Wednesday, January 16, 2008

TSA Web Site Puts Travelers At Risk of Identity Theft

If you fly on commercial airlines, then you are aware of the constantly changing security rules. If you have a complaint about a travel experience, you can submit it to the airline or to the Transportation Security Administration (TSA). According to the Washington Post newspaper:

"A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday. Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says."

And, it gets worse. It looks like the fix was in:

"Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company... The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000."

You can download the House Oversight report. I spent some time at Desyne's web site. I've seen better designed web sites with better designed navigation elements. I found the current TSA web site difficult to use and poorly organized. (Note: As an Information Designer in my day job, my role is to architect clients' web sites so they are easy to use from a user's point-of-view.)

The TSA has a history of producing less-than-optimal web sites. In his Surveillance State blog, Chris Soghoian described his experience with the TSA site:

"This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers... The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site."

No matter how the TSA representative tries to spin an answer, a no-bid contract isn't right. It doesn't smell right, either. We citizens aren't getting the best value for our dollars, either.

  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2008. George Jenkins. All Rights Reserved.