Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive

Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the "underwear bomber."  This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23-year-old Nigerian man identified as Umar Farouk Abdulmutallab apparently ignited an incendiary or explosive device in his lap while he was sitting on Northwest Airlines Flight 253 to Detroit.  While no passengers were harmed, the same cannot be said for the would-be bomber's lap, which combusted.  In reaction to the attack, the TSA issued Security Directive 1544-09-06 directing TSA airport officers to pat down 100% of all passengers, "concentrating on upper legs and torso," with the notable exception of heads of state.

Two days later, on December 27, 2009, the TSA Security Directive was posted to the Flying with Fish blog run by Steven Frischling and Chris Elliot's blog at Elliot.org.  TSA was not pleased with this attention.  Apparently, the TSA considered the Security Directive secret, even though it was sent to thousands of airports and airlines around the world and arguably was somewhat obvious to anyone in an airport around Christmas-time.  The agency launched an immediate investigation, sending agents and subpoenas to Frischling's and Elliot's homes (the text of which is available at his blog).

Frischling ultimately cooperated with the probe, gave them access to his BlackBerry, iPhone and computers and let TSA agents know that his source had contacted him anonymously using a free email service. 

Then an unusual message appeared on blogger Steven Frischling's Twitter account:

To the gentleman who sent Flying With Fish the TSA Security Directive … Thank You! Can you drop me an email? I have a question. Thanks-Fish.

According to sources interviewed by Wired, a TSA agent took possession of Frischling's BlackBerry, typed the Twitter update into the device and then directed Frischling to click on the “send” button to post the message to his Twitter page.  According to Wired's source, this was an attempt to induce the anonymous informer to send Frischling an email and draw him or her out of hiding.  Of course, implicit in this strategy is that the TSA already had or expected to gain access to Frischling's email, as well.  The TSA denies this account.  Other bloggers, such as TechCrunch's Michael Arrington, have pointed the finger at Frischling and have criticized him for caving to government pressure and cooperating in the effort to out his own confidential source.

No doubt, the TSA is under considerable pressure to heighten its security since early December, when an employee inadvertently posted online the agency's highly classified airport security operating manual.

Federal Judge Prevents Sale of CLEAR Customers' Personal Data

On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program.  The CLEAR program collected a range of customer biographic information (e.g., name, address, etc.) as well as biometric information, including the customer's fingerprints and iris scan.  This information was used to expedite the airport check-in process.

In June, VIP announced that it would be discontinuing the program due to its inability to “negotiate a settlement” with its creditor.  At the time, VIP assured its customers that “[t]he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

Despite this assurance from VIP, many customers expressed concern over the handling of the personal data they had provided to CLEAR.  In addition, customers objected to VIP's statement that it would not issue refunds to customers, some of whom had paid in advance for years of service.

A week after VIP’s announcement of its discontinuation of the program, CLEAR customers brought a putative class action against VIP in the Southern District of New York.  As amended, plaintiffs’ claims include breach of contract, negligence, and unjust enrichment.  Plaintiffs also sought a preliminary injunction, explaining that “VIP’s cessation of the CLEAR program and other factors indicate a significant risk that the confidential information of Plaintiffs . . . will be compromised.”  Plaintiffs expressed concern that VIP would not honor its contractual obligation not to disclose or sell its customers’ data. In the same motion, plaintiffs also sought an order requiring the preservation of evidence.

Judge Holwell agreed, and issued an order enjoining VIP from 1) selling any confidential information obtained from Clear members or applicants, 2) disclosing any such information to any other entity, and 3) maintaining or storing information in a manner that permits disclosure of the information.  Judge Holwell also ordered that VIP take all necessary steps to preserve evidence relevant to the case. As news outlets have reported, however, VIP’s lawyers may challenge the order on the grounds that the judge failed to give them an opportunity to respond to plaintiffs’ motion.

Regardless of whether this particular order remains in place, the controversy surrounding VIP’s cessation of CLEAR service underscores the security and privacy issues that arise when companies entrusted with customers’ personal information are no longer financially viable.
