Happy birthday, TSA!

Posted by Seth on November 19, 2011 under News, Screening Management SOP, TSA | 4 Comments to Read

Today is the TSA’s 10th birthday and there are celebrations all around the country. Passengers everywhere are feting the organization for their polite, respectful and efficient screening of passengers and cargo. The ability of the organization to effectively discern the difference between legitimate threats and hyped theoretical attack avenues was praised by both Congressional leaders and law enforcement officials in a ceremony on Capitol Hill where agency head John Pistole accepted the warm acclaim with humility and deference to the tens of thousands of well-trained agents the organization has out in the field working each day.

If only any of the above were true.

Well, it actually is the 10th birthday of the agency, so I guess that’s something. And what better 10th birthday present to receive than a letter from your parents (Congress in this case) telling you everything you’re doing wrong. Because that’s what actually happened this week. Two Republican Congressmen issued a rather scathing report entitled "A Decade Later: A Call for TSA Reform" that excoriates the agency for being incompetent, overly bureaucratic and generally dysfunctional. Ouch.

Among the things the TSA is criticized for, some of my favorites include:

  • Stopping the growth of the Screening Partnership Program (private screeners under TSA rules like at SFO) despite those screeners being as good or better than TSOs and at a lower cost, both for training and ongoing operations.
  • The SPOT program (behavior detection officers) growing despite it lacking scientific credibility or any demonstrated efficacy, including a number of cases where known terrorists passed through airports where the program was in operation and avoided detection.
  • Deploying 500 Advanced Imaging Technology (aka nude-o-scope) machines in a "haphazard and easily thwarted" manner despite a lack of evidence that they are any more effective at detecting threats than the metal detectors they are replacing. There is evidence that they might cause cancer but that’s apparently of less concern.
  • The failed deployment of the "puffer" machines at a cost of roughly $39MM which was eventually abandoned when it was determined that they simply didn’t work in the real world.
  • There are more former TSA employees than there are current employees after only 10 years in existence, and there are over 65,000 active employees in the organization.

The report offers plenty more, but those are definitely the highlights.

The recommendations section offers a number of interesting suggestions. None of them are "disband and start over" but there are a few that could result in a significant change of direction for the organization. Little things, like trimming the $400MM administrative payroll overhead in DC or setting actual performance standards for passenger and baggage screening and then holding the employees to them are starters. Ditto for deploying some of the 2,800 pieces of screening gear that are in warehouses rather than at checkpoints.

The report is worth a read, or at least a skim, to see just how wasteful and incompetent the agency responsible for securing travel in the United States is. Really makes me happy every time I visit the airport.

EU bans nude-o-scopes as cancer risk; TSA doesn’t care

Posted by Seth on November 17, 2011 under News, Screening Management SOP, TSA | 7 Comments to Read

The European Union has issued a ruling this week prohibiting the use of one type of body-imaging scanners at airports. The ruling was handed down based on evidence that the machines are producing a type of ionizing radiation that would likely cause a small number of cancer cases in the passengers scanned. The EU has decreed that causing cancer in airline passengers is a step too far in the name of aviation security.

The TSA seems to disagree.

While not commenting directly on the topic the TSA spokesman indicated that all technology is rigorously tested and that only the most advanced technologies are used. But no direct comments on the fact that multiple scientific researchers claim the systems are harmful to passengers.

The same spokesman also noted this horribly depressing "success" statistic:

Since January 2010, advanced imaging technology has detected more than 300 dangerous or illegal items on passengers in U.S. airports nationwide.

I’m going to ignore, at least for the moment, that the TSA seems excited to claim credit for discovery of "illegal" items which are not a threat to aviation security and which is wholly outside the scope of their charter. Let’s pretend that every single one of the 300 items was actually a threat to aviation security. Even then, the numbers are only one detection every other day. That’s not actually all that many. Even more troubling, the statistic doesn’t reveal any details, particularly what specific threats were discovered and if they would have been discovered by a traditional metal detector. Odds are they would have been.

So we’ve got the TSA using hardware that increases the cancer risk in passengers at a level which is statistically significant enough that a block of major, developed nations has banned the gear. And they’re doing so to realize a diminutive number of "threats" of which many are actually nothing of the sort. And of which nearly all would have likely been similarly detected by the legacy equipment at a faster scanning rate.

But that’s OK, right? Because you’re probably not the passenger who is going to get cancer from their gear. That same gear that is supposedly "rigorously tested" and yet which the TSA initially wouldn’t release the test results for and which they had to re-test because of significant issues (not surprisingly the second set showed things to be much safer). Oh, and these same machines have the TSA employees concerned for their own safety as well.

So, yeah, I ask for the grope rather than subject myself to the nude-o-scope. At least I know that the agent feeling me up isn’t giving me cancer.

SSI only secret when it is convenient

Posted by Seth on November 12, 2011 under Screening Management SOP, Trip Reports, TSA | 6 Comments to Read

I know that expecting a consistent and coherent implementation of policy from the TSA is a pipe dream. Still, there are a few bits that it would seem it makes sense to keep consistent. Take the pseudo-secret Sensitive Security Information ("SSI") classification of documents, for example. This is a designation that generally requires a document to be kept away from public view as it is considered integral to TSA operations, though not quite secret enough that it really matters. Sort of.

All manner of information that probably shouldn’t be is covered under the SSI designation, allowing the TSA to avoid FOIA requests and to otherwise avoid scrutiny. And I’m sure there are reasonable things covered by the designation, too, such as the Screening Management SOP. Actually I know that one is covered because there was an enormous fiasco a little while back when the poorly redacted version was posted online in public view. Whoopsie.

So it stands to reason that the SSI designation actually has some teeth. Which makes me wonder why it is so poorly observed at the airport. Today’s trip out of LaGuardia was another great example of this lax implementation, with a document clearly marked as SSI sitting out in plain view of the passengers walking through the screening checkpoint. The document was the daily schedule for "unpredictable" random checks that the agents are supposed to do, such as swabbing passenger hands or checking additional bags more thoroughly. I can understand why you might not want folks generally seeing that, though it also shouldn’t really matter. Still, it is marked as such so I would assume that would be enforced. Today’s experience suggests otherwise.

After noticing the document on display I asked to speak with the supervisor on duty, just to point out that the SSI document probably shouldn’t be in public. His response was rather surprising. His claim was, essentially, that the SSI designation on that particular document didn’t really count because the schedule on it changes daily. And because it was on a clipboard it wasn’t really in public view since I wouldn’t have been able to walk away with it.

Neither of those explanations makes much sense at all, but that’s apparently how the TSA operates at LaGuardia when Steve is working as the lead TSO.

Why I will continue to travel, despite the TSA

Posted by Seth on November 23, 2010 under News, Screening Management SOP, Trip Reports, TSA | 3 Comments to Read

Part of me says that I should have seen this all coming. The TSA has been pretty good about demonstrating just how incompetent they are and their latest moves really are just a continuation of that trend. Still, I’ve found myself so completely dumbfounded over the past 3 weeks that I’ve not been able to form a coherent set of thoughts about just what specifically I find so objectionable. As National Opt-Out Day approaches tomorrow, however, I’m going to try.

It was about 50 weeks ago that I posted what I thought was a relatively tame post here on this blog: The TSA makes another stupid move. Just another example of the TSA being stupid, right? Actually, this one was worse than most. The story got some legs and before I knew it there were congressional hearings where I was excoriated as part of the problem (“Rest assured that we will hold the department to account”) while the Acting Director of the TSA sat there, smiled, declined to actually answer any of the questions posed and then went back to running the circus that is the TSA. Congress promised changes but no oversight of the agency materialized.

Fast forward 11 months and we’re dealing now with outrage and near revolt on the part of the passengers in many camps. The Director of the TSA has made statements effectively blaming us, the passengers, for causing the problems and reminding everyone that if they are delayed at security and miss their flight on Wednesday it is because other passengers have decided that being strip-searched was simply too much, not because the searches are happening.

I hear people say “Well, as long as it makes us safer,” as a justification for the searches. They do not. These searches are not based on any actionable intelligence report. They are based on random reactions to previous events and to extensive lobbying on the part of former DHS employees to score huge contracts to sell the strip-search machines.

I hear people suggest that doing it “Israel-style” will make us safer. Probably not, and even if it would our society is not willing to accept the costs – time or dollar – to go there. And we shouldn’t. The threats and the infrastructure being secured are very different.

Some airports (Orlando and Colorado Springs are the two most recent to suggest such) want the TSA out and replaced with private screeners. Sadly, however, the screening policies are still set by the TSA and ultimately it is these policies that cause the problems. Having transited security at SFO several times in the past couple years I can safely say that the private contractors performing the unreasonably invasive searches are no better than anyone else performing the same.

When I can walk through the checkpoint and see a document out in plain view labeled “Unpredictable Screening Checklist” complete with the details on what types of events are considered “unpredictable” and how often each TSO is expected to perform such there is something VERY wrong with the SOP. When I explain to the folks running the checkpoint that they probably shouldn’t have those documents in plain view they generally shrug and move them somewhere else that is still in plain view of the passengers.

Lots of people suggesting lots of things, except the obvious solution: hold the TSA accountable. Elected officials are only just now starting to consider suggesting that the TSA isn’t perfect. Doing so when it was not clear that the public was opposed to the TSA was political suicide as their opponents would campaign against them on that front. But now that there is some political cover – hard for there not to be as the TSA is groping passengers, adult and child alike – the politicians are finally starting to speak up. Not enough, yet, but the movement is afoot.

Here’s hoping the uproar continues. Here’s hoping that passengers see the TSA for what they really are. Here’s hoping that our country can finally choose to not live in fear. These will be my thoughts as I travel this week, knowing that I have the right to not be strip-searched just to get on an airplane.

I will fly proud, not afraid. I will not let anyone terrorize me, including my own government.

Bad policies, bad decisions and a terrible blunder at the TSA

Posted by Seth on February 21, 2010 under News, Screening Management SOP, TSA | Be the First to Comment

In a report that should come as no surprise to anyone following the story, the Department of Homeland Security Inspector General has blasted the Transportation Security Administration (TSA) for a series of failures that led to the disclosure of data classified as Sensitive Security Information (SSI) last December.  Among other things, the report identifies as “deficient” the TSA’s information handling policies.  Even more damning, however, are some of the details in the back-story that explain how the TSA managed to get themselves into the situation they were in.  Indeed, the whole issue stems from concerns about privacy and handling of personal data, something that the TSA has been blasted for in the past.  And while changes have been promised in response to the report, it remains to be seen if actual change can come from this event.

In prior years the TSA controlled public access to information that was considered SSI – whether redacted or not – through the use of a password-protected intranet site available only for potential bidders on projects associated with the documents. 

Prior to a 2007 solicitation for requests for proposals to implement privatized screening at the Key West Airport, TSA required potential vendors to sign a nondisclosure agreement before providing the SSI Screening Management SOPs via its SPPO web-board. The web-board controlled access via login/password to vendor personnel who had submitted a signed nondisclosure agreement.

TSA officials reported to us that over time, TSA’s Office of Privacy and the Office of Chief Counsel’s Information Law branch informed SPPO and the Office of Acquisitions (ACQ) that the program’s prior process for vetting vendors, which included completion of a nondisclosure agreement, violated their privacy rights. TSA does not have a Privacy Impact Assessment (PIA) in place for the collection of personally identifiable information provided through the nondisclosure agreements.

In other words, the TSA was inappropriately collecting information from potential vendors and was unable to assure those vendors that the information collected was being handled in a reasonable manner.  At this point the TSA had a choice to make: establish a PIA or stop collecting the information.  For reasons which are not particularly clear and which are not addressed in the report the TSA chose the latter.  They simply stopped collecting the information in question and stopped providing access to SSI documents associated with contracts that were up for bid.  This issue came to a head with the 2007 solicitation for security vendors in Key West.

…TSA released the solicitation to implement privatized screening at the Key West Airport with limited information, did not have vendors sign a nondisclosure agreement, and did not release the SSI Screening Management SOPs. After the contract award, one vendor that had proposed to undertake and perform these duties at Key West Airport conveyed to TSA that not having access to SSI Screening Management SOPs placed them at a disadvantage, as other vendors had those documents through previously signed nondisclosure agreements.

In reviewing the Key West solicitation, the Offices of Chief Counsel and ACQ determined that TSA provided too little information and risked receiving an award protest. The expressed view was that incumbent contractors who already possessed the Screening Management SOPs would have an unfair advantage.

That decision made to avoid the PIA led to the scenario where the bids solicited were uninformed and biased in favor of incumbent parties who had previously had access to the information.  Bad policy begat bad decisions which begat a terrible blunder.

The TSA made the decision at this point – mid 2008 – to produce a redacted version of the Screening Management SOP document so that they could distribute it to vendors.  This was, in theory, the best of both worlds.  The TSA would have the information available and would not have the issues associated with collecting personal information and the need for a PIA.  Unfortunately, however, the TSA failed to properly produce this document, resulting in the events of last December.

The instructions for producing such documents are pretty straightforward.  Indeed, the report includes a pretty picture that describes the process.  The key step comes in the box that is redacted in this image but that is described pretty clearly in the report itself:

“In <<Adobe Acrobat>> the key step to ensure that document contents cannot be either manipulated or retrievable is to check <<Apply Redaction>>.”

(N.B. – the bits inside the << >> marks are actually properly redacted in the original report.  I have inserted the text here based on a reasonably solid supposition as to what the contents likely are.  As someone who has worked with the tools in question and from reading the other content of the document it seems pretty likely that the above is correct.)

So, essentially, the error came because someone forgot to click on a checkbox.  It was furthered when that user chose to skip the second to last step in the flowchart, searching for known redacted content in the finished document.  Moreover, the document was returned to the Office of SSI for clarification of the header/footer that stated the document was still considered SSI.  At that time a new electronic document was produced following the same procedures as the first one, skipping the appropriate steps to correctly apply the redaction.
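The skipped check, searching the finished file for content that was supposed to be gone, can be automated before release. The sketch below is an added example, not part of the report or of any TSA procedure: the PDF fragments and the withheld phrase are constructed, and the parser is an assumption-laden minimum that reads only literal-string `Tj`/`TJ` text operators from uncompressed or Flate-compressed streams.

```python
"""Pre-release check: are "redacted" phrases still in the PDF text layer?"""
import re
import zlib

# PDF literal string "( ... )" with backslash escapes (nested parens not handled).
LITERAL = rb"\((?:\\.|[^\\()])*\)"
# Text-showing operators: "(text) Tj" and the kerned form "[(te) -20 (xt)] TJ".
SHOW_OP = re.compile(
    rb"(" + LITERAL + rb")\s*(?:Tj|'|\")"
    + rb"|\[((?:" + LITERAL + rb"|[^\]()])*)\]\s*TJ",
    re.S,
)
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
ESCAPE = re.compile(rb"\\(?:([0-7]{1,3})|(.))", re.S)
SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"\n": b""}


def _inflate(raw: bytes) -> bytes:
    """Return the stream body, inflating it if it is zlib/Flate data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw  # not compressed: treat as a plain content stream


def _unescape(literal: bytes) -> str:
    """Decode one PDF literal string, resolving \\n, \\(, octal escapes, etc."""
    def repl(m):
        if m.group(1):
            return bytes([int(m.group(1), 8) & 0xFF])
        return SIMPLE.get(m.group(2), m.group(2))
    return ESCAPE.sub(repl, literal[1:-1]).decode("latin-1")


def text_layer(pdf_bytes: bytes) -> str:
    """Every string the page content asks the viewer to draw, one per operator."""
    shown = []
    for stream in STREAM.finditer(pdf_bytes):
        for op in SHOW_OP.finditer(_inflate(stream.group(1))):
            if op.group(1):
                shown.append(_unescape(op.group(1)))
            else:  # TJ array: join the pieces, dropping the kerning numbers
                parts = re.findall(LITERAL, op.group(2))
                shown.append("".join(_unescape(p) for p in parts))
    return "\n".join(shown)


def _norm(text: str) -> str:
    return " ".join(text.split()).casefold()


def find_unapplied_redactions(pdf_bytes: bytes, redacted_phrases) -> list:
    """Phrases from the redaction list that can still be read out of the file."""
    layer = _norm(text_layer(pdf_bytes))
    return [p for p in redacted_phrases if _norm(p) in layer]


def _fragment(content: bytes, compress: bool) -> bytes:
    """Constructed single-object PDF fragment (no xref table; for this demo only)."""
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    head = b"%PDF-1.4\n4 0 obj\n<< " + filt
    head += b"/Length " + str(len(data)).encode() + b" >>\nstream\n"
    return head + data + b"\nendstream\nendobj\n%%EOF\n"


# --- Constructed sample input -------------------------------------------------
WITHHELD = ["Withheld sample phrase 4471"]
PUBLIC = rb"BT /F1 12 Tf 72 720 Td (Checkpoint notes \(public\)) Tj ET" + b"\n"
HIDDEN = b"BT /F1 12 Tf 72 700 Td [(With) -15 (held sample) 10 ( phrase 4471)] TJ ET\n"
BLACK_BOX = b"0 0 0 rg 72 696 220 16 re f\n"  # filled black rectangle

# Box drawn over the text, text operators left in place (redaction not applied).
OVERLAY_ONLY = _fragment(PUBLIC + HIDDEN + BLACK_BOX, compress=True)
# Redaction applied: the text operators are gone, only the box remains.
APPLIED = _fragment(PUBLIC + BLACK_BOX, compress=False)

if __name__ == "__main__":
    for name, doc in (("overlay only", OVERLAY_ONLY), ("applied", APPLIED)):
        leaks = find_unapplied_redactions(doc, WITHHELD)
        print(f"{name}: {'FAIL ' + repr(leaks) if leaks else 'ok'}")
```

A release gate built on this idea fails the document whenever the returned list is non-empty; a production check would use a full PDF library so that hex strings, embedded font encodings, metadata and annotations are covered as well.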

Particularly damning in the report is the Inspector General’s review of the TSA’s training for its employees in the handling of SSI documents.

After our review of [the (SSI) Awareness] training course, we determined that this training does not contain instruction on handling redacted SSI material, the process of consulting with SSI coordinators, or discussion of any other quality control steps prior to the release of redacted information outside of DHS.

It is not clear what the training does cover, but it doesn’t include anything about how to properly handle redacted material or to manage the release of the information to the public.  Not comforting at all for the traveling public that the TSA’s training doesn’t actually cover things that seem critical to the topic in question.

Another of the findings in the Inspector General report is interesting, especially in light of some of the comments made by Acting Secretary of the TSA, Gale Rossides.  Ms. Rossides testified during hearings before the House Subcommittee on Transportation Security and Infrastructure Protection that the leaked version was old and that many updated versions had been released in the interim months.  While this is almost certainly true it belies a readily apparent fact: the main substance of the document didn’t change all that much.  Indeed, the report suggests that over a span of 9 months – from the production of the original redacted version until the version was posted online – the “changes were determined to be insignificant” by the Screening Partnership Program Office and the same document was forwarded on to be included in the posting online.

Ultimately the failures associated with this document being published were many.  The TSA made a decision to avoid responsibility associated with a Privacy Impact Assessment.  An office worker chose to not follow the established process in creating a redacted document and also failed to check the document after producing it.  And the Agency missed at least one other opportunity to discover the error and resolve it.  As stated rather succinctly in the report:

We are concerned that an improperly redacted version of the SSI Screening Management SOPs passed through a number of TSA offices from June 7, 2008, to posting the document on FedBizOps.gov on March 3, 2009, and again on March 16, 2009, without any internal procedures to determine whether the document was redacted properly. As a result, TSA and department internal controls for reviewing, redacting, and coordinating the protection of SSI are deficient.

Getting called out by a Congressman

Posted by Seth on December 18, 2009 under Screening Management SOP, TSA | 2 Comments to Read

I must admit that being admonished by a Congressman has never been particularly high on my list of things to do.  I’ve generally tried to stay under the radar of Congress.  That all went out the window a couple weeks ago when the TSA’s Screening Management SOP document was published online with the supposedly redacted text still in the body.  I’ve been in contact with a number of Congressional staffers since then and have been trying to help them understand that this wasn’t the case of crazy hackers acting maliciously.  It is copy and paste.  Really quite simple.

I sat through about 90 minutes of hearings from the Subcommittee on Transportation Security and Infrastructure Protection on Wednesday, hoping to hear that the congressfolk were going to do something about this event.  Instead I was treated to nuggets like this one from Congressman Charles Dent (R-PA):

To those who repost this security information on the internet you should share in the blame should security be breached as a result of this disclosure. In the future I would ask that you please, please use the whistleblower process Congress has created for you. Call the department. Call the inspector general. Call Congress and its committees. But please do not circulate sensitive security documents. Rest assured that we will hold the department to account.

In essence he’s calling me out for sharing this document rather than using “internal” procedures to address the issue.  While I can understand the Congressman’s point – ideally truly secret information should never be made public – I must respectfully disagree with his thoughts on this topic.

Many minutes were spent throughout the hearing listening to TSA Acting Director Gale Rossides explain to the Congressmen that she would not provide them with copies of the current version of the SOP document even though she is bound by law to do so when requested.  She refused to provide a timeline under which such a delivery would be made.  It is quite humorous that Congressman Dent feels Congress can “hold the department to account” when the Agency shows no signs of actually respecting the rule of law.

The published version of the SOP contains many sections that were redacted seemingly out of convenience rather than a need to legitimately hide information.  Among other things, the Agency chose to hide the fact that their policies seem to be in violation of their own public policy on discrimination as well as international treaties and executive orders.  Is that a matter of actual security or hiding legal wrongdoing?

The TSA continues to hide their policies behind the veil of SSI while refusing to be held accountable to anyone for their behavior.  The Congressman may believe that the Agency can be controlled but all evidence thus far seems to prove otherwise.  In the meantime, it seems completely reasonable to me to continue to share when the Agency misbehaves.  Perhaps if more people did so they would actually be held accountable.

Congressional hearings about the TSA SOP debacle

Posted by Seth on December 16, 2009 under Screening Management SOP, TSA | 6 Comments to Read

Nothing like calling the boss onto the mat in front of Congress to get some answers when a mess happens in government.  Not that it is likely much will change – and certainly not quickly – but the Homeland Security Committee of the United States Congress held hearings this afternoon regarding the breach.  The hearings are entitled “Has the TSA Breach Jeopardized National Security?  An examination of What Happened and Why.”  Sadly, there is virtually zero chance of actually getting an answer to the questions, and even less of a chance that real change will come out of this.  Still, the government rolls slowly on.

After a full hour of testimony it does not appear that anyone – neither congressfolk nor TSA officials – actually understands the significance of what has happened.  The hour of testimony featured a couple rather pointed questions and they went unanswered.  I followed up with some public affairs folks regarding open inquiries I have and I was stonewalled.  And the most pressing questions simply were not asked.

Why was the document published?

A rather significant chunk of the discussion was focused on why the document was public at all.  Ignoring the redaction problems that came up that should be a non-issue.  Having the SOP in public is a good thing for the traveling public.  In fact, having all the screening SOPs out there is the only fair and reasonable way to treat the public.  The current approach treats all potential passengers as criminals and leaves them at the whim of the TSO they interact with at any particular moment.  Having the actual rules in the open would permit the public to actually know their rights and exercise them rather than be subjected to a power-tripping agent having a bad day.  Acting TSA Administrator Gale Rossides acknowledged that there are a dozen other SOP documents that the TSA currently uses for passenger screening operations.  All are considered SSI and therefore are more or less unknown to the public.

Despite media claims to the contrary the document is not a roadmap to anything.  Sure, there are a couple things that probably didn’t need to be out in the open, but they are not creating an inherently more dangerous travel environment at all.  Legitimate security doesn’t depend on the ignorance of those being policed.  It depends on well-trained folks responding to legitimate threats and acting on real intelligence information.  Sadly the TSA does not provide that and having this document out in public does not change that situation.

Moreover, the TSA has essentially committed to not using the Internet for dissemination of redacted documents in the future.  Any SSI document that needs to be shared with potential contractors will likely be held in a “reading room” or other similar facility at a TSA office.  This will increase the burden on the contractors trying to fill these contracts and provide no reasonable increase in security or any other palpable benefits to the American people.

Information lockdown

In a move that can only be described as knee-jerk and over-the-top Rossides testified that TSA has instituted a “full operational lockdown” regarding the further sharing of SSI information.  This lockdown applies to all documents containing SSI data.  Most troubling, this lockdown also includes a restriction on sharing the appropriate information with members of the Congressional committees that have oversight of the TSA.  Not only do they not want the public to see the documents, they also will not allow the congressmen and women who have a direct responsibility to review and understand the operations access to the current version of the SOP documents.

The TSA has held briefings and information sessions with congressional staffers and provided “access” in that way but no real access.  When pressed on this issue Rossides acknowledged that she was aware of the legal obligation the department was under to share such information but insisted that she could not do so at this time.  Congressman Dent (R-PA) pressed the Acting Director on this issue quite aggressively.  He suggested that the TSA was not willing to share the information because they felt congressfolks were likely to leak it or for some other similar reason.  He also noted that this is the first time such a request has not been affirmatively responded to in a timely manner.  Why now?  Why is this one different?  Rossides wouldn’t say, but she was insistent that such action was necessary. Equally troubling was that Congresswoman Jackson-Lee (D-TX) – the chair of the subcommittee – was supportive of the Acting Director’s decision to not provide the document in a timely manner.  It was not immediately clear why.

Targeting the wrong issues

A significant portion of the testimony focused on the IDs that were published in the document and what changes, if any, would need to be made to the IDs or processes surrounding them.  Sorry, Congresswoman Jackson-Lee, but you’re barking up the wrong tree on this one.  The pictures in the document were nowhere close to detailed enough to allow someone to make passable fakes from them.  And that isn’t even considering the part of the “layers of security” the TSA uses that never actually verifies that the person on the photo ID is really the person traveling or that the ticket is really valid.  Quite simply, checking IDs isn’t providing any security and even if it did someone desiring a fake would have better luck on Canal Street in New York City than dealing with those images.

Another significant line of questioning was focused on the use of contractors in the handling of SSI data inside the TSA.  Specifically, it seems that one of the folks at the heart of producing the document for publication was a contractor at the time it was posted online (he has since become a full-time employee).  Congresswoman Jackson-Lee was rather caught up on the idea that somehow there is a difference between a contractor and a full-time employee. There didn’t seem to be much rhyme or reason behind that distinction but she was more than willing to make it.  Several times.  Indeed, we can expect to see legislation in the new year restricting the handling of SSI from contractors.  So very, very unnecessary.

Who has the document?

Congressman James A. Himes (D-CT) was rather blunt in the one question he asked, “No organization doesn’t make mistakes.  The question is how well an organization learns from the mistakes.  Is anyone looking to see who has downloaded it?”  That’s right…forget about how it got out there, let’s focus on who is reading it and what we can do about that.  Other congressfolk have inquired about any potential legal recourse that can be pursued to force websites hosting the document to remove it.  That horse has already left the barn, but there’s no reason Congress can’t go out and start shooting horses randomly on the plains, or something like that.  Except that there is a VERY good reason they cannot.  It is 44 U.S.C. 3506(d)(4)(B).  It states:

With respect to information dissemination, each agency shall—

(4) not, except where specifically authorized by statute—
(B) restrict or regulate the use, resale, or redissemination of public information by the public;

That’s the truncated version of the code but it basically means that neither the TSA nor anyone else can do anything about it once the document is out in the open.  That hasn’t stopped the congressfolk from posturing but nothing will come of it.

In that same vein, the actual reply to Congressman Himes’s query was rather chilling.  Acting Director Rossides stated that the Department of Homeland Security’s Inspector General office – the same folks conducting the inquiry into the TSA’s publication of the document – has compiled a list of who downloaded the document from the Commerce Department website and that they are working to reconcile that list against other lists they might have.  They are also working on lists of who is hosting the document.  It isn’t entirely clear what these lists will be used for since possession and distribution of the document are completely legal, but the DHS is compiling lists, just in case. This is a rather disturbing admission on the part of the TSA and DHS.

When asked what could be done about the copies of the document that are floating about, the Acting Director offered the following suggestion: “I would hope out of their patriotic sense of duty to their fellow countrymen [people hosting copies] would take [the document] down.”  Good luck with that.  Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.

Two useful questions

Lest the above make it seem that the hearing did not address anything useful it is worth noting one specific line of questioning that appeared to catch the Acting Director a bit off-guard and to really drive to the point of the charade that the TSA seems to be playing with this event.  Congressman Emanuel Cleaver (D-MO) noted that, as is the case with any government document, the new versions build on the old versions.  So the fact that there have been six revisions since the redaction mistake came out might not really be significant.  The only reply that the Acting Director could muster is that the bulk of the information in the document is not SSI so that doesn’t really matter.

Congressman Cleaver also asked a very pointed question when Rossides noted that she felt the air travel system was safe.  Specifically he asked if she would have actually admitted in an open session that she thought the answer was no.  They parried a bit over words and there was never a “true” answer, but it definitely caught the Acting Director off-guard.

The Acting Director Responds

Acting Director Rossides made a couple statements during the hour-long session that suggested she might actually understand the gravity of the situation.  That, or she’s been in Washington long enough to know what to say.  Among the responses she offered:

I regret this occurred and take full responsibility for the mistake.  Our response was swift, decisive and comprehensive.  Passengers will fly safely…because of the layers of security in place.

We need better processes in place and tighter controls on how we handle sensitive information.  We’re going to have to make sure that we have designated personnel…who are trained and really truly understand.

The actions of one or a few can … seriously impact the credibility of the agency.

Perhaps most significant because of what it implies about the previous behavior of the agency, the Acting Director offered up this nugget: the agency has asked the National Security Agency (NSA) to come in and work with them.  The NSA has had documents published publicly for many years now explaining the importance of proper redaction and how to correctly accomplish it.  Now that they’ve messed it up once the TSA has apparently decided to ask the NSA to come in and teach them how to do redaction correctly.  It is great that they are finally (apparently) getting it right, but this has been a long time coming.

Ultimately the Congressional inquest does not appear to have had much effect on the behavior of the TSA.  They’re still doing whatever they want and even when pressed on the issues they simply decline to answer.  This is not good at all.

TSA backpedaling on the redacted SOP

Posted by Seth on December 9, 2009 under Screening Management SOP, TSA | 2 Comments to Read

On Monday the TSA made it very clear that the version of the Screening Management SOP that was posted to the fbo.gov website was not a version that was ever actually placed into active use.  This was part of the statement made on their blog on Monday:

The version of the document that was posted was neither implemented nor issued to the workforce. In fact, there have been six newer versions of the document since this version was drafted.

It seems that the words are changing, however, as other questions have cropped up suggesting that the TSA’s stance might be troubling for them.  Here’s what they’ve got in a statement on their webpage this afternoon:

This version of the document was not the everyday screening manual used by Transportation Security Officers at airport checkpoints. As TSA is constantly adapting to address evolving threats, there have been six newer versions of the procedures since the version posted was approved.

Note the ending of the two statements.  We’ve gone from “drafted” to “approved,” suggesting that the version on the internet was, in fact, in play at some point.  OK, I actually expected that to some extent.  I’m still waiting to hear what other backtracking they’ll be doing later on, and also if the Honorable David Heyman knows that he told a small fib during his testimony, suggesting that the document was no longer online at the fbo.gov webpage.  But, at least for now, they don’t seem to be on the hook for Contempt of Congress which was a very real risk based on the previous statements and being called to testify today.

If you’re interested in the testimony check it out here.  It starts around minute 72 of that video.

Congress takes TSA to task

Posted by Seth on December 9, 2009 under Screening Management SOP, TSA | 4 Comments to Read

As it so happens there were hearings scheduled for this morning in Congress for some TSA officials. Certainly they probably would have been much happier to discuss the White House party crashers – the original primary topic – than how a supposedly secret document wound up online for the world to read. Alas, it was not meant to be. Instead they faced down Senators grilling them about how the error occurred.

Watching the TSA folks squirm is interesting, though I’m still waiting for further pressure to come down regarding an answer about the potential that a FOIA response was inappropriate.

Related to the leak, an unknown number of TSA employees have been placed on leave pending the outcome of the internal investigation. Interesting how the TSA is willing to share details of their internal investigations when they think it will help to calm the masses but has not been willing to do so during previous events where there were questionable actions by their staff.

Watching the TSA SOP document leak story grow

Posted by Seth on December 9, 2009 under Screening Management SOP, TSA | 7 Comments to Read

I suppose that it was inevitable that the TSA would eventually fall on their face and do something like this.  “Secure” documents have a habit of slipping out every now and then and the TSA has been around long enough at this point that the odds were no longer in their favor.  What is interesting to me is how this particular action actually blossomed into a full-blown media event.  A TSO shows up to work with a gun in his pocket and the media eventually gets bored and walks away.  But this is a juicy one.  It has “secrets” in it and who doesn’t like discovering a secret? 

Watching the story grow through web statistics has been interesting for me over the past couple days.  This isn’t the first time I’ve posted about the TSA doing something stupid but it is most certainly the first time it has grown legs.  So just exactly how did it happen?  Here’s the timeline as best as I can recreate it.

Around 3pm on Saturday, December 5th a link was posted on FlyerTalk.com to the FBO.GOV website where there were details of a contract for screening services in Montana that had been out for bid (the FBO link is dead now; there is a cached copy here).  In that bid package there were a number of attachments including two different “redacted” copies of the TSA’s Screening Management SOP.  The copies were actually slightly different but the general content was substantially the same.  That post was out there for almost 24 hours before I stumbled upon it and decided to see what was in the document.  Three clicks later I was reading a “redacted” copy of the SOP, something that the TSA meant to put online.  About 10 minutes and a couple more clicks later, however, I was one of a couple folks who realized just what we were looking at and what the situation was.  It took me another hour to get a blog post together and at 4:16pm EST on Sunday afternoon the post went online.  

My blog doesn’t have all that many readers regularly so I’m honestly not really sure how it went from there.  What I do know is that someone thought it was worthy enough to put a link up on http://news.ycombinator.com/, a self-described “Hacker News” social media site.  From there the story made it to the Wired Threat Level blog as well as BoingBoing.net (two sites that I really enjoy, FWIW) and Jaunted.  On Monday The Register in the UK picked up the story as well, noting how foolish security through obscurity generally is in the process.  Chris Elliott, a syndicated travel writer, also picked up on it during a chat on Monday afternoon and posted a blurb about it on his blog.  US News & World Reports had a piece as well.

At that point the story probably could have died.  But it didn’t.  Tuesday saw the story picked up by SlashDot in the morning and Gothamist in the afternoon.  Fortunately the site is hosted by systems that can handle the resulting SlashDot effect and the blog has stayed online. 

And then, it went mainstream.  The Cleveland Plain-Dealer had an article out on the story on Tuesday afternoon.  ABC’s World News Tonight led off their broadcast with the story (and some really bad computer stock images).  The Washington Post followed up on the story as well.  That story was published late Tuesday evening online and is on the front page, below the fold, of today’s print edition.  The Associated Press put together a piece that was picked up by a number of outlets on Tuesday evening, including USAToday, Yahoo! and MSNBC.

Overnight Tuesday night/Wednesday morning the BBC got into the game and USAToday had an original piece in their Today in the Sky blog.  It was on page A22 of the dead tree edition of the NY Times, running the AP wire piece as well.

Yeah, to say that this one has legs is a bit of an understatement.

I’m sure I’ve missed a number of the sources covering the story at this point.  The good news is that this is out there.  Hopefully the correct questions are asked as a result of the leak and hopefully we can move towards a system that actually represents security rather than security theatre.  I’m not holding my breath.  Oh, and I’m still waiting to hear back from the TSA on a number of open questions about this issue.  Conversations with elected officials will be my next step as hopefully they can actually compel the TSA to answer the questions that they seem likely to brush me off on.

Felonious or just stupid? Time for the TSA to pick one.

Posted by Seth on December 8, 2009 under Screening Management SOP, TSA | 2 Comments to Read

I’m not a legal scholar.  I didn’t even stay in a Holiday Inn Express last night.  But I am pretty good about spotting what appears to be a felonious act, especially when it jumps off the computer screen and smacks you right in the face.  And after reading through the various non-responses from the TSA regarding this leak one bit seems to stand out more than the others.  The TSA appears to be playing down the breach in part because:

The version of the document that was posted was neither implemented nor issued to the workforce.

That’s the direct quote from the TSA’s blog entry regarding the matter.  The problem with that statement is that the document appears, in fact, to have been issued.  At least once.

In May 2009 the Identity Project posted on their website the results of a Freedom of Information Act (FOIA) request that they originally submitted in June 2008, right around the time that the document in question is dated.  The document that was returned in reply to the FOIA reads 100% the same as the document uncovered over the weekend.  It has the same revision number.  And it has the same date.  It is very, very difficult for me to believe that there is any way that the document previously released to the ID Project is not the exact same document that was published on the fbo.gov website and then found to have been improperly redacted.

[Screenshot: The FOIA document]
[Screenshot: The fbo.gov document]

What does that mean?

Either the TSA is lying about the fact that this document was never actually implemented or they issued a false reply to a FOIA request.  They’re stupid or felonious. I wonder which one.

I reached out to the TSA Public Affairs office and even tried to get an answer from their “breaking news” duty officer.  I didn’t get very far in either of those efforts.  But I know that a number of major news organizations are covering the story now and I’ve been feeding bits of information to a few of them.  Hopefully one or more of them will be able to push the TSA harder for a legitimate answer than I can.

(For those concerned about possibly having been exposed to SSI documents but reading here anyways, both bits above are considered public and not really SSI in any way.)
