A Web site commissioned by the U.S. Transportation Security Administration (TSA) to help travelers whose names were erroneously listed on airline watch lists originally had multiple security problems that could lead to identity theft, says a congressional report released Friday.
In addition, the TSA awarded the $48,816 contract for the Traveler Redress Web site based on a request for quotes with requirements that only one Web design firm could meet, says the report, released by the House of Representatives Committee on Oversight and Government Reform. The TSA's technical lead and author of a request for comments for the project was a longtime friend of the owner of Desyne Web Services and had briefly worked for the Virginia firm, the report says.
"This redress Web site had multiple security vulnerabilities: It was not hosted on a government domain, its homepage was not encrypted, one of its data submission pages was not encrypted, and its encrypted pages were not properly certified," the report says. "These deficiencies exposed thousands of American travelers to potential identity theft."
The TSA press office did not immediately respond to a request for comments on the House report. A receptionist at Desyne said the appropriate person for commenting was not available.
The redress Web site went live in October 2006, and blogger Christopher Soghoian, a graduate student in informatics at Indiana University, pointed out security problems there last February. The TSA took the Desyne Web site down that month and now hosts a traveler redress form on its own Web site.
"This begs the question: Who are these guys, why don't they know how to use SSL, and how were they awarded this sweet contract?" Soghoian wrote in February 2006. "Why can't TSA do a simple form submission themselves?"
One of the biggest concerns raised by Soghoian and the House report is that the Desyne Web site did not use SSL encryption on its home page or on its submissions page. Travelers were asked to submit personal information, such as their Social Security numbers and birth dates. The site was not hosted on a government domain, meaning visitors "lost any assurance they were visiting a legitimate government Web site," the House report says.
The House report was also critical of Desyne's "no-bid" contract to operate the redress Web site. Desyne had done work for TSA since 2004, and as of late 2007, it continued to host the TSA's Web site where travelers could file claims for damaged property. The TSA's April 2006 request for quotes for the redress site said the design had to be consistent with the claims management site, and it had to be hosted on the same server that hosted the claims management site, the House report says.
As of September, Desyne continued to operate Web sites for TSA, and the company has received more than $500,000 in business from the agency since 2004, the report says. "TSA did not take action ... to sanction Desyne for poor performance," the report says.