No-Fly List Exposure Challenges Security and Privacy

 

CommuteAir, the Ohio-based company operating United Express flights, recently had its database hacked. Source for photo: Los Angeles Times

On January 19, 2023, a Swiss hacker released a copy of the federal No-Fly List. The list, a component of the U.S. FBI’s Terrorist Screening Database, contains identifying information of individuals with known or suspected terrorism connections strong enough that the FBI has determined their presence on commercial aircraft would pose a security risk to other passengers. The release of the list raised concerns about the security of critical infrastructure, as well as the obscurity and perceived bias of the No-Fly List system.

The hacker states that, while browsing the internet, they found a database with login credentials for the website of CommuteAir, an Ohio-based regional airline which operates United Express flights. These login credentials allowed the hacker to access a 2019 copy of two spreadsheets holding what is colloquially known as the No-Fly List. The main spreadsheet, containing 1,566,062 records, lists individuals who are deemed by the FBI to be inadmissible on commercial aircraft due to their links to terrorist organizations. The second, with 251,169 names, indicates individuals subject to additional airport security screening procedures. The list, initially created during the George W. Bush administration, was further expanded after the 9/11 terrorist attacks and eventually developed into a formalized document used for pre-screening in 2009.

The release of the list has heightened focus on questions surrounding the No-Fly List and the nature of the United States aviation system. Activists have long raised concerns about the list, claiming that the criteria for placement are obscure and that inclusion on the list cannot be easily challenged. Well-known names include arms dealer Viktor Bout and his 16 most common aliases. Yet, some of the other entries include family members of terrorists, such as an individual who was four or five years old at the time of their inclusion. Also, the high percentage of Arabic or Muslim-seeming names on the list, according to rights groups, raises concerns that list-placement determinations may be unfairly biased against Muslims, people from Arabic-speaking countries, or those of Middle Eastern origin.

The hacker claims that in addition to accessing the list, they may even have been able to take actions such as canceling flights or rescheduling crew members without prior notice. CommuteAir is a regional airline with fewer employees and a smaller route map than its larger United partner. In the hands of a more ill-intentioned actor, would this level of access produce significant compounding effects across the US aviation system? With the commercial aviation system a popular target for attackers, smaller and less-resourced operations such as CommuteAir may provide a backdoor for malicious actors looking to wreak havoc.

In response to the incident, CommuteAir stated that no active customer information was exposed. The Transportation Security Administration (TSA) has released a statement calling on all airlines and airports to increase their cybersecurity precautions. On the Congressional side, members of the Committee on Homeland Security of the US House of Representatives sent a letter to the TSA demanding assurances on the safety of critical infrastructure such as the aviation sector.

Ultimately, this event highlights the conflicting pressures of security and democracy in an increasingly online world. The No-Fly List process is notably obscure, with very few democratic checks in place to guard against abuse yet significant consequences for listed individuals. Yet the release of the No-Fly List and the sensitive personal information it contains violates deeply held privacy expectations. The subsidiary role of CommuteAir, which serves more as a United contractor than an independent competitor in its own right, brings home concerns about the role of subcontractors and contracting reliance in the critical infrastructure space. The divided responses, between calls for stricter security measures and pleas for further transparency and reform, suggest that these issues will remain salient for a long time to come.