Posted by Seth on April 22, 2010 under Trip Reports | 
Dear woman at JFK T7 this morning:
Thank you for coming back at the very last minute and claiming the random black carry-on bag that had been sitting unattended near the TSA lines. I was particularly impressed with the remorse and fear you showed to the Port Authority PD officer who was busy roping off the area and moving people away from the bag. But next time, don’t wander off from the bag for 10 minutes. That really isn’t cool.
To the TSA folks, thanks for mostly just standing there and staring at the bag and not dumping the terminal. I’m quite happy that I didn’t have to miss my flight.
The whole incident does raise an interesting point, though. Having a bunch of people just standing around 15 feet from a potential danger isn’t really all that helpful. Better than 5 feet, I suppose, but still not great. Then again, odds of such a scenario actually playing out are low enough that I don’t mind at all that we didn’t all have to clear the building.
Posted by Seth on April 5, 2010 under News |
Why, oh why, do the airlines make it so hard to figure out the pricing for a ticket? Yes, there are rules about what does and does not have to be included, but even that doesn’t seem to be enough to make things easy in most cases. I was doing some research on a flight recently and was presented with this fare display:
Yes, I picked the “$243” ticket but, no, none of the prices I was then presented actually were that number. The ticket is actually either $226.05 or $253.70, not $243. But that’s the advertised price. What gives?
Sadly, I actually know the answer. It has to do with which fees do and do not have to be included in the initial advertised fare since they can vary depending on the airports traversed in the USA. These Passenger Facility Charges are levied by the airports and used to help fund their operations and capital improvements. There are also the “September 11th Security Fee” that goes to pay for having the TSA harass passengers randomly and a per-segment flight tax that also goes to the federal government. Without knowing the final routing the PFCs and per-segment taxes cannot be reasonably computed.
But it still is ridiculous that airlines can have so many different “prices” when the only thing that customers really care about is the amount they pay out the door. It is a shame that the US-based carriers aren’t required to simply share the full price and that the US government actually makes it more complicated with the fees they charge rather than enforcing simpler rules.
Posted by Seth on February 21, 2010 under News, Screening Management SOP, TSA |
In a report that should come as no surprise to anyone following the story, the Department of Homeland Security Inspector General has blasted the Transportation Security Administration (TSA) for a series of failures that let to the disclosure of data classified as Sensitive Security Information (SSI) last December. Among other things, the report identifies as “deficient” the TSA’s information handling policies. Even more damning, however, are some of the details in the back-story that explain how the TSA managed to get themselves into the situation they were in. Indeed, the whole issue stems from concerns about privacy and handling of personal data, something that the TSA has been blasted for in the past. And while changes have been promised in response to the report, it remains to be seen if actual change can come from this event.
In prior years the TSA controlled public access to information that was considered SSI – whether redacted or not – through the use of a password-protected intranet site available only for potential bidders on projects associated with the documents.
Prior to a 2007 solicitation for requests for proposals to implement privatized screening at the Key West Airport, TSA required potential vendors to sign a nondisclosure agreement before providing the SSI Screening Management SOPs via its SPPO web-board. The web-board controlled access via login/password to vendor personnel who had submitted a signed nondisclosure agreement.
TSA officials reported to us that over time, TSA’s Office of Privacy and the Office of Chief Counsel’s Information Law branch informed SPPO and the Office of Acquisitions (ACQ) that the program’s prior process for vetting vendors, which included completion of a nondisclosure agreement, violated their privacy rights. TSA does not have a Privacy Impact Assessment (PIA) in place for the collection of personally identifiable information provided through the nondisclosure agreements.
In other words, the TSA was inappropriately collecting information from potential vendors and was unable to assure those vendors that the information collected was being handled in a reasonable manner. At this point the TSA had a choice to make: establish a PIA or stop collecting the information. For reasons which are not particularly clear and which are not addressed in the report the TSA chose the latter. They simply stopped collecting the information in question and stopped providing access to SSI documents associated with contracts that were up for bid. This issue came to a head with the 2007 solicitation for security vendors in Key West.
…TSA released the solicitation to implement privatized screening at the Key West Airport with limited information, did not have vendors sign a nondisclosure agreement, and did not release the SSI Screening Management SOPs. After the contract award, one vendor that had proposed to undertake and perform these duties at Key West Airport conveyed to TSA that not having access to SSI Screening Management SOPs placed them at a disadvantage, as other vendors had those documents through previously signed nondisclosure agreements.
In reviewing the Key West solicitation, the Offices of Chief Counsel and ACQ determined that TSA provided too little information and risked receiving an award protest. The expressed view was that incumbent contractors who already possessed the Screening Management SOPs would have an unfair advantage.
That decision made to avoid the PIA led to the scenario where the bids solicited were uninformed and biased in favor of incumbent parties who had previously had access to the information. Bad policy begat bad decisions which begat a terrible blunder.
The TSA made the decision at this point – mid 2008 – to produce a redacted version of the Screening Management SOP document so that they could distribute it to vendors. This was, in theory, the best of both worlds. The TSA would have the information available and would not have the issues associated with collecting personal information and the need for a PIA. Unfortunately, however, the TSA failed to properly produce this document, resulting in the events of last December.
The instructions for producing such documents are pretty straightforward. Indeed, the report includes a pretty picture that describes the process. The key step comes in the box that is redacted in this image but that is described pretty clearly in the report itself, “
In <<Adobe Acrobat>>
the key step to ensure that document contents cannot be either manipulated or retrievable is to check <<Apply Redaction>>. (N.B. – the bits inside the << >> marks are actually properly redacted in the original report. I have inserted the text here based on a reasonably solid supposition as to what the contents likely are. As someone who has worked with the tools in question and from reading the other content of the document it seems pretty likely that the above is correct.)
So, essentially, the error came because someone forgot to click on a checkbox. It was furthered when that user chose to skip the second to last step in the flowchart, searching for known redacted content in the finished document. Moreover, the document was returned to the Office of SSI for clarification of the header/footer that stated the document was still considered SSI. At that time a new electronic document was produced following the same procedures as the first one, skipping the appropriate steps to correctly apply the redaction.
Particularly damning in the report is the Inspector General’s review of the TSA’s training for its employees in the handling of SSI documents.
After our review of [the (SSI) Awareness] training course, we determined that this training does not contain instruction on handling redacted SSI material, the process of consulting with SSI coordinators, or discussion of any other quality control steps prior to the release of redacted information outside of DHS.
It is not clear what the training does cover but the fact that it doesn’t include anything about how to properly handle redacted material or to manage the release of the information to the public. Not comforting at all for the traveling public that the TSA’s training doesn’t actually cover things that seem critical to the topic in question.
Another of the findings in the Inspector General report is interesting, especially in light of some of the comments made by Acting Secretary of the TSA, Gale Rossides. Ms. Rossides testified during hearings before the House Subcommittee on Transportation Security and Infrastructure Protection that the leaked version was old and that many updated versions had been released in the interim months. While this is almost certainly true it belies a readily apparent fact: the main substance of the document didn’t change all that much. Indeed, the report suggests that over a span of 9 months – from the production of the original redacted version until the version was posted online – the “changes were determined to be insignificant” by the Screening Partnership Program Office and the same document was forwarded on to be included in the posting online.
Ultimately the failures associated with this document being published were many. The TSA made a decision to avoid responsibility associated with a Privacy Impact Assessment. An office worker chose to not follow the established process in creating a redacted document and also failed to check the document after producing it. And the Agency missed at least one other opportunity to discover the error and resolve it. As stated rather succinctly in the report:
We are concerned that an improperly redacted version of the SSI Screening Management SOPs passed through a number of TSA offices from June 7, 2008, to posting the document on FedBizOps.gov on March 3, 2009, and again on March 16, 2009, without any internal procedures to determine whether the document was redacted properly. As a result, TSA and department internal controls for reviewing, redacting, and coordinating the protection of SSI are deficient.
Related Posts
Posted by Seth on February 19, 2010 under News |
The State Department has published a proposed rule in the Federal Register announcing their intentions to change the rates charged for a number of consular services that they render around the world. Among these services are the issuance of passports and visas for travelers. Unsurprisingly, these fees are being increased to “ensure that fees for consular services reflect costs to the United States of providing the services.”
