‘”Its destruction left a deep and lasting wound in the architectural consciousness of the city. A famous photograph of a smashed caryatid in the landfill of the New Jersey Meadowlands struck a guilty chord.” (Wikipedia)
Patty King wrote in a comment a couple of days ago: “I remember a time about 10 years ago when flying was fun and so easy. Will it ever be like that again?”

Once upon a time, inspiring the traveler was important. The reactions of people in Penn Station were worth the enormous amount of time and effort placed into the space. Cultural and artistic expression were clearly strong and valued.

First impressions matter. Train stations and Airports are places where we welcome people from other countries or cities.

Perhaps someday we’ll remember the art, ambiance and culture that these important spaces brought to us. Perhaps someday we’ll once again decide to make our airports and train stations welcoming instead of paranoid, inspiring instead of intimidating, proud instead of afraid. Then flying will be fun again.

Today a traveler going through the Albuquerque airport was arrested after politely refusing to show his ID. Phil Mocek, a Seattle area native, was traveling with his friend Jesse Gallagos when he politely declined to show ID to TSA agents.

According to reports from friend Ben Livingston, “Phil politely refused to show ID to the TSA employee. The TSA employee then called in a supervisor, and Phil started recording with his digital camera, which caused the supervisor to “freak out” and call the airport police. Approximately six police showed up in force, asked no questions, and told Phil he was being arrested for disturbing the peace.”

Mr. Mocek had previously contacted TSA personnel at the Albuquerque International Sunport Airport(ABQ) to find out if photography was allowed, and was clearly told by local TSA officer Susanne Spencer that advance notification was recommended, but not required. “We only encourage individuals to contact TSA in advance so we can facilitate the photography,” she wrote in an April 10, 2009 email. She subsequently reiterated that statement to Mr. Mocek on April 14. (FlyerTalk)

After Mr. Mocek was detained, “[Police] asked if he was with anyone, and he indicated he was flying with Jesse,” said Mr. Livingston. “The police told Jesse he would also be arrested if he did not leave the compound. They demanded and received Jesse’s ID, then drove him in a police cruiser off the airport property, where they informed him that he was banned from the property for 24 hours.

“I spoke with the Albuquerque jail and Phil hasn’t been booked yet. He’s still in the hands of the airport police… We are actively seeking help from anyone in Albuquerque who might be able to help… I’m hoping a local lawyer, or anyone local, might be able to get a little further.”

Philosecurity contacted local authorities at 7:50PM on Sunday, Nov 15 2009, and confirmed that Mr. Mocek was still in custody and being “processed.” Friend Ben Livingston provided some further perspectives on the issue, as follows:

“As Americans, we have the right to travel freely between the states… In America, we’re supposed to defend against the government demanding our papers in order to travel. A lot of folks remember that in Germany, you had to show your papers in order to travel. Since 9/11, our government has implemented a policy that in order to make
things more ‘safe’ and ‘secure,’ they’re going to force people to show their papers to get into the terminal to board the plane. The airlines don’t necessarily require ID, although it’s their right to decide who they do business with.

“As far as the federal government goes, demanding our papers in order to travel from state to state is actually a violation of our civil rights. If you’re traveling into or out of the country, the federal government has a right to demand your papers. But if you’re  traveling interstate, you have a right to travel freely without interference from the federal government.

“In reality, ID checks don’t make us safer.  All of the terrorists on that 9/11 flight had valid ID. It’s a fake security measure designed make us to feel safer. It’s not actually intended to keep us safe. There are ways around it, too… Just last year TSA announced a new policy for the first time ever, which said that if you don’t have your ID but you cooperate with TSA, show them credit cards etc, you can fly. So if you say you screwed up, it’s cool. If you politely refuse for whatever reason to show ID, TSA will deny you access.”

