
Consumer Affairs

TSA Site Left Passenger Data Exposed To ID Theft

Poor design, inadequate oversight, led to information breach



It's a turn of events that Franz Kafka would have to admire.

A site designed for the Transportation Security Administration (TSA) to help airline passengers remove their names from terrorist watch lists was so poorly constructed and lacking security that users of the site may be at risk for identity theft.

House Democrat Henry Waxman (D-CA), chairman of the Committee on Oversight and Government Reform, blasted the TSA and a small Virginia Web services company called Desyne for launching a Web site that "violated basic operating standards of web security and failed to protect travelers' sensitive personal information."

The 12-page report from Waxman's office found that "these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight."

According to the report, the "Traveler Redress" Web site was farmed out to Desyne in a no-bid contract with no other competition. Desyne's cozy relationship with the TSA could be traced back to Nicholas Panunzio, the head of the project, who had known Desyne's CEO for many years and was himself a former Desyne employee.

TSA investigators also failed to oversee the project adequately, and so did not catch conflicts of interest such as Panunzio's.

Unsecured sites

The Web site itself was not hosted on a government domain (a ".gov" address) but on a commercial Web domain operated by Desyne. Many of the pages designed to collect sensitive personal information were not encrypted at all, and even the pages that used Secure Sockets Layer (SSL) encryption did not carry certificates vouching that the site was genuinely secure. In one case, Desyne signed its own security certificate for the page.

These vulnerabilities could have enabled hackers to access the information without the user -- or the site owners -- being aware of it.
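As an added illustration (not code from the article, the TSA or Desyne), here are two checks an auditor could run to catch the two weaknesses described above: a certificate whose issuer is itself, and forms that submit personal data without encryption. Inputs are constructed samples embedded in the script; the host name is a placeholder.

```python
# Added example: audit checks for a self-signed certificate and for forms that
# post without TLS. All inputs below are constructed, not taken from the site.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the dict ssl.SSLSocket.getpeercert() returns; for a
# self-signed certificate the issuer and subject fields are identical.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "redress.example-contractor.test"),),),
    "issuer": ((("commonName", "redress.example-contractor.test"),),),
}

def is_self_signed(cert: dict) -> bool:
    """True when the certificate's issuer equals its subject (no CA behind it)."""
    return cert.get("subject") == cert.get("issuer")

class _FormCollector(HTMLParser):
    """Collects the absolute action URL of every <form> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            action = dict(attrs).get("action") or ""
            # Resolve relative actions against the page URL, as a browser would.
            self.actions.append(urljoin(self.page_url, action))

def insecure_form_actions(page_url: str, html: str) -> list:
    """Return form submission URLs that are not served over https."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    return [a for a in collector.actions if urlparse(a).scheme != "https"]

# Constructed sample page: one form posts over plain http, one relative form
# inherits the page's http scheme, one posts over https and is fine.
SAMPLE_PAGE_URL = "http://redress.example-contractor.test/apply.html"
SAMPLE_HTML = """
<form action="http://redress.example-contractor.test/submit" method="post">
  <input name="ssn"></form>
<form action="/submit2" method="post"><input name="dob"></form>
<form action="https://redress.example-contractor.test/submit3" method="post"></form>
"""

if __name__ == "__main__":
    print("self-signed certificate:", is_self_signed(SELF_SIGNED_CERT))
    for url in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits without TLS:", url)
```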

The site's vulnerabilities were first discovered by University of Indiana student Chris Soghoian, a blogger who had earlier gained a measure of notoriety for creating an online "boarding pass generator" that could generate fake boarding passes. Soghoian claimed to have created the generator to demonstrate how easily the TSA's security procedures could be circumvented.

Although the "Traveler Redress" site was redirected to a TSA subdomain not long after the problems were exposed, neither Desyne nor Panunzio was disciplined or penalized for them.

Desyne has received $500,000 worth of no-bid contracts from TSA and the Department of Homeland Security, and an internal investigation of Panunzio found no wrongdoing on his part, since he did not personally profit from the contract, investigators said.

Insecure flights

The Desyne scandal is only the latest in a long string of security mishaps that have plagued TSA in recent years.

Its "terrorist watch lists" have been roundly criticized for adding thousands of names based on dubious criteria.

Removing oneself from a terrorist watch list is an onerous procedure, involving sending copious amounts of personal information to the TSA to prove one's identity. Security analysts have criticized the lists as a placebo measure that doesn't actually make it easier to track terrorists.

The TSA had initially hired another contractor to collect data on millions of Americans as part of a study for its ill-fated "Secure Flight" program. The Government Accountability Office (GAO) reported that the data collection took place in violation of the Privacy Act and was done without public knowledge.

The "Secure Flight" program, created to match passenger names to "watch lists," was eventually grounded after four years and $150 million spent, due to numerous security and planning problems in the project.

TSA has also violated individual privacy by accident on several occasions. The agency lost a hard drive containing the personal information of 100,000 TSA employees in May 2006. Another contractor for TSA, Accenture, mixed up personal documents for 1,200 employees, sending them to the wrong addresses in September 2006.