The Department conducted a study of their operational costs for a two year period, August 2007 through June 2009 and have concluded that they are not appropriately recovering the costs for performing these activities through the fees they are charging to the public. The issuance of passports, visas and other consular services is based on the following principle:
[E]ach recipient should pay a reasonable user charge for government services, resources, or goods from which he or she derives a special benefit, at an amount sufficient for the U.S. Government to recover the full costs to it of providing the service, resource, or good
For the most part the fee changes are trivial. The cost for a new or renewed Passport Book is increasing by $35 to $110. That is a 46% increase and the new number breaks a somewhat mythical $100 barrier, but the total dollar amount difference is still tolerable in most regards. Of this increase, $20 is attributed to the increased costs of producing the passport books with increased biometric capabilities. These are the RFID chip passports that the US Government has been issuing for about four years now. They are the same passport books that have been the subject of controversy for at least two years. Passport books that are being sold to the Department of State at a huge markup from the actual production costs – a full 100% – and now the State Department has decided to finally account for that largesse. By passing the costs on to the consumer.
Similarly the costs for issuance of Passport Cards are increasing, but not nearly as significantly nor in a manner that actually covers the production costs. Based on the reasoning that, “the card is intended to be a substantially less expensive document than the passport book, for the convenience of citizens who live close to land borders and cross back and forth frequently,” the Passport Card fee is increasing to only $30, well below the cost of about $77. It is worth noting that the cost-basis for Card and the Book are calculated to be different numbers even though both documents are issued based on the same credentials. Gotta love government math.
I’ve previously documented some of the adventures I’ve gone through trying to get extra visa pages in my passport and at least I could take solace in the fact that I was only out time to make that happen. That will change in a big way as part of the proposed changes. Having additional pages inserted into passports apparently doesn’t happen particularly frequently. The expectation is that there will be only 218,000 requests for this service in Fiscal Year 2010 compared to 11.9MM passport books and 1.56MM passport cards issued. Apparently this rarity contributes to the costs of performing the actions. The new fee for this service will ring in at $82 per instance.
[T]he cost of the pages themselves, of having the pages placed in the book in a secure manner by trained personnel, and of completing the required security checks results in a cost to the U.S. Government of $82.48 based on a projected FY10 workload of 218,000. Therefore, the Department will charge $82 for this service.
I can’t figure out which bit actually costs so much. The pages shouldn’t be too expensive as they don’t have the RFID chip that makes the book cost so much. And the “security checks” shouldn’t be much more than swiping the passport like at immigration to make sure that it is still valid and hasn’t been reported lost or something similar. Yet the cost is increasing dramatically. Not good at all.
The most significant dollar amount change for any service is that for the renunciation of citizenship. This process used to be fee-free for folks seeing citizenship elsewhere. It will now ring in at $450. Yikes!
Like many other things the government does these days the fee increases are repeatedly labeled as based on increased costs to comply with “security” changes instituted by Congress. There are “increased costs related to new passport agencies serving border communities,” “costs of increased border security,” and “costs of the enhanced security screening requirements associated with fingerprint collection.” Even worse, is this claim with respect to the increased costs for Passport Book issuance:
[T]his fee incorporates the costs of meeting the increased demand for passports as a result of actions taken to comply with section 7209(b) of the Intelligence Reform and Terrorism Prevention Act of 2004, Public Law 108-458 (reproduced at 8 U.S.C. 1185 note).
In other words, the government is requiring all citizens to use passports for travel because of the Western Hemisphere Travel Initiative (WHTI) rules. And those rules mean that more folks will need passports. Yet the cost to produce the passports isn’t going down as the volume increases. In fact, the per unit processing cost somehow managed to increase. That seems quite backwards from the way things work in the rest of the world.
The worst part of all these fees is that encouraging global travel amongst its citizens is a good thing for the country. Insularity and ignorance of global cultures are bad things for any society. And now the US Government has decided – again – to make it even harder for folks to overcome those limits. Bummer.
