Tuesday, November 28, 2006

Good news and bad news

The Good.

One of my lawyers flew into Indianapolis on Nov 14th and we met with two FBI cybercrime agents, as well as an assistant US Attorney. The short version of things, is that they've stopped the investigation, due to a lack of evidence of criminal intent on my part. They've given me back my passports, my computers, and I'll be getting the rest of my stuff back shortly. Essentially, I'm a free man - with no charges filed. I've been represented by two amazing lawyers throughout this mess - Stephen Braga and Jennifer Granick. Without them - this would not have ended so quickly, or with such a fantastic outcome.

The Feds (at least those that I met) fundamentally disagree with me on many subjects - the role that researchers, academics, and common citizens take in studying, criticizing and pointing out the flaws in our security systems. I have been laying the groundwork for some Tor related research at Indiana University (pending approval from the University Counsel) - in fact, two of Tor's designers are visiting researchers at IU this year. It was made perfectly clear during the meeting that parts of the US government, at least the two represented at the meeting, strongly disapprove of Tor - and in particular, thought that research universities such as IU, MIT, Georgia Tech, Harvard and others have no business supporting such projects.

It is difficult for me to properly express how deep the divide was at this meeting - between the positions and opinions expressed by the feds, and of the "common values" shared by most researchers in my field and those taught to me in university settings. However, in spite of this, after talking for a few hours, they came to understand that although in my own way, I'm trying to work towards the same thing as them: A safer flying experience.

Also - my lawyers tell me that it's now OK to do interviews.

The Bad.

The forced take down of my website a few weeks ago has not improved airport security. The bigger and more interesting question, is if putting the site up in the first placed made airport security any more vulnerable.

There are currently multiple goals of the airport security system in the US.

1. Make sure there are no weapons/bombs on-board an airplane.
2. Make sure that the people who 'should not' be flying do not get on airplanes.

Goal number one is easy enough:

TSA representatives have stated multiple times since my boarding pass generator went live that passengers are not placed at any additional risk when fake boarding passes are used. This is true. As long as the TSA checkpoint staff do their jobs, then evil-doers should not be able to bring bad things on-board. Recent reports seem to indicate that TSA is having a bit of trouble with their screening process, but at least for this discussion, let us imagine a world where TSA is able to actually stop every single knife, gun, binary chemical explosive device and box cutter from being smuggled on-board.

Goal number two - the no-fly list - is problematic for a number of reasons.

1. Terrorists do not pre-register themselves before committing their crimes. There are no repeat offender suicide bombers - and thus it should not be too difficult for terrorist organizations to recruit people with clean criminal records.

2. Terrorists evolve to avoid detection. If ethnic profiling is used, they recruit from local mainstream, or less-suspected ethnic groups (for example, the Jamaician/British "shoe bomber" and then the use of British born, south Asian Muslims in the London attacks). When gender profiling is used, women are recruited (see: Palestine, Sri Lanka, Chechnya). If we rely upon a watch list to find terrorists, they'll conduct 'dry runs' before the real event, to figure out who will be forbidden from participating in the real attack itself. The futility of using ethnic profiling to detect terrorists has been discussed at length by researchers from MIT, where they prove that random searches are far more effective.

3. You can legally refuse to show ID at the airport. They will let you board the plane, without a single piece of ID.

4. The implementation of the no-fly and mandatory-selectee lists is flawed, secretive and in no way transparent. Senator Ted Kennedy was put on the list for a while, Cat Stevens, the wife of the Senator made famous for stating that the "Internet is a series of tubes" has been repeatedly delayed at airports, due to the fact that she shares a name with the now-Muslim singer, and any passenger named Robert Johnson or John Smith is severely inconvenienced when they fly. Yet, at the same time, the 9/11 hijackers, all of whom are dead, are still on the list, while the names of the London liquid bombers were not placed on the list - due to the chance a boarding denial at the airport could tip them off to the fact that they were under investigation.

What to do with the no-fly list?

We, as a nation, must decide a few things. If we want no-fly, and mandatory search lists, we have to decide how effective we want them to be.

If we want to bar those who are on the no-fly list from boarding a plane, we must institute checks of ID at the gate. Airport staff, or TSA agents with access to the airlines' computers, must be able to scan a boarding pass, look at the name on the computer, and see that it matches the name on the passenger's ID. Looking at the printed boarding pass is not enough - the name in the reservation system must be verified and matched. This, will, of course, cost money - as someone will have to be paid to perform this check.

If we want to bar those no-fly list passengers from boarding the plane and from getting into the 'secure' area past the TSA checkpoint, then the TSA must be able to match the boarding pass and ID to a computer reservation at the security checkpoint. This would require barcode scanners/ticket readers at the checkpoint. Furthermore, TSA would either need to find a way to interface with every airlines' computer systems, or the airlines would need to get together, publish the data, and agree upon a common, computer readable and verifiable standard for boarding passes (Hint: this is where a bit of government guidance/regulation could be useful).

Each of these two computer based boarding pass/ID checks would make impossible the current and widely reported airport security vulnerability, which has been documented at length on Senator Schumer's website.

Let us imagine that the government rolls out computer boarding pass checks at the TSA checkpoint. One problem remains: You can fly without ID. You can either refuse to show ID, citing a right affirmed by the US appeals court, or tell the TSA staff that you've forgotten your ID. Sure, you will be subjected to a more vigorous search - but if your aim is to bypass the no-fly list (and not to sneak a weapon past security), then you'll have succeeded in your goal.

The domestic no-fly list and the ability to fly without ID simply cannot co-exist. The former is made completely useless by the latter. If we want to have a no-fly list, we must require ID to be shown. Otherwise, a passenger simply purchases a ticket in a fake name, refuses to show ID at the checkpoint, and then can successfully board the plane.

As things stand right now, Checking ID at the security checkpoint does nothing to stop people who are on the no-fly list from actually flying. It merely inconveniences regular passengers who play by the rules. A security system that "keeps the honest honest" doesn't work when the attackers you're worried about are intelligent, well funded and willing to kill themselves to get the job done. The question of forcing passengers to show ID for domestic flights is one that is currently working its way up to the US Supreme Court. This issue, and a larger discussion surrounding the no-fly list should be publicly debated by Congress and in the newspapers. The ability, right now, to fly without ID creates a gigantic loophole in a no-fly list that arguably wasn't doing so well to begin with. We need to figure out, as a nation where the majority of people do not support a national ID, if we want a no-fly list in the first place and if we are willing to be forced to present our papers when we want to fly/ride a train/get on a greyhound bus. How many 4-year old children, and countless John Smiths and Robert Johnsons are we willing to let the government search and inconvenience in the name of "security".

Takedown orders

After a significant delay (which I apologize for), I am putting the takedown order that TSA sent to me online. The main reason I'm posting this is to aid legal scholars, and the online community in general. I believe that I'm the first person who has ever had TSA force them to take a website down. This is interesting enough in itself to warrant further investigation by people who know the law.

Interestingly enough, the guy who signed it, Rich Adams, is the same person who I spoke to at TSA a few months back when I asked to see the policies regarding when a passenger can refuse to go through the air puffer machines (which he denied me, as the rules are Sensitive Security Information - i.e. a secret law that we have to trust they are implementing and enforcing correctly). More info on that conversation can be found here