Bad policies, bad decisions and a terrible blunder at the TSA

In a report that should come as no surprise to anyone following the story, the Department of Homeland Security Inspector General has blasted the Transportation Security Administration (TSA) for a series of failures that let to the disclosure of data classified as Sensitive Security Information (SSI) last December. Among other things, the report identifies as “deficient” the TSA’s information handling policies. Even more damning, however, are some of the details in the back-story that explain how the TSA managed to get themselves into the situation they were in. Indeed, the whole issue stems from concerns about privacy and handling of personal data, something that the TSA has been blasted for in the past. And while changes have been promised in response to the report, it remains to be seen if actual change can come from this event.

In prior years the TSA controlled public access to information that was considered SSI – whether redacted or not – through the use of a password-protected intranet site available only for potential bidders on projects associated with the documents.

Prior to a 2007 solicitation for requests for proposals to implement privatized screening at the Key West Airport, TSA required potential vendors to sign a nondisclosure agreement before providing the SSI Screening Management SOPs via its SPPO web-board. The web-board controlled access via login/password to vendor personnel who had submitted a signed nondisclosure agreement.

TSA officials reported to us that over time, TSA’s Office of Privacy and the Office of Chief Counsel’s Information Law branch informed SPPO and the Office of Acquisitions (ACQ) that the program’s prior process for vetting vendors, which included completion of a nondisclosure agreement, violated their privacy rights. TSA does not have a Privacy Impact Assessment (PIA) in place for the collection of personally identifiable information provided through the nondisclosure agreements.

In other words, the TSA was inappropriately collecting information from potential vendors and was unable to assure those vendors that the information collected was being handled in a reasonable manner. At this point the TSA had a choice to make: establish a PIA or stop collecting the information. For reasons which are not particularly clear and which are not addressed in the report the TSA chose the latter. They simply stopped collecting the information in question and stopped providing access to SSI documents associated with contracts that were up for bid. This issue came to a head with the 2007 solicitation for security vendors in Key West.

…TSA released the solicitation to implement privatized screening at the Key West Airport with limited information, did not have vendors sign a nondisclosure agreement, and did not release the SSI Screening Management SOPs. After the contract award, one vendor that had proposed to undertake and perform these duties at Key West Airport conveyed to TSA that not having access to SSI Screening Management SOPs placed them at a disadvantage, as other vendors had those documents through previously signed nondisclosure agreements.

In reviewing the Key West solicitation, the Offices of Chief Counsel and ACQ determined that TSA provided too little information and risked receiving an award protest. The expressed view was that incumbent contractors who already possessed the Screening Management SOPs would have an unfair advantage.

That decision made to avoid the PIA led to the scenario where the bids solicited were uninformed and biased in favor of incumbent parties who had previously had access to the information. Bad policy begat bad decisions which begat a terrible blunder.

The TSA made the decision at this point – mid 2008 – to produce a redacted version of the Screening Management SOP document so that they could distribute it to vendors. This was, in theory, the best of both worlds. The TSA would have the information available and would not have the issues associated with collecting personal information and the need for a PIA. Unfortunately, however, the TSA failed to properly produce this document, resulting in the events of last December.

The instructions for producing such documents are pretty straightforward. Indeed, the report includes a pretty picture that describes the process. The key step comes in the box that is redacted in this image but that is described pretty clearly in the report itself, “

In <<Adobe Acrobat>>
the key step to ensure that document contents cannot be either manipulated or retrievable is to check <<Apply Redaction>>. (N.B. – the bits inside the << >> marks are actually properly redacted in the original report. I have inserted the text here based on a reasonably solid supposition as to what the contents likely are. As someone who has worked with the tools in question and from reading the other content of the document it seems pretty likely that the above is correct.)

So, essentially, the error came because someone forgot to click on a checkbox. It was furthered when that user chose to skip the second to last step in the flowchart, searching for known redacted content in the finished document. Moreover, the document was returned to the Office of SSI for clarification of the header/footer that stated the document was still considered SSI. At that time a new electronic document was produced following the same procedures as the first one, skipping the appropriate steps to correctly apply the redaction.

Particularly damning in the report is the Inspector General’s review of the TSA’s training for its employees in the handling of SSI documents.

After our review of [the (SSI) Awareness] training course, we determined that this training does not contain instruction on handling redacted SSI material, the process of consulting with SSI coordinators, or discussion of any other quality control steps prior to the release of redacted information outside of DHS.

It is not clear what the training does cover but the fact that it doesn’t include anything about how to properly handle redacted material or to manage the release of the information to the public. Not comforting at all for the traveling public that the TSA’s training doesn’t actually cover things that seem critical to the topic in question.

Another of the findings in the Inspector General report is interesting, especially in light of some of the comments made by Acting Secretary of the TSA, Gale Rossides. Ms. Rossides testified during hearings before the House Subcommittee on Transportation Security and Infrastructure Protection that the leaked version was old and that many updated versions had been released in the interim months. While this is almost certainly true it belies a readily apparent fact: the main substance of the document didn’t change all that much. Indeed, the report suggests that over a span of 9 months – from the production of the original redacted version until the version was posted online – the “changes were determined to be insignificant” by the Screening Partnership Program Office and the same document was forwarded on to be included in the posting online.

Ultimately the failures associated with this document being published were many. The TSA made a decision to avoid responsibility associated with a Privacy Impact Assessment. An office worker chose to not follow the established process in creating a redacted document and also failed to check the document after producing it. And the Agency missed at least one other opportunity to discover the error and resolve it. As stated rather succinctly in the report:

We are concerned that an improperly redacted version of the SSI Screening Management SOPs passed through a number of TSA offices from June 7, 2008, to posting the document on FedBizOps.gov on March 3, 2009, and again on March 16, 2009, without any internal procedures to determine whether the document was redacted properly. As a result, TSA and department internal controls for reviewing, redacting, and coordinating the protection of SSI are deficient.