from one of twelve countries be subjected to a full secondary screening (essentially the same bag check and pat-down). The main difference is the addition of two countries to the list, Saudi Arabia and Pakistan. And the rule now definitely applies at foreign ports rather than at TSA checkpoints.
The problem with this policy is that it violates the TSA’s stated Civil Rights Policy. That policy suggests that
[T]he public we serve are to be treated in a fair, lawful, and nondiscriminatory manner, without regard to … national origin.
So you’re not going to be subject to discriminatory screening based on national origin, unless you happen to be from one of 14 specific countries and then you will. Glad that they’ve cleared up that confusion.
On the plus side, the pat-downs conducted at most foreign checkpoints are much more thorough thatn the TSA-administered ones. Just this morning in Barcelona I watched a woman receive a rather thorough search at the WTMD that identified metal around her breasts and forced her to actually pull the necklace out from under her shirt to show the screening officer. I’m not so sure that such a thorough check would ever happen in the lawsuit-happy USA.
Still, the policy doesn’t really address the main issue at hand. The TSA is constantly fighting the last war rather than looking to the next one. Their “intelligence” appears to be a rather unfortunate joke of a system. And there are insufficient resources – time, cash, human and space – to reasonably provide 100% manual screening. Besides, it isn’t necessary. The key is in having the appropriate information and acting on it in advance, not after the fact. IATA Director General Giovanni Bisignani, a man who knows a thing or two about air travel, sums the situation up quite clearly:
Instead of looking for bad things—nail clippers and rogue bottles of shampoo—security systems need to focus on finding bad people. …
Adding new hardware to an old system will not deliver the results we need. It is time for governments to invest in a process built around a check point of the future that combines the best of screening technology with the best of intelligence gathering. Such a system would give screeners access to important passenger data to make effective risk assessments
But that hasn’t stopped the TSA, Canada’s CATSA or the UK’s DfT from trotting out plans to increase the use of Whole Body Imaging – aka Strip Search – machines around the globe. Fighting the wrong fight in an expensive and inappropriate manner. Thanks, government. You’re real great there.
Related Posts
Update (1/5/2010 12:07am EST): Couple small typos in the original post that changed the meaning of a few key phrases. Whoopsie.
Posted by Seth on December 18, 2009 under Screening Management SOP, TSA |
I must admit that being admonished by a Congressman has never been particularly high on my list of things to do. I’ve generally tried to stay under the radar of Congress. That all went out the window a couple weeks ago when the TSA’s Screening Management SOP document was published online with the supposedly redacted text still in the body. I’ve been in contact with a number of Congressional staffers since then and have been trying to help them understand that this wasn’t the case of crazy hackers acting maliciously. It is copy and paste. Really quite simple.
I sat through about 90 minutes of hearings from the Subcommittee on Transportation Security and Infrastructure Protection on Wednesday, hoping to hear that the congressfolk were going to do something about this event. Instead I was treated to nuggets like this one from Congressman Charles Dent (R-PA):
To those who repost this security information on the internet you should share in the blame should security be breached as a result of this disclosure. In the future I would ask that you please, please use the whistleblower process congress has created for you. Call the department. call the inspector general. Call congress and its committees. But please do not circulate sensitive security documents. Rest assured that we will hold the department to account.
In essence he’s calling me out for sharing this document rather than using “internal” procedures to address the issue. While I can understand the Congressman’s point – ideally truly secret information should never be made public – I must respectfully disagree with his thoughts on this topic.
Many minutes were spent throughout the hearing listening to TSA Acting Director Gale Rossides explain to the Congressmen that she would not provide them with copies of the current version of the SOP document even though she is bound by law to do so when requested. She refused to provide a timeline under which such a delivery would be made. It is quite humorous that Congressman Dent feels Congress can “hold the department to account” when the Agency shows no signs of actually respecting the rule of law.
The published version of the SOP contains many sections that were redacted seemingly out of convenience rather than a need to legitimately hide information. Among other things, the Agency chose to hide the fact that their policies seem to be in violation of their own public policy on discrimination as well as international treaties and executive orders. Is that a matter of actual security or hiding legal wrongdoing?
The TSA continues to hide their policies behind the veil of SSI while refusing to be held accountable to anyone for their behavior. The Congressman may believe that the Agency can be controlled but all evidence thus far seems to prove otherwise. In the meantime, it seems completely reasonable to me to continue to share when the Agency misbehaves. Perhaps if more people did so they would actually be held accountable.