Related Posts
Posted by Seth on January 4, 2010 under News, Screening Management SOP, TSA |
Gotta love an Agency that can managed to violate their own rules when creating rules. I suppose if they never bothered to publically state either of the two contradicting policies they’d be fine. And up until the unredacted Screening Checkpoint SOP document turned up last month at least one of the policies was not particularly well known. This week, however, the TSA has issued a new directive (anyone taking bets on how long until a full copy is leaked or subpoenas served to the reporters??) as part of their follow-up to the failed bombing attempt on Christmas day. And the new policies are in violation of their own policies.
The new policy, according to several sources, requires that passengers originating from one of 14 countries are subject to a full search of their carry-on luggage and a pat-down when boarding flights bound for the United States. This policy is eerily similar to Section 2A-2 (C) (1) (b) (iv) of the Screening Checkpoint SOP. That section dictates that passengers presenting a passport from one of twelve countries be subjected to a full secondary screening (essentially the same bag check and pat-down). The main difference is the addition of two countries to the list, Saudi Arabia and Pakistan. And the rule now definitely applies at foreign ports rather than at TSA checkpoints.
The problem with this policy is that it violates the TSA’s stated Civil Rights Policy. That policy suggests that
[T]he public we serve are to be treated in a fair, lawful, and nondiscriminatory manner, without regard to … national origin.
So you’re not going to be subject to discriminatory screening based on national origin, unless you happen to be from one of 14 specific countries and then you will. Glad that they’ve cleared up that confusion.
On the plus side, the pat-downs conducted at most foreign checkpoints are much more thorough thatn the TSA-administered ones. Just this morning in Barcelona I watched a woman receive a rather thorough search at the WTMD that identified metal around her breasts and forced her to actually pull the necklace out from under her shirt to show the screening officer. I’m not so sure that such a thorough check would ever happen in the lawsuit-happy USA.
Still, the policy doesn’t really address the main issue at hand. The TSA is constantly fighting the last war rather than looking to the next one. Their “intelligence” appears to be a rather unfortunate joke of a system. And there are insufficient resources – time, cash, human and space – to reasonably provide 100% manual screening. Besides, it isn’t necessary. The key is in having the appropriate information and acting on it in advance, not after the fact. IATA Director General Giovanni Bisignani, a man who knows a thing or two about air travel, sums the situation up quite clearly:
Instead of looking for bad things—nail clippers and rogue bottles of shampoo—security systems need to focus on finding bad people. …
Adding new hardware to an old system will not deliver the results we need. It is time for governments to invest in a process built around a check point of the future that combines the best of screening technology with the best of intelligence gathering. Such a system would give screeners access to important passenger data to make effective risk assessments
But that hasn’t stopped the TSA, Canada’s CATSA or the UK’s DfT from trotting out plans to increase the use of Whole Body Imaging – aka Strip Search – machines around the globe. Fighting the wrong fight in an expensive and inappropriate manner. Thanks, government. You’re real great there.
Related Posts
Update (1/5/2010 12:07am EST): Couple small typos in the original post that changed the meaning of a few key phrases. Whoopsie.
Posted by Seth on January 1, 2010 under TSA |
I really wish that these stories would stop cropping up. Don’t get me wrong – they give me something to write about – but they are truly depressing when I realize that these are the folks I entrust my live with a hundred times every year. I know that the numbers are still very much in my favor, but it is really quite sad that they are able to continue to operate like this.
The failure today comes in the form of another PDF document containing SSI that has been published online without the appropriate redaction applied. Last time this happened there were hearings and a decent amount of general outrage. Here’s hoping that something similar happens again. Actually, here’s hoping that something more happens this time. It would be nice to see the Acting Director of the TSA actually required to answer questions rather than to simply say that she’ll get back to the folks driving the inquest. It would be nice to hear that the organization will actually be held responsible rather than simply allowing the talking head to say that she is taking full responsibility, government speak for nothing will happen.
The document in question this time is a ruling from the US Merit Systems Protection Board. These are the folks responsible for handling whistleblower claims from government employees and ruling on whether the claimant actually has a case against the government. In this particular case the case is about a TSA employee responsible for testing the checked baggage screening procedures at airports around the country. He made a claim that a change to the screening procedure would negatively affect the safety of the traveling public and was reprimanded. The TSA claims that the reprimand was for other failures in his job, not for the claims made about the changes to the screening process.
