US “No Fly” List Leaked
On Thursday, January 19th, a Swiss hacktivist known as maia arson crimew (it/she) released a blog post detailing its discovery of the 2019 Transportation Security Administration’s (TSA) “no fly” list. The no fly list is a subset of the FBI’s larger terrorist watch list that singles out people who are not allowed to board an airplane within or bound for the U.S.
Crimew says she was browsing Shodan (a search engine for internet-connected servers) when she came across a server belonging to airline CommuteAir. After a few minutes, crimew was able to view the entirety of the 2019 no fly list and employee records (including passport numbers, addresses, phone numbers, and credentials). She then offered distribution of the list to researchers and journalists.
Shortly after the leak, a TSA spokesman said the agency was “aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.” Additionally, the TSA has released new security directives that “reinforce existing requirements on handling sensitive security information and personally identifiable information.”
Reactions to the list’s leak have been mixed. Edward Hasbrouck (he/him), an author and human-rights advocate, writes that “the most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names.” More than 10% of the entries on the list contain “Muhammad” in either the first or last name fields. The FBI, however, claims its procedures for including people on the list are not “based solely on race, ethnicity, national origin, religious affiliation, or any First Amendment-protected activities such as free speech.”
While Hasbrouck has used this hack to criticize alleged Islamophobia in the TSA, others fear the dangerous implications of the list’s leak. Kenneth Gray (he/him), a retired FBI agent, told Business Insider, “If that information is released, then the public becomes aware of ongoing investigations. And those international terrorism cases, those ongoing investigations are normally classified. And so revealing this kind of information could lead to those individuals becoming aware that they are under investigation… This could be of potential use for a terrorist group, even if that was not the original intent for the hack.”
