One of the conversations we had at the November 2600 meeting was about Bruce Schneier’s alteration of airline boarding passes and using one to get through a TSA checkpoint. Schneier admits that it is illegal, and if done, there is a possibility of arrest. (Note: If you’re reading this and considering doing it, remember that you are not Bruce Schneier. I don’t truly think that the Feds would arrest him, but they would arrest you.)
At the meeting, we were discussing what those illegalities might be. To do so, we considered how fraud is different from a hoax or forgery. In short, fraud is where deception is used to unlawfully take property (usually money) or services from another.
Not a "Joe Terror," or "Joe Six Pack," a PhD student named Chris Soghoian wrote a program accessible through is website that would generate a fake boarding pass. What happened is discussed in his blog: in short, the glass on his front door was smashed by the FBI, his computer equipment taken, and a search warrant (issued at 2 AM) was taped to his kitchen table. But how does the law address altering boarding passes? Consider this section of federal law addressing the falsification of airline tickets or boarding documents (highlighted for emphasis):
From DHS Code Title 49, Volume 8; October 1, 2004 rev. [Page 302]:
TITLE 49--TRANSPORTATION
CHAPTER XII--TRANSPORTATION SECURITY ADMINISTRATION, DEPARTMENT OF HOMELAND SECURITY
PART 1540_CIVIL AVIATION SECURITY: GENERAL RULES--Table of Contents
Part 1540.5 -- Terms used in this subchapter.
§1540.5 Sterile area means a portion of an airport defined in the airport security program that provides passengers access to boarding aircraft and to which the access generally is controlled by TSA, or by an aircraft operator under part 1544 of this chapter or a foreign air carrier under part 1546 of this chapter, through the screening of persons and property.
Subpart B_Responsibilities of Passengers and Other Individuals and
Persons
Sec. 1540.103 Fraud and intentional falsification of records.
No person may make, or cause to be made, any of the following:
(a) Any fraudulent or intentionally false statement in any
application for any security program, access medium, or identification
medium, or any amendment thereto, under this subchapter.
(b) Any fraudulent or intentionally false entry in any record or
report that is kept, made, or used to show compliance with this
subchapter, or exercise any privileges under this subchapter.
(c) Any reproduction or alteration, for fraudulent purpose, of any
report, record, security program, access medium, or identification
medium issued under this subchapter.
Below is something under the USC that is applicable to altering a document regarding a “matter within the jurisdiction of executive, legislative, or judicial branch of the Government":
Title 18. Crimes and Criminal
Chapter 47. Fraud and False Statements
47 U.S.C. § 1001
a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;
shall be fined under this title or imprisoned not more than 5 years, or both.
Although these codes would answer our question about Bruce Schneier’s experiment with altered boarding passes, they do not exactly cover Chris Soghoian with his website that created boarding passes. Most people who saw it when it was up (I did), thought it was a parody. Here’s what Chris recently said about that experience: “In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.”
In summary, altering boarding passes—for fraudulent purposes or not-- is covered under these statutes. Beware if you’re not Bruce Schneier. And if you are Bruce Schneier or Chris Soghogian, thank you for your security research and for potentially, “taking a hit for the team."
No comments:
Post a Comment