More Sensitive Security Info Improperly Redacted by TSA

As the Transportation Security Administration (TSA) last week threatened to jail two journalists for publishing the leaked Security Directive that was issued soon after Umar Farouk Abdulmutallab allegedly bungled bombing the Northwest Airline flight he was on Christmas day from Amsterdam to Detroit, it was discovered that TSA once again had improperly redacted sensitive but unclassified information in a document that was posted on a government website last May.
The document is a Merit Systems Protection Board (MSPB) Opinion and Order involving TSA baggage explosives screening that contained Sensitive Security Information (SSI) that the Board said TSA had properly redacted before it was posted on the MSPB website.
But like happened with the June 30, 2008 TSA airport “Screening Management Standard Operating Procedures” (SOP) manual that also was posted online without the SSI information in it having been properly redacted, the redactions of the SSI in the MSPB ruling also was done in an insecure manner that allowed them to be easily removed.
HSToday.us decided not to provide a link to the document because the improperly redacted portions can be easily viewed.
The MSPB’s May 4, 2009 Opinion and Order was improperly redacted by TSA within just a few months of TSA’s improper redacting of its screening SOP that was posted on the Federal Business Opportunities website.
The MSPB Opinion and Order was a ruling on an appeal by a TSA “Transportation Security Specialist” of a Board administrative judge’s (AJ) decision that changes to the SOP covering covert testing of baggage and passenger security systems at US airports did not provide a “substantial and specific danger to public health or safety” like the specialist had raised concerns about.
The Transportation Security Specialist was “tasked with covert testing and with overseeing a team of [redacted] people in conducting tests involving bags and passenger checkpoints … to pass simulated bombs and bags tainted with explosive contaminants through screening.”
The appeals board determined “that the AJ erred in finding that the appellant did not prove by preponderant evidence that he had a reasonable belief that changes in the SOPs would pose a substantial and specific danger to public safety.”
The appeal was filed in response to the TSA officer alleging “that the agency violated the Whistleblower Protection Act (WPA) when it proposed to suspend him for 14 days and removed some of his team leader duties … He asserted that the agency’s actions were in retaliation for protected disclosures, i.e., his criticism of proposed changes in standard operating procedures (SOPs) for checked baggage screening.”
The original unexpurgated version of the Opinion and Order contained Sensitive Security Information that “per agreement between the Merit Systems Protection Board and the Transportation Security Administration, the TSA has redacted all SSI protected” information “so that it can be made available to the public,” the MSPB stated in posting the order on its website.
This latest misstep by TSA to properly redact SSI in documents to be made public has bolsteredthe position of lawmakers who believe SSI materials should be prohibited from being made public even if they are inadvertently made public by the government itself.
Following bloggers and news organizations having made the improperly redacted TSA screening SOP widely available on their websites once it was realized it contained SSI information – not “top-secret” information like some reports erroneously stated – some lawmakers called for restrictions on “bloggers” and journalists from publishing or broadcasting sensitive but unclassified DHS documents.
HSToday.us declined to provide a link to a copy of the unredacted SOP.
House Homeland Security Committee ranking Republicans Peter T. King of New York, Charles Dent of Pennsylvania, and Gus Bilirakis of Florida asked Homeland Security Secretary Janet Napolitano in a letter “how the Department of Homeland Security and the Transportation Security Administration [have] addressed the repeated reposting of the screening SOP manual to other websites and what legal action, if any, can be taken to compel its removal?”
A little noticed law seems to be the tool the lawmakers are wondering whether DHS has considered wielding. The language of Title 49, Part 1520 – Protection of Sensitive Security Information, Section 1520.17 – Consequences of unauthorized disclosure of SSI, of the United States Code, states DHS can take “corrective action [that] may include issuance of an order requiring retrieval of SSI to remedy unauthorized disclosure or an order to cease future unauthorized disclosure.”
But when asked by Dent at a December 16 hearing of the House Homeland Security Subcommittee on Transportation Security whether “current regulations provide you a mechanism to keep individuals from reposting this information on other websites?” Acting TSA Administrator Gale Rossides said, “no, sir, they do not. We do not have any authority to ask non-government or non-DHS sites to take it down.”
Dent persisted: “What action does TSA intend to take against those who are reposting this sensitive document that should not be in the public domain?”
