8.06.2008

Encryption Is the Issue In Case of Missing Laptop

The Transportation Security Administration (TSA) continues to investigate the circumstances surrounding the loss of a Clear®-owned laptop computer on July 26 that contained unencrypted data of approximately 33,000 customers. TSA has verified that a laptop was discovered by Clear® officials yesterday at San Francisco International Airport (SFO). It was voluntarily surrendered to TSA officials for forensic examination.

TSA’s regulatory role in this matter is as follows: Every commercial airport is required to have an approved airport security plan, and Registered Traveler is part of that comprehensive plan at the airports where it operates. Under the airport security plan, the sponsoring entity (SFO in this case) is required to assure its vendors have an approved information security program. Because the computer at SFO was not encrypted, it is in violation of the airport’s security plan.

TSA also has the ability to go directly to vendors when the plan is not being adhered to, so TSA is conducting a broad review of all Registered Traveler providers’ information systems and data security processes to ensure compliance with security regulations.

Clear® needs to meet the information security requirements that they agreed to as part of the Registered Traveler program before their enrollment privileges will be reinstated. Encryption is the wider issue as opposed to one incident with one laptop. So for now, Clear® enrollments remain curtailed.

Current customers will not experience any disruption when using Registered Traveler.

Eos Blog Team

63 Comments:

Anonymous Patrick Sweeney said...

So in other words after these people at Clear had no respect for anyone's information, the TSA would REINSTATE THEM? That is even scarier!

August 6, 2008 7:46 PM

 
Anonymous Earl Pitts said...

So let's go thru TSA's examination of this laptop:

No shoes: check.

No point objects: check.

No liquids, aerosols or gels: check.

Provided us its ID (checked name of the computer): check.

Is it on the No Fly® list? No. check.

Did what we asked it to do when we put in commands? check (no secondary needed).

Result: looks safe to us. Go back to "clearing" people. :D

August 6, 2008 8:07 PM

 
Anonymous Miller said...

So who will step up to the plate and take responsibility for this having happened on their watch?

I suspect that it gets shoved under that ever growing rug and that the government hopes the issue goes away quietly/people forget.

August 6, 2008 8:22 PM

 
Anonymous Anonymous said...

Why do so many organizations (government and private) insist on putting unencrypted sensitive data on mobile devices that are easily lost or stolen? In many cases, there wasn't even a legitimate need for the sensitive info in the first place (e.g. asking for a full SSN when the last four or some other data would be sufficient).

As for the "full review" TSA intends to do, great, but I want to know what sanctions will be instituted for this failure. A stern warning just won't cut it.

August 6, 2008 8:44 PM

 
Anonymous Anonymous said...

"Boss.. I lost our top secret laptop."
"Did it have anything important on it?"
"Just 33,000 identities unencrypted."
"Don't worry about it."

Nine days pass.

"Boss.. I found our top secret laptop."
"Where was it?"
"On the shelf where it is supposed to sit all the time."
"Was it there yesterday?"
"Nope."
"Don't worry.. Forensics will figure out what happened."

HELLO! Anybody? Forensics ain't going to show anything. Sounds like it was an inside job, probably pulled a ghost image of the drive in read-only mode. Congratulations, the private information of 33,000 TSA 'customers' is, in all likelihood, now compromised.

If I did something this stupid at my job, I would not get a reprimand. I would be thrown into the deepest cell in a federal prison with no chance of parole, most likely in the Aldrich Ames or Walker wing.

TSA needs to clean up their act before the OPM does it for them.

August 6, 2008 9:36 PM

 
Anonymous Anonymous said...

TSA needs to clean up their act before the OPM does it for them.
-----------------------

This is the type of thing that makes me crazy. The TSA just told you on their very own blog that they did not lose this laptop. Either there are tons of daft folks on the internets or you arm chair security professionals just believe what you want to believe, facts be damned...

Rick

August 6, 2008 9:47 PM

 
Blogger Jim Huggins said...

Anonymous writes:

This is the type of thing that makes me crazy. The TSA just told you on their very own blog that they did not lose this laptop. Either there are tons of daft folks on the internet or you arm chair security professionals just believe what you want to believe, facts be damned...

Not quite. One way or another, a laptop with extensive private information on U.S. citizens could not be located for several days. Perhaps it was mislaid, and no harm done; on the other hand, perhaps it was removed from the building, its data copied, and then returned to the building. We won't know which possibility is more likely without the forensics folks working on it. Either way, not being able to find a laptop with highly sensitive data on it for several days is a Very Bad Thing ... precisely because you don't know the difference between something being mislaid and something being stolen.

In either case, in the process of trying to find the laptop, TSA discovered that the data on the laptop, which should've been encrypted, wasn't. Clear(R) didn't do what it promised it would do, and so it's being suspended until it gets its collective act together.

For all the slamming we do on TSA here, they deserve a (small) break on this one. They discovered the breach on the part of one of their contractors, shut down the breach until the contractor fixes it, and made a public disclosure of the whole incident. (Granted, it'd be better if the whole thing had been prevented in the first place, but this is a pretty decent second-best.)

Aside: the libertarian side of me, of course, must point out that such a breach wouldn't have happened if there wasn't a need for collecting all of that data in the first place. But that's a much larger debate ...

August 6, 2008 10:02 PM

 
Blogger Tomas said...

The laptop "reappeared" in the locked room 10 days after disappearing, right?