Related Posts
Posted by Seth on December 16, 2009 under New York, Screening Management SOP, TSA |
Nothing like calling the boss onto the mat in front of Congress to get some answers when a mess happens in government. Not that it is likely much will change – and certainly not quickly – but the Homeland Security Committee of the United States Congress held hearings this afternoon regarding the breach. The hearings are entitled “Has the TSA Breach Jeopardized National Security? An examination of What Happened and Why.” Sadly, there is virtually zero chance of actually getting an answer to the questions, and even less of a chance that real change will come out of this. Still, the government rolls slowly on.
After a full hour of testimony it does not appear that anyone – neither congressfolk nor TSA officials – actually understand the significance of what has happened. The hour of testimony featured a couple rather pointed questions and they went unanswered. I followed up with some public affairs folks regarding open inquiries I have and I was stonewalled. And the most pressing questions simply were not asked.
Why was the document published?
A rather significant chunk of the discussion was focused on why the document was public at all. Ignoring the redaction problems that came up that should be a non-issue. Having the SOP in public is a good thing for the traveling public. In fact, having all the screening SOPs out there is the only fair and reasonable way to treat the public. The current approach treats all potential passengers as criminals and leaves them at the whim of the TSO they interact with at any particular moment. Having the actual rules in the open would permit the public to actually know their rights and exercise them rather than be subjected to a power-tripping agent having a bad day. Acting TSA Administrator Gale Rossides acknowledged that there are a dozen other SOP documents that the TSA currently uses for passenger screening operations. All are considered SSI and therefore are more or less unknown to the public.
Despite media claims to the contrary the document is not a roadmap to anything. Sure, there are a couple things that probably didn’t need to be out in the open, but they are not creating an inherently more dangerous travel environment at all. Legitimate security doesn’t depend on the ignorance of those being policed. It depends on well-trained folks responding to legitimate threats and acting on real intelligence information. Sadly the TSA does not provide that and having this document out in public does not change that situation.
Moreover, the TSA has essentially committed to not using the Internet for dissemination of redacted documents in the future. Any SSI document that needs to be shared with potential contractors will likely be held in a “reading room” or other similar facility at a TSA office. This will increase the burden on the contractors trying to fill these contracts and provide no reasonable increase in security or any other palpable benefits to the American people.
Information lockdown
In a move that can only be described as knee-jerk and over-the-top Rossides testified that TSA has instituted a “full operational lockdown” regarding the further sharing of SSI information. This lockdown applies to all documents containing SSI data. Most troubling, this lockdown also includes a restriction on sharing the appropriate information with members of the Congressional committees that have oversight of the TSA. Not only do they not want the public to see the documents, they also will not allow the congressmen and women who have a direct responsibility to review and understand the operations access to the current version of the SOP documents.
The TSA has held briefings and information sessions with congressional staffers and provided “access” in that way but no real access. When pressed on this issue Rossides acknowledged that she was aware of the legal obligation the department was under to share such information but insisted that she could not do so at this time. Congressmen Dent (R-PA) pressed the Acting Director on this issue quite aggressively. He suggested that the TSA was not willing to share the information because they felt congressfolks were likely to leak it or for some other similar reason. He also noted that this is the first time such a request has not been affirmatively responded to in a timely manner. Why now? Why is this one different? Rossides wouldn’t say, but she was insistent that such action was necessary. Equally troubling was that Congresswoman Jackson-Lee (D-TX) – the chair of the subcommittee – was supportive of the Acting Director’s decision to not provide the document in a timely manner. It was not immediately clear why
Targeting the wrong issues
A significant portion of the testimony focused on the IDs that were published in the document and what changes, if any, would need to be made to the IDs or processes surrounding them. Sorry, Congresswoman Jackson-Lee, but you’re barking up the wrong tree on this one. The pictures in the document were nowhere close to detailed enough to allow someone to make passable fakes from them. And that isn’t even considering the part of the “layers of security” the TSA uses that never actually verifies that the person on the photo ID is really the person traveling or that the ticket is really valid. Quite simply, checking IDs isn’t providing any security and even if it did someone desiring a fake would have better luck on Canal Street in New York City than dealing with those images.
