The Transportation Security Administration is joining the 21st century. Just 5 years after security experts first outlined methods for faking boarding passes (and 2 years after the FBI raided my home for automating the process), TSA is finally testing out technology to neutralize this security threat. The only problem? The new authenticated boarding passes lay the groundwork for a surveillance state, enforceable all-points-bulletins, and most scary of all, data discrimination.
Can TSA be trusted to do the right thing?
For the last 4 months, Continental Airlines and TSA have been running a pilot project, which permits passengers to pass through security using mobile-phone based boarding passes. After the user checks in online 24 hours before travel, the airline will send a dense 2D bar code to the passenger's mobile phone. The program is open to anyone flying on a non-stop Continental Airlines flight out Houston.
The bar codes contain all of the information that would ordinarily appear on a boarding pass, plus one other important thing: a digital signature.
The system doesn't seem too bad, security wise. The airlines each create a PGP cryptographic key pair, a private key which they use to sign each boarding pass, and a public key which they give to TSA.
When a passenger shows up at a TSA checkpoint, the boarding pass is scanned by TSA agents with a handheld device. The device will verifies the cryptographic signature, and if the boarding pass hasn't been modified, it'll display the passenger's information, which the agent can then compare to the passenger's ID. (Click here to see a picture of the boarding pass being read by the handheld device.)
Privacy safeguardsThe Department of Homeland Security released a detailed Privacy Impact Report on the boarding pass system in late 2007. The report reveals a number of interesting details, and surprisingly, that the system was designed with passenger privacy in mind. The report (pdf) notes that:
The [Boarding Pass Scanning System (BPSS)] equipment is a handheld 2-D Bar Code scanning device and should be considered standalone as it will not be connected to any network - via wireless or ethernet connection.....
When [the passenger's] information is collected, it is immediately displayed on the device screen, in order for TSA screeners to screen the passengers against their photo identification. Once this is completed, the information is immediately and permanently deleted from the system....
The BPSS device application does not maintain a transaction log with bar code scan content; the application does not save or store the bar code scan data to a file, database, etc.
As many of my readers may know, I caused a bit of a panic at TSA in 2006, when I created a website that made fake boarding passes. Once the FBI dropped their investigation, and TSA decided not to come after me, the Feds became a lot nicer to me. I've flown out to Washington DC a couple times since to meet with TSA officials, and I know for a fact that a number of people inside DHS have read my research paper. Thus, it's not terribly surprising that the system in trial at Houston airport closely follows the design I outlined.
The authors of the privacy report were even nice enough to give me props, and mention my boarding pass security research as a motivation for the technology in the second paragraph of the document.
The makings of a surveillance state
TSA has clearly done a good job in designing this system, and making sure to include privacy analysis at the early design stages. The main problem though, is that it creates the foundations of a surveillance state. A world where TSA agents will be able to read through your digital dossier in detail as they decide how strictly to prod and probe you. This system, essentially, sets the stage for data discrimination at checkpoints.
When a passenger goes through a TSA checkpoint right now, the agent only has a few bits of information in front of him or her: The passenger's reported name, ID documents and the the physical features of the passenger (race, gender, dress, accent). Yes, it is possible for an airline to flag a passenger (), if the passenger's name appears on one of the watchlists. However, this is still very little information.
Imagine if, when going through a TSA checkpoint, the agents had a full dossier on each passenger - detailing everywhere you'd ever flown, any past criminal records, credit history, parking tickets and heck, even which books you've been seen reading in the airport. It's not such a wild fantasy, as US Customs Officers already have this information, and look at it when you enter the country.
What if ....
While the pilot program that TSA is using in Houston is privacy preserving, passengers will have no way of knowing if a future administration decides to update the software or hardware of the handheld devices. It would be very easy to add a wireless card to the devices, and no passenger would ever be the wiser. Suddenly, TSA agents would have a wealth of information at their fingertips, information that could help agents "fight the war on terror."
Such a change, if it did happen, would probably not require that TSA notify the public. Moreover, I doubt if it'd even have to tell the entire Congress. It would simply hold a closed briefing for the Intelligence Committees -- including the same gutless "gang of 8" who knew about the NSA's Warrantless Spying program for years, and didn't do anything about it.
To be clear, I'm not accusing TSA of doing anything wrong. All I'm saying is that once agents start scanning in bar codes with hand held devices, we the public will have no way of knowing what happens to the data. TSA is, afterall, rather trigger-happy when it comes to pseudo-classifying data as Sensitive Security Information.
Remember the National Security Letter powers that the FBI was given by the Patriot Act? Congress and the public were assured that there would be safeguards, and that they would be used correctly. Fast forward a few years, and we find out that National Security Letters have been widely abused, time and again.
I don't have an easy solution to recommend here. The current boarding pass system is easy evade, and digitally signed bar codes do solve this problem. However,(and thus totally avoid the watchlists), I'm not really sure what is the main goal of this pilot. Why spend millions to beef up boarding passes, when passengers can still slip through the system with no ID?
Perhaps the real solution, as crazy as it may sound, is for TSA to do their job - and screen passengers. As experts have noted over and over, a valid ID and boarding pass are not proof that someone is not a terrorist. Instead of wasting money and time trying to verify documents and ID cards, why not reallocate these resources to searching bags and patting down old ladies?
Thanks to Adam Shostack for tipping me off to the NYT article on the TSA pilot.