Internet Slip Leads to Trouble for TSA
Alex Kingsbury

For months, billboard ads have blanketed the nation's capital, declaring that "Adobe Opens Up Washington" and extolling the virtues of the company and its electronic document format, the pdf. But apparent negligence at the Transportation Safety Administration in handling one such pdf has opened up Washington a bit too much for anyone's comfort.

The TSA placed five employees on administrative leave and launched a full review to determine how an improperly redacted copy of the agency's manual for airport security screening was published on a publicly accessible website for government contractors. The Department of Homeland Security, which oversees TSA, says it will not post documents containing security information online until the examination of this incident is complete.

Over the past few years, there has been a rash of improperly sanitized documents posted online. This recently discovered lapse by the TSA is among the most serious, according to lawmakers and homeland security experts. The "Screening Management Standard Operating Procedure" manual includes, for instance, descriptions of the limitations of metal detectors, the procedures for CIA officers passing through checkpoints plus an example of their credential documents, and explanations of when passengers using wheelchairs or artificial limbs do not have to be screened. Each page of the document posted online was marked "sensitive security information," warning that "no part of this record may be disclosed to persons without a 'need to know.'"

"The manual includes information that could help terrorists to defeat and circumvent the TSA inspection process," Homeland Security Committee Chairman Sen. Joe Lieberman, a Connecticut independent, acknowledged during a hearing on the breach. At a separate hearing, DHS chief Janet Napolitano insisted that "the traveling public was not at risk." More hearings about the breach are scheduled for next week. The TSA said this week that there was nothing the agency could do to remove copies of the manual that are already online.

In the case of the screening document, TSA employees apparently believed that they had redacted secret information, but the obscured material in the documents could easily be revealed by using the "copy and paste" features available on all personal computers. Adobe posts proper redaction procedures on its website. The pdf file of the manual also was supposed to be protected by a password on the contracting website but instead was posted where anyone could access it.

This particular type of security breakdown is not new. In fact, by 2005, it had become prevalent and worrisome enough that the National Security Agency issued guidance on sanitizing pdf and Microsoft Word documents in a report called "Redacting With Confidence." A 2008 version of this document notes that "inadvertent disclosure of sensitive information has become an increasingly common problem because complex file formats offer substantial avenues for hidden data."

Security experts also note that new versions of popular software such as Microsoft Word and various Adobe products often allow more recovery of deleted data than older versions, meaning that digital redaction policies need to be constantly updated to keep pace with these upgrades. TSA announced late last week that it is developing an online training tool to "bolster the current redaction guidelines provided to employees."

TSA to Conduct Full Review After Sensitive Information Leak
Alex Kingsbury

TSA officials say that a full review is underway to determine how a 2008 copy of its standard operating procedures for all airport security checkpoints was released in its entirety on the Internet.