Another significant line of questioning was focused on the use of contractors in the handling of SSI data inside the TSA. Specifically, it seems that one of the folks at the heart of producing the document for publication was a contractor at the time it was posted online (he has since become a full-time employee). Congresswoman Jackson-Lee was rather caught up on the idea that somehow there is a difference between a contractor and a full-time employee. There didn’t seem to be much rhyme or reason behind that distinction but she was more than willing to make it. Several times. Indeed, we can expect to see legislation in the new year restricting the handling of SSI from contractors. So very, very unnecessary.
Who has the document?
Congressman James A. Himes (D-CT) was rather blunt in the one question he asked, “No organization doesn’t make mistakes. The question is how well an organization learns from the mistakes. Is anyone looking to see who has downloaded it?” That’s right…forget about how it got out there, let’s focus on who is reading it and what we can do about that. Other congressfolk have inquired about any potential legal recourse that can be pursued to force websites hosting the document to remove it. That horse has already left the barn, but there’s no reason Congress can’t go out and start shooting horses randomly on the plains, or something like that. Except that there is a VERY good reason they cannot. It is 44 U.S.C. 3506(d)(4)(B). It states:
With respect to information dissemination, each agency shall—
(4) not, except where specifically authorized by statute—
(B) restrict or regulate the use, resale, or redissemination of public information by the public;
That’s the truncated version of the code but it basically means that the neither the TSA nor anyone else can do anything about it once the document is out in the open. That hasn’t stopped the congressfolk from posturing but nothing will come of it.
In that same vein, the actual reply to Congressman Himes’s query was rather chilling. Acting Director Rossides stated that The Department of Homeland Security’s Inspector General office – the same folks conducting the inquiry into the TSA’s publication of the document – has compiled a list of who downloaded the document from the Commerce Department website and that they are working to reconcile that list against other lists they might have. They are also working on lists of who is hosting the document. It isn’t entirely clear what these lists will be used for since possession and distribution of the document is completely legal, but the DHS is compiling lists, just in case. This is a rather disturbing admission on the part of the TSA and DHS.
When asked what could be done about the copies of the document that are floating about the Acting Director offered the following suggestion: “I would hope out of their patriotic sense of duty to their fellow countrymen [people hosting copies] would take [the document] down. Good luck with that. Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.
Two useful questions
Lest the above make it seem that the hearing did not address anything useful it is worth noting one specific line of questioning that appeared to catch the Acting Director a bit off-guard and to really drive to the point of the charade that the TSA seems to be playing with this event. Congressman Emanuel Cleaver (D-MO) noted that, as is the case with any government document, the new versions build on the old versions. So the fact that there have been six revisions since the redaction mistake came out might not really be significant. The only reply that the Acting Director could muster is that the bulk of the information in the document is not SSI so that doesn’t really matter.
Congressman Cleaver also asked a very pointed question when Rossides noted that she felt the air travel system was safe. Specifically he asked if she would have actually admitted in an open session that she thought the answer was no. They parried a bit over words and there was never a “true” answer, but it definitely caught the Acting Director off-guard.
The Acting Director Responds
Acting Director Rossides made a couple statements during the hour-long session that suggested she might actually understand the gravity of the situation. That, or she’s been in Washington long enough to know what to say. Among the responses she offered:
I regret this occurred and take full responsibility for the mistake. Our response was swift, decisive and comprehensive. Passengers will fly safely…because of the layers of security in place.
We need better processes in place and tighter controls on how we handle sensitive information. We’re going to have to make sure that we have designated personnel…who are trained and really truly understand.
The actions of one or a few can … seriously impact the credibility of the agency.
Perhaps most significant because of what it implies about the previous behavior of the agency, the Acting Director offered up this nugget: the agency has asked the National Security Agency (NSA) to come in and work with them. The NSA has had documents published publicly for many years now explaining the importance of proper redaction and how to correctly accomplish it. Now that they’ve messed it up once the TSA has apparently decided to ask the NSA to come in and teach them how to do redaction correctly. It is great that they are finally (apparently) getting it right, but this has been a long time coming.
Ultimately the Congressional inquest does not appear to have had much affect on the behavior of the TSA. They’re still doing whatever they want and even when pressed on the issues they simply decline to answer. This is not good at all.
