Bruce Schneier on the TSA: it is completely worthless

September 15th, 2008

From Bruce Schneier’s Cryptogram, yet another crystal clear explanation of why the TSA’s list of ‘terrorists’ is completely bogus:

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government’s no-fly list — the list that is supposed to keep our planes safe from terrorists — could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they’re trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person’s name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn’t new. It isn’t even subtle. I wrote about it in 2003, and again in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google “print your own boarding pass” can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly list weren’t so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes.

That’s just not true. The no-fly list — a list of people so dangerous they are not allowed to fly yet so innocent we can’t arrest them — and the less dangerous “watch list” contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren’t that many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone’s on the list, and Yusuf Islam (formerly Cat Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can’t get off. They can’t challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn’t been tried yet.)

But even if these lists were complete and accurate, they wouldn’t work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren’t on any list before they committed their terrorist acts. And if a terrorist wants to know if he’s on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to “trusted travelers” to speed them through security lines. Just apply for a Clear card; if you get one, you’re not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can’t. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response — security measures that aren’t based on a guess about a terrorist target or tactic.

That’s the TSA: Not doing the right things. Not even doing right the things it does.

My previous articles on the subject:
http://www.schneier.com/crypto-gram-0308.html#6
http://www.schneier.com/blog/archives/2006/11/forge_your_own.html
http://www.schneier.com/interview-hawley.html

This article originally appeared in the L.A. Times:
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story or http://tinyurl.com/6dmcl4

All true, all correct.

What the article does not do, however, is explain the irrational TSA policy and how they can continue to do what they are doing unchallenged. TSA admins must know that what they are doing is incorrect and ineffective in every way; they are not so stupid as to believe the fairy story that they give as the pretext for their procedures.

There must therefore be another reason why they are persisting with this nonsense, instead of abandoning it completely as a big mistake.

One explanation is that they want to put everyone in the country, and I mean every single man, woman and child, on a new ‘Clean’ list, not for the purposes of anti-terrorism, but for control of every aspect of life. I am talking about a national ID card that is needed for every transaction, no matter how small, as we have written about so many times.

We all know that the ‘security’ measures they are trying to roll out world-wide are not about security. It is high time that everyone start trying to figure out (for themselves) what the real agenda of all of this is. They will find that any conclusion they can come to is not pretty.

Trying to second guess the final maneuver and true agenda will also help us force the people who are trying to do this to state explicitly why they are doing it; if they cannot give a satisfactory answer they will be forced to shut it all down permanently.

Either way, we are fast approaching the point where the road forks, and they will either get away with rolling out the global police state or be utterly destroyed.
