Friday, August 22, 2008

Terror Watch List Glitches

A few days ago, CNN showed yet another Drew Griffin's report about "terror watch list" glitches[1] (UPDATE: the original video seems to be not available anymore, but the script is still there; also, there is a copy on YouTube - WARNING: there is some wacky message appended at the end of the video, but the clip itself does not appear to have been altered).

Let politicians argue about who is to blame for this mess. I am going to focus exclusively on its technical aspects the way I understand them. Of course, it is not easy to tell how a system works and what may be wrong with it when all technical details are classified. Still, based on the information from public sources, I am going to try to answer the following questions:
  • How does a law-abiding citizen get on the no-fly list?
  • Why is it impossible to get removed from it?
  • Why is it so easy to find ways around the no-fly list?
  • Is it going to get any better?

First, let us try to understand how one gets on the list.

Let's say, some intelligence agency from some sources has learned that some terrorist somewhere is likely to use the name "John Smith". Now, the name "John Smith" together with whatever extra information counter-terrorism people may have collected on this terrorist (we will call him "John Smith, the terrorist") is entered into TIDE (Terrorist Identities Datamart Environment). Once that happens, the name "John Smith" pops up on the TSA's "no-fly" list, also known as "terror watch list".[2] From this point on, "John Smith, the law-abiding citizen" will not be able to check in for his flight without going to the ticket counter and showing some identification for the TSA people to make sure that he is not "John Smith, the terrorist". Yes, it is a major inconvenience, but - as far as I can tell - there is no other way this type of screening system can work. Its logic is very simple: first, you stop everyone whose name matches the name on the list, and only afterwards you exclude the ones who are not terrorists. Let me emphasize this: "John Smith, the law-abiding citizen" is NOT on the no-fly list . It is "John Smith, the terrorist" who IS. Of course, it does not make the life of the former any easier, but we are not going to get into that right now.

Okay. Now let's talk about getting OFF the list.

In the same CNN piece, Homeland Security Secretary, Michael Chertoff, claims: "If you can get from the 'innocent John Smiths' their dates of birth or some other additional unique identifying fact, you can put that into the system, and then, when they present identification, they are immediately taken out of the system".[1] Everything is correct except for the "they are immediately taken out of the system" part (Secretary Chertoff does not seem to know how the system works). According to the U.S. Department of Homeland Security web site, passengers experiencing difficulties similar to the ones described in the CNN report can fill out a simple form, attach copies of their IDs, and mail the package to DHS TRIP (Department of Homeland Security Traveler Redress Inquiry Program). One can even e-mail electronic copies to them instead of mailing hard copies and even track the progress of the case on-line. The web site does not explicitly say what Secretary Chertoff said about the names being "taken out of the system", but kind of implies that all the problems will be taken care of.[3] Sounds comforting, but, according to the Drew Griffin's report that prompted me to write this blog post, each of the three Robinsons, who filed the necessary paperwork with DHS TRIP years ago, still cannot check in without going to the ticket counter. Drew Griffin, who has also submitted his paperwork, cannot either.[1]

So, it doesn't work? Of course, it doesn't. It is not supposed to. At least, it is not supposed to work the way most - including, it appears, Secretary Chertoff - expect it to. No matter how diligently our "John Smith, the law-abiding citizen" fills out the DHS TRIP form and how many copies of various IDs he attaches to it, he cannot be removed from the list because HE is NOT on the list, no matter how absurd it may sound to some. As long as "John Smith, the bad guy" is out there and is considered a threat, "the innocent John Smith" will not be able to check in at curb side and will have to show some proof that he is not the "bad guy". The only thing the list maintainers can do is to add "John Smith, the good guy" to some kind of "white list" (as opposed to "black list"), but it is not going to make much difference, if any, because he will still have to prove that he is "the white-listed John Smith".

The only possible way to alleviate the hassle for "the white-listed John Smith" (provided that he is already on the "white list") is to somehow get from him one or more of what Michael Chertoff calls a "unique identifying fact" that will positively identify him as "the white-listed John Smith" without actually making him go to the ticket counter. For example, such information may be requested at the time of reservation. TSA's new Secure Flight Program seems to be moving in that direction. According to TSA, it is going to require airlines to collect from a passenger his/her full name, gender (optionally), and date of birth (optionally), as well as redress number (optionally and if available) or known traveler number (optionally and if available). Redress number is a unique number issued by DHS TRIP after a person submits his/her data to DHS TRIP and is cleared.[4][5] It is, basically, a "white list ID number". Known traveler number is, as far as I understand, also a "white list ID number" issued to a person after he/she has been checked out and cleared as someone who does not pose a threat through known/registered traveler program[6] (I am not 100% sure that registered traveler and known traveler are the same programs though). The way I understand it, the new system is supposed to work as follows:
  1. Airline collects information from passengers (the more information they provide, the lower the chances of misidentification are going to be) and transmits it to TSA;
  2. TSA compares passengers data against the "black list" and clears those passengers whose names do not match any names on the "black list";
  3. If there are matches with the "black list", TSA compares those names against the "white list" and clears those who are on it;
  4. Remaining passenger data may be examined by a human analyst and some passengers cleared, but most probably they all will be subjected to additional screening;
  5. TSA transmits to the airline instructions on who can get boarding passes without additional screening and who cannot.
Of course, this will require that airlines, as well as, possibly, travel agencies and various on-line reservation systems, update their software in order to collect the additional information from passengers and "package" it for transmission into format required by TSA.

