Security: Airport: August 2007 Archives


August 13, 2007

Just looked over DHS's new Secure Flight proposal. (By the way, it's a scanned printout, which is super-annoying.) Some initial reactions:
  • The big change is that currently the carriers get a copy of the black (no-fly) and gray (selectee) lists and evaluate your name against the list. In the proposed system, the airline would send your PNR to TSA, which would make the evaluation itself. From a privacy perspective, this is substantially inferior; TSA would have a record of every flight you took. They claim that the vast majority of records will be deleted within 7 days. However, if you're a potential match (whatever that means) your records will be retained for 7 years. Remember when people got upset because JetBlue was sending PNR data to the government? This proposal would basically institutionalize that practice.
  • The airlines are required to ask for your name, DOB, and gender, but the only information you're required to provide is your name. However, if the airlines have that information (plus a bunch of other stuff) then they have to provide it. Two notes here:
    • There's a big incentive to provide this data because it's being used to disambiguate you from terrorists who happen to share your name. And even if there aren't any terrorists, you can expect that the first thing that happens when you complain is that it's suggested that you provide this info.
    • It's probably irrelevant anyway because if you're a frequent flier it's likely your airline knows this information and they'll be required to provide it to TSA.
  • If you feel you're being subjected to too much screening, there's (already) some program you can use to complain. They won't tell you if you're on the watch list but they might (or might not) issue you a number which you can provide with your reservation and which might (or might not) lower the false positive rate.
  • DHS is considering having a machine-readable indicator on each boarding pass. The idea would be to block tampering. Strangely, they say it won't contain any personally identifying information, which makes it a little unclear how it would work. The natural thing here is a digital signature over your name and maybe a picture, but the proposal isn't specific, and of course that would be personally identifying.
  • There are some hints that TSA is planning on taking a harder line on letting you fly without ID if you get searched. On the other hand, the document does suggest there will still be exceptions so it's not clear what those will be.
Of course, like any name-based blacklist, the security of this system depends on (1) the quality of the algorithm generating the blacklist and (2) the level of difficulty required to obtain fake ID that will be accepted by the blacklist enforcers. It's not clear that either of these is really adequate at this time.

August 9, 2007

DHS is revamping the no-fly/watchlist yet again. I haven't read this yet, so no useful comments, other than my general suspicion of name-based passenger screening.

One interesting point, though:

TSA is also proposing that each boarding pass will have a unique, scannable mark, which could be authenticated by a TSA employee with a wireless device at the head of the screening line. While the TSA hasn't chosen what technologies to use for this system, the move starts to eliminate a long-standing hole in the current system. That hole allows a watch listed person to avoid being banned from flying or encountering extra screening by modifying a print-at-home boarding pass.

Well, extra screening, perhaps, but not banned from flying, since you can just make up a fake name and then say you forgot your ID.
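
The scannable mark from the quote above, and the signature trade-off raised in the August 13 entry, as an added example (not from the proposal or the original posts): an Ed25519 signature that either omits or covers the passenger name. The field names, sample values and the `bindName` switch are assumptions made for illustration; the proposal specifies no format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Pass is a constructed boarding pass: printed fields plus the scannable mark.
type Pass struct {
	Name, Flight, Date, Serial string
	Mark                       []byte
}

// covered returns the bytes the mark signs; bindName adds the passenger name.
func covered(p Pass, bindName bool) []byte {
	// %q quotes each field, so the encoding cannot be re-split ambiguously.
	msg := fmt.Sprintf("%q %q %q", p.Flight, p.Date, p.Serial)
	if bindName {
		msg += fmt.Sprintf(" %q", p.Name)
	}
	return []byte(msg)
}

// Issue is the issuer side: sign the covered fields with the private key.
func Issue(priv ed25519.PrivateKey, p Pass, bindName bool) Pass {
	p.Mark = ed25519.Sign(priv, covered(p, bindName))
	return p
}

// Check is the checkpoint side, which holds only the public key.
func Check(pub ed25519.PublicKey, p Pass, bindName bool) bool {
	return ed25519.Verify(pub, covered(p, bindName), p.Mark)
}

// AcceptedAtCheckpoint issues a pass to DOE/JANE (constructed data), sets the
// printed name to printedName, and reports whether the mark still verifies.
func AcceptedAtCheckpoint(bindName bool, printedName string) bool {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	p := Issue(priv, Pass{Name: "DOE/JANE", Flight: "XX100", Date: "2007-08-13", Serial: "000123"}, bindName)
	p.Name = printedName
	return Check(pub, p, bindName)
}

func main() {
	fmt.Println(AcceptedAtCheckpoint(false, "ROE/RICHARD"), AcceptedAtCheckpoint(true, "ROE/RICHARD"))
}
```

A mark that covers nothing identifying cannot notice a changed name; one that covers the name can, but only by carrying the name. Either way it ties the pass to a name, not to the person or to the ID presented with it.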


August 4, 2007

I recently renewed my driver's license. Normally you can just renew by mail but after you've had two renewals by mail you have to go back into the DMV (carrying the form they send you). There seem to be two purposes here:
  • Make sure you can still see.
  • Get an updated picture.

Here's the weird part: they didn't check my current license (though as I remember, the form they send you says you need to bring it). They just took my money, checked my vision (in that order, which is also kind of weird) and then gave me the provisional license printout. You then walk over to a different window where they take your thumbprint and picture.

Assuming this is standard practice, and not just an error by the clerk, then an attacker who pulled the form out of your mail could just walk in and complete this process. In theory, they might catch you by comparing your existing biometrics (photo, thumbprint) against the newly captured biometrics. I don't know if they do that or not, but it seems like it would be relatively easy to bypass: people's looks change a lot in 15 years and while thumbprints don't change, there are also known techniques for cheating thumbprint scanners--assuming they check this stuff at all.

Obviously, if you went to the DMV and found someone else had already renewed your license, that might be something you'd notice, but it's not clear what the State would do about it. The wrong person would still have an ID in your name. There's no normal procedure for revoking driver's licenses. This isn't catastrophic, of course, unless you have some system that depends on positive identification of people, like say, a no-fly list.[1]

1. And of course if the person whose identity you were stealing was cooperating, then they wouldn't even have to report it. This doesn't make sense ordinarily, but you could use it to exchange the identity of someone who was on a no-fly list for a plant who was not.