The meat of the case is actually rather boring and reading the document is somewhat sleep inducing. Still, there are a number of bits that are listed as SSI and that are “redacted” in the same manner as the last document was. A black box was drawn over the affected text but the underlying text was not removed from the document. Reading the original text is a trivial matter; it does not require any special computer ‘hacker” skills.
What is important in this document is that it clearly outlines some of the policies that the TSA uses to define the screening of checked bags. It describes the process and frequency with with bags will be swabbed for traces of explosive residues (ETD check) and what the follow-on actions are should the test come back positive. Most notably, it describes situations where a positive ETD might not require further inspection. Properly redacted this information wouldn’t be there.
Ironically, the initial action came about because the TSA agent thought that the changes to the search policies were decreasing the safety of the traveling public. Through their failed PDF skills the government has ensured such an outcome.
The document is dated May 4, 2009. It is not clear if the procedures described are from that time-frame or from around 2007. If the latter we will almost certainly hear the TSA claim that there is no risk because the policies have changed several times since this information was in play. But they always build on previous versions of their SOP so it isn’t possible for us to really know just how much of the “redacted” policies are still in play.
You’ve failed again, TSA. How many more times can we expect this to happen before true, positive change comes to the organization? Why are you gambling with my life?
Related Posts
Posted by Seth on December 28, 2009 under News, TSA |
Of course the TSA decides to change the rules on me when I’m thousands of miles from home. Just like last time. I was quite happily enjoying my honeymoon, diving off the coast of Palau in August 2006 when the liquids ban went into effect. It was a mess, to be certain, but we survived. That “temporary” measure has had legs so news of this new “temporary” set of rules so soon on its heels was certainly worrisome. And all that much more confusing since there are tons of rumors floating around, very few hard facts and I’m quite far from home with a slew of flights coming up in the next week.
The lack of solid information is probably the worst part. The TSA managed to come up with a set of rules that can be defied by any 4 year old who has learned to read a wrist watch or look out the window to see when the land shows up again. Or, you know, listens to the flight attendants make the announcement that there is only one hour of flight left so no getting out of your seat. Yeah, that is really hard to counteract. And not only have they come up with these ridiculous rules, they seem to be changing their mind with great frequency.
There have been reports of no carry-on bags of any sort (WestJet flights from Canada), no laptops at all throughout the flight (likely just overzealous flight attendants) and just no in-flight entertainment systems if there is live TV or maps for flights headed to the United States. Glad that is so clear. Like mud.
Then, around 10 EST on the 28th, more than 48 hours before the TSA Security Directive was set to expire jetBlue reported in their twitter feed that “We’re pleased to say that our LiveTV service has resumed on JetBlue flights. Happy Channel Surfing!” Sounds like having live television and maps in flight is no longer banned.
I know that the TSA like the idea of keeping the public guessing but at some point you really have to tell folks what to expect so they know what they are getting themselves into when they travel. Changing the rules every 30 minutes doesn’t actually create a secure environment. Having reasonable rules does.
So when a guy’s father rats him out to the FBI as being a loose cannon with homicidal tendencies and extremist views, maybe he shouldn’t be getting on airplanes. Or at least he should be subject to additional screening. Instead the watch list has my neighbor’s wife on it. I’m pretty certain she’s not going to cause any trouble.
Using the Whole Body Imaging (WBI) machines on everyone isn’t the answer. There is no need to subject every passenger to a strip search simply to get on the plane. Systems exist today to detect traces of explosive residue. They are used all over the world, including at every TSA checkpoint. Remember that the goal is to find unstable people with weapons. There are plenty of ways to do that without exposing every passenger, either to undue risk or to the screeners.
But the TSA definitely needs to get its act together. They look like a bunch of amateurs running around here “reacting” to the new situation at hand. Yes, there should be a reaction, but not a knee-jerk one. If you have to change it so quickly because you realize what idiots you look like odd are you did something wrong to begin with.
Posted by Seth on December 18, 2009 under Screening Management SOP, TSA |
I must admit that being admonished by a Congressman has never been particularly high on my list of things to do. I’ve generally tried to stay under the radar of Congress. That all went out the window a couple weeks ago when the TSA’s Screening Management SOP document was published online with the supposedly redacted text still in the body. I’ve been in contact with a number of Congressional staffers since then and have been trying to help them understand that this wasn’t the case of crazy hackers acting maliciously. It is copy and paste. Really quite simple.