The document reveals that the DHS is storing the reader’s:

• Credit card number and expiration (really)
• IP address used to make web travel reservations
• Hotel information and itinerary
• Full Name, birth date and passport number
• Full airline itinerary, including flight numbers and seat numbers
• Cruise ship itinerary
• Phone numbers, incl. business, home & cell
• Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

Again, here is the full record. The anonymous reader obtained his/her travel history using Edward Hasbrouck’s excellent guides. Check out his site for more info!

Thanks a ton for sending this in. If anybody else gets a copy of their ATS travel record, send it in! We’d love to see them and compare.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

“I recently requested my “file” from the Dept of Homeland Security – Customs. It was interesting to see that they not only knew every flight I took, but also all of the hotels I stayed at too. This surprised me because I didn’t understand how they knew where I was staying.

“I researched this and realized that when I had stayed at hotels that were not booked in advance, they did not have the information on my record. It seems that when you book through Sabre or other services that use Sabre, your entire itinerary become part of the DHS record also. I think this is what they compare your passport stamps to when you come back into the country and the Customs guy is sitting there staring at the computer screen and your passport.”

Sabre is used to book reservations for railways, car rentals, cruises, lodging and airlines around the world.

The Bush Turnpike in Texas no longer accepts cash as of July 1, 2009. Based on the federal Coinage Act of 1965, I believe this is illegal.

The Coinage Act (31 U.S.C. 5103) states: “United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues.”

The Treasury Department has made it clear that “Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills.” However, I would argue that the NTTA is now operating as a “creditor.” “ZipCash is the NTTA’s “drive now, pay later” option for customers without TollTags,” reads their advertising literature. “High-speed cameras take pictures of the license plates of vehicles without TollTags. Invoices for the tolls are then sent to the registered owner of each vehicle.”

The time at which payment is collected matters a lot. Stores are not required to accept US cash for products and services paid up front, because no debt is incurred. However, “restaurants that do not collect payment until after a meal is served would have to accept that legal tender for the debt incurred in purchasing the meal.” (Wikipedia) Based on this logic, the NTTA (“a political subdivision of the State of Texas”) would presumably not be required to accept cash for payment as a driver is getting onto the highway, but once he or she has driven the stretch of road, the debt has been incurred and US cash monies must be accepted.

There currently appears to be no way for a driver on the Bush Turnpike who is not the registered owner to directly receive and pay an invoice from the NTTA (according to Texas law, the owner is responsible). The NTTA sends “ZipCash” invoices only to the registered vehicle owner, and TxTolls are not transferable between vehicles. What’s more, the NTTA has no instructions (at least, none that I could find) on their web site which indicate how a driver could pay their ZipCash invoice in, well, real cash.

With the advent of “ZipCash” the North Texas Tollway Authority (NTTA) now falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) definition of “creditor” as “any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.”

This means that the NTTA is also regulated by the FTC’s new Red Flags Rules, which apply to any “creditor” that “offers or maintains ‘covered accounts.’ A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…” The NTTA’s “Toll Tags” accounts fit squarely into that definition. (I wonder how hard the NTTA has worked on their required Red Flag Identity Theft Protection Program…)

According to the US Treasury, the Coinage Act ensures that “all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor.”

“Self-Service Check-In: You Will Need a Major Credit Card”
and then in small print:
“For Identification Only”

Yes, apparently American Airlines will only give boarding passes to individuals who have been thoroughly vetted according to the strict standards of American Express, Mastercard, or VISA (and perhaps Discover).

TSA has stated that Secure Flight record system is exempt to multiple provisions of the Privacy Act. In particular, it claims:

• “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
• “Exemption from Requirement to Collect Only Relevant and Necessary Information”
• “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
• “Exemption from the Requirement of Judicial Review”

TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (“Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)

Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.

Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”

What prompted this massive security exercise?

“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.

I see.

Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:

• Track everyone traveling on a highway, subway, bus, train, or plane;
• Track everyone in or near a transportation interchange;
• Accurately identify every person (ultimately, using biometrics or similar);
• Compare identification to meticulously-maintained “watch lists”;
• Selectively deny travel based on secret information stored in government databases

Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.