If that is true, it almost has to be an "inside job" and some employee with access to that secure area not only removed the laptop, but returned it when it got too intense with the feds checking every aspect of the company and its employees...

Occam's razor really says this was an actual theft of the laptop and its contents, most likely by an insider. Protestations otherwise must explain how all the folks looking for the laptop couldn't find it in that confined space over a period of ten days.

But, if the problem should turn out to be that the company, airport security, local police, and federal agents were unable to find a laptop in a locked room, given ten days to look for it, there are even deeper problems in this entire event...

I have a question:
If Verified Identity Pass Inc. did not, as required, keep Customer Proprietary Information including names, addresses, birth dates and some applicants' driver's license numbers and passport information encrypted, can anyone explain why the company might be allowed to resume collecting information in this program at ANY point in the future?

(I understand that at this point TSA/DHS and all the other alphabet agencies involved probably don't have a clear answer, but please understand also that we will expect updates and results.)

Tom
(One of the 5 or 6 regulars...)

August 6, 2008 10:04 PM

 
Anonymous Miller said...

But, if the problem should turn out to be that the company, airport security, local police, and federal agents were unable to find a laptop in a locked room, given ten days to look for it, there are even deeper problems in this entire event...

Depends on how messy that room might have been, but I suspect that someone took the laptop thinking that they just got a free laptop when the heat was turned up and the laptop 'mysteriously' turned up. Wonder if any of the security cameras caught anyone returning the laptop?

I have a question:
If Verified Identity Pass Inc. did not, as required, keep Customer Proprietary Information including names, addresses, birth dates and some applicants' driver's license numbers and passport information encrypted, can anyone explain why the company might be allowed to resume collecting information in this program at ANY point in the future?


This is security at any cost that people just want to have. They now have it at the potential cost of their identities (depending on what was done with that information). Is the cost of potential identity theft worth the security at any cost? I don't think so. Those people trusted their government to do the right thing and the government (through a government hired contractor) failed them again.

Who will stand up and take responsibility for this security breach? Bueller? Bueller? Anyone?

August 6, 2008 10:41 PM

 
Anonymous Anonymous said...

This incident is a perfect example of one of many reasons DHS/TSA's privacy invading ideas of CAPPSII/Secure-Flight, registered traveler, or just plain keeping logs of every passenger on every flight is a bad idea. In addition to the serious civil liberties issues (papers please? Are we in East Germany now?), each of these ideas creates a massive database of personal information about large numbers of individuals. Such a database begs to be compromised and stolen, either by criminal private interests (i.e., ID thieves) or criminal government interests (i.e., the inevitable department that "for our safety" will decide to use the database to identify people engaging in Constitutionally-protected activities like free association, free assembly, and protest, that happen to disagree with the government of the time).

TSA does not deserve a break on this one. They created the situation/program that led to this theft, and now are trying to push it under the rug. What they should be doing is apologizing to the victims, offering compensation for any inconvenience/losses, transparently explaining their failures and punishing those responsible, and explaining a plan to shut down all of these privacy-invading programs and destroy all associated personal information.

August 7, 2008 6:30 AM

 
Anonymous Anonymous said...

I would like to live in your world for just a day.

August 7, 2008 8:19 AM

 
Anonymous IDisntSecurity said...

So, why is it that a private company can issue me an id (which enables entry to a shorter security line) but the federal government, having done a far more in depth background check, can issue me an ID which is good enough to get into the west wing, but not good enough to get on an airplane in the regular line?

(and it's HSPD-12 compliant too!)

Of course DHS badges aren't good enough either.

August 7, 2008 9:23 AM

 
Anonymous Anonymous said...

Step 1. Steal laptop
Step 2. Clone disk
Step 3. Replace laptop
Step 4. Profit!!!

August 7, 2008 9:49 AM

 
Anonymous NoClu said...

Another reason to restrict who has access to your private information. Without the ridiculous efforts to "ID" travelers this wouldn't have happened.

ID doesn't equal Security.

August 7, 2008 9:56 AM

 
Blogger Gunner said...

ID doesn't equal Security

...but it can lead to a nice, tidy profit.

August 7, 2008 11:55 AM

 
Anonymous Robert Johnson said...

Quote from idisntsecurity: "So, why is it that a private company can issue me an id (which enables entry to a shorter security line) but the federal government, having done a far more in depth background check, can issue me an ID which is good enough to get into the west wing, but not good enough to get on an airplane in the regular line?

(and it's HSPD-12 compliant too!)

Of course DHS badges aren't good enough either."


Add that to the fact that somehow being able to pass a driver's test and be able to parallel park makes an ID acceptable but being able to pass a background check with a polygraph for a lot of federal ID's isn't acceptable enough.

Anyone else see something wrong with that?

August 7, 2008 1:57 PM

 
Blogger Wintermute said...

Robert Johnson said...

Add that to the fact that somehow being able to pass a driver's test and be able to parallel park makes an ID acceptable but being able to pass a background check with a polygraph for a lot of federal ID's isn't acceptable enough.

Anyone else see something wrong with that?


Oh, it's even worse than that. All it takes is a willingness to pay and minimal documentation for a state ID. Not only that, but due to the ease with which the required documentation (birth certificate and social security card) can be forged, you can get a perfectly valid ID using forged documents. And even with valid documents, the state of Ohio *still* managed to screw mine up, and kept renewing the ID with incorrect information until I decided to get a driver's license 10 years later. And the TSA would have allowed that perfectly valid, yet incorrect, state ID, but not my federally-issued one that, as you mentioned, required a background check? I thought identity mattered? I guess not, and the proof is in the pudding, so they say...

