December 15, 2009, 6:10 PM — The improperly redacted document that the Transportation Security Administration posted on the Internet demonstrates failure on many levels, but not all of the failures are the ones the press and congressional critics have been focusing on.
The document in question, which concerns airport security, was actually posted a relatively long time ago, as a PDF. Rather than removing sensitive information from the document, it was blacked over, which means all sorts of details that supposedly could help terrorists blow up airplanes were available to anyone who made the effort to look beyond what was visible on screen. Once this breach was reported to the world, members of Congress expressed their outrage, and the TSA put people on administrative leave. Well, I hope that means time off with pay, because I see little reason to punish those individuals.
Why am I defending the people involved? After all, you would think they would know better. Isn't it common sense that blacking out data still leaves the data there? Let me quote a phrase from my human factors days: "There is no common sense without common knowledge."
So, is there common knowledge that might have allowed the TSA employees to exercise common sense? I don't think so, and that is a problem with the Department of Homeland Security as a whole, not the individual employees.
You might expect the TSA employees to know that there is a lot of information in most documents that people don't necessarily realize is there. But this fact is sadly not realized even by some supposed computer security professionals. I recently worked on a case in which a person who works for a network forensics company sent out a PDF without realizing that the metadata in the file impugned him.
In my book, then, it's not so surprising that the TSA employees would run afoul of what you might think of as the anti-WYSIWYG. You remember that old term, "what you see is what you get"? It described word processors that printed what was displayed on the screen. Before that, you saw command language and hoped for the best when it printed. The problem is that what you see is not what you get in an electronic version of the file, and in this case, what the TSA people saw was black, which hid the black text on the screen. The text was still there, and it was easy to recover when someone finally decided to look for it.