In news first reported by Mikael Thalen and David Covucci of the Daily Dot, Swiss hacker maia arson crimew has found versions of the Transportation Security Administration’s “No-Fly” and “Selectee” lists dating from 2019 on insecure Amazon Web Services cloud servers used by the airline CommuteAir for software development and staging.
CommuteAir is little known in its own name, but operates as a subcontractor to United Airlines for flights by regional jets between United hubs and secondary airports marketed under the “United Express” brand with United Airlines flight numbers.
In a statement to the Daily Dot, CommuteAir confirmed that, “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth.”
This isn’t the first time that information about the TSA’s “watchlists” (blacklists) and related procedures has been leaked or left exposed on the Internet. In 2009, the TSA posted an unredacted copy of its Standard Operating Procedures for “screening” of airline passengers on a Federal government website for contractors. In 2014, the Terrorist Screening Center’s Watchlisting Guidance, which describes the methodology and purported basis for entering names on the No-Fly, Selectee, and other blacklists, was obtained and published by The Intercept.
The lists found by maia and shared with journalists and researchers confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.
The data in the files found by maia is limited to first and last name, date of birth, and a sequence number for each listing, but there are headers for several other fields that are blank in most of the records: place of birth, citizenship, passport or ID number, “MISC”, and a blank field labeled “CLEARED” which may have been used to indicate those entries that were intended to be whitelisted rather than blacklisted.
The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names. More than 10% of the entries on the No-Fly list (174,202 of 1,566,062) contain “MUHAMMAD” in either the first or last name fields. “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” maia told the Daily Dot.
The “NOFLY.csv” file found by maia contains 1,556,062 entries. The “SELECTEE.csv” file contains 251,169. The youngest of those on this version of the No-Fly List, as of 2019, were three four-year-olds. The oldest were twenty-five centenarians.
The relative numbers of entries on the two lists are counter-intuitive and, when you think about it, disturbing.
A rational decision-maker would recognize that predictions are, at best, highly uncertain. For every case in which a would-be passenger seems to present such a clear and present danger as to justify denial of access to the services of a common carrier, we would expect that there would be many cases where there was some evidence of possible risk, enough to justify some extra precautions (e.g. a more thorough search for weapons or explosives) but not enough to justify a categorical no-fly order.
There should, therefore, be many more entries on the selectee list than on the no-fly list.
That the No-Fly list is six times as large as the Selectee list suggests either that the government wrongly believes that it has near-perfect precogs and that uncertainty as to travelers’ criminal intentions (as inferred from profiling algorithms) is rare, or that the government is erring on the side of saying “no”, and violating the presumption of innocence and the right of access to common carriers, by putting most uncertain or edge cases on the No-Fly list rather than the Selectee list.
It’s also significant and disturbing that these No-Fly and Selectee lists were found on airline servers and are being used in airline software applications.
To understand why this is problematic, it’s important to keep in mind that decisions to prevent would-be travelers from flying or to subject them to more intrusive search, questioning, or other special treatment aren’t based solely on the No-Fly and Selectee lists. These decisions are made in real time, each time you try to fly, by precrime predictive algorithms and human staff of the TSA (for domestic flights within the US) and US Customs and Border Protection (for international flights to, from, or via the US or US airspace).
Each airline that serves (or overflies) the US must send information about each passenger, in advance, to the TSA or CBP, and is forbidden to issue a boarding pass or allow a passenger to board a plane unless and until TSA or CBP gives explicit, individualized, permission in the form of a per-passenger, per-flight Boarding Pass Printing Result (BPPR).
As was revealed during the first trial in a court challenge to a no-fly order, the BPPR can contain handling codes instructing the airline and TSA checkpoint staff how to proceed. If a reservation matches an entry on the “selectee” list, or is selected based on other data and rules in the selection algorithm, the BPPR will direct the airline and/or checkpoint staff to conduct a more intrusive (warrantless) search and/or questioning of the would-be traveler.
The sets of rules used in TSA and CBP precrime prediction algorithms include both list-based rules and non-list-based rules based on other attributes contained in or inferred from airline reservations and linked databases.
If the data about you in an airline reservation is determined to match an entry in the No-Fly list closely enough, the TSA or CBP won’t let you fly. But even if the information about you that the airline sends to the TSA or CBP isn’t found to match an entry on one of these lists, the TSA or CBP may decline to give the airline permission to let you on the plane if the algorithm generates too high a precrime risk score.
(This system is now being globalized under United Nations and ICAO mandates, ignoring the provisions of human rights treaties that recognize a right to freedom of movement.)
Airlines used to make fly/no-fly decisions based on lists provided by the government, but that was changed in 2009 when the government switched to a real-time profiling and permission-to-fly system operated by the TSA and CBP. Whatever CommuteAir was doing with these lists, it wasn’t supposed to be using them to make fly/no-fly decisions.
This brings us to a key question: If the No-Fly and Selectee lists are only part of the basis for no-fly decisions, those decisions are made by government agencies and not airlines, and each airline has to send information about each passenger and wait for a BPPR (including any handling codes telling the airline what to do) before issuing a boarding pass, even if the name on the reservation doesn’t match any of the names on these lists, what are these lists doing on airline servers and how are they being used by airlines?
The answer, unsurprisingly, is mission creep.
maia found these lists in repositories used by CommuteAir for software development and testing. “The project these were used in proactively checks the lists against a list of the entire airline staff to check if any of their staff are on nofly or selectee” lists, maia told us.
The decisions to put names on these lists were made based on who was (supposedly) predicted to be likely to try to commit future crimes on airplanes. But after the lists were created on that basis, they are being used as blacklists affecting a wider range of activities, without even the pretense of any determination actually related to those activities.
The use of the NOFLY.csv and SELECTEE.csv files found by maia is just one example of where this has already led: If the robo-precogs think you are so suspicious that you should always be groped before being allowed to fly, and you therefore are put on the Selectee list, that has now become a barrier to being able to get a job cleaning the toilets in an airline office downtown, far from any airport, or working in an airline’s advertising department, even if those jobs would not give you any opportunity to attack planes.
Thanks to the exposure of these lists, it will be easier for those who are prevented from flying, or harassed when they fly (or who were as of 2019) to find out whether this is because their information matches an entry on one of these lists or for some other reason (such as real-time algorithmic profiling or human bias or malice).
Be aware, however, that not being on the No-Fly or Selectee blacklists doesn’t mean you aren’t on a watchlist or targeted for special treatment when you fly. TECS alerts can be, and are, used to flag airline reservations of persons of interest, based on identifying information (name, passport number, etc.) or other data (phone number, credit card number, etc.) in reservations. You can be the subject of a TECS alert that will tip off Federal agents to your travel plans, regardless of whether you are on the No-Fly or Selectee lists.
But knowing who is (or was) on the No-Fly and Selectee lists is not enough. How much more evidence do we need of what’s wrong with these lists, how they are constructed, and how they are used?
We need to get rid of this whole system, restore the right to travel by common carrier, and let people fly unless their right to do so has been restricted by court order.
[Correction, January 22, 2023: Due to our error in parsing the date format in the original file, the version of the article above as originally published had incorrect numbers for the youngest and oldest entries on the No-Fly list. The youngest listings were for four-year-olds, not fourteen-year-olds; there were 25, not 19, listings for people more than 100 years old. The article above has been corrected. Some additional notes about this version of the No-Fly list: The “CITIZENSHIP” column is blank except for 1,637 listings tagged as “PK” for Pakistan, 81 tagged as “AF” for Afghanistan, and 73 tagged as “TH” for Thailand. 7,729 listings include a date of birth of January 1, 1970, which suggests that this was a default used in cases of missing or unknown birthdates.]
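As an added illustration of the kind of analysis described above (the name-field counts, the youngest and oldest listings, and the date-parsing pitfall and January 1, 1970 default noted in the correction), here is example code that is not part of the original article and was not run on the real files. The column headers, the date formats and the sample rows are constructed assumptions, not the layout of the actual NOFLY.csv.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime
# Constructed sample in the layout the article describes (name, DOB and a
# sequence number filled in; other columns mostly blank). Header names and
# date formats are assumptions, not taken from the real NOFLY.csv.
SAMPLE_CSV = """SEQ,FIRST_NAME,LAST_NAME,DOB,POB,CITIZENSHIP,PASSPORT_ID,MISC,CLEARED
1,MUHAMMAD,EXAMPLE,1990-03-04,,PK,,,
2,JANE,DOE,2015-06-01,,,,,
3,JOHN,MUHAMMAD,1915-12-25,,,,,
4,ALI,SMITH,1970-01-01,,AF,,,
5,MARY,JONES,01/01/1970,,,,,
6,PAT,LEE,not-a-date,,,,,
"""
DEFAULT_EPOCH = date(1970, 1, 1)  # likely "unknown birthdate" placeholder
AS_OF = date(2019, 12, 31)        # the leaked file is a 2019 version

def parse_dob(text):
    # Try explicit formats only; a silently wrong format assumption is exactly
    # the error the article's correction describes. Unparseable -> None.
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None

def age_on(dob, as_of=AS_OF):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def summarize(csv_text, token="MUHAMMAD"):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ages, hits, unparsed, epoch_hits = [], 0, 0, 0
    for r in rows:
        if token in r["FIRST_NAME"] or token in r["LAST_NAME"]:
            hits += 1
        dob = parse_dob(r["DOB"])
        if dob is None:
            unparsed += 1            # report, never guess
        elif dob == DEFAULT_EPOCH:
            epoch_hits += 1          # keep out of the age statistics
        else:
            ages.append(age_on(dob))
    return {"entries": len(rows), "token_share": hits / len(rows),
            "youngest": min(ages), "oldest": max(ages),
            "centenarians": sum(a >= 100 for a in ages),
            "epoch_default": epoch_hits, "unparsed_dob": unparsed,
            "citizenship": dict(Counter(r["CITIZENSHIP"] for r in rows if r["CITIZENSHIP"]))}
```

Rows whose date of birth is the 1970-01-01 placeholder or cannot be parsed are counted separately instead of being folded into the age figures, which is what keeps the youngest/oldest numbers honest.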