August 7, 2008 3:44 PM

 
Anonymous Mike said...

I was actually favorably impressed by the Clear document laying out all the protections for privacy, etc. However, official policies and procedures are no good if they're not followed.

Two years ago, OMB mandated that all gov't laptops, etc. with sensitive information use encrypted disks. All over the executive branch, reviews are done of what "PII" - Personally Identifiable Information - exists and how it is protected. Breaches are supposed to be reported to US CERT within an hour. Was the contractor required to follow these same standards?

What kind of plan was the Airport Security Plan? Was it a FISMA SSP? Those require "continuous monitoring" and independent validation that the plan is followed. Does the TSA audit/spot check/"secret shop" the contractor? They should. Particularly in this case of this kind of data, they should follow the X-Files line: Trust No One.

August 7, 2008 4:23 PM

 
Anonymous Anonymous said...

I think it is a good thing that your fancy high security clearance cards aren't as big as your egos or you would need to ship them as cargo when you traveled.

How hard is it to put your ego on hold for a few seconds while somebody checks your DL?

It is OK. You can remain important in your own little world, but I doubt the guy checking IDs wants to see your fancy alphabet soup creds.

Get over yourself, 007.

August 7, 2008 4:50 PM

 
Blogger Wintermute said...

Anonymous said...

I think it is a good thing that your fancy high security clearance cards aren't as big as your egos or you would need to ship them as cargo when you traveled.

How hard is it to put your ego on hold for a few seconds while somebody checks your DL?

It is OK. You can remain important in your own little world, but I doubt the guy checking IDs wants to see your fancy alphabet soup creds.

Get over yourself, 007.


FYI, this is the type of anonymous poster that I refer to as a TSA apologist. Note that the post does not address the silliness of the situation that has been argued, but attacks the commenters themselves. Had he said "it isn't valid because..." and attacked the argument, he would not be labeled as such ;)

Also note that I did not say that my federally-issued ID was from a TLA (three-letter agency), or that I even still had it. I simply stated that my state-issued card was issued with mistakes, but would have been valid for the TSA, but my federally-issued one would not. Does this not indicate that the TSA says they believe that identity matters, but acts as though it does not?

August 7, 2008 5:02 PM

 
Anonymous Anonymous said...

Wintermute said:
FYI, this is the type of anonymous poster that I refer to as a TSA apologist. Note that the post does not address the silliness of the situation that has been argued, but attacks the commenters themselves.

But it's OK for you to attack the commenter as an apologist.

August 7, 2008 5:25 PM

 
Anonymous Robert Johnson said...

Quote from Wintermute: "FYI, this is the type of anonymous poster that I refer to as a TSA apologist. Note that the post does not address the silliness of the situation that has been argued, but attacks the commenters themselves. Had he said "it isn't valid because..." and attacked the argument, he would not be labeled as such ;)"

I agree.

"Also note that I did not say that my federally-issued ID was from a TLA (three-letter agency), or that I even still had it. I simply stated that my state-issued card was issued with mistakes, but would have been valid for the TSA, but my federally-issued one would not. Does this not indicate that the TSA says they believe that identity matters, but acts as though it does not?"

Additionally, the fact of the matter should show that possessing such an ID should indicate being LESS of a threat due to the background checks required to get them. I think this is just symptomatic of the turf wars in government ... none of the agencies trust each other. If the DHS ID isn't accepted, it shows TSA doesn't even trust its parent.

I shouldn't have to produce a driver's license to board a plane anyway. I'm not trying to drive a car. I'm trying to board a plane. My ability to drive a car is irrelevant.

Funny thing is, prior to this mess a few years back, I was able to travel with no problems using my federal ID (don't have it anymore). Now I just use my passport as it has very little information on it ... much less than DL. The less information TSA has on me, the better.

Robert

August 7, 2008 5:25 PM

 
Anonymous IDisntSecurity said...

Anonymous wrote
I think it is a good thing that your fancy high security clearance cards aren't as big as your egos or you would need to ship them as cargo when you traveled.

How hard is it to put your ego on hold for a few seconds while somebody checks your DL?

It is OK. You can remain important in your own little world, but I doubt the guy checking IDs wants to see your fancy alphabet soup creds.

Get over yourself, 007.


I don't think any of us who work for the federal government are "boasting" about our credentials, rather pointing out a rather silly incongruity.

A couple years back, President Bush issued Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors.
See http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html

HSPD-12 makes sense to have a common standard for government identification as laid out in portions from HSPD-12 below:

(1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).

(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process.


Now with that said, the amount of information that one has to provide to the government in order to possess a federal employee ID card is far more involved than for a driver's license. Even for a basic SF85 (non-sensitive position):

http://www.opm.gov/forms/pdf_fill/SF85.pdf

This includes where you have lived for the past few years, where you went to school, people who know you. This is the minimum. For anyone who is in a trusted position, or higher GS grade or a new hire you need to disclose financial information, and your background, credit history, medical history will be investigated, and your neighbors/references may be interviewed. This is true for non-clearance positions.

Now since the federal government has invested considerable time and money in verifying who I am and if I can be trusted, doesn't it seem silly to disregard that trust?

