The AirSafe.com News


09 December 2009

TSA Releases Extremely Sensitive Security Information Online

The latest TSA controversy involves an inadvertent release of a document containing very sensitive security information that resulted in making key security procedures available to the public. The document, “Screening Procedures: Standard Operating Procedures,” provided standard procedures for TSA screening personnel in airports. It was the third revision, and was dated 28 May 2008. The document contained a range of information, including some sensitive security information that was redacted by the TSA.

The TSA posted it on the web site FedBizOpps.gov in March 2009, and it was removed from the site this past Sunday after the TSA realized, with the help of a number of blogs including Wanderingaramean.com, that the blacked out portion did not hide the information. You can download the redacted version and see for yourself.

It appears that the part of the TSA responsible for releasing the document to the FedBizOpps.gov site had a fundamental misunderstanding of how electronic documents work. It's likely that when the TSA 'redacted' areas of sensitive information in the original word processing document, black rectangles were placed over those areas, covering the information, but not deleting it. By selecting the blackened areas in the PDF document, copying it, and pasting it into a word processing file in a program like MS Word, Notepad, or OpenOffice Writer, anyone can recover the information that was within those blackened areas.

By the time the TSA had the document removed from the FedBizOpps.gov web site, it was too late. Copies of the redacted and unredacted information were now widely available online, and the information that was once hidden from the public is now out in the open.

Potential Security Impacts
The aviation security manual included details on TSA procedures for screening passengers, special rules for handling diplomats, law enforcement officials, and CIA employees, and the technical settings and tolerances of the metal and explosive detectors used at airports.

Some of the more sensitive details in the TSA document were not widely known prior to the release of this document. Clearly, anyone attempting to do harm to the US air transportation system may use this information to attempt to fraudulently gain access to airliners or to secure areas of an airport terminal, or to take prohibited items through TSA security. This breach of security may force the TSA to change one or more procedures, and may make current security procedures and technology either less effective, or completely ineffective against some threats.

Because details about aviation security procedural or policy changes are typically not released to the public or subject to Freedom of Information Act requests, it is unlikely that the public will be made aware of any TSA changes, unless of course such information is accidentally released.

Highlights of Redacted Information
The redacted sections of the document contained a range of information, some of it mundane and some of it frightening. The highlights, with page numbers from the 93-page document, are below:

  • There exists an explosives trace detection screening protocol in which a percentage of checked baggage is screened using closed bag search (40%), limited open bag search (40%), and full open bag search (20%) procedures (page 9).

  • Transportation Security Officers should not handle explosives, incendiaries, or weapons if such items are discovered during the screening process (page 20).

  • There are specific procedures to follow to check the credentials of law enforcement officers and other armed government employees (page 21).

  • Calibration testing procedures for walk-through metal detectors (page 27).

  • Daily testing procedures for walk-through metal detectors (page 28).

  • Operational test procedure for x-ray systems (page 29).

  • Contamination control procedures for explosives trace detection devices (page 30).

  • Procedures for clearing armed security officers into the secure area of the terminal (pages 28-40).

  • Procedures for the screening of foreign dignitaries being escorted by the Central Intelligence Agency (pages 43-44).

  • Screening exemptions for TSA employees (page 45).

  • Categories of passengers who are to be exempted from closer scrutiny after initially being selected for extra screening (page 47).

  • Alternate screening procedures go into effect when primary screening devices are not working (page 52).

  • Matrix of special screening procedures for law enforcement officers (pages 54-55).

  • Photos and graphics of sample credentials for Federal Air Marshals, ATF employees, CIA employees, and members of the US Congress (pages 57-60).

  • Procedures to use if explosives trace detection devices or x-ray devices are unavailable or have limited function (page 77).

  • Explosives trace detection exemptions for persons with disabilities (page 78).

  • Allowing explosives trace detection procedures for bags and containers while using physical searches for all other items (page 78).

  • Unless exempted by the airline or the TSA security director, passengers with passports issued by the following countries are to be selected for extra screening: Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen, and Algeria (page 81).

  • Characteristics of suspect identification (page 82).

  • Alternative methods for checking travel documents (page 83).

Lessons Learned
Perhaps the most important lesson to be learned here is that electronic documents are not like printed documents. Depending on the document, what you see is not necessarily what you get. The file behind the version that you see may contain data about previous edits, formatting information, and hidden characters. There may also be several layers of information, as was the case with the TSA document, where the blacked out portion did not eliminate the sensitive information, but merely covered it up.

A more effective method for redacting a document would have been to delete the sensitive information from the original document before turning it into a PDF file. Perhaps this TSA security controversy will be a lesson to anyone who works with electronic documents that they should be careful when 'redacting' documents.
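A pre-release check for the overlay problem described above, as an added example that is not part of the original article or any TSA tooling. It assumes a simplified, uncompressed PDF page content stream with literal strings and no coordinate transforms; both sample streams are constructed for illustration.

```python
import re

# Constructed sample: an uncompressed PDF page content stream where a black
# rectangle is painted over text that is still present (overlay "redaction").
OVERLAY = b"""BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
BT /F1 12 Tf 72 650 Td (CONSTRUCTED SENSITIVE VALUE) Tj ET
0 g
70 645 220 16 re f
"""
# Constructed sample: the sensitive text was deleted before the box was drawn.
REMOVED = b"""BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
0 g
70 645 220 16 re f
"""
NUM = rb"[-+]?\d*\.?\d+"
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|/[^\s/()\[\]<>]+|" + NUM + rb"|[A-Za-z*]+")

def covered_text(stream):
    """Return text runs whose origin sits under a later black filled rectangle."""
    stack, texts, boxes, pending = [], [], [], []
    pos, black, order = (0.0, 0.0), True, 0   # PDF default fill colour is black
    for tok in TOKEN.findall(stream):
        if tok[:1] in b"(/" or re.fullmatch(NUM, tok):
            stack.append(tok)                 # operand: hold until its operator
            continue
        order += 1                            # paint order of each operator
        if tok == b"BT":
            pos = (0.0, 0.0)                  # text position resets per text object
        elif tok == b"Td" and len(stack) >= 2:
            pos = (pos[0] + float(stack[-2]), pos[1] + float(stack[-1]))
        elif tok == b"Tj" and stack:
            texts.append((order, pos, stack[-1][1:-1].decode("latin-1")))
        elif tok == b"g" and stack:
            black = float(stack[-1]) == 0.0   # gray level 0 is black
        elif tok == b"rg" and len(stack) >= 3:
            black = all(float(v) == 0.0 for v in stack[-3:])
        elif tok == b"re" and len(stack) >= 4:
            pending.append(tuple(float(v) for v in stack[-4:]))
        elif tok in (b"f", b"F", b"f*", b"B", b"b"):
            boxes += [(order, r) for r in pending if black]
            pending = []
        elif tok in (b"n", b"S", b"s"):
            pending = []                      # path ended without a fill
        stack = []
    return [t for o, (x, y), t in texts
            if any(bo > o and rx <= x <= rx + w and ry <= y <= ry + h
                   for bo, (rx, ry, w, h) in boxes)]
```

An empty result for a page means no text was found under a black box; any returned string is content that the box only covers and that must be deleted from the source before the PDF is regenerated.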

Resources
Full TSA Report
Redacted TSA Report
TSA Prohibited and Restricted Items

Follow Up Articles
How the TSA Could Have Easily Avoided Its Recent Security Problem
Continued Fallout from TSA Release of Sensitive Security Information

Survey and Comments
Given the security implications of this TSA release of information, AirSafeNews.com would be particularly interested in any comments that you may have. Please take the time to fill out the survey below:

The survey is now closed. The results of the survey are available here.