By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)

What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.

Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.

“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergenices, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

Oddly enough, all the pump handles were covered with plastic bags. The guy from the car in front of us came up to our truck and tapped on the glass. “Pumps are closed,” he said. “I used this one anyway, and they came out and told me they were bagged off for a reason. Guess it works, but they don’t want you to use them.” He shrugged. “Cheapest place around, though.”

Strange. We thanked him, and headed into the station to find out if we could use the pumps. “Excuse me,” I said to the man behind the counter. “We noticed that the pumps are covered with bags. Are any of them open?”

“Computers are down,” he said. “Can’t take credit cards. Sorry.”

“We can pay cash.”

“We can’t control the systems. Computers are down. Sorry. No gas.”

As we drove away, we saw that all twenty of the gas pumps were covered with plastic bags. “Every gas pump must be an autonomous point-of-sale system,” commented Jonathan. “That gentleman in front of us was able to fuel up, presumably with a credit card. What was offline was the store’s ability to communicate with the sales systems.”

We drove back onto the highway in search of another gas station, our money burning holes in our pockets.

Jon Warner of Argonne National Laboratories set out to examine GPS security one Saturday afternoon. Jon is part of the Vulnerability Assessment Team (VAT), a small group whose goal is to uncover flaws in our systems so that they can be fixed. “We try to think like the bad guys,” Jon said, “so that we can plug the holes they might use.”

To test out GPS security, Roger Johnston, head of the VAT, challenged the team to demonstrate how to steal a cargo truck and get away with it. Cargo trucks generally contain a GPS tracking device which relays position and speed information to a central office. This enables freight companies to track their drivers’ locations and ensure that trucks are on course. If a truck veers off course, it sets off an alarm at headquarters. If an attacker could falsify or “spoof” GPS information, he or she could hijack the truck and steal the cargo without being noticed.

Based on this, Jon developed two cargo truck hijack test scenarios:

1) Hijack the truck, and then use GPS to send a false position signal to headquarters. Headquarters would see that the truck had stopped, but once the fake GPS signal was deployed, they would think the the truck was back en route.

2) Send a counterfeit signal before ever hijacking the truck. This way, even if the driver panicked and sent an alert, the attacker could make it appear that the truck was at a different location. This would require that the attacker disrupt and spoof the truck’s GPS signals from a distance, without close range contact.

Demo: “Hijacking” the Truck

“It does not take a great deal of time or effort to spoof a GPS signal,” said Roger. The GPS system consists of 24 to 32 satellites orbiting the earth, which relay microwave signals to the ground. GPS receivers on the ground can use these signals to determine absolute position and precise timing information.

“If the adversary controls the signal that the truck is receiving, then the false position calculated by the receiver will be relayed to headquarters regardless of the encryption algorithms or communication protocols used. In other words, garbage in, garbage out.”¹

Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week– peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods.

In his first experiments, Jon placed his desktop computer and GPS satellite simulator in the cab of his small truck, and powered them off an inverter. The VAT used a second truck as the victim cargo truck. “With this setup,” Jon said, “we were able to spoof the GPS receiver from about 30 feet away. If our equipment could broadcast a stronger signal, or if we had purchased stronger signal amplifiers, we certainly could have spoofed over a greater distance.”

During later experiments, Jon and the VAT were able to easily achieve much greater GPS spoofing ranges. They spoofed GPS signals at ranges over three quarters of a mile. “The farthest distance we achieved was 4586 feet, at Los Alamos,” said Jon. “When you radiate an RF signal, you ideally want line of sight, but in this case we were walking around buildings and near power lines. We really had a lot of obstruction in the way. It surprised us.” An attacker could drive within a half mile of the victim truck, and still override the truck’s GPS signals.

The GPS spoofing attack consisted of three parts, as detailed in the VAT’s initial 2002 paper:²

1) “The existing GPS receiver signal lock must be broken.” Initially, Jon thought that the adversary would have to “wait until the target truck drove under a bridge, forest cover, or some similar type of obstruction” to break the real GPS signal. During later experiments, Jon discovered that if his fake GPS signal was strong enough, it would also function as a jammer, overriding the real signal from distances over 4,000 feet without any need for physical disruption. “Our GPS satellite simulator was strong enough that it just overrode the regular signal.”

2) “The GPS tracking device in the target truck must be locked onto the counterfeit signal.” The receiver simply accepted the strongest signal, which was coming from Jon’s GPS simulator.

3) “The final step is to continue broadcasting the fake GPS signal.” This could be accomplished from the attacker’s truck, driving nearby. Even better, portable GPS simulator equipment could simply be placed inside the hijacked truck.

Protecting Against GPS Attacks

“We’ve come up with seven different ways to detect if the incoming signal is real,” said Jon. “These won’t stop the spoofing, but they would at least let you know that you’re being spoofed.” Below are a few simple remediations that the VAT suggested:³

1) Signal Strength

The signal strength of a normal GPS signal on the surface of the earth is fairly low: about -163 dBw. The signal coming from a GPS simulator is much higher. Unusually high GPS satellite signals should be considered suspect.

2) Signal Consistency Across Multiple Satellites

Normally, the signal strength of GPS satellites varies. Using a GPS simulator, engineers can typically simulate 10 or 24 satellites. This is used legitimately by engineers who build GPS satellite receivers for
phones, surveying devices, time synchronizing devices, and other equipment. However, by default GPS simulators send out the same signal strength for all satellites. As a result, the fake signal strength is much more consistent than in real life.

3) Noise

Simulated GPS signals have unusually low noise levels. If the GPS receiver detects a nice, crisp, clean signal, that should raise red flags.

4) Satellite Numbers

Each GPS satellite is numbered. “If we were sitting in the parking lot,” said Jon,” our GPS receiver might see GPS satellites 1, 2, 3, 4, 5 and 6. #24 might be on the other side of the earth.” A GPS simulator might not send the correct satellite numbers for a given location. “I’ve done this before, and sent satellite signals for Australia when I was in New Mexico.”

The VAT estimates that implementing these strategies would greatly enhance GPS security, at minimal cost. “It’s mostly a software solution,” commented Jon. “It amazes me that right now, if you look at
any receiver, it doesn’t compare the signal from moment to moment. If the GPS signal shoots up in the next second, the receiver won’t pick up on that.”

Satellites for the military GPS include authentication, meaning that receivers can verify through cryptographic exchange that the signal they are receiving is from a real GPS satellite. Civilian GPS doesn’t include that, but if it did, this would enable appropriately equipped receivers to verify that a GPS signal is legitimate.

“Back in the 70s,” Jon reflected, “Civilian GPS was more of an afterthought. It wasn’t really designed with security in mind. The military set it up to be nice. Nobody knew that it would take off like
this. Just like the Internet– it was completely unexpected.”

 
Sherri Davidoff

I believe the public’s next battleground is to gain control over what happens to our data, and how it’s used. Right now there is very little transparency. Transportation organizations are collecting a lot of information about people, and there is very little public input or disclosure regarding uses, length of storage time, or standards for securing this data.

Boston’s MBTA, for example, does not consider the CharlieCard’s serial number to be personal information, and it therefore reserves the right to store rider histories associated with each card indefinitely. Even when CharlieCards are obtained “anonymously” (not the majority) they can
always be linked to the financial transactions database which also stores the card serial number (ie. if you even once pay with credit card, your CharlieCard is not anonymous any more). The specifics aren’t publicized; this is information I obtained by doggedly calling the MBTA’s IT department.