I sat through about 90 minutes of hearings from the Subcommittee on Transportation Security and Infrastructure Protection on Wednesday, hoping to hear that the congressfolk were going to do something about this event. Instead I was treated to nuggets like this one from Congressman Charles Dent (R-PA):
To those who repost this security information on the internet you should share in the blame should security be breached as a result of this disclosure. In the future I would ask that you please, please use the whistleblower process congress has created for you. Call the department. call the inspector general. Call congress and its committees. But please do not circulate sensitive security documents. Rest assured that we will hold the department to account.
In essence he’s calling me out for sharing this document rather than using “internal” procedures to address the issue. While I can understand the Congressman’s point – ideally truly secret information should never be made public – I must respectfully disagree with his thoughts on this topic.
Many minutes were spent throughout the hearing listening to TSA Acting Director Gale Rossides explain to the Congressmen that she would not provide them with copies of the current version of the SOP document even though she is bound by law to do so when requested. She refused to provide a timeline under which such a delivery would be made. It is quite humorous that Congressman Dent feels Congress can “hold the department to account” when the Agency shows no signs of actually respecting the rule of law.
The published version of the SOP contains many sections that were redacted seemingly out of convenience rather than a need to legitimately hide information. Among other things, the Agency chose to hide the fact that their policies seem to be in violation of their own public policy on discrimination as well as international treaties and executive orders. Is that a matter of actual security or hiding legal wrongdoing?
The TSA continues to hide their policies behind the veil of SSI while refusing to be held accountable to anyone for their behavior. The Congressman may believe that the Agency can be controlled but all evidence thus far seems to prove otherwise. In the meantime, it seems completely reasonable to me to continue to share when the Agency misbehaves. Perhaps if more people did so they would actually be held accountable.
Related Posts
Posted by Seth on December 16, 2009 under New York, Screening Management SOP, TSA |
Nothing like calling the boss onto the mat in front of Congress to get some answers when a mess happens in government. Not that it is likely much will change – and certainly not quickly – but the Homeland Security Committee of the United States Congress held hearings this afternoon regarding the breach. The hearings are entitled “Has the TSA Breach Jeopardized National Security? An examination of What Happened and Why.” Sadly, there is virtually zero chance of actually getting an answer to the questions, and even less of a chance that real change will come out of this. Still, the government rolls slowly on.
After a full hour of testimony it does not appear that anyone – neither congressfolk nor TSA officials – actually understand the significance of what has happened. The hour of testimony featured a couple rather pointed questions and they went unanswered. I followed up with some public affairs folks regarding open inquiries I have and I was stonewalled. And the most pressing questions simply were not asked.
Why was the document published?
A rather significant chunk of the discussion was focused on why the document was public at all. Ignoring the redaction problems that came up that should be a non-issue. Having the SOP in public is a good thing for the traveling public. In fact, having all the screening SOPs out there is the only fair and reasonable way to treat the public. The current approach treats all potential passengers as criminals and leaves them at the whim of the TSO they interact with at any particular moment. Having the actual rules in the open would permit the public to actually know their rights and exercise them rather than be subjected to a power-tripping agent having a bad day. Acting TSA Administrator Gale Rossides acknowledged that there are a dozen other SOP documents that the TSA currently uses for passenger screening operations. All are considered SSI and therefore are more or less unknown to the public.
Despite media claims to the contrary the document is not a roadmap to anything. Sure, there are a couple things that probably didn’t need to be out in the open, but they are not creating an inherently more dangerous travel environment at all. Legitimate security doesn’t depend on the ignorance of those being policed. It depends on well-trained folks responding to legitimate threats and acting on real intelligence information. Sadly the TSA does not provide that and having this document out in public does not change that situation.
Moreover, the TSA has essentially committed to not using the Internet for dissemination of redacted documents in the future. Any SSI document that needs to be shared with potential contractors will likely be held in a “reading room” or other similar facility at a TSA office. This will increase the burden on the contractors trying to fill these contracts and provide no reasonable increase in security or any other palpable benefits to the American people.
