Wednesday, August 6, 2008

Encryption Is the Issue In Case of Missing Laptop

The Transportation Security Administration (TSA) continues to investigate the circumstances surrounding the loss of a Clear®-owned laptop computer on July 26 that contained unencrypted data of approximately 33,000 customers. TSA has verified that a laptop was discovered by Clear® officials yesterday at San Francisco International Airport (SFO). It was voluntarily surrendered to TSA officials for forensic examination.

TSA’s regulatory role in this matter is as follows: Every commercial airport is required to have an approved airport security plan. So Registered Traveler is part of that comprehensive plan at the airports where it operates. Under the airport security plan, the sponsoring entity (SFO in this case) is required to assure its vendors have an approved information security program. Because the computer at SFO was not encrypted, it is in violation of the airport’s security plan.

TSA also has the ability to go directly to vendors when the plan is not being adhered to, so TSA is conducting a broad review of all Registered Traveler providers’ information systems and data security processes to ensure compliance with security regulations.

Clear® needs to meet the information security requirements that they agreed to as part of the Registered Traveler program before their enrollment privileges will be reinstated. Encryption is the wider issue as opposed to one incident with one laptop. So for now, Clear® enrollments remain curtailed.

Current customers will not experience any disruption when using Registered Traveler.

Eos Blog Team

Monday, August 4, 2008

Answers to Your Top 10 Questions

Here are the top ten questions we received from our recent request. We tallied the number of times we received each question or a similar version of it and noted the total for each question below. Thanks to the Office of Chief Counsel, Privacy Office and Kip for helping us provide you with the answers.

10) What immediate measures can a person take when encountering a less than friendly TSA agent? 12 of our readers asked this question.

First, you can request a lead or supervisor. If you're not satisfied after speaking with a lead or supervisor, you can request a manager. If you're in a hurry and don't have time to talk, or if you are not comfortable making your complaint in person, you can visit our new Got Feedback? web page. "Got Feedback?" is a new program that allows passengers to contact us via e-mail with very specific questions, comments, complaints, etc. Rather than your e-mail being sent to a single mail box where it sits in the queue waiting for a response, it is actually sent directly to the TSA Customer Support Manager at the airport your feedback concerns. Upon request, the Customer Service manager will contact you. Click here to read more about the "Got Feedback?" program.

Our officers have a tough job, and they are there to protect you and your family. Everyone at TSA appreciates the support of the traveling public, including those who express their support with their courteous behavior and words of support.

9) Do any members of the Blog team actively perform screening functions? 12 of our readers asked this question.

Not currently. When Bob joined the blog team, he was a Behavior Detection Officer based out of Cincinnati and a former Transportation Security Officer who performed screening duties. Bob eventually came to headquarters as a full-time blog team member. So, while Bob has 5 ½ years experience in various screening functions, he is no longer a TSO/BDO.

While not in a screening function, Jay is a Federal Security Director for an airport in the Midwest. He oversees screening operations at about 10 airports of varying sizes. Also, we had a TSO contribute as a guest blogger and write an article on Checkpoint Evolution.

There are currently many TSOs and other field employees actively involved in commenting on the blog, and we appreciate their participation.

We will continue to invite members of the workforce to weigh in on the blog to keep it relevant to what is happening in airports. The blog will improve as we add new folks with various areas of expertise.

8) Why do you have access to my political affiliation? 13 of our readers asked this question.

"It's unequivocally not our policy to use political, religious, or other sensitive personal topics as identity validation. If it happened, it was wrong and will not be repeated." Administrator Kip Hawley

Perhaps you're asking this question because of a recent story about a person who said that their identity was verified at a checkpoint by asking their political affiliation. Early on, there was a case where the operations call center ran a passenger's information through their database (which includes commercial data) for a passenger without ID, and found no significant information to verify their identity. One thing that did come up was political donations for a person with the same name. Political donations are a matter of public record and accessible to anyone with basic Internet search skills. As a last ditch effort to help the passenger, a decision was made to ask them about their political affiliation. It was a mistake.

7) Why has TSA restarted the pointless gate screening? If the sterile area is in fact sterile, there's no need to screen those who have already been screened. 13 of our readers asked this question.

