TSA Blows Off Inspector General's Suggestion Boarding Pass Information Be Encrypted

from the more-business-as-usual dept

The TSA’s Secure Flight system apparently isn’t all that secure, according to the barely-readable portions of the recently-released Inspector General’s report. The TSA has a Pre-Check program that requires a ton of personal information and $85 to participate in. It also has “Secure Flight,” which grants Pre-Check privileges on a case-by-case basis, for which travelers pay nothing. This simply means they won’t always find themselves in the short line, but it does call into question the need to provide a ton of information up front, much less $85 for an experience others are getting for free.

Much like everything else the TSA is nominally in charge of, it has flaws. A whistleblower report to the TSA and the Office of the Inspector General claimed that the use of a “risk-based rule” led to a “vulnerability in aviation security” back in early 2014. (This would be before the Pre-Check system allowed a convicted murder with explosives experience to bypass more rigorous screening, simply because the boarding pass included the “wave me through” checkmark.)

What this “vulnerability” was is never openly explained. There’s plenty of text in the report (28 pages of it, in fact), but everything specific is hidden under a thick layer of black ink. What we do know is that it involved boarding passes and the TSA’s “risk-based assessment” program.

As a result of the report, the TSA suspended the redacted Secure Flight “rule”. This rule was apparently linked to passengers’ ability to print out their own boarding passes with the handy Pre-Check checkmark on them. Apparently, someone used someone else’s ticket or found a way to print boarding passes without providing proper ID verification. Either way, this mysterious “rule” went away, and along with it, some Pre-Check passenger privileges.

Now, the TSA is planning to add additional layers of verification to the Pre-Check/Secure Flight system. But this won’t fully go into effect until later this year. In the meantime, the “rule” remains suspended.

As a result of this redacted breach, the OIG’s office made three recommendations — which are also mostly redacted.

The first suggests the nature of the breach (or the problem with the rule) [or both].

Explore the feasibility of encrypting commercial aircraft carrier boarding passes [rest of sentence redacted].

The other two recommendations target the TSA’s upgraded credential authentication program.

The TSA pretty much disagrees with the entirety of the OIG’s assessment. Scattered between heavy redactions are various punchy odes to its pretty-much-infallible coin toss it calls “risk assessment.” Scattered between other redactions are assertions that the TSA is pretty good about assessing threats and has been steadily improving for years without the OIG’s constant nagging.

But before it heads into that, the OIG declares the TSA to be “responsive” to its first recommendation, even though it didn’t do anything more than declare the recommendation too expensive and too difficult.

Management Response to Recommendation #1: TSA officials did not concur with Recommendation 1. In its response, TSA said in 2012 it explored the cost and feasibility of encrypting commercial aircraft carrier boarding passes [redacted]. After engaging industry stakeholders, TSA decided not to adopt this approach because of limited data fields in some air carrier systems and encrypting boarding pass barcodes is cost prohibitive. TSA said it decided to pursue a more practical and affordable solution using a digital signature.

Nothing’s too good for the USofA! I mean, nothing’s too practical and affordable. So, let’s just use a “digital signature” because it’s pretty much just as secure, right?

Now, we just have to assess the wisdom of the TSA’s estimation of itself in light of this new (but very limited) information. It thinks it’s doing a bang-up job making flying more secure. TSA head John Pistole frequently mentions the many programs it uses in addition to pre-flight scanning/screening, most of which have been determined by others to have a 50% hit rate.

On one hand, its screeners managed to miss 95 out 100 prohibited items during a recent assessment of its screening protocols. (But, man, it was all over that bag of cash, wasn’t it!) On the other hand, its long-running ineptitude has yet to result in mass hijackings. It fails at the thing it does the most of (patdowns, screenings) and its more intangible efforts (risk assessment) haven’t proven to be any more accurate than its in-person patdowns. In totality, we have a self-important entity whose presence is hardly justified. It appears air travel would be roughly as safe without the TSA’s multiple encroachments. What it argues works well actually doesn’t, and new issues are dismissed as not being worth the effort/expense to fix.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “TSA Blows Off Inspector General's Suggestion Boarding Pass Information Be Encrypted”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Lethal knowledge

> allowed a convicted murder with explosives experience

So we should also put software engineers, demolitions experts, and high energy physicists (because who knows, right?) through more rigorous screening simply because of what they know?

Should we also forbid martial artists from boarding a plane with their fists and feet?

If you’re going to start triaging people because of what they know, let’s be thorough about it, shall we?

Anonymous Coward says:

Re: Lethal knowledge

So we should also put software engineers, demolitions experts, and high energy physicists (because who knows, right?) through more rigorous screening simply because of what they know?

It’s not the “explosives experience” alone, it’s the “explosives experience” combined with the documented lack of moral restrictions against killing fellow humans.

Most “software engineers, demolitions experts, and high energy physicists” have moral restrictions against killing fellow humans, so they wouldn’t misuse their knowledge in the ways the TSA is supposed to be worried about.

Bollocks says:

Re: Re: Lethal knowledge

‘Most “software engineers, demolitions experts, and high energy physicists” have moral restrictions against killing fellow humans, so they wouldn’t misuse their knowledge in the ways the TSA is supposed to be worried about.’

You obviously don’t know too many ‘software engineers, demolitions experts, and high energy physicists’

FF (profile) says:

Re: Lethal knowledge

That reads like speculative theory about who is more of a risk. Do you have data?
Unless the person is under court supervision, such as parole, there should not be discrimination in the USA. If the person really is a threat, TSA can use due process and go to court for an order against the person. Enough of this secret discrimination by the government, as it will only expand to others.

John Cressman (profile) says:

Oh great... REAL bullets!

I’m not suprised they disagree with the report at all. Let’s face it, SOME of them have to realize they’re really just there as “security theater” and providing no useful function.

So why start pretending now?

It’s like asking an actor who plays a soldier to start doing REAL SOLDIER things.

Come on guys… THEY’RE ACTORS! It’s what they do!

FF (profile) says:

Re: Oh great... REAL bullets!

It is a giant scam and we are taxed to pay for it.
Anyone visited denver lately? The airport concession workers have a special door they use to bypass all of TSA. Flight crews literally get more screening than mcdonald workers.

Look closely in denver, south screening the special portal for workers dumps out in front of the police podium, after screening.

Derek Kerton (profile) says:

Re: Re: Oh great... REAL bullets!

…and you know the route of the hallways that you can’t see? And you know that that is not a secured area which has only screened people in it?

I’ll bet you have not spotted a breach. But your imagination and your indignation-engine got the best of you.

TSA sucks, but baseless accusations of scary doors with mcdonalds workers coming out just seem silly.

Anonymous Coward says:

Re: Re: Re: Oh great... REAL bullets!

Actually, s/he’s correct. And it’s not just Denver. It’s also Philly, and Atlanta, and Dallas, just to name a few.

Certainly you remember the pilot who was reprimanded for pointing out this glaring loophole at SJC from a few years ago? We can’t have people pointing out that the emperor has no clothes, now can we?

By and large, the people with access to do the most damage to aircraft receive no screening whatsoever. None. Nada. Zip. Merely a 10-year background check and they’re good.

Some airports like MSP, BNA, and PHX do require airport workers to go through screening. Most do not. These aren’t baseless accusations. It’s true: there is this glaring hole in the process and yet nothing has gone boom.

Did you ever stop to wonder how DL flight attendants and pilots based in ATL seem to keep showing up at other airports with guns in their in-cabin luggage? Or baggage handlers run drug and gun rings from ATL up to NYC? Maybe you should connect those dots before you get offended next time.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...