TSA Lied About Pax Data?

DHS IG Report Snuck Out On Holiday Weekend

The Department of Homeland Security's Inspector General, in a report released late on Good Friday,admitted that the TSA systematically misled almost everybody: individual citizens and travelers, reporters, FOIA act information requestors, the US Senate, DHS's own Chief Privacy Officer (!), Congress, and the Government Accountability Office --about the TSA's CAPPS II system and TSA's use and abuse of private personal name record (PNR) data, throughout 2003 and 2004.

GAO unsure of Secure Flight screening program

The Transportation Security Administration has addressed fully only one of the 10 areas of congressional interest related to development of its Secure Flight airline passenger screening system, the Government Accountability Office said in a report released today.

As a result, it is unclear whether the new system will be effective in determining which passengers should undergo additional security scrutiny, GAO said.

Secure Flight was established in August 2004, after TSA cancelled development of the controversial Computer-Assisted Passenger Prescreening System II as a result of delays and concerns about its effectiveness and privacy protections. Congress mandated in October 2004 that the GAO report on 10 aspects of the development of Secure Flight.

As of March 15, TSA has met only one of the 10 requirements by establishing an internal oversight board, GAO said.

Progress in meeting the other nine conditions set by Congress is “Under way,” according to GAO. Those conditions include demonstrations of efficacy and accuracy, assessments of the accuracy of databases used, establishment of an effective system to oversee use and operation, and creation of safeguards to prohibit abuse and unauthorized access, among others, GAO said.

“Until TSA finalizes key program documents and completes additional system testing, it is uncertain whether Secure Flight will perform as intended, and whether it will be ready for initial operational deployment by August 2005,” the report said.    link

 "TSA officials made inaccurate statements regarding these transfers that undermined public trust in the agency," according to the report, signed by DHS Acting Inspector General Richard Skinner. The report resulted from widespread media reports of TSA misconduct in reference to the development of the CAPPS II screening database system.

Skinner danced with double-talk in an attempt to minimize the impact of these new revelations. "These misstatements were apparently not meant to mischaracterize known facts. Instead, they were premised on an incomplete understanding of the underlying facts." It's hard to cut to the core of what that statement is saying, but it appears to be, "they thought they were telling the truth but they were wrong." If that is truly what he meant, that conclusion is very, very hard to square with the facts in the report. (the actual report link is at at the end of this story, so you can see for yourself).

TSA Spokesman Mark O. Hatfield Jr was quoted by the AP as saying, "The core of our mission is preserving our freedoms, and that means doing the utmost to protect every American's privacy." This is boilerplate and frequently uttered by TSA talking heads. For example, former director Loy said in March 2004, "in carrying out the TSA mission to secure our nation's transportation systems, we must respect and protect the privacy rights of all individuals we serve."

The report made public by TSA is redacted, so some of the most sensitive evidence that convicts or clears TSA of misconduct may be missing. Despite that, there was plenty of detail in the report. In areas where the report danced around names of persons, publications, or contractors, it is possible to find out who they mean.

TSA has taken a few grudging steps towards protecting traveler privacy since Congress threatened to cut off funds for the massive Secure Flight (formerly CAPPS II) database, which has been a centerpiece project for all three TSA Administrators. This new report is likely to raise further concerns.

This report was carefully written and carefully timed to minimize damage to the TSA and to its Secure Flight program, which is the cornerstone of TSA plans for the future. Despite that, it is an extremely dismaying glimpse at the culture of the Agency. The TSA's response to the report's recommendations (which this article didn't even get into) was in places defensive, even truculent, in its insistence that the TSA and its people have done nothing wrong. They refused the reasonable request to review the procedures that led to over a year of lies about the Jet Blue data. It would not be reaching too far to infer that for many TSA leaders and spokesmen, who are convinced that they are on a righteous mission of great national importance, "the end justifies the means." Giving an agency with that sort of culture the fruits of a massive data-mining scheme is like giving rocket fuel to a firebug.

The timing of this report is one indicator that TSA and DHS are circling the wagons, and are determined to fight it out, having decided that the public is the savages. To release a negative report on the Friday of a long holiday weekend is a time-honored dodge in Washington. In this particular case, it indicates that DHS is flying cover for TSA and doesn't want TSA leaders to bear any of the consequences for their misconduct -- or their previous false statements to the Congress, the press, and the public. It remains to be seen whether all those entities will take this lying down.

A History Of Falsehood After Falsehood
The Department of Homeland Security's Inspector General, in a report released late on Good Friday, admitted that the TSA systematically misled almost everybody. Some of the specifics in the report are listed below.