Information lockdown
In a move that can only be described as knee-jerk and over-the-top Rossides testified that TSA has instituted a “full operational lockdown” regarding the further sharing of SSI information. This lockdown applies to all documents containing SSI data. Most troubling, this lockdown also includes a restriction on sharing the appropriate information with members of the Congressional committees that have oversight of the TSA. Not only do they not want the public to see the documents, they also will not allow the congressmen and women who have a direct responsibility to review and understand the operations access to the current version of the SOP documents.
The TSA has held briefings and information sessions with congressional staffers and provided “access” in that way but no real access. When pressed on this issue Rossides acknowledged that she was aware of the legal obligation the department was under to share such information but insisted that she could not do so at this time. Congressmen Dent (R-PA) pressed the Acting Director on this issue quite aggressively. He suggested that the TSA was not willing to share the information because they felt congressfolks were likely to leak it or for some other similar reason. He also noted that this is the first time such a request has not been affirmatively responded to in a timely manner. Why now? Why is this one different? Rossides wouldn’t say, but she was insistent that such action was necessary. Equally troubling was that Congresswoman Jackson-Lee (D-TX) – the chair of the subcommittee – was supportive of the Acting Director’s decision to not provide the document in a timely manner. It was not immediately clear why
Targeting the wrong issues
A significant portion of the testimony focused on the IDs that were published in the document and what changes, if any, would need to be made to the IDs or processes surrounding them. Sorry, Congresswoman Jackson-Lee, but you’re barking up the wrong tree on this one. The pictures in the document were nowhere close to detailed enough to allow someone to make passable fakes from them. And that isn’t even considering the part of the “layers of security” the TSA uses that never actually verifies that the person on the photo ID is really the person traveling or that the ticket is really valid. Quite simply, checking IDs isn’t providing any security and even if it did someone desiring a fake would have better luck on Canal Street in New York City than dealing with those images.
Another significant line of questioning was focused on the use of contractors in the handling of SSI data inside the TSA. Specifically, it seems that one of the folks at the heart of producing the document for publication was a contractor at the time it was posted online (he has since become a full-time employee). Congresswoman Jackson-Lee was rather caught up on the idea that somehow there is a difference between a contractor and a full-time employee. There didn’t seem to be much rhyme or reason behind that distinction but she was more than willing to make it. Several times. Indeed, we can expect to see legislation in the new year restricting the handling of SSI from contractors. So very, very unnecessary.
Who has the document?
Congressman James A. Himes (D-CT) was rather blunt in the one question he asked, “No organization doesn’t make mistakes. The question is how well an organization learns from the mistakes. Is anyone looking to see who has downloaded it?” That’s right…forget about how it got out there, let’s focus on who is reading it and what we can do about that. Other congressfolk have inquired about any potential legal recourse that can be pursued to force websites hosting the document to remove it. That horse has already left the barn, but there’s no reason Congress can’t go out and start shooting horses randomly on the plains, or something like that. Except that there is a VERY good reason they cannot. It is 44 U.S.C. 3506(d)(4)(B). It states:
With respect to information dissemination, each agency shall—
(4) not, except where specifically authorized by statute—
(B) restrict or regulate the use, resale, or redissemination of public information by the public;
That’s the truncated version of the code but it basically means that the neither the TSA nor anyone else can do anything about it once the document is out in the open. That hasn’t stopped the congressfolk from posturing but nothing will come of it.
In that same vein, the actual reply to Congressman Himes’s query was rather chilling. Acting Director Rossides stated that The Department of Homeland Security’s Inspector General office – the same folks conducting the inquiry into the TSA’s publication of the document – has compiled a list of who downloaded the document from the Commerce Department website and that they are working to reconcile that list against other lists they might have. They are also working on lists of who is hosting the document. It isn’t entirely clear what these lists will be used for since possession and distribution of the document is completely legal, but the DHS is compiling lists, just in case. This is a rather disturbing admission on the part of the TSA and DHS.
When asked what could be done about the copies of the document that are floating about the Acting Director offered the following suggestion: “I would hope out of their patriotic sense of duty to their fellow countrymen [people hosting copies] would take [the document] down. Good luck with that. Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.