I believe the public should have the following rights:

• Transportation organizations should be required to publicly disclose what data is collected about individuals, and how long that data is stored.
• Disabled people and senior citizens should have access to the same level of privacy as everyone else. (Right now in Boston, they cannot obtain a CharlieCard without having their personal information and photograph associated with the card and permanently stored by the MBTA.)
• The public should have regular input on how long personal data is stored and how it is managed.
• Individuals should be able to easily find out who has accessed their travel histories and the purpose of disclosure.
• Transportation organizations that store personal data should be subject to regular external audits to ensure that they are in compliance with standards, and that they have implemented appropriate measures to secure personal data. A summary of these results should be made public.

Personally, I don’t want to have a history of my travel stored in any database. Right now, purchasing a one-time CharlieTicket is a 30 cent surcharge per ride, but it is the only way to take the subway in Boston without creating a travel history. Privacy in public transportation should be equally accessible to all citizens, regardless of financial resources.
 
 
Sherri Davidoff

“The Transportation Security Administration has collected records on thousands of passengers who went to airport checkpoints without identification, adding them to a database of people who violated security laws or were questioned for suspicious behavior… The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.”

But! Yesterday afternoon TSA “called the newspaper to say the agency is changing its policy effective today and will stop keeping records of people who don’t have ID if a screener can determine their identity.”

Kudos to the TSA for taking a step in the right direction.
 
(Hat tip to Kurt Opsahl.)

I was curious to learn more about the TSA’s new practices for ID-less travelers. As a security professional, I decided to research TSA’s latest security screening procedures. Below is a recounting of my experiment.

What Happened

[Names have been changed. This account was written an hour after the events, and is accurate within the limits of my memory.]

I last saw my wallet on Monday, August 4, 2008 at the FedEx counter in Cambridge, where I dropped it into the envelope marked “Las Vegas, Nevada.” On Wednesday around 4PM, I arrived at Boston Logan airport without my wallet.

Without an ID, JetBlue’s All Services line was my only hope for checking bags. The long line moved interminably slowly. A JetBlue representative with long blonde hair moved down the line, talking to
each passenger.

“Boarding pass? Anyone have a boarding pass?” She stopped at me. “Ah! You have a boarding pass.”

“I don’t have my wallet,” I looked at her, wide-eyed. “Is there any way I can get on the plane?”

“Oh, don’t worry,” she said. “They’ll just send you through special screening. It’ll be fine. ”

“Really?” I said. “Am I in the right line?”

“Yup, this is the right line. You’ll be fine.”

After about a half hour, I got up to the JetBlue counter. I handed my boarding pass to the woman behind the counter and explained, “I don’t have my wallet. Do you think I’ll make it on the plane?”

“Oh,” she said. “You’ll make it. But go to the gate right away, because now they have to make a phone call.”

“A phone call?”

“They call someone in Washington, I think.”

“Washington?”

“To check your identity.” She conferred with the woman next to her. “Yes, Washington. CIA or FBI or something, I guess. So you want to go through right away. Could take a while.”

I checked my bag, thanked her, and headed to the security screening.

At the end of the roped-off walkway, two TSA officers stood at a wooden podium, checking IDs and boarding passes. I handed one TSA officer my boarding pass. “ID?” he said.

“I don’t have my ID.”

He looked me in the eye. “You have to have ID to get through security.”

“I don’t have my wallet.”

“You need to have ID to go through security.”

“I really don’t have it.” I said.

Pause. “Well,” the officer said, “Hold on.”

Another white-uniformed TSA officer approached with a clipboard. He was a short, middle-aged man with a badge that read “Andrew,” followed by a number. He led me a few feet away, to a shiny metal table just next to the entrance, and put the clipboard down.

“You don’t have your ID?”

“No, I don’t have my wallet,” I said.

“You know, you need to have ID to fly,” he said.

There was another awkward silence.

“I really don’t have it,” I said.

“What happened to it?” he asked.

“I don’t know where it is,” I said.