Related Posts
Posted by Seth on December 9, 2009 under Screening Management SOP, TSA |
On Monday the TSA made it very clear that the version of the Screening Management SOP that was posted to the fbo.gov website was not a version that was ever actually placed into active use. This was part of the statement made on their blog on Monday:
The version of the document that was posted was neither implemented nor issued to the workforce. In fact, there have been six newer versions of the document since this version was drafted.
It seems that the words are changing, however, as other questions have cropped up suggesting that the TSA’s stance might be troubling for them. Here’s what they’ve got in a statement on their webpage this afternoon:
This version of the document was not the everyday screening manual used by Transportation Security Officers at airport checkpoints. As TSA is constantly adapting to address evolving threats, there have been six newer versions of the procedures since the version posted was approved.
Note the ending of the two statements. We’ve gone from “drafted” to “approved,” suggesting that the version on the internet was, in fact, in play at some point. OK, I actually expected that to some extent. I’m still waiting to hear what other backtracking they’ll be doing later on, and also if the Honorable David Heyman knows that he told a small fib during his testimony, suggesting that the document was no longer online at the fbo.gov webpage. But, at least for now, they don’t seem to be on the hook for Contempt of Congress which was a very real risk based on the previous statements and being called to testify today.
If you’re interested in the testimony check it out here. It starts around minute 72 of that video.
Related Posts
Posted by Seth on December 9, 2009 under Screening Management SOP, TSA |
As it so happens there were hearings scheduled for this morning in Congress for some TSA officials. Certainly they probably would have been much happier to discuss the White House party crashers – the original primary topic – than how a supposedly secret document wound up online for the world to read. Alas, it was not meant to be. Instead they faced down Senators grilling them about how the error occurred.
Watching the TSA folks squirm is interesting, though I’m still waiting for further pressure to come down regarding an answer about the potential that a FOIA response was inappropriate.
Related to the leak, an unknown number of TSA employees have been placed on leave pending the outcome of the internal investigation. Interesting how the TSA is willing to share details of their internal investigations when they think it will help to calm the masses but that they have not been during previous events where there were questionable actions by their staff.
Posted by Seth on December 9, 2009 under Screening Management SOP, TSA |
I suppose that it was inevitable that the TSA would eventually fall on their face and do something like this. “Secure” documents have a habit of slipping out every now and then and the TSA has been around long enough at this point that the odds were no longer in their favor. What is interesting to me is how this particular action actually blossomed into a full-blown media event. A TSO shows up to work with a gun in his pocket and the media eventually gets bored and walks away. But this is a juicy one. It has “secrets” in it and who doesn’t like discovering a secret?
Watching the story grow through web statistics has been interesting for me over the past couple days. This isn’t the first time I’ve posted about the TSA doing something stupid but it is most certainly the first time it has grown legs. So just exactly how did it happen? Here’s the timeline as best as I can recreate it.
Around 3pm on Saturday, December 5th a link was posted on FlyerTalk.com to the FBO.GOV website where there were details of a contract for screening services in Montana that had been out for bid (the FBO link is dead now; there is a cached copy here). In that bid package there were a number of attachments including two different “redacted” copies of the TSA’s Screening Management SOP. The copies were actually slightly different but the general content was substantially the same. That post was out there for almost 24 hours before I stumbled upon it and decided to see what was in the document. Three clicks later I was reading a “redacted” copy of the SOP, something that the TSA meant to put online. About 10 minutes and a couple more clicks later, however, I was one of a couple folks who realized just what we were looking at and what the situation was. It took me another hour to get a blog post together and at 4:16pm EST on Sunday afternoon the post went online.
My blog doesn’t have all that many readers regularly so I’m honestly not really sure how it went from there. What I do know is that someone thought it was worthy enough to put a link up on http://news.ycombinator.com/, a self-described “Hacker News” social media site. From there the story made it to the Wired Threat Level blog as well as BoingBoing.net (two sites that I really enjoy, FWIW) and Jaunted. On Monday The Register in the UK picked up the story as well, noting how foolish security through obscurity generally is in the process. Chris Elliott, a syndicated travel writer also picked up on it during a chat on Monday afternoon and posted a blurb about it on his blog. US News & World Reports had a piece as well.
At that point the story probably could have died. But it didn’t. Tuesday saw the story picked up by SlashDot in the morning and Gothamist in the afternoon. Fortunately the site is hosted by systems that can handle the resulting SlashDot effect and the blog has stayed online.
