Jan 20 2023

The #NoFly list is a #MuslimBan list

[CommuteAir routes operated as “United Express”]

In news first reported by Mikael Thalen and David Covucci of of the Daily Dot, Swiss hacker maia arson crimew has found versions of the Transportation Security Administration’s “No-Fly” and “Selectee” lists dating from 2019 on insecure Amazon Web Services cloud servers used by the airline CommuteAir for software development and staging.

CommuteAir is little known in its own name, but operates as a subcontractor to United Airlines for flights by regional jets between United hubs and secondary airports marketed under the “United Express” brand with United Airlines flight numbers.

In a statement to the Daily Dot, CommuteAir confirmed that, “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth.”

This isn’t the first time that information about the TSA’s “watchlists” (blacklists) and related procedures has been leaked or left exposed on the Internet. In 2009, the TSA posted an unredacted copy of its Standard Operating Procedures for “screening” of airline passengers on a Federal government website for contractors. In 2014, the Terrorist Screening Center’s Watchlisting Guidance, which describes the methodology and purported basis for entering names on the No-Fly, Selectee, and other blacklists, was obtained and published by The Intercept.

The lists found by maia and shared with journalists and researchers confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.

The data in the files found by maia is limited to first and last name and date of birth and a sequence number for each listing, but there are headers for several other fields that are blank in most of the records: place of birth, citizenship, passport or ID number, “MISC”, and a blank field labeled “CLEARED” which may have been used to indicate those entries that were intended to be to be whitelisted rather than blacklisted.

The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming  names. More than 10% of the entries on the No-Fly list (174,202 of 1,566,062)  contain “MUHAMMAD” in either the first or last name fields. “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” maia told the Daily Dot.

[Some of the listings for Osama Bin Laden — already long dead — on the 2019 No-Fly List]

The “NOFLY.csv” file found by maia contains 1,556,062 entries. The “SELECTEE.csv” file contains 251,169. The youngest of those on this version of the No-Fly List, as of 2019, were three four-year-olds. The oldest were twenty-five centenarians.

The relative numbers of entries on the two lists are counter-intuitive and, when you think about it, disturbing.

A rational decision-maker would recognize that predictions are, at best, highly uncertain. For every case in which a would-be passenger seems to present such a clear and present danger as to justify denial of access to the services of a common carrier, we would expect that there would be many cases where there was some evidence of possible risk, enough to justify some extra precautions (e.g. a more through search for weapons or explosives) but not enough to  justify a categorical no-fly order.

There should, therefore, be many more entries on the selectee list than on the no-fly list.

That the No-Fly list is six times as large as the Selectee list suggests either that the government wrongly believes that it has near-perfect precogs and that uncertainty as to travelers’ criminal intentions (as inferred from profiling algorithms) is rare, or that the government is erring on the side of saying “no”, and violating the presumption of innocence and the right of access to common carriers, by putting most uncertain or edge cases on the No-Fly list rather than the Selectee list.

It’s also significant and disturbing that these No-Fly and Selectee lists were found on airline servers and are being used in airline software applications.

To understand why this is problematic, it’s important to keep in mind that decisions to prevent would-be travelers from flying or to subject them to more intrusive search, questioning, or other special treatment aren’t based solely on the No-Fly and Selectee lists. These decisions are made in real time, each time you try to fly, by precrime predictive algorithms and human staff of the TSA (for domestic flights within the US) and US Customs and Border Protection (for international flights to, from, or via the US or US airspace).

Each airline that serves (or overflies) the US must send information about each passenger, in advance, to the TSA or CBP, and is forbidden to issue a boarding pass or allow a passenger to board a plane unless and until TSA or CBP gives explicit, individualized, permission in the form of a per-passenger, per-flight Boarding Pass Printing Result (BPPR).

As was revealed during the first trial in a court challenge to a no-fly order, the BPPR can contain handling codes instructing the airline and TSA checkpoint staff how to proceed. If  a reservation matches an entry on the “selectee” list, or is selected based on other data and rules in the selection algorithm, the BPPR will direct the airline and/or checkpoint staff to conduct a more intrusive (warrantless) search and/or questioning of the would-be traveler.

The sets of rules used in TSA and CBP precrime prediction algorithms include both list-based rules and non-list-based rules based on other attributes contained in or inferred from airline reservations and linked databases.

If the data about you in an airline reservation is determined to match an entry in the No-Fly list closely enough, the TSA or CBP won’t let you fly. But even if the information about you that the airline sends to the TSA or CBP isn’t found to match an entry on one of these lists, the TSA or CBP may decline to give the airline permission to let you on the plane if the algorithm generates too high a precrime risk score.

(This system is now being globalized under United Nations and ICAO mandates, ignoring the provisions of human rights treaties that recognize a right to freedom of movement.)

Airlines used to make fly/no-fly decisions based on lists provided by the government, but that was changed in 2009 when the government switched to a real-time profiling and permission-to-fly system operated by the TSA and CBP. Whatever CommuteAir was doing with these lists, it wasn’t supposed to be using them to make fly/no-fly decisions.

This brings us to a key question: If the No-Fly and Selectee lists are only part of the basis for no-fly decisions, those decisions are made by government agencies and not airlines, and each airline has to send information about each passenger and wait for a BPPR (including any handling codes telling the airline what to do) before issuing a boarding pass, even if the name on the reservation doesn’t match any of the names on these lists, what are these lists doing  on airline servers and how are they being used by airlines?

The answer, unsurprisingly, is mission creep.

maia found these lists in repositories used by CommuteAir for software development and testing. “The project these were used in proactively checks the lists against a list of the entire airline staff to check if any of their staff are on nofly or selectee” lists, maia told us.

The decisions to put names on these lists were made based on who was (supposedly) predicted to be likely to try to commit future crimes on airplanes. But after the lists were created on that basis, they are being used as blacklists affecting a wider range of activities, without even the pretense of any determination actually related to those activities.

The use of the NOFLY.csv and SELECTEE.csv files found by maia is just one example of where this has already led: If the robo-precogs think you are so suspicious that you should always be groped before being allowed to fly, and you therefore are put on the Selectee list, that has now become a barrier to being able to get a job cleaning the toilets in an airline office downtown, far from any airport, or working in an airline’s advertising department, even if those jobs would not give you any opportunity to attack planes.

Thanks to the exposure of these lists, it will be easier for those who are prevented from flying, or harassed when they fly (or who were as of 2019) to find out whether this is because their information matches an entry on one of these lists or for some other reason (such as real-time algorithmic profiling or human bias or malice).

Be aware, however, that not being on the No-Fly or Selectee blacklists doesn’t mean you aren’t on a watchlist or targeted for special treatment when you fly. TECS alerts can be, and are, used to flag airline reservations of persons of interest, based on identifying information (name, passport number, etc.) or other data (phone number, credit card number, etc.) in reservations. You can be the subject of a TECS alert that will tip off Federal agents to your travel plans, regardless of whether you are on the No-Fly or Selectee lists.

But knowing who is (or was)  on the No-Fly and Selectee lists is not enough. How much more evidence do we need of what’s wrong with these lists, how they are constructed, and how they are used?

We need to get rid of this whole system, restore the right to travel by common carrier, and let people fly unless their right to do so has been restricted by court order.

[Correction, January 22, 2023: Due to our error in parsing the date format in the original file, the version of the article above as originally published had incorrect numbers for the youngest and oldest entries on the No-Fly list. The youngest listings were for four-year-olds, not fourteen-year-olds; there were 25, not 19, listings for people more than 100 years old. The article above has been corrected. Some additional notes about this version of the No-Fly list: The “CITIZENSHIP” column is blank except for 1,637 listings tagged as “PK” for Pakistan, 81 tagged as “AF” for Afghanistan, and 73 tagged as “TH” for Thailand. 7,729 listings include a date of birth of January 1, 1970, which suggests that this was a default used in cases of missing or unknown birthdates. “MUHAMMAD” (174,202 occurrences) is by far the most common spelling/transliteration in the No-Fly list. There are also 51,933 entries with “MOHAMMED” in the first or last name field, 34,040 with “MOHAMED”, 8,792 with “MUHAMMED”, and 3,775 with “MUHAMAD”.]

60 thoughts on “The #NoFly list is a #MuslimBan list

  1. @bugs – maia has provided copies of the lists it found to journalists and researchers, but has not posted them publicly or made them available to others for public posting. According to maia’s blog post, “while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, please reach out at nofly@crimew.gay. i will only give this data to parties that i believe will do the right thing with it.”

  2. Pingback: Links 21/01/2023: GCompris 3.1 and General News | Techrights

  3. Pingback: Hacktivista encontra lista ‘No-Fly’ dos EUA, revela viés sistêmico e vigilância – Blog com Café

  4. Pingback: A bored hacktivist searching an unsecured airline server stumbled across national security secrets, including the FBI's "no fly" list. She says that what she found reveals a "perverse consequence of the surveillance state." - Loca

  5. Pingback: A bored hacktivist browsing an unsecured airline server stumbled upon national security secrets including the FBI's 'no fly' list. She says what she found reveals a 'perverse outgrowth of the surveillance state.' - Minnesota Busin

  6. Pingback: Hacktivist trova la lista “No-Fly” degli Stati Uniti, rivela pregiudizi sistemici, sorveglianza – Notizie WCCO

  7. Pingback: Un hacktiviste trouve une liste d'interdiction de vol aux États-Unis, révèle un biais systémique et une surveillance - NOUVELLES EPOCH

  8. Pingback: A bored hacktivist browsing an unsecured airline server stumbled upon national security secrets including the FBI's 'no fly' list. She says what she found reveals a 'perverse outgrowth of the surveillance state.' | Stateside Alter

  9. Pingback: Hacktivist Finds US 'No-Fly' List, Reveals Systemic Bias, Surveillance - TECHOYUM

  10. Pingback: Hacktivista encuentra la lista de 'No volar' de EE. UU., revela sesgo sistémico, vigilancia - Andromedaszn

  11. Pingback: Hacktivist намира американския списък със забранени полети, разкрива системни пристрастия, наблюдение - Актуализирано време за новини

  12. Pingback: Hacktivistas surado JAV neskraidančių sąrašą, atskleidžia sisteminį šališkumą, stebėjimą - Glowclarity.com

  13. Pingback: A hacker stumbled upon TSA's no-fly list via unsecured airline server - My Blog

  14. how can we check if we are on the list? can something be made so a person can check if they know the full name and DOB to guard for privacy and also find out?

  15. Pingback: Un hacktiviste ennuyé naviguant sur un serveur de compagnie aérienne non sécurisé est tombé sur des secrets de sécurité nationale américains - Nouvelles Du Monde

  16. Pingback: A Swiss Hacker Stumbled Upon the FBI’s ‘No Fly List’ – What They Found Is Disturbing: Report – ConservativeNewsBriefing

  17. Pingback: A Swiss Hacker Stumbled Upon the FBI’s ‘No Fly List’ – What They Found Is Disturbing: Report – Cybernistas

  18. Pingback: TSA的禁飞名单被黑客曝光,是她“无聊”时发现的 - Ktromedia.com

  19. Pingback: TSA’s no-fly list was exposed by a “bored” hacker – Daily Buzz

  20. Pingback: TSA'nın uçuş yasağı listesi, onu "sıkıldığında" bulan bir bilgisayar korsanı tarafından ifşa edildi. - Coin Baba

  21. Pingback: January 23, 2023 – Progressive News Service

  22. Pingback: How a Hacker Discovered the TSA’s No-Fly List – 24/7 News

  23. Pingback: How a Hacker Unearthed the TSA No-Fly List – AnyGeekOut

  24. Pingback: Bir Hacker TSA Uçuşa Yasak Listesini Nasıl Ortaya Çıkardı? - Otomobil Delisi

  25. Pingback: How a Hacker Unearthed the TSA No-Fly List - News Concerns

  26. Pingback: How a Hacker Unearthed the TSA No-Fly List - Jalopnik India

  27. “Tientallen Nederlanders staan op no-flylijst van de FBI, onder wie Laura H. en Tanja Nijmeijer. Ongewenst in de VS De Amerikaanse no-flylijst is veel groter dan gedacht, blijkt uit een gelekt document dat is ingezien door NRC. Op de lijst staan zeker tientallen Nederlanders.” (Stijn Bronzwaer & Wilmer Heck, NRC, January 24, 2023)

  28. Pingback: Peretas Menemukan Daftar ‘Larang Terbang’ AS, Mengungkap Bias Sistemik, Pengawasan – maspras

  29. Pingback: A Swiss Hacker Stumbled Upon the FBI's 'No Fly List' - What They Found Is Disturbing: Report - secondrightnews

  30. Pingback: A bored hacktivist browsing an unsecured airline server stumbled upon national security secrets including the FBI's 'no-fly' list. She says what she found reveals a 'perverse outgrowth of the surveillance state.' - Minnesota Busin

  31. The fact that the corrections to this article included that the youngest on the list were Toddlers instead of Preteens as well as getting the number of people over 100 TOO LOW… that just says everything for me.

  32. Pingback: Hacktivist Finds US 'No-Fly' List, Reveals Systemic Bias, Surveillance - 4Suisse

  33. “Islamistes, militants de Tarnac, cadres de Lafarge : ces Français qui figurent dans la liste des «interdits de vol» du FBI dévoilée par une hackeuse” (by Alexandre Horn, Fabien Leboucq, and Jacques Pezet, Liberation, January 27, 2023)

  34. Pingback: A blacklist is not a basis for search or seizure – Papers, Please!

  35. The very existence of the “no-fly” list is one reason why it is my personal conviction that the Stars and Stripes has morphed into the equivalent of a Swastika.

  36. Pingback: No-Fly-List der USA: In schlechter Gesellschaft

Leave a Reply

Your email address will not be published. Required fields are marked *