Monday, January 29, 2007

Much fun at SFO airport

I arrived to the airport rather late last week when I flew from Indianapolis->San Francisco. With only 35 minutes to clear security, I didn't want to risk anything by refusing to show ID.

Thus, when I flew back from San Francisco this morning, it was my first attempt ever to fly on American Airlines without ID.
Every single time I've attempted to fly without ID, i've been able to successfully avoid showing TSA a single piece of ID - the tricky part is trying to get your boarding pass and check a bag without showing anything to the airline.

American demanded 'some' form of ID. I didnt' want to argue too much, so I whipped out a credit card and my Bloomingfoods Organic Food Co-Op membership card, gave it to the agent, and then she printed me out a special SSSS boarding pass - AA is high tech, and doesn't seem to resort to sharpie pens.

The fun started once I got to the TSA checkpoint.

I'm guessing it had something to do with the fact that I was in San Francisco - but this was no normal checkpoint. First off, it was highly understaffed. Only one employee was manning the SSSS lane, and so there was a baglog of 3-4 passengers being SSSS'd. One gentleman, who they wouldn't even let past the metal detector, was refusing to take off his shoes until they showed him the regulation in writing that enabled them to do so. I beamed him a huge smile, and attempted to give him my business card. TSA quickly stepped in, and I had to give my card to an agent, who passed it to a second agent, and finally to the gentleman. I asked him to email me the results of his protest.

Another gentleman was causing a big stink due to the fact that the trays containing all of our carry on items were sitting on a table quite a distance away from us, while we were stuck in line waiting to be SSSS'd. A TSA officer responded to the man's complaints by telling him to keep an eye on his objects, and they'd be fine - an exceedingly difficult task, given the distance, and the number of people milling past. Nefarious types wouldn't have too many problems lifting a laptop out of an airport line.


Now for my fun...

I'm a keen reader of the Flyertalk Travel Safety/Security forum - and a few of the members there make it a point to demand that TSA employees change their gloves before running any kind of chemical trace test on their bags - to avoid contamination. Thus, today, I decided to start doing the same.

I really felt bad for the poor TSA employee who was running the SSSS lane. I successfully refused to show ID, to go through the air puffer machine (instead opting for a hand pat down), and then got him to change his gloves. All was going well, until the chemical analysis machine started beeping.

His supervisor came over, they ran another test on a freshly wiped sample, and yet again, the explosive detector went off.

At this point, I started to worry. Had my constant probing of TSA finally gotten me into serious trouble - for something that they never would have detected had I not insisted on not showing ID? And worse, by making them change their gloves before they touched my bag, I instantly lost the ability to claim cross-contaimination.

After sweating it out for a few minutes, I was told that everything was fine - that my bag had tested positive for a chemical substance, but one that was common in households. Phew. I asked the TSA staffmember if I should throw away the backpack and get a new one, to avoid this experience, and he said I didn't need to worry about it.

The one cause for concern, however, is the fact that he pulled out a logbook, wrote my boarding pass/name/date in a log, and attached the printout from the chemical analysis machine (with a big spike midpoint through the graph) - which means that the data on that search will be kept somewhere deep in the bowels of TSA, potentially, forever.


I'm new to the law - however, I am taking a couple classes at the IU Law school this semester. From my couple weeks of classes, as well as chats with various lawyers over the past few months, I gather that "standing" is a rather important thing in the legal world.

The silver lining of today's experience, I think, is that I now have standing (should it be required) to find out exactly how long TSA is going to keep that printed out graph, what they're going to do with it, and who "owns" it (i.e. the government, or the citizen that the data is on).

For that, I'll need a FOIA request...

Tuesday, January 23, 2007

Why the government should embrace Tor

As security researchers keep saying, Tor really is useful.

And not just if you are worried about your employer firing you for looking up information on unions, or your husband finding out that you've been googling for information on spouse abuse laws....

If you're a government employee, and you're investigating someone, you really don't want server logs to betray who you are.

I -really- hope that the FBI has some kind of leased line/private DSL connection that they use when they investigate child porn cases....

At the very least, TSA clearly doesn't:

pnxuser1.tsa.dhs.gov - - [23/Jan/2007:05:58:32 -0800] "GET /chris/ HTTP/1.1" 200 2683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"

Monday, January 22, 2007

My Lawyers respond to TSA

Jennifer Granick and her student Jessica Hubley have written a fantastic response to TSA.

The money quote, IMHO, is:

"Our client is in the business of studying security. He is neither the first nor the only individual to criticize flaws in the TSA’s security procedures nor the only person to describe flaws in the way that boarding passes are created and used. He should not be subjected to civil penalties because he did not violate the Federal Regulations cited in the TSA’s letter, because the regulations cannot be enforced against him or other passengers, because the civil damages provision cited in the TSA’s letter does not apply to the cited regulations, and because Mr. Soghoian’s website is protected by the First Amendment."

