(Image is in the Public Domain)

Bruce Schneier explains how easy it is to get past security and fly on a plane even if you're on the supposed "no fly list"

Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

His article on why the no-fly-list and photo ID checks are useless against terrorists here.

Whoops.

(Image is in the Public Domain)

The TSA's CLEAR program where people can spend $100 to be "pre-screened" at airports and bypass security had a security hit recently when a laptop (doesn't this get old) with customer data was stolen.

Well gosh, how could they ever have seen that coming?

Anyway, Schneier covers the story and links to the TSA's response as well as taking a moment to denounce the program again along with most of what the TSA is doing for airport security. Since I've met the privacy officer for the TSA and know he knows what he's doing, the only reason I can come up with for this is that they're not listening to him when he's telling them not to put this kind of data on laptops unencrypted.

(Image is in the Public Domain)

Schneier on the terrorist watch list:

The U.S terrorist watch list has hit one million names. I sure hope we're giving our millionth terrorist a prize of some sort. Who knew that a million people are terrorists. Why, there are only twice as many burglars in the U.S. And fifteen times more terrorists than arsonists. Is this idiotic, or what?

(Image is in the Public Domain)

By putting tons of cameras at different angles on an airplane and carefully inspecting everyone's faces and movements, the EU hopes to identify terrorists before they strike.

There's only a few problems to work out:

1. There's no way to know what a terrorist looks like
2. Removing privacy with no gain is a vast waste of money and resources
3. Mass surveillance hurts everyone and doesn't actually work.

(Image used under: Creative Commons 2.0 [SRC])

It seems that wearing a t-shirt with a gun on it is grounds for a ban from flying. I know there's "always two sides", but this is just plain stupid.

(Image is in the Public Domain)

I ended up sitting next to Peter Pietra, the head of the privacy department at the TSA. This gave me an interesting opportunity to talk about issues of privacy when dealing with their agency and the first thing I asked was about the pornographic backscatter x-ray devices.

He was clearly frustrated (and I don't blame him) as I'm sure this is a topic that assaults him regularly. The issue is that backscatter CAN see through your clothes, but the TSA orders the devices preconfigured at a level that prevents them from seeing pictures such as these one on the Internet. They are also unable to modify the configuration. In fact what they actually see, as shown on their site, is smeared blob that highlights objects, but not skin.

The issue that I have here is that if the TSA's claims of how they use the technology are true, then what the hell was all the hype about?

Images will be deleted immediately once viewed and will never be stored, transmitted or printed (the passenger imaging units have zero storage capability) Metallic and non-metallic objects are displayed, including all items that a passenger may be carrying on his/her person

Also, according to the website, you can always choose to have a pat-down instead.

I asked Peter about this because it seems to me most people aren't going to know to go to the website and read about Backscatter before being faced with it at an airport, but he said that the sample picture on the web is printed right on the machine and people are supposed to be shown the picture and told of the option for pat down prior to being scanned.

Final Thoughts

I notice that the picture on the TSA site is from behind so probably doesn't fairly show how much frontal detail they would see so for full disclosure, they should show a frontal picture. However, I can understand why someone wouldn't want to show what amounts to nudity on these machines for propriety reasons and don't necessarily consider that evasive.

What more can you ask for than clear disclosure and a reasonable choice? Granted the technology can be used for worse things, but the devices is about as small and conspicuous as a casket so you'll never be scanned without your knowledge. If they are configured correctly, store nothing, and you can opt for a pat down, then perhaps some have been too harsh on both the technology and the agency.

Speaking of, EPIC's article that led me to write about backscatter in the first place unfairly show the capabilities of backscatter ignoring the actual use of the technology by the TSA. I'm sure there's someone from EPIC around the conference somewhere and I'll be sure to ask them about it.

What TSA Sees

What EPIC Shows

(Image is in the Public Domain)

A British company has developed a camera that can see through clothes, but unlike Backscatter, it doesn't provide pornographic photos of the target.

Depending on the material, the signature of the wave is different, so that explosives can be distinguished from a block of clay and cocaine is different from a bag of flour.

It shoots some rays at the target and reads the response. It's more like a sonar device than a camera and it if works, this will be not only more effective at detecting threats, but also much better for personal privacy.

(Image is in the Public Domain)

I talked last week about how the TSA has opened a blog and allowed the public en masse to attack them outright through comments blasting them for all their varied foibles.

Well it turns out that it's working well! The TSA has changed a policy that at least one airport put into effect that required passengers to remove all their electronics. It seems that the TSA didn't know it was happened, but stopped the practice.

(Image is in the Public Domain)

In what appears to be an attempt to counter the black hole that is their reputation, the TSA has launced a blog called "Evolution of Security". Like most things Bushian, it starts out by inflating their viewpoint somehow implying that they are right about everything they do just in the title.

And their tagline:

Terrorists Evolve. Threats Evolve. Security Must Stay Ahead. You Play A Part.

(Image is in the Public Domain)

Reading the wikipedia page, you can find that the No-fly list was implemented on 9/11 2001 and ballooned from 16 names to over 40,000. There have been many false positives including children and some famous people (fortunately some of whom are congress members).

According to this story, all the millions of dollars, the time wasted, and the frustration cast doubt whether the program was worth it. The man described in this article is actually Gerry Adams, a spokesman for the Irish Republican Movement.

It's because of suspected past ties to the IRA that he has been flagged eternally for extra security checks and constant harrassment. Read the story for a well written example of such which includes this awesome quote:

I hand the FBI young gun a copy of my travel schedule – a document that has been in the possession of the US state department for the past month or so.

"Huh," he says. "Why are you going to the White House, sir?"

"To see the president."

"Huh. Why?"

"He asked me," I say evenly.