In September 2003, news reports indicated that TSA had acquired millions of passenger records from JetBlue. The agency's FOIA staff was deluged with press and passenger inquiries, which they answered by denying that the agency had any JetBlue records -- at first, briefly, in good faith, but by May 2004 they discovered that the reports were true. In fact, by that time the FOIA staff had a complete copy of the records, and "locked them in the office document room, where they remain" [Report, p. 44.] FOIA and PR staff maintained their denials, now deliberately falsely, until release of this report; and as the IG report hit print their denial was still on the TSA website; they hastily pulled it down, their one substantive response to the report's recommendations.

Also in September 2003, a TSA spokesman told a Wired News reporter, in answer to a direct question, that fake data, not real passenger data, were used in development and testing of the CAPPS II system. The reporter and spokesman were not identified in the report, but were Ryan Singel of the technology news site Wired, and Brian Turmail of TSA. Turmail's statement was not true. Turmail also told Singel that the release of data was, in Singel's paraphrase, "for a Pentagon proof-of-concept program related to improving security on military bases." This statement was also false. Turmail, says the IG report, "denied that four contractors had used real passenger records...." This statement was false. In fact, the contractors had received that data; there may have been more than four contractors involved. As the IG report sums up the whole sad case of Turmail, "the responses that the TSA spokesmen provided to Wired News were not accurate."

The data Torch Concepts secured included 5 million passenger itineraries and matching credit information from JetBlue, plus social security numbers and credit-reporting database information. Torch had individual income information, but apparently did not succeed in getting complete IRS data. Privacy activist Bill Scannell said at the time, ""Anyone who flew JetBlue before September 2002 should be aware and very scared that there is a dossier on them."

Loy Misleads
On November 18, 2003, TSA director Admiral James Loy testified under oath to the US Senate Governmental Affairs Committee that TSA did not provide JetBlue passenger data to a contractor, Torch Concepts, which had leaked some of the data onto the Internet. Loy swore that "TSA provided assistance '...only in the form of an introduction for DOD to JetBlue Airlines [sic]." [Report, p.44] This statement was false. The reason that Torch had the data, the report recounts, is that TSA told JetBlue to hand it over.

The report is silent on whether Loy knew he was feeding the Senate a lie, or was himself misled by subordinates, who are only identified in the report as "TSA employees [who] assisted in preparing responses to a ... questionnaire." [ibid]. In 2004, Loy did correct the record with a terse note to the Senate committee: "In a July 30, 2002 memorandum, TSA requested that JetBlue provide archived passenger data to the DOD." [Report, p. 45] Even this corrected statement was false, because, as recounted above, the airline had been directed to give the data not to DOD but to a non-government firm, a non-secure contractor.

Why these repeated falsehoods? If Loy wasn't in on it, why were underlings feeding him repeated doses of false information? Was it bad faith, or just bad management? The IG was not able to get an answer: "TSA staff did not provide a clear explanation." [p. 45]

Loy... Again
In the same November 18, 2003, testimony, Loy told the Senate that TSA was using data from volunteers, not the involuntarily gathered "PNR data," to test CAPPS II. Loy: "TSA has not used any PNR data to test any of the functions of CAPPS II. TSA is using certain information provided by volunteers, many are DHS employees," -- according to the report, "including senior DHS officials." The problem with this statement was that it was also false. Along with the JetBlue data recounted above, sensitive PNR data involuntarily collected from tens of thousands of Delta passengers was provided to IBM, Infoglide, and some eight unidentified "RAE (Risk Assessment Engine) Prototype Vendors." [p.45, 46]

GAO Questions
When the GAO testified in February, 2004, that "TSA has only used 32 simulated passenger records -- created by TSA from the itineraries of its employees and contractor staff who volunteered to provide the data -- to conduct [passenger risk assessment] testing," they were going on what the TSA's Office of National Risk Assessment (ONRA) had told them. The statement was wildly, enormously, false. The carefully worded IG report says that, "we have found no evidence that TSA provided misleading or inaccurate information to the GAO." But if you read the evidence that the report based this conclusion on, you might not reach the same conclusion. "GAO specifically asked about ONRA's access to airline passenger data," but the ONRA folks just didn't tell them that they had and were using millions of individuals' data. Yes, viewed as a narrow technicality, they did not provide misleading information. Unless you call a blanket denial of having information they had misleading. Maybe you need to work in Washington to understand the IG's conclusions on this one.

GAO is not blameless, however, because records show that ONRA did admit to GAO that they had data from Delta Airlines and were trying to get data from the multi-airline Sabre reservations system.