Previously when ID's were all different designs/standards I can understand why it would be difficult to verify the authenticity, but with a common standard (which can be verified electronically) it does not make a whole lot of sense. Nor does it make sense why a civilian CAC is no good for ID when a military CAC is ok when they are the same card issued by the same people, with the same format.

August 7, 2008 5:56 PM

 
Anonymous Anonymous said...

"But it's OK for you to attack the commenter as an apologist."

An accurate description is not an attack.

August 7, 2008 7:18 PM

 
Anonymous Anonymous said...

Since a driver's license's true purpose is to show that one is legally permitted to operate a motor vehicle, not be an internal passport, what about people who don't drive due to age or disability? Also, if someone's license has been revoked for DUI or some other traffic offense, but still has to travel by air?

August 7, 2008 7:49 PM

 
Anonymous HSVTSO Dean said...

IDisntSecurity wrote:

Nor does it make sense why a civilian CAC is no good for ID when a military CAC is ok when they are the same card issued by the same people, with the same format.

Nope, it sure doesn't, and personally this is something that I would like to see changed - Huntsville International Airport is in very close proximity to Redstone Arsenal, so we have a whole bunch of folks moving in and out on government credentials. The prohibition of using civilian CACs has caused... ah... a fair bit of flyers to become upset - we even scored our own thread over at FT!

That doesn't change what the regulations are though.

Incidentally, there is one different aspect of the format between the military CACs and the civilian CACs, and that is the absence of a birthdate on the civilian CACs. The "authorized forms of ID" list TSA gives us for use in the TDC procedures lists a final one on the Federal level, making it pretty open-ended. Paraphrased, it's something to the nature of any other Federal identification credentials that include the bearer's photograph, name, birthdate, expiration date... and maybe a couple of other things that I can't pluck out of my brain just at the moment. It's entirely plausible under those definitions that, if civilian CACs were issued bearing their owner's birthdate, that civilian CACs would be totally and completely acceptable forms of ID under that clause given that they're issued on the Federal level.

It's silly, but there it is.

August 7, 2008 7:50 PM

 
Blogger Tomas said...

Anonymous wrote...
Since a driver's license's true purpose is to show that one is legally permitted to operate a motor vehicle, not be an internal passport, what about people who don't drive due to age or disability? Also, if someone's license has been revoked for DUI or some other traffic offense, but still has to travel by air?

In my state (Washington) the solution is to get a state ID Card which looks identical to our driver's license, contains all the same information, but is titled "IDENTIFICATION CARD" instead of "DRIVER LICENSE."

The DL and ID are BOTH available either in "standard" form or in "enhanced" form with biometrics and RFID.

I assume that most, if not all, other states have ID Cards for those without driver's licenses.

August 7, 2008 9:26 PM

 
Anonymous Anonymous said...

Actually, this type of system is a disaster just waiting to happen. Too many points of failure. A secure system should use a single server at a remote, secure location with secure datacom links. The client systems should be "dumb" systems, thus helping to prevent hacking problems.

Going further, the passengers should have rfid tags such as this that would trigger positive identification without having to resort to cards.

To ensure security we have to think outside the box.

August 7, 2008 9:31 PM

 
Anonymous Robert Johnson said...

Quote from HSVTSO Dean: "
Incidentally, there is one different aspect of the format between the military CACs and the civilian CACs, and that is the absence of a birthdate on the civilian CACs. The "authorized forms of ID" list TSA gives us for use in the TDC procedures lists a final one on the Federal level, making it pretty open-ended. Paraphrased, it's something to the nature of any other Federal identification credentials that include the bearer's photograph, name, birthdate, expiration date... and maybe a couple of other things that I can't pluck out of my brain just at the moment. It's entirely plausible under those definitions that, if civilian CACs were issued bearing their owner's birthdate, that civilian CACs would be totally and completely acceptable forms of ID under that clause given that they're issued on the Federal level.

It's silly, but there it is."


Yes, it is silly. If the purpose of this whole exercise is to "identify" people, the lack of a birthdate doesn't change who the person is.

If the FEDERAL government can issue a card to someone stating that's who it is, it's ridiculous that TSA won't accept it without a birthdate.

Robert

August 7, 2008 10:14 PM

 
Anonymous Anonymous said...

Just to add to the comments being posted already. When our officers fly for whatever reason, we can't use our DHS/TSA identification.

August 7, 2008 11:59 PM

 
Anonymous Anonymous said...

Anonymous said...

Since a driver's license's true purpose is to show that one is legally permitted to operate a motor vehicle, not be an internal passport, what about people who don't drive due to age or disability? Also, if someone's license has been revoked for DUI or some other traffic offense, but still has to travel by air?


Every department of motor vehicles has an ID that can be issued for people who don't drive. It's still a state-issued ID and just as valid as a driver's license.

August 8, 2008 6:59 AM

 
Anonymous HSVTSO Dean said...

Robert Johnson wrote:
Yes, it is silly. If the purpose of this whole exercise is to "identify" people, the lack of a birthdate doesn't change who the person is.

True, but we're also trained to verify someone's approximate age by the birthdate compared to their face (not the one on the ID card, but themselves). It's one of several things we do in the 8-10 seconds we have to look at the card.

If someone's wrinkle-faced and their ID says that they were born in 1989, then that'd warrant some additional scrutiny as per the TDC procedures.

Also keep in mind that it wasn't definitive. That thing about the birthdate was pure speculation on my part comparing the civilian CACs with the military CACs, and knowing what I know about what the guidelines are. It's entirely possible that even if civilian CACs are issued with a birthdate, they might not be allowed because of the first mention of government credentials on the acceptable forms of ID list, specifically where it says that they're only allowable with a second form of ID.

So, to be safe, if you're not wanting to use your State-issued ID card, then pack your CostCo card with your CAC, and you should be good to go. :)

August 8, 2008 8:34 AM

 
Blogger Wintermute said...

Anonymous said...

Every department of motor vehicles has an ID that can be issued for people who don't drive. It's still a state-issued ID and just as valid as a driver's license.

Yes, and as I said, the documentation that is required to obtain one is easily forged, making the whole situation even sillier. And, also as mentioned, the state of Ohio issued mine with incorrect information and refused to correct it for 10 years. And, because it was "valid," the TSA would have accepted it under their current rules. While my federally-issued ID card would not have been accepted, simply because it didn't show one of the pieces of incorrect information from my state ID?

An anonymous TSO (I assume) said...

Just to add to the comments being posted already. When our officers fly for whatever reason, we can't use our DHS/TSA identification.

This strengthens the argument that the TSA could care less about identity.

Anonymous said...

But it's OK for you to attack the commenter as an apologist.

As already pointed out, a statement of fact is not an attack. And it is a fact that someone who contributes nothing to the conversation except to attack the TSA detractors fits the definition of an "apologist," just as "lowly TSO" is not an insult but a statement of fact about the position a TSO holds within the TSA. It speaks nothing of the character of the TSOs themselves.

August 8, 2008 9:12 AM

 
Blogger RB said...

"Yes, it is silly. If the purpose of this whole exercise is to "identify" people, the lack of a birthdate doesn't change who the person is."

................................
Again, if a person is on the "Do Not Fly List" then they would not get a ticket. Some TLA would have already taken them into custody and charges would have been filed.

Past that point if a passenger has been divested of all prohibited materials what difference does the identity matter?

TSA has not made a very good case regarding ID. In fact I would call it POOR!

Kip refuses to discuss this issue as his post a few weeks back stated.

Of course when TSA cannot justify the abuse foisted on the travelers of this country the best tack seems to be silence instead of thoughtful, intelligent discussion.

ID does not matter!

One of the other 5 or 6........

August 8, 2008 9:40 AM

 
Anonymous Anonymous said...

Regarding the silliness of not accepting federal ID...

As this post obfuscatingly explains, TSA does not care about identity of people, just that their names do not match the aliases of the identities of people on "the list".

If, bottom line, identity mattered, the high quality of federal IDs would mean something, but since the TSA's policies have only a theatrical association with real security, we get inanities like this.

August 8, 2008 10:42 AM

 
Anonymous Robert Johnson said...

Quote from Anonymous: Actually, this type of system is a disaster just waiting to happen. Too many points of failure. A secure system should use a single server at a remote, secure location with secure datacom links. The client systems should be "dumb" systems, thus helping to prevent hacking problems.

Going further, the passengers should have rfid tags such as this that would trigger positive identification without having to resort to cards.

To ensure security we have to think outside the box.
"

Actually, what you just described is a disaster waiting to happen.

RFID tags have already been shown to be exploitable, with the supposedly unclonable e-passports being offered now already being hacked and cloned. That opens anyone with a chip up to anyone with an RFID reader nearby. No thanks.

But worse than that, do you really want to be tracked everywhere by the government? You say it provides security ... security for whom? The people, or an oppressive government wanting to monitor people and keep dissidents in check?

Pitch that to Kim Jong-Il. I'm sure he'd love that idea as it'd make his job a lot easier. America should institute something like that only if it wants to renounce freedom and join the likes of states like North Korea.

Robert


August 8, 2008 11:21 AM

 
Anonymous Anonymous said...

What is it with the CostCo card? How did this become a form of valid ID??

August 8, 2008 3:35 PM

 
Blogger Gunner said...

The flaw with driver's licenses that one can "drive a truck through" is that Pennsylvania, Delaware, Tennessee, Indiana, Michigan, Wisconsin, Iowa, Idaho, Washington, Oregon, Utah and New Mexico accept the routinely counterfeit Mexican Matricula Consular identification card for the issuance of driver's licenses.

So, if one of the bloggers would like to comment, how is it that identification based upon widely discredited Mexican Matricula Consular identification cards can be the basis for passing through YOUR screening, but that identification cards issued by the same United States federal government that you allegedly work for are insufficient?

Consider that question #11 with a star. (I'd say bullet but that would probably lead to additional screening of this post)

August 8, 2008 4:54 PM

 
Anonymous Miller said...

Sorry, guys but the issue is not encryption, but it is responsibility for maintaining sensitive information. The people responsible for that information were derelict in their duties and should be fired.
Want to keep the information on a laptop then you yank the hard drive before going home and lock that drive in a safe. That way you don't mess with encryption, but instead maintain physical custody of the information.

Program directors ultimately have the responsibility for how their staff perform. Time for heads to roll (figuratively).

August 8, 2008 5:19 PM

 
Blogger RB said...

True, but we're also trained to verify someone's approximate age by the birthdate compared to their face (not the one on the ID card, but themselves). It's one of several things we do in the 8-10 seconds we have to look at the card.

