TSA no-bids a contract, and messes it up, too

No-bid contracts are generally a bad thing, especially when they are given to a former employer of the person responsible for managing the contract, and even more so when the implementation is so grossly fubar’d that it results in the US government exposing personal data of people while at the same time claiming in hearings before Congress that the information is being protected.

But that didn’t stop the TSA from following this recipe for disaster with their Traveler Redress website. The site was set up so that anyone who found themselves on the watch list – which would result in an extra 15-60 minutes at the airport for each trip – could submit certain personal information and get themselves removed from the list. Of course the personal information required was detailed and probably stuff you wouldn’t want others on the internet to know about you, like your SSN and place of birth, but it was OK because the site was run by the TSA and they were definitely behaving appropriately in managing the data. After all, they are a government agency and have certain protocols that they have to follow. In reality, the site was only half encrypted, and the encryption that was there was done using a self-signed certificate, which is generally a bad idea. So the data being submitted was done in clear text most of the time, making it susceptible to eavesdropping.

The guy who exposed the risk has blogged about it a bit, and his most recent post includes a response from the TSA Spokesman, which is pretty entertaining to read both for the poor grammar and then flawed assumption that knowing the name of a passenger can accurately determine if that person is a danger on an airplane (or that someone can be so easily identified as being a danger on a plane).

It is not surprising to see the TSA continue to maintain the party line that we need deeper invasions of privacy into Americans’ lives in order to keep us secure, and I applaud anyone who exposes the flaws in the system. I’m actually not sure which is more important, getting the TSA to follow their own rules or fixing the rules, but in the mean time I’ll settle for people continuing to expose just how ridiculous the policies are. Oh, and if they wanted to fire the guy who no-bid the contract to his buddy that’d be OK with me, too.

Official House report/release here. MSNBC coverage here and BoingBoing coverage here, too.

Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.

Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.