TSA has taken another couple of steps to improve air security. For starters, airline ID checkers are actually checking IDs -- with black lights and magnifying glasses. And now they're getting ready to scan boarding passes in order to make it harder to use a fake boarding pass.
You'd think the agency would get a bit of praise for trying to improve security without slowing travelers. Instead, among privacy advocates, there is only one possible response to TSA security measures: condescension. They have to sneer, even if they make themselves look a lot dumber than the agency in the process.
To take one example, Matt Blaze, a well-known privacy advocate and security buff, is criticizing TSA's new boarding-pass scanners as "ineffective" and "ill-conceived" with "little actual gain in security". Matt's a pretty smart guy, but his criticism is inexplicable. TSA has fixed a real security hole and deserves credit for the new security. Instead, in an effort to sneer at TSA, Matt has invented a fake security hole and then criticized the agency for not fixing the fake hole too.
Let's remember the security concern that got this started. A student named Chris Soghoian demonstrated that a terrorist could avoid the no-fly list with a five-step process: (1) he buys his tickets in a fake name (2) he gets a boarding pass in that name and stuffs it in his pocket (3) he then pulls out a fake boarding pass in his real name that he prepared on a home printer (4) he shows his real ID plus the fake boarding pass at the TSA checkpoint, and (5) he uses the real boarding pass with the fake name to board the plane.
Or, as put more succinctly by the Washington Post,"the loophole is that boarding passes are compared to a person's ID only
at initial security checkpoints, not at the gates where passengers
board planes. Also, the passes are scanned and verified only at
departure gates, not security checkpoints."
(Long double-pointed aside: to be fair, the hole had been pointed out before, by Bruce Schneier. Soghoian's contribution was irresponsible but attention-getting. He created a website where anyone, including terrorists who needed a little technical help, could generate fake boarding passes. Soghoian was investigated for criminal violations by the FBI and for civil violations by TSA. Rep. Edward J. Markey (D-Mass.) first called for Soghoian's arrest but later called the stunt a public service. "He picked a lousy way of doing it, but he should not go to jail for
his bad judgment," Markey said. In the end, no charges were pressed.)
Okay, back to the thread: If the security hole is that "the passes are scanned and verified only at
departure gates, not security checkpoints," doesn't TSA's new approach actually close that hole -- by, you know, scanning and verifying the passes at the security checkpoint? Seems like this really will keep people from using a fake boarding pass to get past security.
So how can Matt Blaze call TSA's new measure "ineffective" and "ill-conceived" with "little actual gain in security"?
Only by changing the subject.
Blaze recasts the security problem from avoiding the no-fly list to "anonymous flying." Blaze says "it's still as easy for a bad guy to get on a plane without the government knowing his or her true name." But he means that in a very special way apparently comprehensible only to privacy advocates. When he says that the government won't know the bad guy's true name, he means that the government actually will know the bad guy's true name, but that it might not know which plane the bad guy got on.
Here's how Blaze says you can avoid the new security measure. First buy two real tickets, one in a fake name and one in your real name. You then use your real-name boarding pass and ID to get past the security check, at which point you can board the other flight using your fake-name boarding pass.
Well, that might be a devastating hole -- if TSA's job were to prevent "anonymous flying." But it's not. TSA's new measure is meant to keep people on the no-fly list from, well, from flying. If the only way for bad guys to beat the system is to buy tickets in their own names, then they'll be caught by the no-fly list.
The whole point of the Soghoian caper and the Schneier critique was that you never needed to give your real name to the airlines, so your real name wouldn't be checked against the no-fly list. Now you do, and now it will will be.
Matt can only describe the new measures as "ineffective" by ignoring the security hole that Soghoian was trying to dramatize and that TSA is trying to fix.
Moral: Sneering at TSA may seem like shooting fish in a barrel, but first make sure your foot isn't under the barrel.