“Well, right now, there really isn’t any authoritative action we can take,” Rossides said.  “Honestly, persons that have posted it, I would, you know, hope that out of their patriotic sense of duty to, you know, their fellow countrymen, they would take it down.  But honestly, I have no authority to direct them and order them to take it down.”
Dent then stated “to those who reposted this security information on the Internet, you should share in the blame should security be breached as a result of this disclosure.”
Rossides did state, however, that “we do know — our CIO shop has done an initial review of who did download it and has it on their website — non-government, non-DHS websites. We do know that.”
The three lawmakers also asked Napolitano if DHS is “considering issuing new regulations pursuant to its authority in section 114 of title 49, United States Code, and are criminal penalties necessary or desirable to ensure such information is not reposted in the future?”
Title 49 grants authority to the Under Secretary to “prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security under authority of the Aviation and Transportation Security Act (Public Law 107-71) or under chapter 449 of this title if the Under Secretary decides that disclosing the information would,” among other things, “be detrimental to the security of transportation.”
Presently, “violation of [Part 1520, Section 1520.17] … is grounds [only] for a civil penalty and other enforcement or corrective action by DHS, and appropriate personnel actions for federal employees.”
The lawmakers’ implied intent in their questions to Napolitano can be construed to mean they are interested in seeking legal remedies and penalties that may be available to the government to discourage unauthorized disclosures of SSI materials by legitimate news organizations, bloggers, public websites, etc. – a slippery slope toward encroaching on the First Amendment and prior restraint of the press, even if the web-blog and whistle blower websites that originally made the SOP public aren’t news organizations in the traditional sense, but still have the luxury under the First Amendment to publish the SOP.
{mospagebreak}A variety of genuine news organizations followed up by also publishing the document, but while they, as legitimate news entities certainly have the First Amendment right to do so, everyone who published it had the moral obligation not to, critics argue.
News organizations have a history of not publishing damaging national security information, but there are well known examples in recent years of some who did in fact do grave damage by exposing classified intelligence programs and activities. Similarly, TSA insiders said those news organizations and bloggers who were compelled to make the unredacted SOP available on their websites caused considerable aggravation, when they could, the sources said, have just as easily generally described what the SOP contained and why its improper redaction and posting was damaging.
Even Federation of American Scientists (FAS) Government Secrecy Project Director Steven Aftergood said “had we been the ones to discover the unredacted manual, we probably would have refrained from publishing it.”
The Government Secrecy Project regularly publishes non-classified but restricted governmentmaterials, but also routinely refrains from publishing documents that contain highly sensitive national security information.
Aftergood went on to note that “the short answer seems to be that existing legal authorities cannot easily be used to compel the removal of such records from public websites, and that any attempt to do so would likely be counterproductive, and would itself do damage to press freedom and other societal values.”
He’s probably right. But one can hardly ignore the latest perennial conversations on the Hill and at the White House about imposing some sort of restrictions on the press when it comes to publication of “national security” information.
Beginning in earnest with the Reagan administration, the federal government has regularly resurrected threats to impose on the press something like Britain’s Official Secrets Act. In the waning days of the Clinton presidency, Congress actually passed legislation that for the first time would have in effect criminalized the leaking of secrets to the press, and, by extrapolation, potentially could have been used to seek criminal charges against journalists and news organizations. Clinton vetoed the legislation.
Under the Bush administration, the notion was raised again, but early on it was quashed by the White House.
There are little known legal precedents on the books that federal prosecutors conceivably could use (and certainly have considered using) to indict reporters, publishers, and broadcasters, but each time they’ve been broached and thought through, they’ve been dropped, largely because of the political backlash, but also because the federal government has yet to aggressively seek to prosecute a member of the press for publishing or broadcasting a leaked classified secret.
Nevertheless, with each successive Congress and administration, the fervor to make it a crime for the press to expose leaked secrets – even secrets the government has inadvertently put into the public domain itself – has grown a little stronger.
Observers said a case can be made that there also needs to be some common sense on the part of the press, bloggers, editorialists, and the like in how they deal with certain very sensitive or classified national security data.
