Thursday, May 04, 2006

Airline passenger tracking and security

This Guardian article nicely demonstrates the security and privacy problems with airline passenger tracking systems.

"This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station...

The traveller's name was Mark Broer. I know this because the paper - actually a flimsy piece of card - was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number...

It said Broer had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It also told me he was a "Gold" standard passenger and gave me his frequent-flyer number. I picked up the stub, mindful of a conversation I had had with a computer security expert two months earlier, and put it in my pocket.

If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport.

It would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US - and raise serious questions about the sort of problems we can expect when ID cards are introduced in 2008...

Clinton administration had decided it was time to devise a security system that would weed out potential terrorists before they boarded a flight. This was called Capps, the Computer Assisted Passenger Pre-screening System.

It was a prosaic, relatively unambitious idea at first. For example, in highly simplistic terms, if someone bought a one-way ticket, paid in cash and checked in no baggage, they would be flagged up as an individual who had no intention of arriving or of going home. A bomber, perhaps...

In 2003, one of the pioneers of the system, speaking anonymously, told me that the project, by now called Capps II, was being designed to designate travellers as green, amber or red risks. Green would be an individual with no criminal record - a US citizen, perhaps, who had a steady job and a settled home, was a frequent flyer and so on. Amber would be someone who had not provided enough information to confirm all of this and who might be stopped at US Immigration and asked to provide clearer proof of ID. Red would be someone who might be linked to an ever-growing list of suspected terrorists - or someone whose name matched such a suspect."

It's a nice summary of the story of airline passenger screening, CAPPS, CAPPS II, Secure Flight, APIS and the security problems associated with them. (There is a slight error in the reference to ID cards which says the government will be collecting 40 pieces of personal data when someone registers for the card. I believe it will be 59). Well worth a read. Thanks to HJ Affleck at FIPR for the link.

Update: From Wired, Feds' Watch List Eats Its Own
"What do you say about an airline screening system that tends to mistake government employees and U.S. servicemen for foreign terrorists?

Newly released government documents show that even having a high-level security clearance won't keep you off the Transportation Security Administration's Kafkaesque terrorist watch list, where you'll suffer missed flights and bureaucratic nightmares.

According to logs from the TSA's call center from late 2004 -- which black out the names of individuals to protect their privacy -- the watch list has snagged:

* A State Department diplomat who protested that "I fly 100,00 miles a year and am tired of getting hassled at Dulles airport -- and airports worldwide -- because my name apparently closely resembles that of a terrorist suspect."

* A person with an Energy Department security clearance.

* An 82-year-old veteran who says he's never even had a traffic ticket.

* A technical director at a science and technology company who has been working with the Pentagon on chemical and biological weapons defense.

* A U.S. Navy officer who has been enlisted since 1984.

* A high-ranking government employee with a better-than-top-secret clearance who is also a U.S. Army Reserve major.

* A federal employee traveling on government business who says the watch list matching "has resulted in ridiculous delays at the airports, despite my travel order, federal ID and even my federal passport."

* A high-level civil servant at the Federal Deposit Insurance Corporation.

* An active-duty Army officer who had served four combat tours (including one in Afghanistan) and who holds a top-secret clearance.

* A retired U.S. Army officer and antiterrorism/force-protection officer with expertise on weapons of mass destruction who was snared when he was put back on active-duty status while flying on a ticket paid for by the Army.

* A former Pentagon employee and current security-cleared U.S. Postal Service contractor.

Also held up was a Continental Airlines flight-crew member traveling as a passenger, who complained to TSA, "If I am safe enough to work on a plane then I should be fine to be a passenger sleeping.""

No comments: