In a major change of policy, the Transportation Security Administration has announced that passengers refusing to show ID will no longer be able to fly. The policy change, announced on Thursday afternoon, will go into force on June 21, and will only affect passengers who refuse to produce ID. Passengers who claim to have lost or forgotten their proof of identity will still be able to fly.
As long as TSA has existed, passengers have been able to fly without showing ID to government agents. Doing so would result in a secondary search (a pat down and hand search of your carry-on bag), but passengers were still permitted to board their flights. In some cases, taking advantage of this right to refuse ID came with fringe benefits--being bumped to the front of the checkpoint queue.
For a few years after September 11, 2001, TSA's policies when it came to flying without ID were somewhat fuzzy. The agency, like many other parts of the Bush Administration, has hidden behind the shroud of classification--in TSA's case, labeling everything Sensitive Security Information.
Seeking to clarify the rules, activist John Gilmore took the U.S. government to court in 2004. Gilmore chose to take a particularly hard line, by refusing to show ID to TSA and also by refusing to undergo the more thorough "secondary screening" search. He eventually lost his case before the 9th Circuit of the U.S. Court of Appeals.
While the judges were not willing to let Gilmore avoid the secondary screening search, they did at least recognize the right to travel without showing ID--providing that passengers are willing to be subject to a pat down and a bit of probing: "The identification policy requires that airline passengers either present identification or be subjected to a more extensive search. The more extensive search is similar to searches that we have determined were reasonable and consistent with a full recognition of appellants constitutional right to travel."
Since then, in at least two letters to citizens, TSA has re-affirmed this right. In March 2008, a TSA official wrote that:
"If a traveler is unwilling or unable to produce a valid form of ID, the traveler is required to undergo additional screening at the checkpoint to gain access to the secured area of the airport."
A change in policy
In a press release issued on Thursday with little fanfare, TSA announced a major change in its rules.
"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.
"This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures."
To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home will be searched, and then permitted to board their flights.
While TSA's announcement stated that the goal of the change was to "increase safety," this blogger disagrees. The change of rules seems to be a pretty obvious case of security theater. Real terrorists do not refuse to show ID. They claim to have lost their ID, or they use a fake.
TSA's new rules only protect us from a non-existent breed of terrorists who are unable to lie.
Fixing flaws vs. security theater
In a research paper published in 2007, I outlined a number of glaring loopholes allowing the total circumvention of the much criticized no-fly lists. The two main flaws were that passengers can modify boarding passes, and that they can refuse to show ID.
In December 2007, TSA began testing out a secure, authenticated, tamper-proof boarding pass scheme. It has since been rolled out to a number of major airports around the country.
With hundreds of millions of dollars having already been spent on the various no-fly lists, it is at least interesting to see that someone at TSA is now spending time on fixing the loopholes in the system. The most glaring of these has long been the fact that passengers can refuse to show (or claim to have forgotten) their ID. Simply put, without being able to know who is walking through a checkpoint, there is no way to know that the "bad guys" have been caught by the no-fly list.
TSA's new rule, while perhaps motivated by a desire to beef up security, is significantly flawed. Terrorists will lie, and claim to have lost their ID--while law-abiding citizens wishing to assert their rights will be hassled, and refused flight.
Of course, all of this is premised on the idea that the no-fly list is actually a useful safety tool--something that I, and a number of other prominent security experts, strongly disagree with. Simply put, terrorists do not pre-register their intent.
As Bruce Schneier has noted before, the no-fly list is a collection of hundreds of thousands of people who are too dangerous to fly, but not guilty enough to be charged with a crime.
These are interesting times, indeed.
Thanks to Gary @ View from the Wing for spotting TSA's announcement.
Disclosure: I am supposed to be on a hiatus, but this topic was too important to leave alone. I am currently an intern at the American Civil Liberties Union of Northern California. These opinions are my own, and do not reflect anyone that pays me.
For the last few years, frequent travelers have had the option to sacrifice their privacy (as well as some money) for speed at the airport. Now, thanks to some keen deal-spotting by bloggers, passengers can skip to the front of the airport security line for free. The question to be asked is: even when such services are free, are they worth the price?
Verified Identity Pass is one of three companies that participate in TSA's Registered Traveler program. The company offers separate lines leading to TSA checkpoints for its subscribers. Passengers passing through one of these lines get to skip to the front of TSA's security checkpoint -- although they still must take off their shoes and belts.
Verified Identity Pass, and its CLEAR program, has been the subject of much hype since its launch a couple years ago. However, it has received quite a bit of criticism from the security community, as well as from TSA's head honcho Kip Hawley. In a statement last year explaining why CLEAR customers still had to take off their shoes and belts, Hawley told Congress:
"The technology is not yet there to provide significant screening benefits to members," Hawley said today before the House Committee on Homeland Security, adding that providers need to tweak such systems before TSA grants full approval. He did not specify the modifications TSA seeks.
