[Infowarrior] - Schneier: The TSA's useless photo ID rules

Richard Forno rforno at infowarrior.org
Sat Aug 30 21:34:17 UTC 2008 

The TSA's useless photo ID rules
No-fly lists and photo IDs are supposed to help protect the flying  
public from terrorists. Except that they don't work.
By Bruce Schneier
August 28, 2008
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story

The TSA is tightening its photo ID rules at airport security.  
Previously, people with expired IDs or who claimed to have lost their  
IDs were subjected to secondary screening. Then the Transportation  
Security Administration realized that meant someone on the  
government's no-fly list -- the list that is supposed to keep our  
planes safe from terrorists -- could just fly with no ID.

Now, people without ID must also answer personal questions from their  
credit history to ascertain their identity. The TSA will keep records  
of who those ID-less people are, too, in case they're trying to probe  
the system.

This may seem like an improvement, except that the photo ID  
requirement is a joke. Anyone on the no-fly list can easily fly  
whenever he wants. Even worse, the whole concept of matching passenger  
names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some  
innocent person's name. At home, before your flight, check in online  
and print out your boarding pass. Then, save that web page as a PDF  
and use Adobe Acrobat to change the name on the boarding pass to your  
own. Print it again. At the airport, use the fake boarding pass and  
your valid ID to get through security. At the gate, use the real  
boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked  
against the no-fly list. At security checkpoints, the TSA just matches  
IDs to whatever is printed on the boarding passes. The airline checks  
boarding passes against tickets when people board the plane. But  
because no one checks ticketed names against IDs, the security breaks  
down.

This vulnerability isn't new. It isn't even subtle. I first wrote  
about it in 2006. I asked Kip Hawley, who runs the TSA, about it in  
2007. Today, any terrorist smart enough to Google "print your own  
boarding pass" can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a  
no-fly list weren't so ineffective. The system is based on the faulty  
notion that the feds have this master list of terrorists, and all we  
have to do is keep the people on the list off the planes.

That's just not true. The no-fly list -- a list of people so dangerous  
they are not allowed to fly yet so innocent we can't arrest them --  
and the less dangerous "watch list" contain a combined 1 million names  
representing the identities and aliases of an estimated 400,000  
people. There aren't that many terrorists out there; if there were, we  
would be feeling their effects.

Almost all of the people stopped by the no-fly list are false  
positives. It catches innocents such as Ted Kennedy, whose name is  
similar to someone's on the list, and Islam Yusuf (formerly Cat  
Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of  
innocent Americans who are harassed and detained every time they fly.  
Put on the list by unidentified government officials, they can't get  
off. They can't challenge the TSA about their status or prove their  
innocence. (The U.S. 9th Circuit Court of Appeals decided this month  
that no-fly passengers can sue the FBI, but that strategy hasn't been  
tried yet.)

But even if these lists were complete and accurate, they wouldn't  
work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London  
subway bombers and most of the 9/11 terrorists weren't on any list  
before they committed their terrorist acts. And if a terrorist wants  
to know if he's on a list, the TSA has approved a convenient, $100  
service that allows him to figure it out: the Clear program, which  
issues IDs to "trusted travelers" to speed them through security  
lines. Just apply for a Clear card; if you get one, you're not on the  
list.

In the end, the photo ID requirement is based on the myth that we can  
somehow correlate identity with intent. We can't. And instead of  
wasting money trying, we would be far safer as a nation if we invested  
in intelligence, investigation and emergency response -- security  
measures that aren't based on a guess about a terrorist target or  
tactic.

That's the TSA: Not doing the right things. Not even doing right the  
things it does.

Bruce Schneier, chief security technology officer of BT Global  
Services, is author of the forthcoming book "Schneier on Security."

More information about the Infowarrior mailing list