“Do you have anything with your name on it?” he asked.

I thought a moment. “Nope. Everything I have was in my wallet.”

“Are you sure?” he asked. “Credit cards, anything?”

I poked through my purse, and flipped through my journal. “No… I’m sorry. It was all in my wallet.”

The officer looked at me sternly. “You know, two and a half months ago TSA took over this, and now our policy is that you have to have identification to get through security. Either a passport, if you’re a foreigner, or federal identification.”

“Ah,” I said. “Passport. That would have been a good idea.”

Another awkward silence.

“They’re going to have to interview you to verify your identity. I can’t guarantee that you’ll get through. It depends on your situation, and,” he emphasized, “your reasons for not having identification.” He looked me straight in the eye. “It could take a while. You may not get
on the plane.”

Silence. I nodded.

After a moment, he gestured to the clipboard. “You’ll need to fill out this form.”

There was a stack of white single-sided forms on the clipboard. I bent down to fill out the top one. It was very simple, and looked something like this:

Full Name:

Current Address:

Previous address (if no current address):

Signature:

Date:

Then there was a block of legalese which indicated that my disclosure of this information was voluntary, but failure to disclose it might prevent me from being granted access to the secured area. Finally, there was a block of text which indicated that falsifying information was
punishable by imprisonment or fines.

I printed my name and address, read the block of text carefully, and then signed the document.

A man in a dark suit with a TSA pin approached. The name on his badge was Peters. He introduced himself as John Peters.

“How old are you?” he asked.

“Twenty-seven.”

“And you don’t have identification?”

I shook my head. “I don’t have my wallet.”

“What happened to it?”

“I’m not sure where it is.”

“You need to have identification to pass through security.”

“I’m sorry,” I said. “I really don’t have it.”

At that point a large woman tried to walk past us, between the security workers and the silver table. Mr. Peters turned around and stopped her. “I’m sorry, ma’am, are you a passenger?”

“No,” said the woman, “I just dropped off my 90-year-old parents, and I need to go back there to help my mother find her cell phone.”

“I’m afraid I can’t let you through,” he said. “You’ll have to talk to the JetBlue staff.”

She argued with him for a little while, but he politely insisted, each time becoming visibly more frazzled. Finally, she repeated, “Go to the JetBlue counter.” He nodded. She left.

He returned. I smiled wanly. “Busy day.”

Mr. Peters nodded, and then looked down at the sheet which I had filled out and signed. “I’m going to have to make some calls to verify your identity.”

I nodded.

He pulled out a cell phone. I had assumed that we would be going to some separate screening room, but that wasn’t the case. He stood facing the silver table, and I leaned back against it. So this was the dreaded interview. People walked past us with bags and luggage.

“Hello,” he said. “Security.” Long pause. It sounded like he was transferred. He said a number that I think had the same number of digits as a phone number. Then he said a shorter number. “No, she
doesn’t.” He wrote something in small letters on the form. Then he spelled my name over the phone. “D-A-V-I-D-O-F-F. That’s Indigo Delta… yes.”

He looked at me. “What’s the name of a street that you lived on prior to your current address?”

“Inman.”

“Inman,” he repeated. There was a pause. “Where did you live in 2004?”

“Hmm…” I said. “New Mexico? I think? Maybe Massachusetts.”

He conferred with the person on the phone. “That’s fine.” He hung up.

“All right,” he said. “You’re going to go through full security screening.” He wrote “SSSS” in red marker on my printed boarding pass. He handed my form to one of the officers at the podium, and then gestured to the first screening line. “Right here.”

Almost through. I got into the security screening line as usual, pulled my laptop out and placed it into the gray bin. Instead of my usual hacker stickers, this time a sickeningly cute picture of puppy dogs gazed up at me. I had hurridly taped it over the hacker stickers before leaving for the airport, figuring I shouldn’t push my luck. I placed my flip flops and purse in the other gray bins and walked beside them down the conveyor belt.

