DHS IG Report Snuck Out On Holiday Weekend
The Department of Homeland Security's Inspector General, in a report
late on Good Friday,admitted that the TSA systematically misled almost everybody: individual
citizens and travelers, reporters, FOIA act information requestors, the
US Senate, DHS's own Chief Privacy Officer (!), Congress, and the
Government Accountability Office --about the TSA's CAPPS II system and
TSA's use and abuse of private personal name record (PNR) data,
throughout 2003 and 2004.
GAO unsure of Secure Flight screening program
The Transportation Security Administration has addressed fully only one
of the 10 areas of congressional interest related to development of its
Secure Flight airline passenger screening system, the Government
Accountability Office said in a report released today.
As a result, it is unclear whether the new system will be effective in
determining which passengers should undergo additional security
scrutiny, GAO said.
Secure Flight was established in August 2004, after TSA cancelled
development of the controversial Computer-Assisted Passenger
Prescreening System II as a result of delays and concerns about its
effectiveness and privacy protections. Congress mandated in October 2004
that the GAO report on 10 aspects of the development of Secure Flight.
As of March 15, TSA has met only one of the 10 requirements by
establishing an internal oversight board, GAO said.
Progress in meeting the other nine conditions set by Congress is “Under
way,” according to GAO. Those conditions include demonstrations of
efficacy and accuracy, assessments of the accuracy of databases used,
establishment of an effective system to oversee use and operation, and
creation of safeguards to prohibit abuse and unauthorized access, among
others, GAO said.
“Until TSA finalizes key program documents and completes additional
system testing, it is uncertain whether Secure Flight will perform as
intended, and whether it will be ready for initial operational
deployment by August 2005,” the report said.
"TSA officials made inaccurate statements regarding these transfers that
undermined public trust in the agency," according to the report, signed
by DHS Acting Inspector General Richard Skinner. The report resulted
from widespread media reports of TSA misconduct in reference to the
development of the CAPPS II screening database system.
Skinner danced with double-talk in an attempt to minimize the impact of
these new revelations. "These misstatements were apparently not meant to
mischaracterize known facts. Instead, they were premised on an
incomplete understanding of the underlying facts." It's hard to cut to
the core of what that statement is saying, but it appears to be, "they
thought they were telling the truth but they were wrong." If that is
truly what he meant, that conclusion is very, very hard to square with
the facts in the report. (the actual report link is at at the end of
this story, so you can see for yourself).
TSA Spokesman Mark O. Hatfield Jr was quoted by the AP as saying, "The
core of our mission is preserving our freedoms, and that means doing the
utmost to protect every American's privacy." This is boilerplate and
frequently uttered by TSA talking heads. For example, former director
Loy said in March 2004, "in carrying out the TSA mission to secure our
nation's transportation systems, we must respect and protect the privacy
rights of all individuals we serve."
The report made public by TSA is redacted, so some of the most sensitive
evidence that convicts or clears TSA of misconduct may be missing.
Despite that, there was plenty of detail in the report. In areas where
the report danced around names of persons, publications, or contractors,
it is possible to find out who they mean.
TSA has taken a few grudging steps towards protecting traveler privacy
since Congress threatened to cut off funds for the massive Secure Flight
(formerly CAPPS II) database, which has been a centerpiece project for
all three TSA Administrators. This new report is likely to raise further
This report was carefully written and carefully timed to minimize damage
to the TSA and to its Secure Flight program, which is the cornerstone of
TSA plans for the future. Despite that, it is an extremely dismaying
glimpse at the culture of the Agency. The TSA's response to the report's
recommendations (which this article didn't even get into) was in places
defensive, even truculent, in its insistence that the TSA and its people
have done nothing wrong. They refused the reasonable request to review
the procedures that led to over a year of lies about the Jet Blue data.
It would not be reaching too far to infer that for many TSA leaders and
spokesmen, who are convinced that they are on a righteous mission of
great national importance, "the end justifies the means." Giving an
agency with that sort of culture the fruits of a massive data-mining
scheme is like giving rocket fuel to a firebug.
The timing of this report is one indicator that TSA and DHS are circling
the wagons, and are determined to fight it out, having decided that the
public is the savages. To release a negative report on the Friday of a
long holiday weekend is a time-honored dodge in Washington. In this
particular case, it indicates that DHS is flying cover for TSA and
doesn't want TSA leaders to bear any of the consequences for their
misconduct -- or their previous false statements to the Congress, the
press, and the public. It remains to be seen whether all those entities
will take this lying down.