..........................
Hey, maybe you can use that training for a real job, like Carnival Barker at the Weight and Age Guessing Game.

Would have as much impact on air safety there as at an airport!

August 8, 2008 6:01 PM

 
Anonymous Anonymous said...

Dean said: "If someone's wrinkle-faced and their ID says that they were born in 1989, then that'd warrant some additional scrutiny as per the TDC procedures."

I am a wrinkle free person born in the early 70's who is routinely considered to be at most 20. Can't help it. I'm small. Is that why I am always mistreated? What do you recommend? Should I dye my hair gray?

August 8, 2008 6:09 PM

 
Blogger Wintermute said...

Anonymous said...

What is it with the CostCo card? How did this become a form of valid ID??

The gentleman who was asked his political affiliation (which Kip has promised won't happen again, but has failed to say what sanctions will be taken when it does) was asked if he had a CostCo card as a last ditch effort to verify his identity before being moved into the invasive secondary interrogation. They even told the guy they'd accept a credit card if it was one of the ones which had his photo on it. Great to know that they'd accept one of those forms of "ID" before a federally-issued one, isn't it?

August 8, 2008 7:23 PM

 
Anonymous Anonymous said...

"...do you really want to be tracked everywhere by the government?"

Most people just don't care. I don't do anything wrong. Let them track me. They'll die of boredom. If the "great decider" wants me tracked, so be it.

Actually, the leadership of this country differs from Kim Jong-Il only in degree, not philosophy. We may as well get over it.

August 8, 2008 7:55 PM

 
Anonymous Anonymous said...

http://www.tsa.gov/travelers/airtravel/acceptable_documents.shtm

The link above states that a person 18 or older MUST present ID.

We all know that is simply not true.

Please correct your "Information for Travelers" to display the correct information.

Or does TSA consider it ok to not be truthful (read honest)?

Speaking of honesty, is that not a requirement to have access to sensitive information?

August 8, 2008 10:06 PM

 
Anonymous HSVTSO Dean said...

Gunner wrote:
So, if one of the bloggers would like to comment, how is it that identification based upon widely discredited Mexican Matricula Consular identification cards can be the basis for passing through YOUR screening, but that identification cards issued by the same United States federal government that you allegedly work for are insufficient?

We were actually told specifically about this card. Prior to the acceptable list of IDs having been thinned out, we were told that we have to accept them, even though just to look at them would spark all sorts of red flags about being counterfeit, because despite the shoddy design and nonexistent security features, it was a legitimate foreign government ID card.

Now that the list is shortened, I don't think we can accept them anymore. To my knowledge, the only foreign media we accept now are foreign passports and Canadian driver's licenses.

Beyond that, I can't really comment any further due to the fact that the remainder of the question continues to go stratospherically above my paygrade. As I've written before, I have no idea why government credential cards aren't acceptable as primary forms of ID, excepting the speculation of the date of birth.

Anonymous wrote, probably tongue-in-cheek:
Should I dye my hair gray?

It couldn't hurt. :) Gray hair on young faces is also hip these days, too. :D

August 9, 2008 12:19 AM

 
Anonymous HSVTSO Dean said...

Off-topic from the laptop discussion, but on-topic with the citizen's discussion:

Long post, incoming! Most of this is nothing I haven't said before, though, but I'm trying to be complete in my explanation. Since it cleared SSI muster the first time, it should clear SSI muster this time. I also added something new - something that any passenger who came to the checkpoint without one of the authorized forms of ID would find out, so that couldn't possibly get me into SSI trouble.

You people are lucky I give a crap about my fellow citizens. :P

Anonymous wrote:
What is it with the CostCo card? How did this become a form of valid ID??

The specific reference to the CostCo card is kind of a joke based off of the citizens' derision of the ID policy in general. It reaches back to one of the first reports of the identification process being posted on the Internet, though I'm too lazy to look it up right now.

The identification policy is... a lot more complex than people think it is. At first, it was announced that you would either provide a form of ID from a list of acceptable IDs, or you have your identification established for you. If you refused to show ID, you weren't allowed to fly. This started on June 21.

What then happened, with absolutely no announcement made at all to the public, is that these policies were changed, and indeed lightened, probably because they were so draconian. The actual date that they first started changing escapes me, but the latest change to the policy happened on June 30. I was told, specifically, that the date of its release is not, in itself, SSI, so I don't have any problems saying that.

(...I think it was June. I looked it up at work, but since I'm at home right now I have only my memory to go by for the date attached to the MD. The 30 is definitely right, though it may have been July instead of June. I'm still leaning toward June, though - I can write another comment tomorrow morning when I get to the airport to clarify this.)

Basically, it works like this:

You walk up to the security checkpoint. There are a number of things that could happen.

A. You refuse to show ID.
1. If you are willing to cooperate with the ID verification process, the ID process moves forward and, pending a successful outcome of the verification process, you're processed through screening normally. If you're considered by a BDO to be acting suspicious (whatever that means), you're designated a selectee and processed through screening.

One of the reasons why this particular concept is so hard for the TSA folks to figure out (and, indeed, just yesterday I had to whip out the black-and-white and show it to no less than two supervisors, a lead, and the local training coordinator before they would believe me that this is the policy for refusing to show ID) is that most people seem to sensibly connect refusing to show ID with being uncooperative. According to the procedures -- THIS IS NOT THE CASE. The specific scenario of Question Two, of refusing to show ID but being willing to go through the ID verification process, is very, very improbable because anyone who refuses to show their ID is, ninety-nine billion out of a hundred billion times, not going to be cooperative to filling out the ID verification form. However, despite the improbability of the scenario, the fact remains that there is no difference whatsoever in someone who lost their ID, and someone who politely refuses to show their ID.