Passengers wishing to join the CLEAR program will need to fork over $100 per year, plus $28 for the background check that TSA will run. As part of the application, customers are asked for their Social Security and driver's license numbers, although these are clearly marked as optional information.
The real sticking point, at least for me, is that passengers are required to give up a copy of their fingerprints and a retina scan. This information will then be used to authenticate you when you go through a CLEAR checkpoint. Of course, should the FBI write a national security letter and decide that it would also like a copy of that biometric information, Verified Identity Pass will be forced to hand it over. Creepy.
Thanks to some keen spotting by Gary over at View from the Wing, suckers passengers willing to hand over this information to a central database can now join CLEAR for free, at least for the first year.
First: go and sign up to be a member of the Hyatt Hotels Platinum Program (valid until March 31).
Second: with your new Hyatt platinum number in hand, go over to the CLEAR site and sign up for a one year free membership.
I've thought it over, and even when it's free, I still can't convince myself that it's a good idea to do this. However, for those of you who fly frequently (or who have been arrested before, and thus already have your paw-prints on file), perhaps you may find this useful.
For those more adventurous travelers, as I've discussed before, there is another way to jump to the front of the security line - refuse to show ID.
The Transportation Security Administration has purchased a dozen cameras that use millimeter wave technology and sophisticated algorithms to screen crowds of rapidly moving travelers for weapons from up to 20 meters away.
The SPO threat detection system made by QinetiQ measures waves "naturally emitted by the human body," exposing "cold" objects such as metal, plastic, or ceramics concealed under clothing. A red light on the system's display alerts the operator if you're packing, so there's no need to rely on interpreting images on a screen. It also means no one is ogling your naked body, which was one of the objections when similar technology was deployed at Phoenix Sky Harbor Airport last October.
This imaging technology is safe; the "passive" millimeter wave system generates no emissions itself, but creates an image from reflected body energy, according to the company. Still, if you're nostalgic for the vintage, step-through experience, you can always try this personal fold-up portable metal detector by CI Tech.
UPDATE: See below for TSA's response.
A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft.
The report (PDF) also reveals that a no-bid contract to create the site was awarded to an outside company by a TSA employee who had previously worked for that company. Was this just business as usual at TSA?
TSA: Security ain't its forte (Credit: CNET)
In October 2006, the TSA launched a Web site to help travelers whose names were erroneously listed on airline watch lists. This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers.
The report notes that TSA's chief information security officer conducted a detailed security accreditation review of the traveler redress site before it went live. He/she did not notice any of the glaring holes that I highlighted in my initial blog post on the subject. The report does not note whether the chief information security officer was ever punished for this failure to detect obvious flaws.
For the four months that the site was up, thousands of people visited it, and 247 travelers submitted highly personal information (including their Social Security number and place of birth) through an insecure, non-SSL encrypted form. TSA's lax security practices resulted in thousands of Americans being put at a direct risk of identity theft.
The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site.
In addition to noting the security problems on the site, I also expressed significant skepticism regarding Desyne Web Services, the Virginia-based Web site design firm that was running and operating the site. In my original blog post, I wrote:
"This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract? Why can't TSA do a simple form submission themselves?"
My initial concern seems to be well founded, as the newly released report reveals. The TSA official in charge of the project awarded the contract--without competition--to one of his former employers, a company owned by one of his high school buddies.
Proving that this is just business as usual for TSA, the report notes that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."
UPDATE: When reached for comment, TSA spokesman Christopher White stated that "every issue that the committee brought up has been addressed many months ago. We are not interested in rehashing last year's issues."
When asked whether TSA is concerned with the ethical concerns that surrounded the no-bid sweetheart contract, he stated that there are "no ethical issues (to be) brought up. We hold ourselves to very high ethical standards. It is useless for the American public to rehash this old garbage that doesn't exist today."
He also stated that "many many months ago, when this was a legitimate issue, TSA did notify each person who may have been affected." However, he said, TSA "did not offer to pay for credit monitoring" for those passengers. He stressed that, "we have absolutely no indication that anyone's identity has been misused as a result of this incident."
White could not immediately answer questions related to the complete lack of sanctions for the TSA employee managing the contract and promised to get back to me after looking into the issue.
For those readers who are not aware, the FBI conducted a 2 a.m. raid of my home back in October 2006, after I created a Web site demonstrating the ease with which passengers could create fake boarding passes. After the FBI dropped its investigation, the TSA investigated me for six months and threatened me with tens of thousands of dollars in civil fines. No charges were ever filed.
I discovered the initial security flaws in TSA's redress Web site, and the congressional investigation is a direct result of a blog post that I wrote in February 2007. I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.
It's poetic justice, if you will, for the unpleasantness that TSA put me through.
Desyne, the firm that created the Web site, could not be immediately reached for comment.