In reality, we do very little screening of bags at gates. We do, however, conduct a great deal of additional security in the sterile area. For instance, we have Behavior Detection Officers and K-9 teams on regular patrols as well as undercover Federal Air Marshals throughout the sterile area. Not to mention video coverage. We want to pick up on people who may be doing surveillance or attempting to prepare for a later attack. We are interested in activity around gates, but also restaurants, Duty Free shops, and other common areas.

As to gate screening itself, we have special purpose checks for specific items and behaviors. We may also have a particular interest in different flights. We layer in some random activities so as not to raise attention when we do have a specific interest. You may see our inspectors with new portable explosives detection devices that go onboard an aircraft ahead of boarding and check employees with access to the aircraft, including catering.

TSA’s overall strategy is to incorporate mobile, unpredictable, intelligence-driven security measures in ways that frustrate a terrorist planner seeking to engineer attacks against an easier, stationary target. We do not, as the question suggests, do gate screening of bags merely to re-do what we already did at the checkpoint.

Click here to watch a short video on gate screening.

6) I had a TSA agent tell me that each airport is free to implement security standards beyond those listed on the TSA site -- meaning that they could restrict items from being allowed in carry-on baggage that are explicitly allowed according to the TSA site. 14 of our readers asked this question.

There is a standard list of prohibited items that is available on our Web site to anybody with an internet connection, including terrorists. Clearly we have to pay attention to those items, since they are obvious tools of would-be attackers.

We cannot, however, fixate on those items and think that if we stop them, we're safe. Terrorists know TSA's standard operating procedures and work on how to engineer around them. Look no further than the August '06 London bomb plot with liquid sports drinks. If those terrorists had made it to the checkpoint, many of the items they were bringing would have been extremely hard to identify.

TSA is moving the focus of our officers from a checklist mentality to an empowered environment where officers use their experience and training -- and trust their instincts. The TSA workforce has screened more than 3 billion people, about half the population of the earth. We have a good handle on what "normal" looks like. Anything out of the "normal" range may get additional scrutiny, whether or not it is on the prohibited items list. That could mean a variety of things from a more thorough physical search to a seemingly casual conversation. It depends on what the anomaly might be. We know that with many layers of security the thinking, engaged and experienced TSO will be the one to stop an attack.

TSA is committed to using the judgment and experience of our officers to keep the security advantage. TSA is embarking on a two-day training for all officers that will tie together the latest intelligence analysis, more advanced explosives detection skills, and ways to engage with passengers in a way that promotes a calmer environment and better security result. It uses the physical checkpoint to our advantage to improve security.

5) Why doesn't TSA consider items being stolen from checked bags a security threat? Dangerous items could just as easily be ADDED to luggage. 15 of our readers asked this question.

We do! We consider every opportunity for someone to get a weapon or a bomb onto a plane and use a variety of methods to ensure there's something in place to mitigate that threat.

Specifically, there are video monitoring systems in places where individuals have access to checked bags, both airline baggage handling areas and TSA inspection stations.

Beyond that, we have a multi-layered approach to security, because if one layer gets breached, another layer or layers can step in to fill the gap. Let's focus on layers that directly affect your question.

TSA does background checks on and issues credentials to all employees who work in the secure area of the airport – which includes people handling baggage. TSA also conducts random employee screening every day in airports to ensure only people with proper and valid credentials get into the secure area.

TSA initiates internal investigations or ‘stings’ if we have a concern. When caught, arrests are made and serious federal charges are brought. Also, behavior detection officers are trained to spot suspicious behavior anywhere in the airport.

It's also important to note that employees who work in the airport often see the same people day in and day out, and know when something doesn't seem right. While they don't always work for TSA, they are another set of eyes and ears keeping watch for your safety.

4) Where is the Privacy Impact Assessment for the form that TSA provides to people who claim to be unable to present credentials at TSA airport checkpoints? 15 of our readers asked this question.

The Privacy Impact Assessment, or PIA, that covers the information collection and handling associated with identity verification is the Operations Center Information Management System PIA. Identity verification is one of several types of information associated with airport security efforts that fall within the coverage of this PIA.

For bonus points, we'll answer another question that some have asked: whether the form itself requires an OMB control number. Since the form entails no burden beyond identifying the individual and home address, it is exempt from Paperwork Reduction Act requirements pursuant to 5 CFR 1320.3(h)(1).

