August 31, 2016

avatar

Secure Flight Mothballed

Secure Flight, the planned next-generation system for screening airline passengers, has been mothballed by the Transportation Security Administration, according to an AP story by Leslie Miller. TSA chief Kip Hawley cited security concerns and questions about the program’s overall direction.

Last year I served on the Secure Flight Working Group, a committee of outside technology and privacy experts asked by the TSA to give feedback on Secure Flight. After hearing about plans for Secure Flight, I was convinced that TSA didn’t have a clear idea of what the program was supposed to be doing or how it would work. This is essentially what later government studies of the program found. Here’s the AP story:

Nearly four years and $200 million after the program was put into operation, Hawley said last month that the agency hadn’t yet determined precisely how it would work.

Government auditors gave the project failing grades – twice – and rebuked its authors for secretly obtaining personal information about airline passengers.

The sad part of this is that Secure Flight seems to have started out as a simpler program that would have made sense to deploy.

Today, airlines are given a no-fly list and a watch-list, which they are asked to check against their passenger lists. There are obvious security drawbacks to distributing the lists to airlines – a malicious airline employee with access to the lists could leak them to the bad guys. The 9/11 Commission recommended keeping the lists within the government, and having the government check passengers’ names against the lists.

A program designed to do just that would have been a good idea. There would still be design issues to work out. For example, false matches are now handled by airline ticket agents, but that function would probably have to moved into the government too, which would raise some logistical issues. There would be privacy worries, but they could be handled with good design and oversight.

Instead of sticking to this more modest plan, Secure Flight became a vehicle for pie-in-the-sky plans about data mining and automatic identification of terrorists from consumer databases. As the program’s goals grew more ambitious and collided with practical design and deployment challenges, the program lost focus and seemed to have a different rationale and plan from one month to the next.

What happens now is predictable. The program will officially die but will actually be reincarnated with a new name. Congress has directed TSA to implement a program of this general type, so TSA really has no choice but to try again. Let’s hope that this time they make the hard choices they avoided last time, and end up with a simpler program that solves the easier problems first.

(Fellow Working Group member Lauren Gelman offers has a similar take on this story. Another member, Bruce Schneier, has also blogged extensively about Secure Flight.)

Comments

  1. avatar the zapkitty says:

    Having just read an MPAA mouthpiece reiterating the same old “This is really for your benefit!” crap…

    http://www.digitmag.co.uk/features/index.cfm?FeatureID=1413

    … I couldn’t help but wonder when the government will start saying “If you don’t let us data mine the hell out of your personal life, then the terrorists will!”

  2. I am surprised you think a no-fly list could work. Would not the only folks without fake ID be law abiding citizens? The false positive rate has already been show excessive. Further, folks are placed on the list without a warrant for their arrest existing. News stories exist about toddlers, nuns, and Ted Kennedy being detaind or delayed by the no-fly list. I fail to see these problems subsiding by simply making access to the list itself more secure.

  3. cdmiller:
    Moving the list checking task to the government would not, by itself, help with the false positive issue as you point out. The main thing it protects against is that the
    list (which is sensitive information) would not have to be disseminated to the airlines. As Ed points out, there are several privacy and logistical issues that would have to be addressed if the TSA were to adopt such a scheme.

  4. My name (as stated in my passport) has non-ASCII characters in it, and once upon a time when they had the directive to check character-for-character match between ticket and passport (presumably to enable relying on data mining ticket information alone), some foreign-language-challenged security person made a big fuss of not letting me through. (Never mind the whole non-US world has non-ASCII characters.) The saving grace of the moment was that my passport has a machine readable part that spells out the ASCII transliteration of my name, and he was content with that. I’m still unsure whether he was being semi-reasonable, or the whole thing was a butt-covering activity, and he was happy to have an excuse to let me through without a major commotion.

  5. My question is why haven’t we heard from anyone on the list who’s NOT a false positive, just a person falsely labeled as a terrorist? The legal issue here is obvious.

    We may be better off if we subjected people who match the list to the kind of “random screening” that we used earlier. It’d be annoying, but not nearly as bad as refusing to issue a normal person (or infant) a boarding pass. They need a reasonable way to let someone through as a false positive.

    Photos or descriptions with each name could also help that process.

  6. @V,

    There are two lists: the no-fly list and the watchlist. People on the no-fly list aren’t given boarding passes. People on the watchlist get designated for secondary search (the extra pat-down, wanding, and/or bag search) every time.

    In practice, if somebody matches the no-fly list, they have to go to the ticket counter to check in, and the ticket agent decides whether it’s a false positive. So many false positives end up getting to fly after some extra hassle. Some people have to go through this every time they fly.

    Part of Secure Flight was to have been a recourse procedure by which a person who repeatedly triggered false positives could get put on a special exception list, saying that they were okay. As far as I know, the recourse procedure has not been implemented yet.

  7. The best summary of secure flight that I heard was: “So, these people are too dangerous to be allowed to fly yet safe enough to be allowed to roam free and buy shotguns at WalMart?”

  8. The no-fly list is utterly misleading. Frankly, I couldn’t careless who I sit next to on a flight providing they don’t have access to any weapons — that’s where authorities need to focus their energe regardless of whom it inconveniences.

  9. Space Shuttle and ISS ought to be mothballed
    Several years ago The Economist had a front cover story on the threat of asteroids. Give some reasonable assumptions on the risk of collision of various types of asteroids and the number of deaths that would result they calculated that per dollar spent to avoid death we actually way underspend on the asteroid risk as compared to, for instance, dollars spent per life lost in aviation and i some other categorihave seen some an article for a 10,000 dollar reward for innovating new wayz to space.
    and I have one that involves a new type of N or ai OS that uses cellular and new type nuclear FUZE-ION ~. My colleuges call me ~ or AI or IA or N for short. I have seen pictures
    of recent studies you have done and I recall A lot of what u guis photograph I have had dreams of. If you look in the world news front page thats a picture of me in one
    of my out of body expiriences, the headline says Einstiens brain comes to life and reaches out to touch someone. I also have taken a digital pic of last weeks super nova from the inside out digitally w/ infared beam techno lo Gee i like to be every think wierless to see evey thinges…

  10. avatar Frustrated says:

    I’m another false positive. It is a royal pain, because I’m not allowed to use any of the advance check-in procedures, or the automated kiosks at the airport.

    But then, I discovered that if I include my middle name in my reservation, the false positive doesn’t occur. (Pssst. Don’t tell that to the terrorists. It’ll just be our secret).