TSA's no-bid, data-leaking website was a complete screw-up: House Oversight Committee

The TSA's Traveler Redress Website was created by a no-bid crony contractor, leaked giant amount of personal information from hundreds of travellers (who had already been screwed over by the agency and were writing in for justice) and exposed them to identity theft. The House Oversight Committee concluded that the TSA totally, absolutely screwed up.

They sure do a bang up job at stopping you from bringing water through the checkpoint though.

That's gotta count for something.

* TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the "Statement of Work" for the contract was "written such that Desyne Web was the only vendor that could meet program requirements."

* The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the "Technical Lead" on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner.

* TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured "the privacy of users and the security of the system" before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

Link (Thanks, Bill!)

Update: If you want to read the world's greatest "TSA have lied and cheated and lied and cheated" rant, check out our Teresa's post in the comment thread on the five year old whom the TSA thinks is a terr'ist.


  1. “Incredible that they would take the site live using a self-signed certificate. It shows major incompetence (elementary oversight should have caught this) and at Desyne, Inc. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues.”

    A real Gem from the pdf. on the bottom of the website.

  2. Which Congress committee is responsible for this kind of thing? I’d like to request a hearing on the matter.

  3. Not to defend the TSA, but I would like to address the no bid issue. If you solicit bids, you may be forced to accept the lowest one by the same rules that forced you to solicit bids in the first place. The problem is that the lowest bidder is rarely the best choice. It’s no excuse for governmental cronyism, incompetent design or the existence of the TSA in the first place, but there is a conundrum built into this situation.

  4. @#6:

    The issue is that they are REQUIRED to have a bidding process. You can not defend “the no bid issue” as you call it when it comes to federal contracting of this nature.

  5. @#7,

    I’m not defending them. They’re evil. I’m just pointing out that the whole US government is built to be inoperable.

  6. I looked at the Desyne website. It doesn’t say a word about their gig with TSA.

    Nor does it give names of any of the officers/principals of the company; that’s always a red flag IMO.

    There are some major names on their “What We’ve Done” page but I also noticed the odd disclaimer: “Please note some of the web sites below may have changed since our initial involvement.”

    You will note the company’s tagline is “It’s all about winning.” No argument there, given how they scored their lucrative little no-bid TSA gig.

  7. The no-bid contract was awarded to a high-school chum of the TSA employee overseeing the work. The same guy was a former employee of said high-school chum. Also: they went out drinking together all the time.

  8. Oh, and notice that it was the House committee. The Senate homeland security committee is chaired by Joe Lieberman, who cooperates with the Republicans on the committee to make sure that absolutely nothing is investigated, ever.

  9. The self-signed cert makes me wince.

    Everyone here knows, the issue there is not the self-signed cert, but the overall incompetence it reveals. Far too many people don’t get that – they figure, alright, we’ll get a commercial cert, now it’s fixed.

    Nobody would be that nonchalant if they took their car in to be fixed and came back to find the steering wheel on upside down – they would demand that the garage foreman not only remount the steering wheel properly, but fire the clown who worked on their car, have someone qualified go over it from top to bottom to see what else he might have screwed up, and fix all those things for free too.

    So, what do you think it would take to make things like that – a self-signed SSL cert, or SQL injection by entering the username ‘OR1=1;– at the login page – popularly understood to be the equivalent of an upside-down steering wheel? Not something you fix and accept, but something you thank your lucky stars the site builder was incompetent enough to give himself away with something that obvious, and not just barely competent enough to get past your non-expert inspection, only to let you kill yourself when the brakes give out next week?

  10. The TSA, and the associated War On Common Sense has descended beyond “troubling” and “sad”, passed “absurd” and is just wallowing in absolute ridiculousness.

    I’m shocked that government has not intervened… at what point will congress take note? The US is turning into a real theatre of the absurd, and will only look stupider and stupider to foreigners and their governments.

    One can’t help but think too many people either lack self-respect or just don’t want to think about losing face when they conceed that the ‘terrorists’, lets face it, have ‘won’ – if you want to continue to use those inappropriate terms propagated in the name of homeland security.

  11. I would ask that anyone planning on voting in the upcoming elections here in the US, ask yourself what your favorite candidates position is on stuff like this? Being “against terrorism” isn’t an answer.
    I do know that I am very weary of the smoke and mirror game that TSA has created ostensibly to foil terrorist plots but most likely to cover its own ass and its massive stupidity. I guess there could be some internal logic in that nothing frightens a potential opponent more than knowing your enemy is soo freaking crazy it could literally screw the pooch, but we need something more in line with Israel’s intelligent and doubtlessly effective system of interrogation and intelligence instead of an army of earnest but ill-managed would-be burger flippers.
    FYI Ron Paul has said that he’d shut the thing down…Oh, and San Francisco’s airport which uses private security instead of TSA has a better than 90% success rate at finding test simulation attempts to introduce explosive, while TSA’s own get about 10%…Feel any safer now that the feds are “on the job” (which translates as “getting full benefits and impossible to fire”)?
    Me neither.

  12. Dogu4, if the ground-level employees were properly trained and administering a rational, well-run system, they’d be worth every penny we paid them. The problems originate a lot higher up.

Comments are closed.