I'm posting the letter here (see below).

If you'd rather view a pdf offline, you can find one here.
















Sunday, January 21, 2007

A clearer picture of how to fly with no ID

I flew from Philly back to Indianpolis today on Continental, and again got to try out the no ID experience (putting me up to a grand total of 5 flights without any ID at all, and 1 flight with my student ID).

I used the easy check-in machine at the airport to print out my boarding pass (by punching in my confirmation code - no credit card/ID necessary). I then told the Continental employee behind the counter that I had lost my ID at a bar the night before, and that I wasn't going to be able to produce any ID. One key question she (and her supervisor) seemed to find important was if this was my outgoing, or return flight. It seems they're more willing to be a bit flexible if you're 'stranded' somewhere.

Like last time, I told them I had read in the New York times that you can fly without ID if you get a special "SSSS" boarding pass. They didn't seem to be too happy to know that I knew their secret SSSS code...

I had handed over my boarding pass to them, and as she read me the rules, it seemed clear that she wasn't going to give it back to me without any ID. In the end, I handed over my Library of Congress 'reader' photo ID, and she wrote "SSS" (her mistake, not mine) on the boarding pass in ink.

Once I got to the TSA checkpoint, I told them I didn't have a single piece of ID - which worked just fine. Sure, I got checked, but I didn't have to show them anything at all, other than the marked boarding pass.

After I had gone through security, I asked some of the TSA guys a few questions:

Q: If I don't have SSSS on my boarding pass, will you let me go through security without any ID?
A: No.

Q: Will TSA write SSSS on my boarding pass if I don't have any ID?
A: No. You must get it done by the airline.

Q: What happens if I show up to a TSA checkpoint without any ID and a vanilla boarding pass
A: We will send you back to the airline.

My absolute favourite question during this chat was the following:

Q: How do you know if I didn't just write the letters "SSSS" on the boarding pass myself
A: We know. There are secret things that the airline staff will write that you won't recognize.

Q: But the woman at Continental forgot one of the S's on this boarding pass. Are you sure they know your secret signals?
A: Move along.


---------

As you can see, I am essentially engaged in a delicate form of black-box testing of the airport security system - an extremely delicate form - where half of the tests I'd like to (but do not) run may land me in jail.

A few things now seem to be clear:

You can easily travel without showing a single piece of ID to TSA. However, you will need to have a boarding pass marked with the magic letters "SSSS".

Some airlines - like Northwest - will quite happily give you a special, machine-printed SSSS pass if you tell them you have forgotten ID.

Other airlines - like Continental - will require 'some' form of ID. This can be satisfied with some pretty weak forms of ID, such as a credit card, or a library card.

Let us, for the sake of discussion, imagine a scenario where you are unable to fly on Northwest airlines (or another no-ID friendly airline), and thus have to deal with an airline that requires ID. Let us also assume that you do not want to have to procure a library card in a fake name.

What can you do?

Check-in online, 24 hours before the flight, and print out your own boarding pass.

or

Use one if the easy check-in terminals at the airport, and punch in your flight confirmation number.

If you do not try to check a bag, you will never have to interact with an airline employee.

Ok - so you now have a vanilla boarding pass, but since the letters SSSS haven't been written on it, TSA won't let you pass. What can you do?

The obvious answer, of course, would be to write the letters "SSSS" on the boarding pass yourself - using a sharpie pen. The problem with this, is that I'm guessing it's probably illegal. As the Gilmore case demonstrated, TSA is extremely tight-lipped regarding their ID requirements. Once things calm down with my case, I'll write TSA a nice friendly letter to see what they say. In the mean time - let me be as clear as possible - I am in no way encouraging anyone to write "SSSS" on their own boarding pass. It is probably very very illegal.

However, as things currently stand, unless I've missed something, it seems that the only thing stopping you from flying without any ID on continental airlines, is a sharpie pen, and a willingness to break a couple rules.

By taking down my fake boarding pass website a few months back, TSA was able to successfully stop a would be computer-owning terrorist from avoiding the no-fly list with a fake pass. Well, that is, a terrorist who didn't have the skills to google to find the other boarding pass generators that are still out there.

Luckily, we're safe. Terrorists have not yet been spotted with sharpie pens.

Thursday, January 18, 2007

No ID with Continental?

Yesterday, en-route to DIMACS, I flew from Indianapolis to New Jersey.

Given that all of my previous no-ID experiences were with Northwest, I thought that this trip - on Continental Airlines - would be a fantastic chance to see how things work for other airlines.