A History Of Falsehood After Falsehood
The Department of Homeland Security's Inspector General, in a report
released late on Good Friday, admitted that the TSA systematically
misled almost everybody. Some of the specifics in the report are listed
In September 2003, news reports indicated that TSA had acquired millions
of passenger records from JetBlue. The agency's FOIA staff was deluged
with press and passenger inquiries, which they answered by denying that
the agency had any JetBlue records -- at first, briefly, in good faith,
but by May 2004 they discovered that the reports were true. In fact, by
that time the FOIA staff had a complete copy of the records, and "locked
them in the office document room, where they remain" [Report, p. 44.]
FOIA and PR staff maintained their denials, now deliberately falsely,
until release of this report; and as the IG report hit print their
denial was still on the TSA website; they hastily pulled it down, their
one substantive response to the report's recommendations.
Also in September 2003, a TSA spokesman told a Wired News reporter, in
answer to a direct question, that fake data, not real passenger data,
were used in development and testing of the CAPPS II system. The
reporter and spokesman were not identified in the report, but were Ryan
Singel of the technology news site Wired, and Brian Turmail of TSA.
Turmail's statement was not true. Turmail also told Singel that the
release of data was, in Singel's paraphrase, "for a Pentagon
proof-of-concept program related to improving security on military
bases." This statement was also false. Turmail, says the IG report,
"denied that four contractors had used real passenger records...." This
statement was false. In fact, the contractors had received that data;
there may have been more than four contractors involved. As the IG
report sums up the whole sad case of Turmail, "the responses that the
TSA spokesmen provided to Wired News were not accurate."
The data Torch Concepts secured included 5 million passenger itineraries
and matching credit information from JetBlue, plus social security
numbers and credit-reporting database information. Torch had individual
income information, but apparently did not succeed in getting complete
IRS data. Privacy activist Bill Scannell said at the time, ""Anyone who
flew JetBlue before September 2002 should be aware and very scared that
there is a dossier on them."
On November 18, 2003, TSA director Admiral James Loy testified under
oath to the US Senate Governmental Affairs Committee that TSA did not
provide JetBlue passenger data to a contractor, Torch Concepts, which
had leaked some of the data onto the Internet. Loy swore that "TSA
provided assistance '...only in the form of an introduction for DOD to
JetBlue Airlines [sic]." [Report, p.44] This statement was false. The
reason that Torch had the data, the report recounts, is that TSA told
JetBlue to hand it over.
The report is silent on whether Loy knew he was feeding the Senate a
lie, or was himself misled by subordinates, who are only identified in
the report as "TSA employees [who] assisted in preparing responses to a
... questionnaire." [ibid]. In 2004, Loy did correct the record with a
terse note to the Senate committee: "In a July 30, 2002 memorandum, TSA
requested that JetBlue provide archived passenger data to the DOD."
[Report, p. 45] Even this corrected statement was false, because, as
recounted above, the airline had been directed to give the data not to
DOD but to a non-government firm, a non-secure contractor.
Why these repeated falsehoods? If Loy wasn't in on it, why were
underlings feeding him repeated doses of false information? Was it bad
faith, or just bad management? The IG was not able to get an answer: "TSA
staff did not provide a clear explanation." [p. 45]
In the same November 18, 2003, testimony, Loy told the Senate that TSA
was using data from volunteers, not the involuntarily gathered "PNR
data," to test CAPPS II. Loy: "TSA has not used any PNR data to test any
of the functions of CAPPS II. TSA is using certain information provided
by volunteers, many are DHS employees," -- according to the report,
"including senior DHS officials." The problem with this statement was
that it was also false. Along with the JetBlue data recounted above,
sensitive PNR data involuntarily collected from tens of thousands of
Delta passengers was provided to IBM, Infoglide, and some eight
unidentified "RAE (Risk Assessment Engine) Prototype Vendors." [p.45,
When the GAO testified in February, 2004, that "TSA has only used 32
simulated passenger records -- created by TSA from the itineraries of
its employees and contractor staff who volunteered to provide the data
-- to conduct [passenger risk assessment] testing," they were going on
what the TSA's Office of National Risk Assessment (ONRA) had told them.
The statement was wildly, enormously, false. The carefully worded IG
report says that, "we have found no evidence that TSA provided
misleading or inaccurate information to the GAO." But if you read the
evidence that the report based this conclusion on, you might not reach
the same conclusion. "GAO specifically asked about ONRA's access to
airline passenger data," but the ONRA folks just didn't tell them that
they had and were using millions of individuals' data. Yes, viewed as a
narrow technicality, they did not provide misleading information. Unless
you call a blanket denial of having information they had misleading.
Maybe you need to work in Washington to understand the IG's conclusions
on this one.
GAO is not blameless, however, because records show that ONRA did admit
to GAO that they had data from Delta Airlines and were trying to get
data from the multi-airline Sabre reservations system.