Deny Everything?
When The DHS Chief Privacy Officer requested documents about the Jet Blue/Torch Concepts data leak for a report to the public (issued Feb 20, 2004), the TSA provided some documents but sat on others for six weeks, until Feb. 17th. "The CPO said that... gave the impression that TSA had withheld the documents." Further, the CPO said that she requested information about any other airline data transfer and "TSA responded that the JetBlue matter was unique and suggested that TSA did not have a role in any other airline data transfers." If TSA made this statement, it was both false, and consistent with the false information TSA was retailing elsewhere. However, the report does its best to whitewash the TSA: "We have been unable to find documentation that unequivocally corroborates this account and TSA staff..." of course, deny everything.

New Revelations Of TSA Data Mining

The report also contains pointers to some of the other data mining the TSA has been doing, which is far greater than even the old revelations that the TSA so vigorously, and falsely, denied. The report traces some 14 transfers of data involving at least 12 million records. In no case were passengers asked or even informed that their data was being used by government agencies or, more often, unsupervised contractors.

Airlines that gave or sold sensitive passenger data to the TSA or its contractors included:

American Airlines
America West
Frontier, and
Data was furnished to the US Secret Service, various in-house TSA constituencies, and a laundry list of contractors: Ascent, HNC Software, IBM, Infoglide, Lockheed Martin, Torch Concepts, and possibly their subcontractors. Some of the data was furnished with confidentiality agreements, some without. Ironically, the data that Torch Concepts mishandled and compromised was subject to such an agreement. Some data is reported destroyed, some is still held by the contractors or TSA, and the disposition of some is unknown.

Secure Flight/CAPPS II: Will it work?

The inner workings of the TSA's "Secure Flight/CAPPS II" Database are considered secret by the TSA, but the general architecture, and several components of the system, are known. Because the system is designed to identify individual travelers who may pose a threat, its basic unit is the individual, who is identified with a unique number which can be cross-referenced to other databases' keys, like social security numbers, telephone numbers, and credit card numbers. The system is believed to contain over a thousand data points on every individual, including data from airline records, government databases, telecom records, public directories, and the massive commercial databases maintained by credit-reporting services.

This database would be El Dorado for an identity thief, but of course the only people that have access to the information are TSA employees (how many times have we written the words "TSA theft ring" in the last couple years?
-- but pay no attention to that, for are they not honorable men?), contractors (some of whom outsource to third world nations), and anyone with an Internet connection when, as happens from time to time, one of these contractors springs a leak. Nothing to worry about.

Some of the factors that make the TSA take notice of a traveler include the type of flight, whether this fits in that person's historic pattern of travel, whether the person's name is on a terrorist watchlist, even whether the person owns or rents his or her home (the theory is, suicide bombers won't be thinking about a 30-year mortgage). There are many other factors, each secret. Each factor is given a certain weight by the system, which is also secret. Finally, each traveler is assigned a "TSA Curiosity Quotient"
which determines the type and nature of the scrutiny he or she will require -- these thresholds are also, you guessed it, secret. Because numbers are hard things, the output of this system to the line-level screeners who have to implement the data is reportedly a simple color code: red, yellow or green.

Data will be retained for at least fifty years.

For many people, the loss of privacy and risk of identity theft will be seen as a fair trade against the possibility of another terrorist attack. But while the CAPPS II (now Secure Flight) system is based on the assumption that studying data will reveal potential terrorists, it fails to account for the likelihood that terrorists, who are after all evil, not necessarily stupid, will react to CAPPS by selecting or preparing terrorists who are likely to pass the system's scrutiny.

It's interesting to note that in 2002, when MIT students Samidh Chakrabarti and Aaron Strauss subjected the concept of passenger prescreening to a mathematical, computer simulation, they found that any passenger prescreening system was vulnerable to an exploit they called the "Carnival Booth" algorithm. They concluded that random searches were a much greater threat to terrorists' success than prescreened searches. "The results are clear. The less a system relies on profiling and the more advanced its administrative searching, the more terrorists it will catch," Chakrabarti and Strauss wrote. If a terrorist makes a dry run and is not flagged by CAPPS, his odds of being flagged the next time decrease. Indeed, the more times a terrorist passes through the system the closer his probability of being selected approaches zero.

The most disturbing thing is that, if the TSA has any answer to the MIT report, they aren't talking about it. There don't appear to be any technical data which support the CAPPS II approach, just that it makes intuitive sense
-- which the two young MITers show to be a logical fallacy. It would be nice to hear TSA say that their approach is better, and the scientists have it wrong.

But then, if they said that, how would we know they were telling the truth this time?

GAO REPORT at this link


to Hot off the PRESS