Boarding Pass Hacker Breaks Silence
Chris Soghoian, the Indiana University doctoral student whose online demonstration of serious flaws in airport security prompted an FBI investigation, broke his silence this week after the government terminated its investigation into the matter.
Soghoian had refused to talk to the media ever since the FBI visited his home in Bloomington, Ind., on Oct. 27 and carted away computers and other equipment. The federal action came in response to Soghoian's decision to post a tool on his Web site that would allow someone to print a fake boarding pass that could be used to evade the "no-fly" list -- a key government tool in keeping suspected terrorists off of airplanes.
In an interview with Security Fix on Saturday, Soghoian said he was ready to set the record straight now that the FBI had ended its investigation and the local U.S. attorney had declined to press charges. A spokesperson for the FBI's Indianapolis field office confirmed that the investigation was closed on Nov. 14.
Soghoian's boarding pass generator highlighted a loophole in the Transportation Security Administration's policy for screening passengers against the no-fly list. The problem is that boarding passes are compared to a person's ID only at initial airport security checkpoints, not at the gates where passengers board planes. And the boarding passes are scanned and verified only at departure gates, not security checkpoints.
In discussing the tool that he created, Soghoian said that even if the TSA plugged the security loophole -- by requiring ticket readers at the initial terminal security checkpoint and integrating the no-fly list with every airline's computer systems -- the current legal status of the TSA's policy allows anyone to refuse to show ID at check-in if they consent to additional screening.
"Everyone focused on this issue of fake boarding passes, but no one touched on the issue of a person [telling airline security screeners] that they don't have any ID on them," Soghoian said.
To help put Soghoian's point in perspective, consider the case of John Gilmore, co-founder of the Electronic Frontier Foundation. In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules.
Gilmore later sued the government to gain access to the rules. The case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search.
This summer, Gilmore challenged members of the Department of Homeland Security's privacy advisory committee to test the court's ruling -- i.e. to see if it's possible to fly domestically without an ID. Committee member Jim Harper, director of information policy studies at the CATO Institute, a libertarian think tank, accepted the challenge. After a thorough screening that involved a slew of tests for traces of explosive materials, Harper made it through screening and was allowed to fly without showing ID. And he believes he made it through security faster than he would have had he shown an ID.
In a phone interview Monday, Harper said the whole ordeal demonstrates the ineffectiveness of identity-based screening at airports.
"You could fix all these holes in airline security screening and you still wouldn't have a secure, identity-based system," Harper said. "Identity doesn't tell you what someone plans to do, especially a person who has newly-adopted terrorist plans or who has just joined some terror-related organization recently. The 9/11 operation -- with two exceptions -- was carried out by people who weren't known to U.S. authorities and were already operating in a mode to defeat the watch list we've since put in place. So the current system merely requires al Qaeda to continue using techniques they were using in the past. So this -- like so many other security systems that we have post-9/11 -- start[s] from such a level of abstraction that they end up being total surveillance systems."
Indeed, Soghoian himself said he successfully tested the no-ID policy on four different flights over the past four months. The experience, he said, left him scratching his head as to why the government bothers with the no-fly list at all.
"There's the ability to get on a plane and do bad things and the ability to get on a plane to avoid the government knowing who you are. We as citizens have given up some of our rights to fly safely, and that takes care of the first issue," Soghoian said. "The question is whether we're willing to be searched and inconvenienced solely to protect the government's no-fly list, which doesn't make us any safer."
So what lessons should other people take away from this before they try to publicize loopholes in U.S. security checks?
One of Soghoian's attorneys, Stephen L. Braga, a partner with the Washington, D.C., law firm Baker & Botts, said doing the research to find such loopholes is fine. It's what you do with the information that matters.
"I think the clear takeaway from this is for people to go ahead and do their research, develop a thesis of what the flaw is and bring it to the attention of the authorities if it has any potential for misuse, but don't post it online," Braga said. "People really need to think twice about whether putting things like this out there might fall into the wrong hands and be used for illegal purposes."
Soghoian said that when he met with officials from the U.S. Attorney's office in Indianapolis to retrieve his computer equipment, he was told that the crisis might have been averted if he had pasted some sort of "SAMPLE" or "NOT FOR BOARDING" disclaimer watermark on his boarding pass generator -- to better illustrate that the tool was created merely to make a point, not to abet anyone trying to evade the no-fly list. But Soghoian said he believes that the issue would not have garnered the national attention that it did if he had included those disclaimers.
"The fact is that [the government] has been told about these vulnerabilities time and time again. When a U.S. Senator puts step-by-step instructions on how to fake boarding passes on his Web site and the problem isn't fixed, we have to ask ourselves what more will it take?" he said. "My hope is things will get fixed but my worry is they won't and this will all get swept under the carpet again."