Revealed: 'Suicide bomber Barbie' and other TSA quack science that cost $1.5 billion

ACLU urges end to behavioral screening of travelers

From 2007 through 2015, the US Transportation Security Administration (TSA) spent $1.5 billion trying to identify potentially dangerous travelers by observing their behavior through an ongoing program called SPOT.

SPOT stands for "screening of passengers by observation techniques." And according to the TSA's own documents, obtained through a lawsuit filed by the American Civil Liberties Union (ACLU), the techniques employed by the agency to detect untrustworthy travelers are unscientific and unreliable.

The program started as interviews at checkpoints. It expanded beyond checkpoints in 2009 to include roving officers, some undercover, who engage travelers in casual conversation while looking for telltale signs of malicious intent, whatever those might be. Ostensibly, these conversations were voluntary, but seeking to avoid them or being insufficiently forthcoming was treated as an "indicator" that might prompt referral to additional screening.

"The TSA has repeatedly claimed that the behavior detection program is grounded in valid science, but the records that the ACLU obtained show that the TSA has in its possession a significant body of research that contradicts those claims," the ACLU said in its report.

The civil liberties defender says TSA records include a number of academic studies that show that attempts to detect deception by monitoring behavior are useless. Other documents suggest the TSA exaggerated the science supporting its methods in its communication with Congress and government auditors, or failed to disclose information undermining its position.

The ACLU also criticizes the agency for possessing documents that indicate a religious bias against Muslims – hard as that might be to imagine in the current political climate. For example, it cites a TSA-authored presentation from 2006 that "reflects demeaning stereotypes about Muslims and women."

The presentation suggests women can be turned into terrorists more easily than men because "females tend to be more emotional and therefore easier to indoctrinate." It also includes a cartoon that presents a mother and daughter wearing hijabs, arguing over the daughter's desire for yet another "suicide bomber martyr Barbie."

Mattel doesn't presently sell suicide bomber martyr Barbie. But if it did, and if the doll functioned as advertised, periodic replacement would be necessary.

The ACLU allows that it's not clear whether the TSA relied on this insensitive material in its behavior detection program. However, it notes that the TSA has engaged in specific instances of racial and religious profiling in Chicago, Honolulu, Miami, and Newark.

The ACLU argues SPOT should be shut down because behavioral observation isn't a reliable predictor of ill intent.

A 2013 Government Accountability Office report offers a similarly skeptical assessment of TSA's approach, finding the program to be a waste of taxpayer funds.

Hugh Handeyside, staff attorney with the ACLU National Security Project, in a phone interview with The Register, acknowledged that the TSA continues to defend its program. He said he hopes the documents that have emerged from the ACLU's lawsuit will help oversight entities keep the heat on the agency.

"Lawmakers from both parties have been quite critical of this program," Handeyside said. "We don't see how these kinds of techniques, given decades of research, can be used in a way that's consistent with passenger civil liberties."

Handeyside declined to delve into whether observing behavior might be useful for general law enforcement, but said such techniques are particularly problematic in the context of airport screening. "They raise serious civil liberties issues," he said.

In an emailed statement, the TSA said it stands by its program.

"TSA's behavior detection approach is designed to identify and engage individuals who may be high-risk (eg, possess malicious intent) on the basis of an objective process using behavioral indicators and thresholds, and then route them to additional security screening," a TSA spokesperson told The Register.

The agency spokesperson cited the value of behavioral detection in arrests made in Florida, Michigan, and Texas. The cases involved bulk transfer of currency, firearms possession, drugs, and identity fraud, but not terrorism.

The agency insists that behavior detection can be used to address a variety of threats and doesn't become obsolete in the face of new weapons or tactics. "It is one element of TSA's efforts to mitigate threats against the traveling public, and is critical to TSA's systems approach to deter, detect, and disrupt individuals who pose a threat to aviation," the TSA's spokesperson said.

The TSA said it continues to rely on behavior detection, though it no longer treats SPOT as a distinct program. The agency has integrated behavior detection officers into its ranks, in keeping with the 2016 FAA Authorization Act.


Biting the hand that feeds IT © 1998–2022