And then, it went mainstream. The Cleveland Plain-Dealer had an article out on the story on Tuesday afternoon. ABC’s World News Tonight led off their broadcast with the story (and some really bad computer stock images). The Washington Post followed up on the story as well. That story was published late Tuesday evening online and is on the front page, below the fold, of today’s print edition. The Associated Press put together a piece that was been picked up by a number of outlets on Tuesday evening, including USAToday, Yahoo! and MSNBC.
Overnight Tuesday night/Wednesday morning the BBC got into the game and USAToday had an original piece in their Today in the Sky blog. It was on page A22 of the dead tree edition of the NY Times, running the AP wire piece as well.
Yeah, to say that this one has legs is a bit of an understatement.
I’m sure I’ve missed a number of the sources covering the story at this point. The good news is that this is out there. Hopefully the correct questions are asked as a result of the leak and hopefully we can move towards a system that actually represents security rather than security theatre. I’m not holding my breath. Oh, and I’m still waiting to hear back from the TSA on a number of open questions about this issue. Conversations with elected officials will be my next step as hopefully they can actually compel the TSA to answer the questions that they seem likely to brush me off on.
Posted by Seth on December 8, 2009 under Screening Management SOP, TSA |
I’m not a legal scholar. I didn’t even stay in a Holiday Inn Express last night. But I am pretty good about spotting what appears to be a felonious act, especially when it jumps off the computer screen and smacks you right in the face. And after reading through the various non-responses from the TSA regarding this leak one bit seems to stand out more than the others. The TSA appears to be playing down the breach in part because:
The version of the document that was posted was neither implemented nor issued to the workforce.
That’s the direct quote from the TSA’s blog entry regarding the matter. The problem with that statement is that the document appears, in fact, to have been issued. At least once.
In May 2009 the Identity Project posted on their website the results of a Freedom of Information Act (FOIA) request that they originally submitted in June 2008, right around the time that the document in question is dated. The document that was returned in reply to the FOIA reads 100% the same as the document uncovered over the weekend. It has the same revision number. And it has the same date. It is very, very difficult for me to believe that there is any way that document previously released to the ID Project is not the exact same document that was published on the fbo.gov website and then found to have been improperly redacted.
 |
| The FOIA document |
 |
| The fbo.gov document |
What does that mean?
Either the TSA is lying about the fact that this document was never actually implemented or they issued a false reply to a FOIA request. They’re stupid or felonious. I wonder which one.
I reached out to the TSA Public Affairs office and even tried to get an answer from their “breaking news” duty officer. I didn’t get very far in either of those efforts. But I know that a number of major news organizations are covering the story now and I’ve been feeding bits of information to a few of them. Hopefully one or more of them will be able to push the TSA harder for a legitimate answer than I can.
(For those concerned about possibly having been exposed to SSI documents but reading here anyways, both bits above are considered public and not really SSI in any way.)
Related Posts
Posted by Seth on December 8, 2009 under Screening Management SOP, TSA |
Since the discovery and publication of the non-redacted TSA Screening Management SOP this past Sunday the TSA has been working to clean up the mess. Hardly a surprise and you’d think that they would be used to such situations by now. They’re moving with amazing speed, actually. First, they managed to get the document offline in relatively record time on a Sunday afternoon. Then they were able to actually get a public statement out to inquiring press within about 5 hours – more than an hour per paragraph and the last one shouldn’t really count since it is just the same closing they use every time something comes up. And then they realized, and mentioned in a post on their blog yesterday afternoon, that the version in the wild was never actually implemented. Or at least that is what they’d have us believe.
Sure, I’m willing to go out on a limb and say that they’re telling the truth on that aspect (and believe me, it is a stretch to go there). That version was never implemented nor was it ever distributed to the workforce. Fine. But it was used to define the job responsibilities of a multi-million dollar annual contract (the deal was signed for just over $11MM) for a company that will be performing screening in seven Montana airports. So either that version is substantially similar to the actual SOP in play at that time (it is dated May 2008 and was posted online in March 2009, a span of 9 months) or the contractor was asked to bid based on false specifications. I don’t know which is worse. Incompetence or fraud.
It is also interesting to note that the time span that the document in question was supposedly not implemented roughly matches the time span from when it was posted online until now. In the recent span the TSA claims that six new version have been published and distributed to their workforce for implementation. Yet in the previous nine month window apparently not too much changed. At least not enough for the TSA to be concerned about the requirements they were asking contractors to bid on.
