The classified list was exposed online for three weeks
This almost sounds like the premise for a fictional thriller about international cyber-espionage. The details do, however, raise a number of valid questions, even some relating to rights guaranteed by the U.S. Constitution.
Numerous articles, including one posted on August 16, 2021, to BleepingComputer.com/news/, reported that an online database accessible without a password was found to contain what appeared to be a secret terrorist watchlist and no-fly list information. It’s important to note up front that, as of the date that article was posted, no confirmation had been made as to whether the records exposed actually originated from an agency of the U.S. government.
The database was discovered on July 19, 2021, by Security Discovery researcher Bob Diachenko. Diachenko told BleepingComputer that the records did appear to be the type used by multiple U.S. government agencies in counter-terrorism operations. Diachenko claims he informed the Department of Homeland Security (DHS) of his discovery the same day he found the database, but said the server and the 1.9 million records it hosted remained accessible until August 9, 2021, nearly three weeks later.
What Diachenko observed
Security Discovery, the organization with which Diachenko is affiliated, provides security consulting services. In the course of his research work, Diachenko happened upon the database and found that no password was required for access. He also found that the database server had previously been indexed by the ZoomEye and Censys search engines, indicating it had been there for a while and that he might not have been the first to find and access it.
Diachenko looked at some of the 1.9 million records in the database and found that they contained sensitive personal information including individuals’ names, their countries of citizenship, passport information, sex, birth dates, and “no-fly” status. Diachenko told BleepingComputer that, based on the type of data he initially observed, the datasets appeared at first glance to be from a no-fly list and/or terrorist watchlist.
Per the article, the FBI maintains what is known as the Terrorist Screening Center, or TSC. The TSC is used as a counter-terrorism tool by multiple federal agencies. Diachenko said his ongoing inspection revealed a specific record field labeled “TSC_ID” within the datasets. The FBI also maintains the Terrorist Screening Database, referred to as the no-fly list. According to Diachenko, he observed a field labeled “no_fly_indicator” in the datasets as well.
These field names, together with the fact that passport details were also included, further indicated to Diachenko that the data he found was, in fact, a no-fly list and/or some type of terrorist watchlist. The subtle indicators kept coming. Diachenko also found fields labeled “selectee_indicator” and “nomination_type.” Per the article, individuals who may pose a risk to national security are “nominated” by government officials for selection and addition to watchlists.
These watchlists are used by agencies including the Transportation Security Administration, Department of State, Department of Defense, and Customs and Border Protection. Individuals placed on such a list may be prohibited from boarding aircraft, entering the U.S., or participating in other activities.
Another questionable find
Diachenko found that the server hosting the database had a Bahrain IP address. This raises many additional questions regarding where the data came from and why, if it was a classified U.S. watchlist of some sort, it was stored on an unsecured server with a foreign IP.
If it was classified data from a U.S. government watchlist, why did it take so long to secure?
As stated, Diachenko told BleepingComputer that he reported his findings to the DHS on July 19, 2021, the date he discovered the database, but the records remained exposed for almost three weeks thereafter before the server was finally taken offline. Diachenko said he had no idea why it took so long. He has no way of knowing how many others may have accessed the data during those three weeks. The BleepingComputer article states that its staff requested comment from the FBI, but, as of the article’s August 16 publication date, the agency had provided no response.
Take a moment to consider the U.S. Constitution
This will take a little while, but it’s relevant. In his communications with BleepingComputer, Diachenko expressed valid concerns regarding how individuals make it onto the no-fly list and other secret watchlists. As he pointed out, people can be added to these lists without even being charged with crimes, much less convicted. In fact, not only are those added to the list given no opportunity to present their cases as to why they should not be included, they aren’t even aware in most instances that they’ve been added until they try to board a plane and are turned away. Additionally, there’s no way for individuals to check and find out whether they are on the no-fly list. That’s a secret.
Diachenko worries that the listing process can result in the inclusion of innocent individuals. Any potentially innocent people whose information may have been exposed in this particular incident could, according to Diachenko, be subjected to harassment, persecution, and oppression. These issues could impact their work and their families as well.
The Fifth Amendment to the U.S. Constitution prohibits the government from depriving individuals of “life, liberty, or property without due process of law.” The Fourteenth Amendment includes the same language in what’s known as the “Due Process Clause.” The Cornell School of Law’s Legal Information Institute expands upon these provisions in their article at law.cornell.edu/wex/due_process if you’d like to learn more.
Many legal minds have opined that the method by which individuals are added to the no-fly list wrongfully deprives them of their due process rights and, as a consequence, their liberties. Per BleepingComputer’s article, the American Civil Liberties Union has battled for years against the use of the no-fly list based on the absence of due process.
What does all of this have to do with the unsecured database records? Well, if, in fact, they are from the U.S. no-fly list, those whose records were compromised may have been unlawfully placed at risk in the first place by being included in the list without due process and, because the list is classified, they likely won’t even be told that their sensitive personal data has been exposed. This incident could potentially turn out to be one that is cited in future arguments against the compilation of such lists.
This story raises a lot of questions. First and foremost, where did these records come from? If they were classified U.S. government records, how did they end up on an unsecured server in Bahrain and why did it take so long to take it down once DHS was notified? If the records are what they appear to be, how will the U.S. handle this matter? Will those whose data was exposed be notified? Will they be offered any relief, perhaps in the form of an identity theft protection policy? Private organizations are frequently sued and held accountable for damages in association with their data breaches. Will this incident result in any positive changes in security or legal processes? Will it lead to more lawsuits being filed challenging the constitutionality of compiling such lists?
In today’s cyber threat environment where your data is constantly being collected and shared and criminals are coming up with new ways to steal it, your best defense is to take significant and effective steps to secure your identity and accounts. Data breaches have become so common that people are becoming desensitized to the news that another one has occurred. In many instances, those whose information was compromised are eventually notified or can find out by visiting sites like haveibeenpwned.com. In this case, however, they may never know. Be proactive with your cybersecurity.