Moving on.

B. You have authorized form of ID, and show it.
1. You proceed through screening normally.

...D'uh. No real explanation or clarification required on this one.

C. You do not have an authorized form of ID, but you have two "other" forms of ID.
1. This is where the CostCo card thing comes from. If you don't have an acceptable form of ID from "the list," then any two other forms of ID are, technically, permissible. The exact interpretation varies, but the way I understand it (i.e., the way it's been interpreted here at Huntsville) is that preference is given to photo IDs and government-issued IDs on some level. A CAC card and a CostCo card combination is good enough (CAC has photo, and is government ID, CostCo has name). A utility bill and a credit card combination is good enough. TSA should feel free to correct us if this is an improper interpretation.

p.s.:

Wintermute wrote:
It speaks nothing of the character of the TSOs themselves.

Some people seem to think it does, though. :(

August 9, 2008 1:49 AM

 
Anonymous Sandra said...

Wintermute said:

"An anonymous TSO (I assume) said...

Just to add to the comments being posted already. When our officers fly for whatever reason, we can't use our DHS/TSA identification.

This strengthens the argument that the TSA could care less about identity."

I agree completely. This, in fact, is about pushing through Chertoff's REAL ID fiasco.

August 9, 2008 7:58 AM

 
Anonymous Sandra said...

If someone's wrinkle-faced and their ID says that they were born in 1989, then that'd warrant some additional scrutiny as per the TDC procedures.

So you're saying, Dean, that if someone who has been through an illness and possibly surgery, chemo, whatever, whose looks have changed from their ID, you're going to harass them further. Nice.

I have a relative who is 10 years older than I am but I could still get through your documentation check using that relative's driver's license. That says that either I look 10 years older than I am or my relative looks 10 years younger. You'd still never know.

August 9, 2008 8:33 AM

 
Anonymous Anonymous said...

Wintermute said:
Anonymous said...

Every department of motor vehicles has an ID that can be issued for people who don't drive. It's still a state issued ID and just as valid as a driver's license.

Yes, and as I said, the documentation that is required to obtain one is easily forged, making the whole situation even sillier. And, also as mentioned, the state of Ohio issued mine with incorrect information and refused to correct it for 10 years. And, because it was "valid," the TSA would have accepted it under their current rules. While my federally-issued ID card would not have been accepted, simply because it didn't show one of the pieces of incorrect information from my state ID?


Wintermute please do not use my answer out of context. This answer was for the person who asked what someone should do if they can not obtain a driver's license. Not for the question you asked.

August 9, 2008 8:47 AM

 
Blogger Eclectic Dilettante said...

Here is an example of 'officials' losing laptops with sensitive data from msnbc news.

"March 24, 2008 A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy."

And another....

"The handling of the incident is reminiscent of a 2006 theft from the home of a Department of Veterans Affairs employee of a laptop with personal information about veterans and active-duty service members. In that case, VA officials waited 19 days before announcing the theft. Which contained sensitive personal information about 26.5 million veterans and military service members."

Failure to secure the laptop is irresponsible and careless. These people obviously aren’t fit to handle sensitive data. They should be fired. To take it one step further, these people have a fiduciary duty to handle our data with care. To not do so, in my opinion, is criminal.

This is getting ridiculous. How do you lose a laptop? My laptop has been all over the world with me and I've never once lost it, misplaced it, dropped it or had it stolen. It’s an expensive piece of equipment that requires vigilance and care.

August 10, 2008 8:50 AM

 
Anonymous Anonymous said...

Oh My lord! How is it that SFO, a privatized airport, and CLEAR, a private company messing up is being blamed on the TSA? WOW! You guys just want to find anything and everything to blame on the TSA, when they are the ones looking out for your PII (Personally Identifiable Information). Get with it.

August 10, 2008 12:44 PM

 
Anonymous Anonymous said...

"Since a driver's license's true purpose is to show that one is legally permitted to operate a motor vehicle, not be an internal passport, what about people who don't drive due to age or disability? Also, if someone's license has been revoked for DUI or some other traffic offense, but still has to travel by air?"
An ID is required. There are several forms of valid ID; not just a driver license. A driver license is just the most common form most people have.
And to the guy/gal who says he only shows his passport because his DL shows more personal info. and you don't want TSA having your personal info.: do you think the people checking IDs have a photographic memory or a micro-camera imbedded in their eyes? How would they possibly retain all that information? Help me, the paranoids are coming.

August 10, 2008 5:35 PM

 
Blogger CBGB said...

I've really been thinking about how to respond to this since it was posted but I just am still shocked by this post...

Absolutely no response from the TSA bloggers CHECK

TSA employees stealing TSA laptops (stop kidding yourselves) CHECK

TSA and TSA vendor violating federal law CHECK

ID you simply pay for is valid CHECK

License to operate a car is internal passport CHECK

ID allowing access to real top secret information (not SSI) is not sufficient to fly CHECK

Unfortunately you're more concerned with the fact that security protocol was broken as opposed to the 33,000 people whose ID was potentially stolen. But that's not even the case really...If you really were concerned about security you would be cancelling the Registered Travel customers to the last single only one. Because otherwise, it's possible somebody is using the registered traveler program as a stepping stone to getting past your security you boneheads.

You instituted this program to make business travelers happy because if you pissed them off you're done as an agency. So you can't risk screwing them even if it ACTUALLY PUTS SECURITY AT RISK.

At some point we're going to need to put helmets on the people making decisions before they hurt themselves.

Or better yet get rid of you entirely and put some real security in place as opposed to somebody protecting nothing but the airlines' ticket revenue.

August 11, 2008 2:54 AM

 
Blogger Gunner said...

Now that we have established that a driver's license is not a valid form of ID for anyone by TSA, let's look at what else they consider valid:

They even told the guy they'd accept a credit card if it was one of the ones which had his photo on it. Great to know that they'd accept one of those forms of "ID" before a federally-issued one, isn't it?

It gets even worse. The banks that allow vanity photos on debit and credit card products do not accept the photos as identification. Why, you might ask? Simple, because the photo can be uploaded by the customer and there is no (none, nada, nyet) verification as to whose photo it is. I could upload a photo of the Kipster himself if I chose.

So, we have the TSA, which is screeching as loud as it can that identity matters, accepting cards based on fraudulent Mexican ID, or self-loaded, self-identified photos, before it will accept Federally issued ID.

...and they expect us to take them seriously.

August 11, 2008 2:17 PM

 
Blogger Ayn R. Key said...

Um, blog team. I just noticed THIS.

The TSA is going to start doing security at private airports and for private planes. As of now the TSA is stopping short of screening passengers ... for now.

When we told you to close the biggest security hole, we meant the unattended luggage, not the private airports.

August 11, 2008 3:00 PM

 
Anonymous NoClu said...

Lack of timely updates will kill this blog...though perhaps that is what you are after...

August 11, 2008 3:21 PM

 
Blogger CBGB said...

so nothing has been approved since Friday...bloggers taking the day off?

August 11, 2008 4:48 PM

 
Anonymous Anonymous said...

3 days without comments? Heh, the blog is as broken as TSA itself.

August 11, 2008 5:04 PM

 
Anonymous Robert Johnson said...

Quote from Anonymous: "Most people just don't care. I don't do anything wrong. Let them track me. They'll die of boredom. If the "great decider" wants me tracked, so be it.

Actually, the leadership of this country differs from Kim Jong-Il only in degree, not philosophy. We may as well get over it."


Here's a good read. For those that think "I have nothing to hide."

'I've Got Nothing to Hide' and Other Misunderstandings of Privacy by Daniel Solove.

These people didn't have anything to hide either. Yet the police burst into their house, guns blazing, because they thought the mayor of Berwyn Heights, Maryland, was dealing drugs. Turns out the shipment wasn't his. Yet his life has been hell because of it:

http://www.baltimoresun.com/news/local/bal-mayor0807,0,4563211.story

Think having nothing to hide makes you safe? Think again. If the powers that be have the wrong information or if an overzealous analyst thinks saying something like "I walked my dog around the block again" translates to "There's more info in the drop box," you're in for a really rough go of it.

Security and privacy aren't mutually exclusive. Arguably, lack of privacy makes us a lot less secure than having it.

Robert

August 11, 2008 8:51 PM

 
Anonymous Anonymous said...

All Blog Ops toss in the towel?

Surely someone has left a message to be posted.

August 11, 2008 9:09 PM

 
Anonymous Miller said...

Anonymous said...

Oh My lord! How is it that SFO, a privatized airport, and CLEAR, a private company messing up is being blamed on the TSA? WOW! You guys just want to find anything and everything to blame on the TSA, when they are the ones looking out for your PII (Personally Identifiable Information). Get with it.


In this case TSA would be considered a general contractor, responsible for everything that sub contractors do on the job. TSA is responsible for this breach because it is their show.

August 11, 2008 10:03 PM

 
Anonymous NoClu said...

Fliers without ID placed on TSA list---USA Today
http://www.usatoday.com/tech/news/surveillance/2008-08-12-tsa_N.htm?loc=interstitialskip

"The agency then began adding names of people who were questioned by police but not necessarily charged after an airport screener saw them acting suspiciously."

Wow. Classic retaliation and persecution based on an individual's opinion. Even with the flip-flop by Kip, this is a nasty bit of data-gathering and persecution by the agency.

The article also says that the TSA "has been expanding an electronic database that started a couple of years ago to keep track of people..." I thought the TSA didn't claim ownership of the don't fly or watch list. Just how many of those are there?

Please address this topic in an upcoming blog entry.

August 13, 2008 10:13 AM

 
Anonymous miller said...

Wow. Classic retaliation and persecution based on an individual's opinion. Even with the flip-flop by Kip, this is a nasty bit of data-gathering and persecution by the agency.

The article also says that the TSA "has been expanding an electronic database that started a couple of years ago to keep track of people..." I thought the TSA didn't claim ownership of the don't fly or watch list. Just how many of those are there?


So what do you expect from a government agency that answers to no one? We keep seeing obfuscation, deception, smoke and mirrors, etc. coming from TSA. Shut down one data mining operation and they open another while expecting the traveling public to accept the 'we won't do it again' comments.

I wish that one of the alphabet soup agencies would rein in TSA.

August 13, 2008 6:51 PM

 