When I got up to the metal detectors, I handed my red-scribbled boarding pass to the TSA employee. The big officer looked down at me and said something like, “Female assist, full screening, no alarm.”

A female officer named Menendez brought me to the end of the line, and another male officer carried my backpack, purse and laptop along with us. He placed my belongings on a counter next to explosives detection equipment.

Officer Menendez politely indicated that I should place my feet right on top of the painted yellow footprints, and then raise my arms straight out. She patted down my torso, legs and ran a detector over my body. Meanwhile, I watched the other officer check each of my bags for explosives. He used metal tongs to pick up a small white square which looked like paper, and then he ran the square it across the inside pocket of my backpack. Then he put it in the machine. The machine said, “Analyzing….” and then, in yellow, “Passed.” He did the same thing for my purse, and finally, my computer.

Apparently my computer was filled with explosives. The officers conferred with an older man who seemed to be the explosives machine expert, and then they picked up my laptop and it back to the X-ray machine a second time.

The puppy dogs looked a little sad rolling down the conveyor belt a second time. “Does it alert for computers a lot?” I asked officer Menendez.

“Oh, different things,” she said. “Computers, backpacks. We just run it through a second time.” The male officer brought my computer to the back counter. “You’re done.”

I stepped forward to pick up my stuff. The older explosives machine gentleman was standing next to me, tinkering with the machine.

“So what happened?” I said. “Why did my computer alert?”

He shrugged. “It happens. As long as it’s clean the second time, you’re fine.” I wasn’t sure he realized that they hadn’t run it through the explosives machine a second time, only the X-ray
machine. Not that it really mattered.

“Well, thanks!” I said.

“Have a wonderful evening.”

Analysis

• Recall that to indicate that I required extra screening, staff wrote in red Sharpie on my boarding pass. If I had simply printed off a second boarding pass at home, I could have presented that instead of the marked one, and gone through the metal detector as usual. In other words, passengers without ID can travel without undergoing any extra screening other than “identity verification.” A lawyer friend of mine commented that “if TSA marked ‘SSSS’ on a person’s hand rather than a piece if paper…the airport’s security would at least be as good as a bar’s.”

• Since the answers to the identification verification questions are so widely known, someone could easily have impersonated me and traveled under my name. Many people know that I lived in New Mexico, and the name of the street where I used to live.  As a private citizen, I would much rather that the TSA allow anonymous travel than create a system where identity “verification” is required, but it is very easy to impersonate other people.

• Real attackers will just use fake IDs or identities and pass through unnoticed. Thanks to the age restrictions on alcohol, America has a flourishing ID forgery and resale industry, and faking federal identification is not difficult.

• It’s interesting to know that there’s an on-call system which TSA agents can use to do a quick background check on passengers. What information is in this system? If an attacker were to remember or record the numbers used by the TSA officer during the call, could they later gain access?

Rather than increasing security, the new policy change merely ensures that private citizens who express the wish to travel anonymously are punished for doing so. As Bruce Schneier says, “I don’t think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control.”

It’s important for private citizens to be able to travel without being tracked if they wish. I am not a criminal. I just don’t believe it’s anybody’s business where I go. I understand the need for ensuring the safety of our transportation infrastructure, and as such, searching passengers before boarding makes sense.

The freedom to travel anonymously also underlies our right to peacefully assemble.  When a government tracks its citizens and can arbitrarily decide to limit or cut off travel, that threatens our democracy. This is especially true in our global society, where many people rely on air travel, trains and the highway just to see their families.

TSA’s new policy, which is to focus on finding “dangerous people” rather than objects, poses enormous challenges. It requires that the agency make sweeping judgments about travelers with very little information, and in a very short amount of time. It is simply not feasible to accomplish this accurately.

We need to make sure our airports are safe, but at the same time, we have to be very careful not to destroy the very thing we are trying to protect: our free country.