In my previous experience with NWA, I was instructed by a check-in desk supervisor to simply present myself at their check-in desks, and tell them that I had forgotten my ID. This happens often enough, I was told, that they had a clear procedure for it..

And sure enough, every time I flew NWA (either out of Indianapolis, or Reagan airport in Washington DC), the check-in employee would happily print out a special "SSSS" boarding pass after being told I didn't have ID. Simple enough.

Continental is different.

Armed with a legitimate print-at-home boarding pass, I told the check-in desk employee that I had forgotten my drivers license, and had no other government ID on me. He read me their full rules regarding ID's, and said without an ID, there was no way they'd let me fly today. I asked him what happened when other passengers forget their ID, and he told me that in such cases, they rebook the passenger to fly another day. I also asked what happened when someone's wallet was lost/stolen on vacation - and he said they would only let them fly with a police report. I told him I had read in the newspaper that you were allowed to fly without ID if you submitted yourself to a more strict search. He asked which newspaper, and I responded with "The New York Times" - he rolled his eyes.

Shocking stuff.

The best (and most amusing) part of my interaction with the check-in employee was at the very end of the conversation:

Him: Since then, everything has changed. We've gotta be careful now. Thats why we check ID.
Me: Since when?
Him: More people died on 9/11 than Pearl Harbor
Me: Yes, but more Americans have died in Iraq than on 9/11.
Him: *thinking*... We gave them 2 or three chances before we attacked, and they didn't stop.
Me: "them"? most of the hijackers were from Saudi Arabia, and we're still buying oil from them. There were no Iraqi 9/11 attackers.
Him: They're all the same....

At this point, I turned around and left... It wasn't going anywhere, and I was going to get myself in trouble if I started an argument.

So - it seems clear that if you want to fly without ID, then flying on Continental Airlines could be difficult. To do so, you're going to need to interact with TSA - and tell them that you don't have any ID... This is always a dangerous thing, since TSA can be so unpredictable (and rather arbitrary in their decisions).

I didn't to risk being denied entry to the gate by TSA, so instead, I tried to fly with an alternate ID.

I'd read somewhere that the ID given by a state-university (like IU) counts as government ID.

I walked up to the TSA checkpoint, presented my IU Student ID to the rent-a-cop checking ID's before the TSA checkpoint. She looked at it and then asked me for my drivers license... After I told her I didn't have one on me, she asked me for a second piece of ID. I showed her my credit card, after which, she promptly wrote "SSSS" and "ID" in big letters on my print-at-home boarding pass.

From that point on, it was the usual heavy duty search. Every item in my bag searched, and swabbed, etc.

Interesting Times.

Wednesday, January 17, 2007

New location for This American Life Mp3s

Summary: The episodes can be found by going here:

http://audio.thisamericanlife.org/jomamashouse/ismymamashouse/EPISODENUMBER.mp3




Up until mid 2006, This American Life (a popular and awesome radio show on NPR) had "streaming" mp3 files of their archived shows on their website. They had struck a deal with iTunes/Audible.com to sell the shows for download - so they didn't have any great incentive to make free podcasts/.xml feeds available.

Then some enterprising Internet user created an unofficial .xml feed of their archived shows, so that you could download the "streaming" mp3 files to your ipod. It's worth noting of course, that it's almost impossible to make a mp3 file streaming only. All you can do, is make it difficult to download.

And so, for much of 2006, you could either manually download the shows from this address (http://audio.wbez.org/tal/SHOWNUMBER.mp3), which no longer works, or you could use the ultra-nifty unofficial podcast (http://www.redjar.org/radio/tal/archive/).

This American Life's lawyers (or someone there) didn't seem to like this, and sent the podcast guy a cease and desist letter. Stop it, or else. While his unofficial podcast feed went down, their directory structure/naming scheme persisted, and so savvy Internet users were still able to download all the old TAL eposides with a few issues of the "wget" command.

In October of 2006, This American Life announces that they're going to offer free podcasts of their 2 most recent shows. All the old shows will still be available for free, streaming online, or for podcast purchase from the Itunes store/Audible.com

It seemed like a happy compromise.

The only problem was, in the process of doing this, they replaced their streaming mp3 links with a sneaky flash plugin - which made is particularly difficult to figure out where the files are kept - at least by doing a "view source" in the browser...

Today, I wanted to load up my ipod (since I'm flying to New Jersey later) with the TAL episodes that I missed over Xmas... the old method of using 'wget' didn't work, so I fired up wireshark - a packet sniffer - and discovered that TAL has moved to a new directory structure..

I'm happy to share this useful tidbit of info.

This American Life episodes may now be downloaded at http://audio.thisamericanlife.org/jomamashouse/ismymamashouse/
EPISODENUMBER.mp3

Clearly, someone over there has a sense of humor.