3) Given that it's trivially easy to forge a boarding pass, how does presentation of validated IDs do anything to ensure that people on selectee/no-fly lists don't enter the sterile area? 16 of our readers asked this question.

An excellent question. TSA's document checkers are looking at IDs and boarding passes. They are aware of the techniques that forgers use and are looking out for them. We are working with the airlines both in the U.S. and world-wide on this issue. There are encryption and other methods of validating a boarding pass. Some are sophisticated, some are very low-tech and simple. Some airlines are now using encrypted electronic boarding passes that appear on a passenger's cell phone or PDA. The International Air Transport Association, which secures international cooperation and uniformity in aviation regulations and standards, is moving all of its members to use this technology by the end of 2010.

Even so, it is important to remember that the different layers of security work together. We're not only checking IDs and boarding passes at the checkpoint, we have measures throughout the airport, at the gate, and on the aircraft, that identify someone who may be dangerous.

Lastly, one of the other Top Ten questions dealt with random gate screening, which is another way of closing the loophole. The random check can also be used to ensure additional security measures when our information suggests it is warranted.

2) In the context of ensuring air travel safety, what is the difference between two people, both of whom are willing to cooperate with TSA's invasive interrogations, one of whom politely declines to show ID, the other of whom claims he lost or misplaced his ID? 20 of our readers asked this question.


Bottom line is identity matters. We need to verify who is getting on the plane.

The best and quickest way for us to assure identity is with a photo ID issued by a federal or state government. We work with passengers who have something less than that, including no ID. Most passengers in that situation help us quickly resolve the matter by sharing whatever information they have, sometimes verified through our Ops Center in Virginia. Someone declining to show an ID that they have on them endures a lot of hassle for not much of a point since it is far more intrusive for us to resolve it through the Ops Center than showing a legitimate ID up front. It is only when someone refuses to identify themselves or attempts to use fake ID that we would deny entry to the sterile area based on ID.

Ever since airport security started decades ago, it was based on "things" – making sure a bad thing like a gun or a bomb didn't get on a plane. Problem is, terrorists kept finding new ways to disguise their tools to be almost identical to ordinary objects; most recently, bottles of sports drinks and batteries with explosives inside. They will continue to find more novel threats. That is why the additional layer of identity verification matters more now than ever. Watch lists are a valuable tool in keeping people with known ties to terror plotting off planes.

1) TSA cites 49 C.F.R. § 1540.107 and 1540.105(a)(2) as the law giving them authority to demand identification as a condition of granting access to a sterile area of an airport. 49 C.F.R § 1540.5 appears to limit such passenger screenings to searches for weapons, explosives, and incendiaries as the only requirement for granting access to the sterile area. How does TSA reconcile this conflict? 27 of our readers asked this question.

There is no conflict to reconcile. It is true that 49 C.F.R. Section 1540.5 describes screening functions and screening locations in terms of the inspection of individuals and property for weapons, explosives, and incendiaries. However, 49 C.F.R. Section 1540.105(a)(2) doesn't use the word 'screening' at all. Section 1540.105(a)(2) simply states that persons may not enter the sterile area without complying with the systems, measures, or procedures being applied to control access to that area. TSA's identification requirement is one such system, measure or procedure that is used to determine who is permitted to access the sterile area.

By citing 49 C.F.R. § 1540.107 in our original post, we were trying to illustrate one of the ways (and indeed, the most visible way) in which TSA has used its statutory authority to establish security procedures at airports. But, it's important to note that TSA's responsibility for aviation security is not just limited to checkpoint screening. TSA has broad authority to develop policies, strategies, and plans for dealing with the changing threats to aviation security. See, for example, 49 U.S.C. §§ 114(d) and (f) (addressing TSA functions, duties, and powers); id. § 114(h) (addressing notification procedures concerning persons who may pose risk of air piracy or terrorism or a threat to the airline or passenger safety). This authority is in addition to TSA's responsibility for the screening of passengers and property. See, for example, 49 U.S.C. §§ 114(e) (addressing screening operations), 44901(a) (addressing screening of passengers and property).

Thanks,

Bob

EoS Blog Team

Friday, August 1, 2008

"Got Feedback?"