I’ve reached out to the TSA for clarification on this issue and I’ll share what I get. I’m betting on a lot of “no comment” but I’m hoping for a surprise.
Related Posts
Posted by Seth on December 7, 2009 under Screening Management SOP, TSA |
Apparently the TSA really believes in the guidance provided by mothers everywhere in the winter: multiple layers will keep you warm and cozy. I reached out to the Office of Public Affairs this morning regarding the accidental release of the non-redacted Screening Management SOP document. The initial call received a “no comment” with a promise of follow-up. Apparently the copy-and-paste crew were double checking things for quite some time because the eventual answer I got from the OPA wasn’t particularly useful:
The Transportation Security Administration (TSA) has become aware that an outdated version of a Standard Operating Procedures document was improperly posted by the agency to the Federal Business Opportunities Web site wherein redacted material was not properly protected.
TSA takes this matter very seriously and took swift action when this was discovered. A full review is now underway.
TSA has many layers of security in place to keep the traveling public safe and to constantly adapt to evolving threats. TSA has put appropriate measures in place to effectively screen passengers at airport security checkpoints nationwide.
Yup, it is all about the layers. The layers will protect you.
Sure, they had to revise the opening paragraph of the statement but the rest of it is boiler-plate and pretty worthless. Sadly, it seems that this is likely to be the last of their comments on this gross breach.
Sure, some of the content is likely outdated. I get that it isn’t the most current version of the document. The information about selectee screening and exemptions is fun to read but since most selectee designations went away earlier in the year it isn’t quite so relevant. But knowing the specific thickness of wires that will and will not show up on the x-ray machines seems like something they probably didn’t want out in the open. Ditto for the process by which they test the calibration of the magnetometers with pseudo-guns. And I’m betting that most of that content is still current, even if they tend to lead the conversation in the other direction.
Nothing new, really. They screwed up and they’ll take care of it internally. I wonder if they have the cojones to actually charge someone with leaking SSI information. They had no compunction about prosecuting a guy who shared information that was only deemed classified after he shared it. This one was marked up pretty good on every page. But, of course, it “is an internal matter” and we just have to trust that they’ll do everything correctly to follow up. Just like we were supposed to trust them before despite the fact that they’ve done nothing to earn that trust.
The security theatre that the TSA performs is a joke and their internal enforcement seems to be a joke as well. Hardly a surprise.
Related Posts
Posted by Seth on December 7, 2009 under Screening Management SOP, TSA |
It is amazing how time can flow in the federal government. The TSA Screening Management SOP document that I posted about yesterday had been online since March. Sure, apparently not many people knew about it and even fewer knew that it actually contained the content that was assumed by TSA’s legal department to be redacted. Once that was noticed, however, the proverbial cat was out of the bag. Apparently having the document online actually wasn’t that big a deal. Properly redacted it was no longer considered SSI and was useful for the purpose of its original publishing – to allow contractors to bid on providing screening services for airports in Montana.
But once the lack of redaction was exposed the gears of government started to turn with great speed. Just hours after the reports started circulating on the internet the file was gone. From a Department of Commerce website. On a Sunday evening.
Who says that the government is glacial?
Seriously, though, apparently they are concerned about the general public knowing the correct procedure for TSOs washing the table and changing gloves following a positive reading on the ETD machine. Or the frequency with which the black-light and loupe are supposed to be used in the screening process (here’s a hint: it is WAY higher than what I’ve ever experienced at an airport). Or the list of folks exempt from the selectee screening even if their boarding pass is noted as such? Actually that last one is a pretty good read (Section 4.3.15 (B)).
The good news is that plenty of people have copies of the document, including WikiLeaks.org and Cryptome.org. The version available from the latter is actually quite nice since it has the black boxes removed for easier reading. So the original link I shared is dead but there are plenty of other sources out there.
I’ve put in a call to the Office of Public Affairs for a comment on the release and have thus far been stonewalled. I’m planning on calling back later this afternoon in an effort to get something – anything – from them. We’ll see how that goes.
Related Posts
The instructions for producing such documents are pretty straightforward. Indeed, the report includes a pretty picture that describes the process. The key step comes in the box that is redacted in this image but that is described pretty clearly in the report itself, “