Meanwhile, Rep. Sheila Jackson-Lee (D-TX), chairwoman of the House Committee on Homeland Security’s Subcommittee on Transportation Security and Infrastructure Protection, said she would introduce legislation to bar contractors from access to “sensitive security information,” since contractors apparently were at fault in the inadvertent disclosure of the TSA screening SOP manual. “It’ll be my legislative initiative to insist that contract employees not be used to handle sensitive security information, period,” she said.
Although Jackson-Lee wrote a few days ago in an op-ed that she intended to write legislation “that will make America better prepared to fight terrorists’ attacks,” any such legislation that would prohibit contractors from having access to SSI would cause extraordinary problems. Many contractors must have access to SSI to perform their contracted jobs for TSA and many other DHS components, just as Intelligence Community and Department of Defense contractors must have secret and top secret clearances to classified information in order to do their contracted jobs.
Further exacerbating the simmering issue of leaks of SSI materials, in an unprecedented move TSA last week sought to force two reporters who published a TSA Security Directive to tell them who had leaked it to them.
The SSI-sensitive TSA SD-1544-09-06 had been issued within hours of the botched Christmas Day bombing of the Northwest Airlines flight and was soon leaked to travel bloggers Steve Frischling and Chris Elliott, who both promptly published it on their blogs.
On December 28, TSA Special Agents visited the homes of both reporters and served them subpoenas that demanded they reveal who leaked the directive to them within roughly 48 hours.
{mospagebreak}“They’re saying it’s a security document but it was sent to every airport and airline,” Frischling told WIRED’s online “Threat Level” column. “It was sent to Islamabad, to Riyadh, and to Nigeria. So they’re looking for information about a security document sent to 10,000-plus people internationally. You can’t have a right to expect privacy after that.”
While Frischling is technically correct, SSI-designated information is prohibited from disclosure to anyone who does not have a need to know pursuant to Section 1520.11 of Title 49: Transportation, Part 1520 – Protection of Sensitive Security Information, and there are civil and other penalties for unauthorized disclosure to persons not authorized to have access to SSI materials.
Continuing, Frischling wrote that "two United States Transportation Security Administration Special Agents came to my home with a subpoena and stayed for more than two hours questioning me on how I came to be in possession of Security Directive SD-1544-09-06."
Frischling has worked for Life, Time, Newsweek, the New York Times, and was embedded with troops in Iraq.
Then, “on the 30th of December the same two US TSA Special Agents from the previous night returned to my home and removed my laptop from my house at approximately 10:30am and returned it around 4:20pm.
“The TSA was looking for the email address of the person who sent me Security Directive SD-1544-09-06. I did not have the email address and knew it was not on my hard-drive. However, the computer was removed to be searched by a Secret Service computer forensics expert. The search yielded nothing.”
“What worries me is this,” Frischling wrote, “and not for my own security and freedom, but for the safety of the traveling public which the TSA is charged with protecting. Why was I assigned two high-ranking TSA Special Agents?
“One Special Agent, out of Boston, served with Secret Service for more than 30 years and has also served in the role of Director of Counter Terrorism & Law Enforcement with the US Attorney’s Office. The other Special Agent, from NewJersey, served more than 20 years with the Secret Service, leaving the Secret Service in the position of Assistant Special Agent in Charge of the New York Field Office, and then going onto work as a Deputy Director of Global Security.
“The agent from Boston joined the TSA as a Special Agent in October 2009; the agent from New Jersey also joined the TSA as a Special Agent in 2009.”
“I understand the TSA’s concern in finding their internal leak,” Frischling stated, “however, as much of the media has reported, the TSA appears to be using a heavy handed tactic in coming after Chris Elliot and myself regarding this issue. These two agents, with more than a combined history of 50 years of working as Secret Service investigators, may be better tasked to dealing with matters of direct national security issues.
“The Department of Homeland Security could have better allocated its resources of two clearly senior investigators researching something more befitting their experience and expertise. The Department of Homeland Security could have better allocated its resources in having a Secret Service computer forensics specialist travel more than 100 miles to image my hard-drive.”
Frischling further wrote that “when the TSA removed my laptop from my home, my computer and system was functioning perfectly. Shortly before the TSA returned to my home they called me to tell me that the Secret Service computer forensic investigator was encountering many ‘bad sectors’ in my hard drive. Upon checking my MacBook following its return, and running Disk Utility it appears that I have many bad sectors in my hard drive, countless errors in my operating system, my MacBook will not synch with Time Machine to be backed up, my audio is no longer working and a red-light inside my audio jack is on constantly.”
