TSA Blows Off Inspector General’s Suggestion Boarding Pass Information Be Encrypted

The TSA’s Secure Flight system apparently isn’t all that secure, according to the barely-readable portions of the recently-released Inspector General’s report. The TSA has a Pre-Check program that requires a ton of personal information and $85 to participate in. It also has "Secure Flight," which grants Pre-Check privileges on a case-by-case basis, for which travelers pay nothing. This simply means they won’t always find themselves in the short line, but it does call into question the need to provide a ton of information up front, much less $85 for an experience others are getting for free.

Much like everything else the TSA is nominally in charge of, it has flaws. A whistleblower report to the TSA and the Office of the Inspector General claimed that the use of a "risk-based rule" led to a "vulnerability in aviation security" back in early 2014. (This would be before the Pre-Check system allowed a convicted murder with explosives experience to bypass more rigorous screening, simply because the boarding pass included the "wave me through" checkmark.)

What this "vulnerability" was is never openly explained. There’s plenty of text in the report (28 pages of it, in fact), but everything specific is hidden under a thick layer of black ink. What we do know is that it involved boarding passes and the TSA’s "risk-based assessment" program.

As a result of the report, the TSA suspended the redacted Secure Flight "rule". This rule was apparently linked to passengers’ ability to print out their own boarding passes with the handy Pre-Check checkmark on them. Apparently, someone used someone else’s ticket or found a way to print boarding passes without providing proper ID verification. Either way, this mysterious "rule" went away, and along with it, some Pre-Check passenger privileges.

Now, the TSA is planning to add additional layers of verification to the Pre-Check/Secure Flight system. But this won’t fully go into effect until later this year. In the meantime, the "rule" remains suspended.

As a result of this redacted breach, the OIG’s office made three recommendations — which are also mostly redacted.

The first suggests the nature of the breach (or the problem with the rule) [or both].

Explore the feasibility of encrypting commercial aircraft carrier boarding passes [rest of sentence redacted].

The other two recommendations target the TSA’s upgraded credential authentication program.

The TSA pretty much disagrees with the entirety of the OIG’s assessment. Scattered between heavy redactions are various punchy odes to its pretty-much-infallible coin toss it calls "risk assessment." Scattered between other redactions are assertions that the TSA is pretty good about assessing threats and has been steadily improving for years without the OIG’s constant nagging.

But before it heads into that, the OIG declares the TSA to be "responsive" to its first recommendation, even though it didn’t do anything more than declare the recommendation too expensive and too difficult.

Management Response to Recommendation #1: TSA officials did not concur with Recommendation 1. In its response, TSA said in 2012 it explored the cost and feasibility of encrypting commercial aircraft carrier boarding passes [redacted]. After engaging industry stakeholders, TSA decided not to adopt this approach because of limited data fields in some air carrier systems and encrypting boarding pass barcodes is cost prohibitive. TSA said it decided to pursue a more practical and affordable solution using a digital signature.

Nothing’s too good for the USofA! I mean, nothing’s too practical and affordable. So, let’s just use a "digital signature" because it’s pretty much just as secure, right?

Now, we just have to assess the wisdom of the TSA’s estimation of itself in light of this new (but very limited) information. It thinks it’s doing a bang-up job making flying more secure. TSA head John Pistole frequently mentions the many programs it uses in addition to pre-flight scanning/screening, most of which have been determined by others to have a 50% hit rate.

On one hand, its screeners managed to miss 95 out 100 prohibited items during a recent assessment of its screening protocols. (But, man, it was all over that bag of cash, wasn’t it!) On the other hand, its long-running ineptitude has yet to result in mass hijackings. It fails at the thing it does the most of (patdowns, screenings) and its more intangible efforts (risk assessment) haven’t proven to be any more accurate than its in-person patdowns. In totality, we have a self-important entity whose presence is hardly justified. It appears air travel would be roughly as safe without the TSA’s multiple encroachments. What it argues works well actually doesn’t, and new issues are dismissed as not being worth the effort/expense to fix.

Permalink | Comments | Email This Story

via Techdirt.
TSA Blows Off Inspector General’s Suggestion Boarding Pass Information Be Encrypted