As of today, passenger/airport communications will be turned on its head. We’ve read your comments on the blog regarding checkpoints not having comment cards. We’ve cringed when we read that you were asked for an ID in order to receive a comment card. We’ve seen the oftentimes weak boilerplate letters that go out to passengers from TSA.

Well, in the spirit of striving for improvement today we’re launching the "Got Feedback?" program nationwide at all airports. We’re including a capability for passengers to contact us with very specific questions, comments, complaints, etc.

To get travelers' attention, we are strategically placing “Got Feedback?” stickers in highly viewed areas on equipment and tables. The stickers contain the TSA Blog’s address.

When a passenger visits the blog, they’ll see a hyperlinked image of the “Got Feedback?” logo. After clicking on the image, the site will redirect to a map where you can click on the exact airport where you want to leave feedback.

After clicking on a specific airport, an e-mail form will open automatically addressed to that airport’s TSA Customer Support Manager. After submitting, the form will be delivered directly to the Customer Support Manager. The form will be similar to the comment cards that are currently in use.

Customer Support Managers will receive and respond to “Got Feedback?” e-mails for their airport. We are steering towards a more personal response rather than the cold, soulless response of a form letter.

The information the Customer Support Manager receives will be used to not only address concerns, but will also serve as content for local training and shift briefings directly with local TSOs and management.

As an alternative to leaving specific feedback with a Customer Support Manager, a link on the “Got Feedback?” page will be provided to the blog where passengers can also leave general feedback.

Many passengers have asked for a secret shopper type program and that’s basically what this is. We’re really excited about implementing it. We’re only as strong as our weakest link, and this will help us discover those links that need to be polished and repair them.

Got Feedback is not replacing the blog. It is simply allowing passengers to communicate directly with airport Customer Support Managers. Keep using the blog to discuss TSA-wide issues.


Edited at 1600 EDT to add: Coming Monday, look for the answers to your top 10 questions.
Bob

EoS Blog Team

Wednesday, July 30, 2008

Leave your shoes on?

Wouldn’t it be great to show up at a checkpoint and, just when you were reaching down to untie your shoes, hear an officer say “You can leave your shoes on”?

The TSA is well aware that the removal of shoes is not our most popular policy. In fact, it probably ranks up there with root canals and doing your taxes.

What you’ve seen up until now has been our officers enforcing an unpopular policy that is based on the unfortunate truth that intelligence tells us that terrorists are still very interested in hiding items in their shoes.


Today, the X-ray is simply the quickest, most effective way to ensure nothing is hidden inside. What you haven’t seen is all the hard work that’s been going on behind the scenes trying to find an alternative. Our experts and the private sector have been looking for ways to screen footwear while allowing passengers to keep their shoes on for quite some time.

Last year, TSA tested a shoe scanner from General Electric in Orlando. Today, we’re testing shoe scanning technology at Los Angeles International Airport (LAX) from L3 Communications. If all goes well, these tests could lead the way to quelling one of our most unpopular policies.

LAX received two units from L3 Communications last week. Since this is a test to collect data, passengers will still need to remove their shoes prior to walking through the magnetometer. Hey, don’t kill the messenger. I’m just giving you a heads up! :)

DHS Science and Technology, a sister agency of TSA, is also testing this shoe scanner and will collaborate with us on their findings.

Programs like the shoe scanner, the checkpoint friendly laptop bag and diamond lanes are not only good for passenger convenience but they help to reduce the chaos and frustration at checkpoints. This is good for security because it allows more than 2,000 Behavior Detection Officers to better focus on passengers with harmful intent.

And yes, we are going to answer your top 10 questions. :)
Bob
EoS Blog Team

Wednesday, July 23, 2008

Pay For Performance; Good For Security

The next time you’re in the security line at your local airport, contemplating the 3-1-1 liquids rule or the possibility of making it home in time to tuck your kids into bed, take a quick look at the officers at the checkpoint.

Right there in front of you are some of the most tested professionals inside or outside of government. At any time, 24/7/365 TSA, DHS or GAO testers can and do test our officers’ ability to detect items that could be used in an attack. Our belief is that rewarding excellent performers is one way to motivate a workforce with a deadly serious job to do. Conversely, not rewarding mediocre performance based solely on seniority is a way to motivate people to step up or consider other career options.