Two useful questions
Lest the above make it seem that the hearing did not address anything useful it is worth noting one specific line of questioning that appeared to catch the Acting Director a bit off-guard and to really drive to the point of the charade that the TSA seems to be playing with this event. Congressman Emanuel Cleaver (D-MO) noted that, as is the case with any government document, the new versions build on the old versions. So the fact that there have been six revisions since the redaction mistake came out might not really be significant. The only reply that the Acting Director could muster is that the bulk of the information in the document is not SSI so that doesn’t really matter.
Congressman Cleaver also asked a very pointed question when Rossides noted that she felt the air travel system was safe. Specifically he asked if she would have actually admitted in an open session that she thought the answer was no. They parried a bit over words and there was never a “true” answer, but it definitely caught the Acting Director off-guard.
The Acting Director Responds
Acting Director Rossides made a couple statements during the hour-long session that suggested she might actually understand the gravity of the situation. That, or she’s been in Washington long enough to know what to say. Among the responses she offered:
I regret this occurred and take full responsibility for the mistake. Our response was swift, decisive and comprehensive. Passengers will fly safely…because of the layers of security in place.
We need better processes in place and tighter controls on how we handle sensitive information. We’re going to have to make sure that we have designated personnel…who are trained and really truly understand.
The actions of one or a few can … seriously impact the credibility of the agency.
Perhaps most significant because of what it implies about the previous behavior of the agency, the Acting Director offered up this nugget: the agency has asked the National Security Agency (NSA) to come in and work with them. The NSA has had documents published publicly for many years now explaining the importance of proper redaction and how to correctly accomplish it. Now that they’ve messed it up once the TSA has apparently decided to ask the NSA to come in and teach them how to do redaction correctly. It is great that they are finally (apparently) getting it right, but this has been a long time coming.
Ultimately the Congressional inquest does not appear to have had much affect on the behavior of the TSA. They’re still doing whatever they want and even when pressed on the issues they simply decline to answer. This is not good at all.
Related Posts
Posted by Seth on December 9, 2009 under Screening Management SOP, TSA |
On Monday the TSA made it very clear that the version of the Screening Management SOP that was posted to the fbo.gov website was not a version that was ever actually placed into active use. This was part of the statement made on their blog on Monday:
The version of the document that was posted was neither implemented nor issued to the workforce. In fact, there have been six newer versions of the document since this version was drafted.
It seems that the words are changing, however, as other questions have cropped up suggesting that the TSA’s stance might be troubling for them. Here’s what they’ve got in a statement on their webpage this afternoon:
This version of the document was not the everyday screening manual used by Transportation Security Officers at airport checkpoints. As TSA is constantly adapting to address evolving threats, there have been six newer versions of the procedures since the version posted was approved.
Note the ending of the two statements. We’ve gone from “drafted” to “approved,” suggesting that the version on the internet was, in fact, in play at some point. OK, I actually expected that to some extent. I’m still waiting to hear what other backtracking they’ll be doing later on, and also if the Honorable David Heyman knows that he told a small fib during his testimony, suggesting that the document was no longer online at the fbo.gov webpage. But, at least for now, they don’t seem to be on the hook for Contempt of Congress which was a very real risk based on the previous statements and being called to testify today.
If you’re interested in the testimony check it out here. It starts around minute 72 of that video.
Related Posts
Posted by Seth on December 9, 2009 under Screening Management SOP, TSA |
As it so happens there were hearings scheduled for this morning in Congress for some TSA officials. Certainly they probably would have been much happier to discuss the White House party crashers – the original primary topic – than how a supposedly secret document wound up online for the world to read. Alas, it was not meant to be. Instead they faced down Senators grilling them about how the error occurred.
Watching the TSA folks squirm is interesting, though I’m still waiting for further pressure to come down regarding an answer about the potential that a FOIA response was inappropriate.
Related to the leak, an unknown number of TSA employees have been placed on leave pending the outcome of the internal investigation. Interesting how the TSA is willing to share details of their internal investigations when they think it will help to calm the masses but that they have not been during previous events where there were questionable actions by their staff.
