The Terrorist Screening Center (TSC), a body formed by several U.S. agencies to monitor potential terrorists and run by the FBI, has for years maintained a highly controversial terror watchlist that names potential terrorists and gives instructions on how to deal with them. That list was recently openly accessible on the Internet.
Personal data and no-fly information
Besides the personal data of more than two million people whom U.S. authorities consider to be potential terrorists, the list includes, among other things, information on flight bans imposed on the listed individuals. In addition to name, date of birth and nationality, the personal data also includes passport data.
With the list, the responsible U.S. authorities want to ensure that potential terrorists can be identified during checks and, for example, prevented from boarding airplanes. The list is controversial in part because the way it is compiled is not transparent: who ends up on the terror list and for what reason is not regulated by law and is not openly communicated. For example, security researcher Bob Diachenko, who discovered the list on the Internet, points out that the American Civil Liberties Union has been fighting the “secret government no-fly list without due process” for years.
List shared with airlines
The U.S. shares the list with a wide variety of airlines to enable effective enforcement of the flight bans. Whether it reached the freely accessible server directly from a U.S. agency or from an airline is so far unclear. However, the address of the affected server was traced to Bahrain.
Diachenko also points out that he immediately reported his find to the Department of Homeland Security. According to him, the list disappeared from the Internet only three weeks after he reported it. Because it was indexed by the search engines Censys and ZoomEye, it is likely that the security researcher was not the only one to obtain it during its time online. That increases the likelihood of the data being used by third parties and poses a potential risk to both the listed individuals and the U.S. authorities.