TSA Blows Off Inspector General's Suggestion Boarding Pass Information Be Encrypted

from the more-business-as-usual dept

The TSA's Secure Flight system apparently isn't all that secure, according to the barely-readable portions of the recently-released Inspector General's report. The TSA has a Pre-Check program that requires a ton of personal information and $85 to participate in. It also has "Secure Flight," which grants Pre-Check privileges on a case-by-case basis, for which travelers pay nothing. This simply means they won't always find themselves in the short line, but it does call into question the need to provide a ton of information up front, much less $85 for an experience others are getting for free.

Much like everything else the TSA is nominally in charge of, it has flaws. A whistleblower report to the TSA and the Office of the Inspector General claimed that the use of a "risk-based rule" led to a "vulnerability in aviation security" back in early 2014. (This would be before the Pre-Check system allowed a convicted murder with explosives experience to bypass more rigorous screening, simply because the boarding pass included the "wave me through" checkmark.)

What this "vulnerability" was is never openly explained. There's plenty of text in the report (28 pages of it, in fact), but everything specific is hidden under a thick layer of black ink. What we do know is that it involved boarding passes and the TSA's "risk-based assessment" program.

As a result of the report, the TSA suspended the redacted Secure Flight "rule". This rule was apparently linked to passengers' ability to print out their own boarding passes with the handy Pre-Check checkmark on them. Apparently, someone used someone else's ticket or found a way to print boarding passes without providing proper ID verification. Either way, this mysterious "rule" went away, and along with it, some Pre-Check passenger privileges.

Now, the TSA is planning to add additional layers of verification to the Pre-Check/Secure Flight system. But this won't fully go into effect until later this year. In the meantime, the "rule" remains suspended.

As a result of this redacted breach, the OIG's office made three recommendations -- which are also mostly redacted.


The first suggests the nature of the breach (or the problem with the rule) [or both].
Explore the feasibility of encrypting commercial aircraft carrier boarding passes [rest of sentence redacted].
The other two recommendations target the TSA's upgraded credential authentication program.

The TSA pretty much disagrees with the entirety of the OIG's assessment. Scattered between heavy redactions are various punchy odes to its pretty-much-infallible coin toss it calls "risk assessment." Scattered between other redactions are assertions that the TSA is pretty good about assessing threats and has been steadily improving for years without the OIG's constant nagging.

But before it heads into that, the OIG declares the TSA to be "responsive" to its first recommendation, even though it didn't do anything more than declare the recommendation too expensive and too difficult.
Management Response to Recommendation #1: TSA officials did not concur with Recommendation 1. In its response, TSA said in 2012 it explored the cost and feasibility of encrypting commercial aircraft carrier boarding passes [redacted]. After engaging industry stakeholders, TSA decided not to adopt this approach because of limited data fields in some air carrier systems and encrypting boarding pass barcodes is cost prohibitive. TSA said it decided to pursue a more practical and affordable solution using a digital signature.
Nothing's too good for the USofA! I mean, nothing's too practical and affordable. So, let's just use a "digital signature" because it's pretty much just as secure, right?

Now, we just have to assess the wisdom of the TSA's estimation of itself in light of this new (but very limited) information. It thinks it's doing a bang-up job making flying more secure. TSA head John Pistole frequently mentions the many programs it uses in addition to pre-flight scanning/screening, most of which have been determined by others to have a 50% hit rate.

On one hand, its screeners managed to miss 95 out 100 prohibited items during a recent assessment of its screening protocols. (But, man, it was all over that bag of cash, wasn't it!) On the other hand, its long-running ineptitude has yet to result in mass hijackings. It fails at the thing it does the most of (patdowns, screenings) and its more intangible efforts (risk assessment) haven't proven to be any more accurate than its in-person patdowns. In totality, we have a self-important entity whose presence is hardly justified. It appears air travel would be roughly as safe without the TSA's multiple encroachments. What it argues works well actually doesn't, and new issues are dismissed as not being worth the effort/expense to fix.

Filed Under: boarding passes, encryption, pre-check, secure flight, tsa


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    DannyB (profile), 10 Jul 2015 @ 8:55am

    TSA risk assessment

    Is the TSA as good at risk assessment as it is at assessing whether a passenger has cash or other valuable items, such as ipads, that should be removed from the passenger or their luggage?