Yesterday, our Deputy Administrator, Gale Rossides, testified before members of Congress on TSA’s pay-for-performance compensation system. Alongside colleagues from the intelligence and law enforcement communities, she clearly explained that our system provides incentives to the best performing officers. Nowhere is this more important than on the frontlines of our nation’s efforts to keep its citizens safe. We thought you might find her opening statement interesting and thought provoking. For her more comprehensive, written testimony, click here.


UNITED STATES DEPARTMENT OF HOMELAND SECURITY
TRANSPORTATION SECURITY ADMINISTRATION
Oral Statement
of
GALE ROSSIDES
DEPUTY ADMINISTRATOR, TSA
Before the
UNITED STATES SENATE
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
SUBCOMMITTEE ON OVERSIGHT OF GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE DISTRICT OF COLUMBIA
JULY 22, 2008

Good afternoon, Chairman Akaka, Ranking Member Voinovich, and distinguished members of the Subcommittee. I am pleased to be here today to discuss TSA's progress on our pay-for-performance system, known as PASS [Performance Accountability and Standards System].

I am honored to appear and represent the thousands of TSA employees, our Transportation Security Officers [TSOs], who serve to ensure the safety and security of 2 million passengers a day. These women and men are dedicated security professionals with one of the most difficult jobs in government. These Officers are the most tested in the Federal workforce. Contrary to what so often is the headline grabber about attrition, 22,000 of our Officers have been with TSA from the beginning. They have participated in the largest stand-up of a Federal agency in fifty years. They have stayed with us as we responded to the evolving threat by continuously enhancing the security process, while also building the infrastructure and the human capital system to properly pay, train, reward, and recognize their performance. They stayed for the mission.

There are two reasons TSA relies on pay for performance. Security is the first and foremost. Second, it is to instill a culture of high performance and accountability in our workforce.

Performance on the job has a special meaning for us. Let me be very direct. Our job is to stop a terrorist attack. Our Officers work in an environment in which 99.9 percent of the people they see every day are not a threat, but the threats against our aviation system remain. TSOs want to get passengers through the security checkpoint with a high degree of confidence that they have stopped anyone seeking to do harm—your safety is their priority.

How does PASS improve security? When you get paid more to do a better job, you do a better job. PASS is targeted to reward excellent performance. That is an incentive to perform at the highest level to which you are capable. PASS rewards the individual performance necessary to achieve TSA's organizational goals and that increases security.

TSA's pay-for-performance system is driven by validated data. Its performance metrics are standardized, measurable, observable and almost completely objective. PASS has been adjusted based on feedback from our Officers about what the real job is.

Our Officers have told us they want a pay-for-performance system because they know what is at stake: they want to know that their fellow officers are equally competent. But building a pay-for-performance system takes time. It takes employee engagement. It takes leadership. It takes flexibilities in the human capital system. It takes continuous improvement and it takes constant communication. But for us, it is essential. In my thirty years of Federal service, twenty-three of them with the General Schedule, I have never been more sure of anything: The pay-for-performance system is the best way in this post 9/11 environment, for TSA to manage and ensure the quality of persons on the front line.

The effectiveness of PASS is proven by the statistics. More than half of our TSO workforce has been on the job for four years or more. The 2007 DHS Annual Employee Survey validates that 94 percent of TSOs said the work they do is important. Eighty-three percent said they know how their work relates to the agency's goals and priorities.

TSA supervisors have a significant stake in the PASS program as well, and they are evaluated on how effectively and fairly they administer it. Successful implementation of the program is a component of their own PASS ratings.

At TSA, pay for performance ensures the technical proficiency of the people on the front line. Our goal is for our Officers to be switched on and always at the ready. Pay for performance drives their higher level of performance because their earning power is directly tied to their learning power.

The Senior Leadership Team of TSA is passionately dedicated to our people and the principles of pay-for-performance. We are committed to using the flexible human capital system provided under ATSA to make TSA a model performance-based organization. We are building a culture in which our workforce is actively engaged. It is through listening and working collaboratively with all of our Officers to find solutions that we will continue to meet our challenges.

While significant advances are being made in our technology and security processes, each day's success begins and ends with our Officers. They are TSA's greatest investment. They are everyday heroes. In this war on terror, the individual motivation of our Officers to excel is critical to our success. We rely on the best to do the best at this security job. Pay-for-performance is vital to sustaining this top performing workforce.

Christopher
TSA Blog Team