Chris Elliot, a travel journalist who is National Geographic Traveler’s Reader Advocate and writes a regular column for the Washington Post and MSNBC, wrote about his TSA subpoena on his blog. He and his attorneys also notified TSA they planned to challenge the subpoena this week in federal court.
“Interestingly, what led to the publication of the security directive was a total void of useful information about what to expect when flying,” Elliot just wrote in his latest MSNBC column.
“I had asked the TSA for a comment but it didn’t respond,” Elliot wrote, adding “the statements on its website about additional security precautions were vague, at best. Why did the TSA withhold this information, choosing to reveal it only to airlines and airports? Didn’t the public need to know about the additional restrictions when flying into the country? What could possibly be gained from keeping such changes secret?
{mospagebreak}“I don’t know,” Elliot wrote, “but one thing seems clear: Unless the TSA is reformed soon, we should anticipate more secret directives and hopelessly vague directions from the agency. In other words, we shouldn’t presume to be treated with any kind of consistency when we’re screened at the airport.”
Actually, TSA security directives, just like screening SOPs and other transportation-related SSI-designated materials, are all restricted from dissemination to individuals who do not have a need to know – and that includes the general public – for legitimate reasons.
“Certain security screening protocols and activities you quite obviously do not want to broadcast to terrorists,” a senior TSA official told HSToday.us.
And as HSToday.us pointed out in its report on the widespread posting of the TSA screening SOP manual, it caused more headaches for TSA and aviation security than the agency has publically acknowledged, according to agency insiders who were interviewed on condition of anonymity because of the sensitivity of their positions.
A TSA official explained on background, “TSA has a layered approach to security that allows us to surge resources as needed on a daily basis. We have the ability to quickly implement additional screening measures including explosive detection canine teams, gate screening, behavior detection and other measures both seen and unseen. These measures are designed to be unpredictable, so passengers should not expect to see the same thing at every airport, and visible measures aren’t an indicator of a higher threat.”
Coming on the heels of the widespread condemnation of TSA for having subpoenaed the two journalists, the agency almost as quickly announced that its investigation was “nearing a successful conclusion and the subpoenas are no longer in effect.”
Presumably, TSA got the information it needed from Frischling’s computer or, as others have suggested, through having subpoenaed Google, since the securitive directive appeared to have been sent from a Gmail account.
Neither TSA nor Google have commented on whether Google was subpoenaed.
TSA dropped its legal action against Frischling and Elliott, and apologized for its strong-arm tactics, which if TSA had continued to pursue would very likely have pitched it against the press in an unprecedented showdown between the government and the media over leaks of sensitive but unclassified information.
Prior to the announcement, TSA spokeswoman Suzanne Trevino stated that security directives “are not for public disclosure,” adding, “TSA’s Office of Inspections is currently investigating how the recent security directives were acquired and published by parties who should not have been privy to this information,” even though disclosure of the earlier airport screening SOP manual was improperly redacted and posted by a TSA contractor on a federal website.
Meanwhile, TSA announced that the securitive directive that was issued in response to the attempted bombing of the Northwest Airlines flight that was set to expire February 2 would be extended through at least February 3, and that it is being refining for possible further extension, although officials said any changes are likely to be minor – which raises the question about what all the ruckus over its leak was about since its security protocols are now widely known.
Although TSA said the directive was not supposed to be disclosed to the public, many of the security measures it ordered nevertheless were immediately obvious to flyers. Napolitano herself and other TSA officials acknowledged that some of the measures would be obvious to flyers.
Napolitano said “passengers flying from international locations to US destinations may notice additional security measures in place,” adding, “these measures are designed to be unpredictable, so passengers should not expect to see the same thing everywhere. Due to the busy holiday travel season, both domestic and international travelers should allot extra time for check-in.”
According to a DHS official who spoke on background, its more obscure websites are being “pinged” in what they said is an obvious “systematic” effort to search for additional documents containing SSI that may not have been properly redacted.
The official also said “there’s been an awful lot of training going on” for employees – and contractors – to make sure they know exactly how to redact SSI.

(Visited 5 times, 1 visits today)

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Leave a Reply