When The DHS Chief Privacy Officer requested documents about the Jet
Blue/Torch Concepts data leak for a report to the public (issued Feb 20,
2004), the TSA provided some documents but sat on others for six weeks,
until Feb. 17th. "The CPO said that... gave the impression that TSA had
withheld the documents." Further, the CPO said that she requested
information about any other airline data transfer and "TSA responded
that the JetBlue matter was unique and suggested that TSA did not have a
role in any other airline data transfers." If TSA made this statement,
it was both false, and consistent with the false information TSA was
retailing elsewhere. However, the report does its best to whitewash the
TSA: "We have been unable to find documentation that unequivocally
corroborates this account and TSA staff..." of course, deny everything.
New Revelations Of TSA Data Mining
The report also contains pointers to some of the other data mining the
TSA has been doing, which is far greater than even the old revelations
that the TSA so vigorously, and falsely, denied. The report traces some
14 transfers of data involving at least 12 million records. In no case
were passengers asked or even informed that their data was being used by
government agencies or, more often, unsupervised contractors.
Airlines that gave or sold sensitive passenger data to the TSA or its
Data was furnished to the US Secret Service, various in-house TSA
constituencies, and a laundry list of contractors: Ascent, HNC Software,
IBM, Infoglide, Lockheed Martin, Torch Concepts, and possibly their
subcontractors. Some of the data was furnished with confidentiality
agreements, some without. Ironically, the data that Torch Concepts
mishandled and compromised was subject to such an agreement. Some data
is reported destroyed, some is still held by the contractors or TSA, and
the disposition of some is unknown.
Secure Flight/CAPPS II: Will it work?
The inner workings of the TSA's "Secure Flight/CAPPS II" Database are
considered secret by the TSA, but the general architecture, and several
components of the system, are known. Because the system is designed to
identify individual travelers who may pose a threat, its basic unit is
the individual, who is identified with a unique number which can be
cross-referenced to other databases' keys, like social security numbers,
telephone numbers, and credit card numbers. The system is believed to
contain over a thousand data points on every individual, including data
from airline records, government databases, telecom records, public
directories, and the massive commercial databases maintained by
This database would be El Dorado for an identity thief, but of course
the only people that have access to the information are TSA employees
(how many times have we written the words "TSA theft ring" in the last
-- but pay no attention to that, for are they not honorable men?),
contractors (some of whom outsource to third world nations), and anyone
with an Internet connection when, as happens from time to time, one of
these contractors springs a leak. Nothing to worry about.
Some of the factors that make the TSA take notice of a traveler include
the type of flight, whether this fits in that person's historic pattern
of travel, whether the person's name is on a terrorist watchlist, even
whether the person owns or rents his or her home (the theory is, suicide
bombers won't be thinking about a 30-year mortgage). There are many
other factors, each secret. Each factor is given a certain weight by the
system, which is also secret. Finally, each traveler is assigned a "TSA
which determines the type and nature of the scrutiny he or she will
require -- these thresholds are also, you guessed it, secret. Because
numbers are hard things, the output of this system to the line-level
screeners who have to implement the data is reportedly a simple color
code: red, yellow or green.
Data will be retained for at least fifty years.
For many people, the loss of privacy and risk of identity theft will be
seen as a fair trade against the possibility of another terrorist
attack. But while the CAPPS II (now Secure Flight) system is based on
the assumption that studying data will reveal potential terrorists, it
fails to account for the likelihood that terrorists, who are after all
evil, not necessarily stupid, will react to CAPPS by selecting or
preparing terrorists who are likely to pass the system's scrutiny.
It's interesting to note that in 2002, when MIT students Samidh
Chakrabarti and Aaron Strauss subjected the concept of passenger
prescreening to a mathematical, computer simulation, they found that any
passenger prescreening system was vulnerable to an exploit they called
the "Carnival Booth" algorithm. They concluded that random searches were
a much greater threat to terrorists' success than prescreened searches.
"The results are clear. The less a system relies on profiling and the
more advanced its administrative searching, the more terrorists it will
catch," Chakrabarti and Strauss wrote. If a terrorist makes a dry run
and is not flagged by CAPPS, his odds of being flagged the next time
decrease. Indeed, the more times a terrorist passes through the system
the closer his probability of being selected approaches zero.
The most disturbing thing is that, if the TSA has any answer to the MIT
report, they aren't talking about it. There don't appear to be any
technical data which support the CAPPS II approach, just that it makes
-- which the two young MITers show to be a logical fallacy. It would be
nice to hear TSA say that their approach is better, and the scientists
have it wrong.
But then, if they said that, how would we know they were telling the
truth this time?
GAO REPORT at