FBI’s secret terrorist watchlist leaked
The controversial watchlist was accessible from the Internet without protection, and with it the sensitive data of around two million people.
The Terrorist Screening Center (TSC), an inter-agency organization led by the FBI, has leaked a terrorist watchlist containing sensitive data on around two million people. Back in July, security researcher Bob Diachenko discovered the list on an unprotected Elasticsearch server that anyone on the Internet could access.
In the terrorist watchlist and the associated no-fly list, the USA records people it considers potential terrorists, partly on the basis of vague assessments or the contacts of those affected, in order to recognize them during checks and to treat them according to the list (e.g. by not allowing them to board an aircraft).
The leaked lists contain names, nationality, gender, date of birth, passport data and other data as well as the no-fly status of the persons concerned. The data is shared with airlines. It is unclear whether the server was operated by US authorities or a third party. The IP address was assigned to Bahrain and not to the USA, explains Diachenko.
Controversial list only taken offline after 3 weeks
Diachenko reported his find to the US Department of Homeland Security on the same day, but the list did not go offline until three weeks later on August 9th. “It is not clear why it took so long, and I do not know for sure whether it was accessed by unauthorized persons,” writes Diachenko. “In the wrong hands, this list could be used to suppress, harass or persecute those on the list and their families.”
“The terrorist watchlist is highly controversial. For example, the [civil rights organization] ACLU has been fighting against the use of a secret government no-fly list without due process for many years,” explains the security researcher. It is not uncommon for people who refuse to be recruited as informants to be put on such a list.
“It could cause a number of personal and professional problems for innocent people whose names are on the list,” writes Diachenko. The list was also indexed by the search engines Censys and ZoomEye, so Diachenko might not have been the only one who discovered the data.
The author of the article is Moritz Tremmel.