27B Prompts Lawmaker to Investigate Shady Site

The head of the powerful House Government Oversight Committee -- Henry Waxman (D-Calif.) -- might just read 27B -- since he just asked the Transportation Security Administration to explain what happened with the dodgy online form for travelers snagged by government watch lists. Full Wired News story.

Waxman took 27B's explanation of why the site looked like a malicious attempt to harvest personal information from Americans and is demanding documents and a briefing from the TSA by March 9, according to this letter (.pdf). The original site, rife with misspellings characteristic of phishing, put users at risk of identity theft, used a suspect security certificate and was hosted on a non-government website. A replacement put up this week fixed most of the flaws, but still serves third-party tracking cookies.

Find out what Waxman wants to learn after the jump...

1. All documents relating to any contract(s) with Desyne Web Services, Inc., to provide web design, hosting, or maintenance services for the TSA website, including any agreement that Desyne Web Services would host the "Travel Verification Identity Program" on its own web domain, rather than on the TSA domain;

2. All communications between TSA, including any TSA contractor or consultant, and Desyne Web Services, Inc. regarding security and/or privacy protections for the "Travel Verification Identity Program" website;

3. All documents relating to the period during which the site operated without encrypted data transfer protections, including the number of travelers who may have submitted their personal information to the site during the period when the site was not SSL-protected;

4. All documents related to TSA's discovery and remediation of this security breach, including any reports or audits of investigations of the breach;

5. All documents related to TSA's compliance with the requirements of the Privacy Act of 1974 in creating this new website. If the "Travel Verification Identity Program" is part of the Department of Homeland Security's TRIP program, provide all information about TSA's compliance with the notice and comment submission requirements of the January 18, 2007 DHS TRIP notice in the Federal Register, as well as TSA's compliance with the Privacy Impact Assessment filed by the Department of Homeland Security on January 18, 2007.

6. Information regarding the domain on which this web site is now currently located. If the "Travel Verification Identity Program" site remains on the Desyne domain, please indicate whether Desyne is complying with the government-wide policy of not setting information-gathering "cookies" on the computers of users who access the site;

Photo: Ricardo Villela