In a major change of policy, the Transportation Security Administration has announced that passengers refusing to show ID will no longer be able to fly. The policy change, announced on Thursday afternoon, will go into force on June 21, and will only affect passengers who refuse to produce ID. Passengers who claim to have lost or forgotten their proof of identity will still be able to fly.
As long as TSA has existed, passengers have been able to fly without showing ID to government agents. Doing so would result in a secondary search (a pat down and hand search of your carry-on bag), but passengers were still permitted to board their flights. In some cases, taking advantage of this right to refuse ID came with fringe benefits--being bumped to the front of the checkpoint queue.
For a few years after September 11, 2001, TSA's policies when it came to flying without ID were somewhat fuzzy. The agency, like many other parts of the Bush Administration, has hidden behind the shroud of classification--in TSA's case, labeling everything Sensitive Security Information.
Seeking to clarify the rules, activist John Gilmore took the U.S. government to court in 2004. Gilmore chose to take a particularly hard line, by refusing to show ID to TSA and also by refusing to undergo the more thorough "secondary screening" search. He eventually lost his case before the 9th Circuit of the U.S. Court of Appeals.
While the judges were not willing to let Gilmore avoid the secondary screening search, they did at least recognize the right to travel without showing ID--providing that passengers are willing to be subject to a pat down and a bit of probing:"The identification policy requires that airline passengers either present identification or be subjected to a more extensive search. The more extensive search is similar to searches that we have determined were reasonable and consistent with a full recognition of appellants constitutional right to travel."
Since then, in at least two letters to citizens, TSA has re-affirmed this right. In March 2008, a TSA official wrote that:
"If a traveler is unwilling or unable to produce a valid form of ID, the traveler is required to undergo additional screening at the checkpoint to gain access to the secured area of the airport."
A change in policy
In a press release issued on Thursday with little fanfare, TSA announced a major change in its rules.
"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."
This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures."
To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home, will be searched, and then permitted to board their flights.
While TSA's announcement stated that the goal of the change was to "increase safety," this blogger disagrees. The change of rules seems to be a pretty obvious case of security theater. Real terrorists do not refuse to show ID. They claim to have lost their ID, or they use a fake.
TSA's new rules only protect us from a non-existent breed of terrorists who are unable to lie.
Fixing flaws vs. security theater
In a research paper published in 2007, I outlined a number of glaring loopholes allowing the total circumvention of the much criticized no-fly lists. The two main flaws were that passengers can modify boarding passes, and that they can refuse to show ID.
In December 2007, TSA began testing out a secure, authenticated, tamper-proof boarding pass scheme. It has since been rolled out to a number of major airports around the country.
With hundreds of millions of dollars having already been spent on the various no-fly lists, it is at least interesting to see that someone at TSA is now spending time on fixing the loopholes in the system. The most glaring of this has long been the fact that passengers can refuse to show (or claim to have forgotten) their ID. Simply put, without being able to know who is walking through a checkpoint, there is no way to know that the "bad guys" have been caught by the no-fly list.
TSA's new rule, while perhaps motivated by a desire to beef up security, is significantly flawed. Terrorists will lie, and claim to have lost their ID--while law-abiding citizens wishing to assert their rights will be hassled, and refused flight.
Of course, all of this is premised on the idea that the no-fly list is actually a useful safety tool--something that I, and a number of other prominent security experts, strongly disagree with. Simply put, terrorists do not pre-register their intent.
As Bruce Schneier has noted before, the no-fly list is a collection of hundreds of thousands of people who are too dangerous to fly, but not guilty enough to be charged with a crime.
These are interesting times, indeed.
Thanks to Gary @ View from the Wing for spotting TSA's announcement.
Disclosure: I am supposed to be on a hiatus, but this topic was too important to leave alone. I am currently an intern at the American Civil Liberties Union of Northern California. These opinions are my own, and do not reflect anyone that pays me.
The Transportation Security Administration is joining the 21st century. Just 5 years after security experts first outlined methods for faking boarding passes (and 2 years after the FBI raided my home for automating the process), TSA is finally testing out technology to neutralize this security threat. The only problem? The new authenticated boarding passes lay the groundwork for a surveillance state, enforceable all-points-bulletins, and most scary of all, data discrimination.
Can TSA be trusted to do the right thing?
A sample secure boarding pass
(Credit: Continental Airlines)For the last 4 months, Continental Airlines and TSA have been running a pilot project, which permits passengers to pass through security using mobile-phone based boarding passes. After the user checks in online 24 hours before travel, the airline will send a dense 2D bar code to the passenger's mobile phone. The program is open to anyone flying on a non-stop Continental Airlines flight out Houston.
The bar codes contain all of the information that would ordinarily appear on a boarding pass, plus one other important thing: a digital signature.
The system doesn't seem too bad, security wise. The airlines each create a PGP cryptographic key pair, a private key which they use to sign each boarding pass, and a public key which they give to TSA.
When a passenger shows up at a TSA checkpoint, the boarding pass is scanned by TSA agents with a handheld device. The device will verifies the cryptographic signature, and if the boarding pass hasn't been modified, it'll display the passenger's information, which the agent can then compare to the passenger's ID. (Click here to see a picture of the boarding pass being read by the handheld device.)
Privacy safeguards
The Department of Homeland Security released a detailed Privacy Impact Report on the boarding pass system in late 2007. The report reveals a number of interesting details, and surprisingly, that the system was designed with passenger privacy in mind. The report (pdf) notes that:The [Boarding Pass Scanning System (BPSS)] equipment is a handheld 2-D Bar Code scanning device and should be considered standalone as it will not be connected to any network - via wireless or ethernet connection.....
When [the passenger's] information is collected, it is immediately displayed on the device screen, in order for TSA screeners to screen the passengers against their photo identification. Once this is completed, the information is immediately and permanently deleted from the system....
The BPSS device application does not maintain a transaction log with bar code scan content; the application does not save or store the bar code scan data to a file, database, etc.
As many of my readers may know, I caused a bit of a panic at TSA in 2006, when I created a website that made fake boarding passes. Once the FBI dropped their investigation, and TSA decided not to come after me, the Feds became a lot nicer to me. I've flown out to Washington DC a couple times since to meet with TSA officials, and I know for a fact that a number of people inside DHS have read my research paper. Thus, it's not terribly surprising that the system in trial at Houston airport closely follows the design I outlined.
The authors of the privacy report were even nice enough to give me props, and mention my boarding pass security research as a motivation for the technology in the second paragraph of the document.
The makings of a surveillance state
TSA has clearly done a good job in designing this system, and making sure to include privacy analysis at the early design stages. The main problem though, is that it creates the foundations of a surveillance state. A world where TSA agents will be able to read through your digital dossier in detail as they decide how strictly to prod and probe you. This system, essentially, sets the stage for data discrimination at checkpoints.
When a passenger goes through a TSA checkpoint right now, the agent only has a few bits of information in front of him or her: The passenger's reported name, ID documents and the the physical features of the passenger (race, gender, dress, accent). Yes, it is possible for an airline to flag a passenger (the dreaded SSSS on a boarding pass), if the passenger's name appears on one of the watchlists. However, this is still very little information.
Imagine if, when going through a TSA checkpoint, the agents had a full dossier on each passenger - detailing everywhere you'd ever flown, any past criminal records, credit history, parking tickets and heck, even which books you've been seen reading in the airport. It's not such a wild fantasy, as US Customs Officers already have this information, and look at it when you enter the country.
What if ....
While the pilot program that TSA is using in Houston is privacy preserving, passengers will have no way of knowing if a future administration decides to update the software or hardware of the handheld devices. It would be very easy to add a wireless card to the devices, and no passenger would ever be the wiser. Suddenly, TSA agents would have a wealth of information at their fingertips, information that could help agents "fight the war on terror."
Such a change, if it did happen, would probably not require that TSA notify the public. Moreover, I doubt if it'd even have to tell the entire Congress. It would simply hold a closed briefing for the Intelligence Committees -- including the same gutless "gang of 8" who knew about the NSA's Warrantless Spying program for years, and didn't do anything about it.
To be clear, I'm not accusing TSA of doing anything wrong. All I'm saying is that once agents start scanning in bar codes with hand held devices, we the public will have no way of knowing what happens to the data. TSA is, afterall, rather trigger-happy when it comes to pseudo-classifying data as Sensitive Security Information .
Remember the National Security Letter powers that the FBI was given by the Patriot Act? Congress and the public were assured that there would be safeguards, and that they would be used correctly. Fast forward a few years, and we find out that National Security Letters have been widely abused, time and again.
I don't have an easy solution to recommend here. The current boarding pass system is easy evade, and digitally signed bar codes do solve this problem. However, given that passengers can still refuse to show ID when they fly (and thus totally avoid the watchlists), I'm not really sure what is the main goal of this pilot. Why spend millions to beef up boarding passes, when passengers can still slip through the system with no ID?
Perhaps the real solution, as crazy as it may sound, is for TSA to do their job - and screen passengers. As experts have noted over and over, a valid ID and boarding pass are not proof that someone is not a terrorist. Instead of wasting money and time trying to verify documents and ID cards, why not reallocate these resources to searching bags and patting down old ladies?
Thanks to Adam Shostack for tipping me off to the NYT article on the TSA pilot.
- prev
- 1
- next