    Is the TSA's risk assessment as good as it's ability to assess whether an attractive person needs to be groped?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jul 2015 @ 8:56am

    C'mon, everyone knows if you encrypt a boarding pass only terrorists and pedophiles will board planes. Think of the non-extremist children.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jul 2015 @ 9:29am

    Lethal knowledge

    > allowed a convicted murder with explosives experience ...

    So we should also put software engineers, demolitions experts, and high energy physicists (because who knows, right?) through more rigorous screening simply because of what they know?

    Should we also forbid martial artists from boarding a plane with their fists and feet?

    If you're going to start triaging people because of what they know, let's be thorough about it, shall we?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Jul 2015 @ 9:34am

      Re: Lethal knowledge

      > So we should also put software engineers, demolitions experts, and high energy physicists (because who knows, right?) through more rigorous screening simply because of what they know?

      It's not the "explosives experience" alone, it's the "explosives experience" combined with the documented lack of moral restrictions against killing fellow humans.

      Most "software engineers, demolitions experts, and high energy physicists" have moral restrictions against killing fellow humans, so they wouldn't misuse their knowledge in the ways the TSA is supposed to be worried about.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jul 2015 @ 11:00am

        Re: Re: Lethal knowledge

        Really?
        That is your rational - amazing.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jul 2015 @ 12:03pm

        Re: Re: Lethal knowledge

        Let us not forget anyone with military experience in the combat MOSes.

        reply to this | link to this | view in chronology ]

      • identicon
        Bollocks, 11 Jul 2015 @ 10:39am

        Re: Re: Lethal knowledge

        'Most "software engineers, demolitions experts, and high energy physicists" have moral restrictions against killing fellow humans, so they wouldn't misuse their knowledge in the ways the TSA is supposed to be worried about.'


        You obviously don't know too many 'software engineers, demolitions experts, and high energy physicists'

        reply to this | link to this | view in chronology ]

    • icon
      FF (profile), 10 Jul 2015 @ 10:40am

      Re: Lethal knowledge

      That reads like speculative theory about who is more of a risk. Do you have data?
      Unless the person is under court supervision, such as parole, there should not be discrimination in the USA. If the person really is a threat, TSA can use due process and go to court for an order against the person. Enough of this secret discrimination by the government, as it will only expand to others.

      reply to this | link to this | view in chronology ]

  • identicon
    John Cressman, 10 Jul 2015 @ 10:35am

    Oh great... REAL bullets!

    I'm not suprised they disagree with the report at all. Let's face it, SOME of them have to realize they're really just there as "security theater" and providing no useful function.

    So why start pretending now?

    It's like asking an actor who plays a soldier to start doing REAL SOLDIER things.

    Come on guys... THEY'RE ACTORS! It's what they do!

    reply to this | link to this | view in chronology ]

    • icon
      FF (profile), 10 Jul 2015 @ 10:46am

      Re: Oh great... REAL bullets!

      It is a giant scam and we are taxed to pay for it.
      Anyone visited denver lately? The airport concession workers have a special door they use to bypass all of TSA. Flight crews literally get more screening than mcdonald workers.

      Look closely in denver, south screening the special portal for workers dumps out in front of the police podium, after screening.

      reply to this | link to this | view in chronology ]

      • icon
        Derek Kerton (profile), 10 Jul 2015 @ 12:34pm

        Re: Re: Oh great... REAL bullets!

        ...and you know the route of the hallways that you can't see? And you know that that is not a secured area which has only screened people in it?

        I'll bet you have not spotted a breach. But your imagination and your indignation-engine got the best of you.

        TSA sucks, but baseless accusations of scary doors with mcdonalds workers coming out just seem silly.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 10 Jul 2015 @ 4:14pm

          Re: Re: Re: Oh great... REAL bullets!

          Actually, s/he's correct. And it's not just Denver. It's also Philly, and Atlanta, and Dallas, just to name a few.

          Certainly you remember the pilot who was reprimanded for pointing out this glaring loophole at SJC from a few years ago? We can't have people pointing out that the emperor has no clothes, now can we?

          By and large, the people with access to do the most damage to aircraft receive no screening whatsoever. None. Nada. Zip. Merely a 10-year background check and they're good.

          Some airports like MSP, BNA, and PHX do require airport workers to go through screening. Most do not. These aren't baseless accusations. It's true: there is this glaring hole in the process and yet nothing has gone boom.

          Did you ever stop to wonder how DL flight attendants and pilots based in ATL seem to keep showing up at other airports with guns in their in-cabin luggage? Or baggage handlers run drug and gun rings from ATL up to NYC? Maybe you should connect those dots before you get offended next time.

          reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.