I have not been able to find any information on whether and how the "white list" will be synchronized with other databases, for example, with TSA's Federal Flight Deck Officers Program[7]. One would logically assume that if someone is authorized to fly an airplane with a loaded gun as a pilot, he/she should not be subjected to additional screening flying as a passenger. But. again, according to the CNN report it does not work that way either.[1]

And here comes the scary part!

Now we are getting from the annoying to the really scary stuff. How is it possible that the person with a ticket issued to James Robinson is always stopped for additional screening, while the same person whose ticket reads "J. K. Robinson" or "Jim Robinson" isn't? How come Drew Griffin is subjected to additional screening and the same Drew Griffin who "misspells" his name without a space between his first and middle name is not?[1]

When I learned about it, my first guess was that the system only searches for exact matches. Then, I stumbled upon the blog post by James Moore in which he claims that DHS uses soundex algorithm.[8] Without getting into the technical stuff, let me just say that soundex algorithm (which is one of the family of phonetic algorithms) mostly works fine when it comes to phonetically similar English names (e.g., "Jack" and "Jake"), but it is pretty much useless for searching foreign names, misspelled names or initials. It also "doesn't know" that "William" and "Bill" are variants of the same name. I am guessing that Lockheed Martin decided to use soundex (again, if James Moore's claim is correct) simply because soundex function is built into Oracle (why bother developing a custom algorithm or adapting a third-party algorithm if one can simply use something that is already there and... kind of works?!). Another reason might be that other government agencies use soundex. For example, the U.S. National Archives and Records Administration (NARA) uses it to index and search census data.[9] Whatever the reasons might have been, it probably was a poor choice.

According to Ronald Kessler, the no-fly list, in addition to the names of terror suspects, contains "aliases or different spellings of the same name, like Muhammed and Mohammad"[10], which, unless I am misinterpreting it, sounds like someone actually enters those aliases or different spellings into the database. But then how come "the list" does not contain "Jim Robinson" in addition to "James Robinson"? Does that mean that they are 100% sure that "James Robinson, the terrorist" cannot use the name "Jim Robinson"? If it is a "bug" (and it looks like it is), will it be fixed in the new system? Unfortunately, I do not have enough information to answer these questions. What I do know, however, is that, if TSA fixes this bug and its new Secure Flight Program will not be as easy to "fool", the number of false positives will increase despite TSA's claims that it will reduce the number of misidentified passengers.


1. Drew Griffin and Kathleen Johnston, "Airline captain, lawyer, child on terror 'watch list'", August 20, 2008, CNN (UPDATE: the original video seems to be not available anymore, but the script is; also, there is a copy on YouTube - WARNING: there is some wacky message appended at the end of the video, but the clip itself does not appear to have been altered)

2. "Terrorist Identities Datamart Environment (TIDE)", Fact Sheet, National Counterterrorism Center (UPDATE: the document appears to be unavailable at its original location, but still can be downloaded from the website of the Office of the Director of National Intelligence)

3. Traveler Redress Inquiry Program, U.S. Department of Homeland Security

4. TSA Secure Flight Program, Public Meeting Transcript, September 20, 2007, Transportation Security Administration (UPDATE: the document appears to be unavailable at its original location, but still can be downloaded from Papers, Please! The Identity Project)

5. Secure Flight Program, Notice of Proposed Rulemaking, Docket No. TSA-2007-28572, Transportation Security Administration (UPDATE: the document appears to be unavailable at its original location, but still can be viewed/downloaded at/from Federal Register)

6. Registered Traveler, Transportation Security Administration (UPDATE: the page appears to be unavailable at its original location)

7. Federal Flight Deck Officers, Transportation Security Administration (UPDATE: the page appears to be unavailable at its original location)

8. James Moore, "Are You on the No Fly List, Too?", March 2, 2007, The Huffington Post

9. "The Soundex Indexing System", updated May 30, 2007, U.S. National Archives and Records Administration

10. Ronald Kessler, "NCTC: Up to 70 Terrorist Plots Each Day", August 15, 2006, NewsMax.Com (UPDATE: the article appears to be unavailable)

No comments: