TSA Security Operating Procedures
Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).”
It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions are generally reasonable, covering things like the gauge of wire which needs to be detectable for an xray machine to be considered operational. That’s not something we need to know about to debate the right of free travel. We can assume that there’s some level that the machines are set to, and that’s ok. There are a few redactions where I disagree, like ones about who’s exempted from special security treatment. In a democratic society, we should be able to ask “should members of Congress be subject to the same treatment as the rest of us?”
Generally, what’s in the document is not likely to surprise anyone who flies often and pays attention. What’s most interesting to me are actually some of the non-redacted bits:
2.7. PHOTOGRAPHING, VIDEOTAPING, AND FILMING SCREENING LOCATIONS
A. TSA does not prohibit the public, passengers, or press from photographing, videotaping, or filming screening locations unless the activity interferes with a TSO’s ability to perform his or her duties or
prevents the orderly flow of individuals through the screening location. Requests by commercial entities to photograph an airport screening location must be forwarded to TSA’s Office of Strategic Communications and Public Affairs. Photographing EDS (Explosive Detection Systems) or ETD (Explosive Trace Detection) monitor screens or emitted images is
B. TSA must not confiscate or destroy the photographic equipment or film of any person photographing the
That’s very interesting, and not in accordance with signs I’ve seen.
2.11. INDIVIDUALS WHO REFUSE SCREENING OF THEIR PERSON
The screening process of an individual begins when he or she walks through a WTMD (or an ETP if it is placed ahead of the WTMD at ETP-equipped checkpoints), or a TSO grants an individual’s request for specialized screening. Once screening has begun, an individual may not withdraw from the screening process. […]
B. If an individual refuses to complete screening after screening has begun, the TSO must notify the STSO. The STSO must advise the individual that the screening process must be completed. The STSO must then offer the individual a final opportunity to complete the screening process. If the individual continues to
refuse screening, the STSO must:
1) Notify an LEO and request that the LEO assist in completing screening of the individual
2) Ensure that screening of the individual’s accessible property is completed
3) Inform TSA management if the LEO permits the individual to return to the public area without completing screening
C. If the individual, who has refused to complete screening, returns to the public area prior to clearance or the arrival of an LEO:
1) Screening personnel must attempt to keep the individual under constant observation until an LEO arrives.
2) Screening personnel must not physically detain or hinder the movement of the individual.
This is also a very interesting section. The individual “may not withdraw” but TSA may not detain or hinder someone who tries to leave. I believe that there have been questions raised about this, and now that this is public, I expect more.
Finally, I found 3.9.2.B, “TIP User ID requirements” interesting
The user ID number must contain at least four alphanumeric characters, usually comprised of the last four digits of the employee’s Social Security number, and it must be no greater than the number of characters
permitted by the x-ray manufacturer. Each user must choose a unique password containing at least four, but no greater than six, alphanumeric characters.
At first, I boggled at this. A 6 character password? Really? Then, as I thought about it, I realized that this isn’t that unreasonable. The machines are in physically secured areas. The data on them isn’t that valuable. It’s probably reasonable.
As an aside, are there fewer than 10,000 TIP operators? If not, there are certainly collisions in the user ID space. Otherwise, it’s a birthday problem.
[Update: Jon Stewart has assembled up some of the news reports, and Ed Hasbrouck covers the FOIA and legal aspects. ]