Alex Kingsbury

Improperly redacted PDF allowed access to secret TSA information

TSA officials say that a "full review" is underway to determine how a 2008 copy of its standard operating procedures for all airport security checkpoints was released in its entirety on the Internet. The document was "improperly redacted," according to TSA officials, meaning that with a few keystrokes what was once secret spilled out into the public domain.

The document itself details screening procedures at metal detectors, explosive residue testers, and other elements of airport security. It outlines procedures for escorting certain travelers around security checkpoints, including air marshals, diplomats, and CIA officers. An annex to the document gives several examples of official credentials for agencies including the CIA, Congress, and federal air marshals and notes on determining their authenticity.

Another redacted section of the document reveals that travelers are selected for screening if their passports are issued by any one of 12 specific countries.

The TSA document, dated June 30, 2008, is stamped "Sensitive Security Information," a description of sensitive but not classified information. Releasing it to the public can result in "civil penalties or other action," according to a warning stamped on each page of the document.

Agency officials promised swift action.

"The Transportation Security Administration has become aware that an outdated version of a standard operating procedures document was improperly posted by the agency to the Federal Business Opportunities website wherein redacted material was not properly protected," the agency said in a statement.

"TSA takes this matter very seriously and took swift action when this was discovered. A full review is now underway. TSA has many layers of security to keep the traveling public safe and to constantly adapt to evolving threats. TSA has appropriate measures in place to effectively screen passengers at airport security checkpoints nationwide."

Several bloggers who focus on national security issues first discovered this particular slip-up, but it is an all-too-common problem for government officials trying to keep information secret in the digital age, experts say. "It is a pervasive problem that needs to be addressed," says Steven Aftergood, an expert in government secrecy with the Federation of American Scientists. "People ought to learn to get it right."

To redact the TSA document for public release, officials apparently used a computer program to blacken particularly sensitive parts of the handbook, including which types of travelers are exempt from various kinds of random and required screening, the procedure for CIA officers escorting foreign dignitaries and others through checkpoints, the minimum gauge of wire used to calibrate X-ray machines, and the types of chemicals used for cleaning explosive residue scanners.

The document was then published online as a PDF, a common file format used widely by the government. To redact it, officials obscured text using a program which successfully obscures the text as viewed on a computer monitor. But the information wasn't deleted. Highlighting the text of the PDF page and then using the copy and paste functions on a computer easily revealed the hidden information.

It's not the first time that digital redactions have gone awry. In June, the State Department's security service accused a former CIA station chief in Algeria of rape. An online copy of the search warrant issued in the case was published as a PDF document, with a similar use of black to redact information. Selecting the text of the document, however, and copying and pasting the results revealed the detailed address information of where the CIA officer lived in Algeria.

Sometimes the redacted information is seemingly harmless. Aftergood pointed to another case in 2004, where the Justice Department filed a redacted legal document that censored a benign quote from the Supreme Court.

But the insufficient redaction problem has become so pervasive across the government that in 2005 the National Security Agency published a report called "Redacting With Confidence" on how to properly redact a Microsoft Word or PDF document.

"The key concept for understanding the issues that lead to the inadvertent exposure is that information hidden or covered in a computer document can almost always be recovered," the report warned. "The way to avoid exposure is to ensure that sensitive information is not just visually hidden or made illegible, but is actually removed from the original document."

 

 

NEWS & CURRENT EVENTS ...

WORLD | AFRICA | ASIA | EUROPE | LATIN AMERICA | MIDDLE EAST | UNITED STATES | ECONOMICS | EDUCATION | ENVIRONMENT | FOREIGN POLICY | POLITICS

 

TSA to Conduct Full Review After Sensitive Information Leak | Alex Kingsbury