TSA “Secure Flight”
May 18th, 2009 by sherri
On May 15, the first phase of TSA’s Secure Flight program took effect after years of development. By the end of the year, when you book a flight, the airline will send your name (as specified on your government-issued ID), birthdate, gender, and itinerary to TSA’s centralized Secure Flight system, where you will be checked against government watch lists. In other words, before you ever set foot in the airport, your travel can be denied.
TSA has stated that the Secure Flight record system is exempt from multiple provisions of the Privacy Act. In particular, it claims:
- “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
- “Exemption from Requirement to Collect Only Relevant and Necessary Information”
- “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
- “Exemption from the Requirement of Judicial Review”
TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (“Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)
Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.
Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”
What prompted this massive security exercise?
“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.
I see.
Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:
- Track everyone traveling on a highway, subway, bus, train, or plane;
- Track everyone in or near a transportation interchange;
- Accurately identify every person (ultimately, using biometrics or similar);
- Compare identification to meticulously-maintained “watch lists”;
- Selectively deny travel based on secret information stored in government databases.
Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.
By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)
What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.
Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.
“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergencies, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)
| Sherri Davidoff |
| PGP-signed text: 2009-05-17 (current) |







1. Are we willing to die for freedom? If yes, then that must not just mean delegating that risk to soldiers, but we must also accept the risk that a terrorist incident could happen because we have chosen freedom. We were founded on the proposition that all humans are created free and we shouldn’t be giving it up just because we are afraid of terrorists. *Especially* not when we’ve got soldiers in harm’s way, supposedly fighting for freedom. Let’s not sell them out!
(I’m not, of course, advocating for terrorism or suggesting we take stupid risks, just that freedom is indeed worth taking a risk for and should not be given up lightly.)
2. We need to seriously think about the idea that we are partly responsible for terrorist incidents. Not that we are to blame, but that our actions overseas can set us up for problems – or make things better. This has been a forbidden area of discourse lately, but it shouldn’t be and it doesn’t mean one is unpatriotic.
Why is it that information-security professionals are cognizant of these issues like no other group? I noticed at work, in our group and among my peers, these types of topics, even though they are clearly not related specifically to the job we do, are discussed frequently and most of us reach the same conclusions you have.
Several years ago when the Real-ID Act was making its way through Congress I wrote both of my senators asking them to specifically vote against this measure… it passed unanimously because it was tied to an Iraq-war funding bill. I wondered how, in good conscience, the people we have elected to represent our interests could have possibly been so careless with our freedoms. It was a faith-shaking moment and I find myself now questioning the motivations of the government and wondering if they are doing nothing other than filling a vacuum that we have created by remaining apathetic about broader issues and volatile regarding emotional “hot-button” issues such as abortion, gun control, and gay marriage.
So since information security professionals appear to be more plugged into these issues than the average person, what can we do to educate people in a more effective manner? Hopefully we can be more successful in this regard than I have seen or experienced us be in regards to security-awareness training efforts.