If you don't want to lose your spare lithium batteries for your camera, notebook or cell phone, you might want to pack carefully for your next flight.
New rules from the Transportation Security Administration that take effect on January 1 ban travelers from carrying loose lithium batteries in checked baggage. Passengers are allowed to pack two spare batteries in their carry-on bag, as long as they're in clear plastic baggies.
Fortunately, you don't have to worry about the batteries that are already installed in the devices you're bringing. The TSA has said it's safe to check in items like a laptop or iPhone that already have the batteries in place.
The agency said that loose lithium batteries not installed in devices pose a fire risk to passenger planes. Recently, the National Transportation Safety Board could not rule out the possibility that lithium batteries started a fire in a plane at the Philadelphia National Airport last year, according to the Associated Press.
If you do plan on bringing spare batteries in your carry-on bag, be aware of some other rules: You can only bring batteries with an equivalent of up to 8 grams of lithium content. (Most batteries for cell phones and laptops meet this requirement.) And for lithium metal batteries, whether carried as a spare or installed in a device, batteries are limited to 2 grams of lithium metal.
When it comes to gentility and airline security, we may have something to learn from Nairobi International, where they have the decency, and the equipment, to allow you to keep your shoes on.
Nairobi joins Madrid, Prague, and Budapest in deploying the MagShoe, a "high-speed, shoes-on, portable footwear weapons detection system," at their respective airports. U.K. and U.S. airports may be next.
The MagShoe is a metal detector designed to test shoes and ankles in the ongoing fight against foot-borne threats. A passenger simply steps on what looks like a twin mud scraper/shoe buffer, and within an average of 1.2 seconds an audio-visual signal either alerts the operator to concealed metal or gives the all-clear.
Development of the device was initiated by the technical branch of the Israeli Security Agency in response to 9/11 and the Richard Reid "shoe bomber" incident, according to the manufacturer, IDO Security. In both cases the weapons were smuggled in shoes, and in both cases the terrorists went through an Arch Metal Detector (Magnetometer Gates) without being detected.
MagShoe is being evaluated by TSA for the Department of Homeland Security and is expected to receive the seal of approval soon, according to the company. But not in time for the holidays.
Attempts to assert your right to fly without ID can often be very frustrating, due to Transportation Security Administration and airport officials not knowing their own rules.
With any luck, this should no longer be an issue because the TSA has, at last, clarified things.
Passengers with tickets for domestic flights are under no obligation to present ID to TSA. Passengers may be required to show ID to airline employees, but that is a contractual matter between the airlines and their passengers. U.S. government employees cannot, however, require you to show ID in order to pass through the security checkpoints.
Poster at Burning Man '06 (Credit: Christopher Soghoian)
I have personally flown over a dozen times without showing a single form of ID. A number of others have documented similar success stories. Unfortunately, some TSA employees are not aware of their own rules, and at times, have forced passengers to produce ID. Blogger Jake Appelbaum has documented one such experience. Something similar happened to me earlier this year when TSA agents brought over an airport police officer who then compelled me to produce an ID.
The 9th Circuit Federal Court of Appeals clarified a passenger's right to travel without showing ID in its ruling in Gilmore v. Gonzales. Expecting that a TSA screening agent be able to parse a court opinion is often a losing battle. It is for that reason that I've spent the last few months sending letters back and forth to TSA, via my senator, which at least guarantees a reply. Eventually, I was able to get something from TSA in writing that confirms passengers are able to legally fly without showing ID. For those of you who'd like to give it a shot, print out this letter and take it with you. It should (hopefully) reduce any push-back you get from TSA agents.
For those of you who don't get a kick out of asserting your rights, you may wonder why you would ever want to do this. After all, those passengers who decline to provide ID to TSA will instead be forced to go through an invasive "secondary screening" process--a five-minute-or-so procedure in which passengers are patted down, poked, prodded and have their carry-on bag thoroughly searched by hand.
There is a little known, but extremely useful side effect of refusing to show ID: In many airports, you get bumped to the front of the security line. As illogical as it may seem, you can often get through security faster by refusing or "forgetting" your ID at home than if you followed the normal security process.
So, the next time you fly, use my letter and repeat after me: "I hereby assert my right to fly without showing an identification document to any government official." With any luck, you should get through without any problems, and more than likely, you'll get bumped to the front of the queue. If you get any push-back at all, remember the magic words, "I'd like to speak to a supervisor please."
For further reading on the subject: I have a research paper documenting (and fixing) security flaws in the boarding pass system and no-fly lists that'll be published at the IDMAN workshop in October. A pre-print copy of the paper is available online: Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists. Researchers from MIT analyzed the benefits of racial profiling in airport security back in 2002. I highly recommend their paper, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System. Bruce Schneier has been talking about airport security flaws for years, and most recently published a must-read interview with TSA chief Kip Hawley.
Letter from TSA (Credit: Christopher Soghoian)





