FOIA Documents Expose Details On TSA's $47,000 Coin Flipping App
from the but-with-at-least-as-much-possible-groin-grabbing-as-Tinder! dept
Time for yet another episode of “Your Tax Dollars Faffing About.” According to documents liberated by Kevin Burke, the TSA spent a ridiculous amount of money on an iPad app that randomly generates a left or right arrow.
They sent me two documents. The first is a disclaimer about how they had to black out some of the information. The second is the contract between the TSA and IBM. And there’s the payment:
Later today Pratheek Rebala reached out to mention that this data is available publicly, and there were 8 other payments as part of the same award, totaling $1.4 million; the document I have is one part, totaling $336,000. Furthermore, there were 4 bids for the contract and IBM won the bidding.
Because these are FOIA documents, some information has not been freed. (See: FOIA Exemption: SOP) This makes it difficult to narrow down the amount of the contract that went just to the random number/arrow generator.
Here’s a blurry photo of the app in use, overseen by a TSA agent wearing the regulation genital-fondling gloves.

The TSA — presumably appropriately shamed for spending $1.4 million on an app someone could build for several hundred thousand dollars less/without IBM’s awesome computing power during their spare time — began reaching out to those covering this story with a correction.
Taxpayers: the $1.4 million may have been blown on a left/right arrow app in total, but only ~$50,000 went directly to the development of the TSA’s random number generator.
The total development cost for the randomizer app was $47,400, a TSA spokesperson told Mashable, which was part of the $336,413.59 contract.
No further details were provided. This clarification suggests the TSA only comically overpaid for its “randomizer” rather than tragicomically overpaid for its digital coin flipper.
It’s not that the app doesn’t serve a purpose — although it does so in an overpriced, underwhelming fashion. The TSA had two concerns to address. First, it didn’t want to be viewed as “profiling” when “randomly” selecting people for extra scrutiny, as it had in the past.
You’re OK.
You’re OK.
You’re… brown. Come this way.
You’re OK.
You’re OK.
You’re… an infant. Please follow me.
Second, it had to actually randomize the outcome to deter would-be terrorists from gaming the system and bypassing the Director’s Cut of the TSA’s Security Theater.
So, it handled it as government agencies are supposed to. It made a list of requirements, opened up the floor for bidding, awarded the contract, and (most likely) watched deadlines and budget targets sail past like passengers granted instant Pre-Check approval just because the lines were getting a little long.
Now, it’s probably not quite as ridiculous as it first appears — all of this money devoted to a left/right arrow generator. The app would need to be both tamper-proof and idiot-proof and combining the TSA and IBM on a project is going to generate a lot of overhead costs. The total may also include the purchase of a few hundred iPads, which aren’t exactly easy on the wallet.
But in the end, it’s $50,000 for a random number generator with a lackluster front-end being run by a Wal-Mart greeter but for potential terrorists. And to date, it has yet to direct a would-be terrorist into the waiting arms of secondary screeners.
Comments on “FOIA Documents Expose Details On TSA's $47,000 Coin Flipping App”
mas o menos
We’re very proud of the “American tradition” that our free-market economy, supply-and-demand, and market-driven focus allows “greater freedoms.”
Of course ignoring tariffs*, trade-agreements, credit-exchanges, and other regulatory mechanisms that entirely make the above false, we get to the crux of the thing.
We love it when we can get a great deal on a new car because we did our homework. We love it when we find a great special at Macy’s on that crystal photo frame we just didn’t get as a gift at wedding number one. We love it when we can get five limes for a dollar instead of three.
On the flip side we’re proud when we sold our used VW Bug for a few thousands of dollars over the estimated price. We love seeing that Blac Chyna will likely get one million dollars for “starring” in a KUWTK episode. We love it if our worthless script for “Time Tunnel 1980” (starring Barry Van Dyke and Kent McCord) is purchased for a million dollars.
So we love getting something for less than what it’s worth.
We love selling something for more than what it’s worth.
This thing isn’t a failure on IBM’s part. IBM did their shareholders proud by collecting an amazing (“tragicomical”?) amount of money for a one-line app any schoolkid can code in under a minute. That someone put a graphical user interface (GUI) on it that’s a big arrow, and someone else made it “tamper-proof”* is awesome.
What IS the problem is that our government — which is supposed to have accountability and checks and balances — not only happily approved this whole mess, but then tries to explain it’s not as bad as we think it is.
So good on IBM and its shareholders for maintaining a profit margin on every app. Bad on the TSA for this. You can, however, consider that after fondling children, searching baby diapers, making people take out colostomy bags and various other things, having a mother drink her own breast milk, and holding travelers hostage for 15 years… this isn’t even sweet icing on that cake.
Ehud
* Those blue regulation “genital fondling” gloves mean they can’t hack anything. They don’t trigger a response from capacitive-touch screens.
The Price Is Right-ish.
A true randomizer (and not one that can be predicted) is actually a reasonably complex thing to write. The random() functions in most computer languages are not really as random as you wish they were.
46k for the software that includes the randomizer actually ain’t very expensive at all. Remember, that is the whole APP, and not just the generator.
Re: The Price Is Right-ish.
Yes, true computer generated randomization is really hard to do.
But I’d bet $46k that they didn’t do anything fancier than built in random functions. Or, at most, stock IBM functions that they’ve had sitting around.
Re: Re: The Price Is Right-ish.
No, “true” computer randomization is easy. It’s beginner level stuff. If you don’t have the math, there’s a number of pages on the web that describe (complete with code) how to do any number of random number generators that are statistically indistinguishable from “true” randomization. Pick one and add the arrow and you’re done. It’s like 5 minutes work, with 4 of that being reading the web page and deciding which RNG you want to use.
Re: Re: Re: The Price Is Right-ish.
Ummm, no, it’s not. The best you can do is to pull tricks like measuring time between arbitrary noncomputed events, such as keystrokes. But even those aren’t actually random.
You can, as you say, select RNGs that have very similar statistical characteristics with actual randomness for a finite run, but they are not producing truly random numbers.
But all of that is irrelevant, since what is needed for an app like this isn’t anything close to randomness anyway. Just using the standard library RNG combined with reseeding every so often would be more than adequate.
Re: Re: Re:2 The Price Is Right-ish.
Software for true randomness is probably not that hard either though is it? That has to be supported by special hardware, so you just query the hardware for some random output. I’ve never done it so maybe I’m wrong but it seems like it would be simple.
Re: Re: Re:3 The Price Is Right-ish.
But that’s not the software generating random numbers (something that is impossible with the sorts of computers we use). It’s just the software reading a number from a device.
If that’s what the TSA was paying for, then one would think that they would have said so. Also, I don’t see any hardware plugged into those tablets.
Re: Re: Re:4 The Price Is Right-ish.
Right, I wasn’t talking about this app, just software generally. And that’s exactly right, software doesn’t make random numbers.
Re: Re: Re:2 The Price Is Right-ish.
Now you’re just arguing philosophical definitions of “true”. I’m talking engineering.
Re: Re: Re:3 The Price Is Right-ish.
> I’m talking engineering.
Computer engineers are very aware of the difference between random numbers and pseudorandom numbers, and it is not a philosophical distinction.
Re: Re: Re:4 The Price Is Right-ish.
Not when they’re statistically indistinguishable.
Re: Re: Re:5 The Price Is Right-ish.
> Not when they’re statistically indistinguishable.
If by philosophical you mean academic or semantic, I’m fine with that. If you mean arbitrary or subjective, then no.
Re: Re: Re: The Price Is Right-ish.
Let’s get into more math…
If the TSA wants a random number generator that’s statistically more accurate than a regular computer’s random number generator, then what is the probability this system will catch a terrorist, based on all the past evidence of catching any terrorist at the TSA line? If the number of terrorists to be caught is statistically 0, then there’s no need for a random number generator with a higher level of precision.
Or Occam’s razor:
What are the chances that a terrorist will take the time to determine that the TSA is using RNG-1 Alpha 3 and that the randomization pattern is 0-1-1-1-0-0 and he’s able to slip into the wrong line? Compare that to a terrorist who just says “f this- I’m in the wrong line so I’ll blow up the airport”?
In other words, this is another $47,000 spent to make it look like the TSA is “doing something”.
Re: Re: Re:2 The Price Is Right-ish.
John85851 wrote:
> In other words, this is another $47,000 spent to make it look like the TSA is “doing something”.
Absolutely. All this talk of math is missing the forest for the trees.
The TSA’s job is to prevent hazardous materials and dangerous people from crossing into the sterile area of a public airport. All the rest of this discussion is about a trivial piece of waving shiny object with an arrow on it which is all just a part of The Security Theater.
Ehud
One line.....
function directPassenger() {
  // Math.random() returns a pseudorandom float in [0, 1)
  return Math.random() > 0.5 ? "RIGHT" : "LEFT";
}
Re: One line.....
Except that isn’t truly random. It is pseudo random and talented people have proven the results can be predicted.
Re: Re: One line.....
This is a passenger directing tool. You don’t need crypto level secure PRNG. Your browser’s Math.random() will do just fine and no one will notice. Even if you wanted more randomness, an existing implementation of another PRNG would do just fine (https://en.wikipedia.org/wiki/Mersenne_Twister)
Re: Re: One line.....
Jeez, it’s more than random enough for the purpose it needs to serve.
Re: Re: One line.....
OK. Yeah, if you simply took the pseudorandom number generated, they wouldn’t be truly random. And yeah, if someone sat around long enough, they might be able to figure out the pattern, and make sure to take a position where they’d go into THIS line instead of THAT line. And that’s not acceptable for this type of thing.
But the solution to that is simple. Add the pseudorandom number to the human input you’re getting. If the user presses the “next” button and the milliseconds are even, take the pseudorandom result. If the milliseconds are odd, take the opposite.
For an application like this, that’s more than enough. You can’t get a reliable read on the pseudorandom sequence if the numbers are sometimes flipped. And even if you somehow could, there’s no way you could know to the millisecond when the TSA guy was going to press the button when it was your turn.
This should still take less than a day to make.
Re: Re: One line.....
> Except that isn’t truly random. It is pseudo random and talented people have proven the results can be predicted.
When the screening is not likely to catch any weapons anyway, what difference does it make?
Re: Re: Re: One line.....
The difference is that if you have someone in screening who is working for you, you might want to go through their line instead of another line so that you could get something truly bad through security (drugs actually would be a good example). The whole point of having more than one line and selecting people at random for each is to make it much harder for people to end up in the correct lane to pull off such a thing.
It’s also why they rotate the workers around frequently and not on schedule so that it’s harder to know where any employee or group of employees may be at any given time.
In the world of what you guys would call “security theater” the random line selection software is actually something that adds to security in a small but real way.
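As an added example (not part of the original comments, and not the TSA/IBM app's code): the thread's one-line function next to a variant that draws from the platform CSPRNG and uses rejection sampling, so the choice is both unpredictable and unbiased. All function names and the 1-in-N selection rate are assumptions, since the app's requirements are not public.

```javascript
// Added example; function names and the 1-in-N rate are assumptions.
// Web Crypto is global in browsers and current Node; older Node exposes it via require.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The thread's version: Math.random() is a non-cryptographic PRNG and is
// not designed to resist prediction from its earlier outputs.
function directPassengerWeak() {
  return Math.random() > 0.5 ? 'RIGHT' : 'LEFT';
}

// One byte from the operating system's CSPRNG.
function csprngByte() {
  const buf = new Uint8Array(1);
  webcrypto.getRandomValues(buf);
  return buf[0];
}

// Uniform integer in [0, n) for 1 <= n <= 256, using rejection sampling.
// Bytes at or above the largest multiple of n are discarded; a plain
// `byte % n` would make the low residues slightly more likely.
// `nextByte` is injectable so the logic can be tested deterministically.
function uniformBelow(n, nextByte = csprngByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer in 1..256');
  }
  const limit = 256 - (256 % n);
  let b;
  do {
    b = nextByte();
  } while (b >= limit);
  return b % n;
}

// Fair left/right choice from the CSPRNG.
function directPassenger(nextByte = csprngByte) {
  return uniformBelow(2, nextByte) === 1 ? 'RIGHT' : 'LEFT';
}

// Divert roughly one passenger in `oneIn` to additional screening.
function selectForScreening(oneIn, nextByte = csprngByte) {
  return uniformBelow(oneIn, nextByte) === 0;
}

// Count selections over `trials` draws, to sanity-check the observed rate.
function countSelected(trials, oneIn) {
  let hits = 0;
  for (let i = 0; i < trials; i++) {
    if (selectForScreening(oneIn)) hits++;
  }
  return hits;
}
```

Because each draw comes from the operating system's generator, there is no application-level seed or sequence for an observer to reconstruct.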
Of course it was $50000. They had to pay for enough licenses for all the iPads. They can’t just buy one copy and install it on all their devices. That would have to be infringement of some sort, and maybe piracy too.
In Defense of Walmart
Referring to TSA agents as Walmart greeters is quite an insult. I am shocked by such insensitivity. Walmart greeters are much better trained than TSA agents.
Price isn't that far off
I work in IT procurement for a non-IT fortune 50 company. We do business with all the major IT firms, IBM included.
For a simple custom web app that is being deployed in a (hopefully) controlled environment, this isn’t a terrible price. My guess would have been around 10-20k from a similarly sized developer. But the government contracting/requirements process by itself probably adds 50-100% to the cost, even before a line of code has been written.
I’m sure Joe developer could do it at home for less, but IBM’s not gouging them and the government isn’t overpaying any more than normal for this.
Re: Price isn't that far off
50 – 100 % is probably underestimating. Most of the requirements process is non-scaling. i.e. the costs remain the same no matter how small or simple the job.
I remember a certain defence company being forced to go through a full requirements, tendering and evaluation process to buy two radios….not two types, count them, two actual radios (one of the requirements being they had to be off the shelf). One of the bidders commented that it would have cost them less to just ignore the bid process and just send the two radios.
"True Random" vs "Pseudo Random"
It’s not really important whether it’s truly random. As Whatever pointed out “A true randomizer (and not one that can be predicted)” is what’s important. For being unpredictable the stock random functions are important enough.
See http://www.2uo.de/myths-about-urandom/ for a much more thorough discussion.
However, whatever random function they used, it’s still a huge chunk of change…
Coins
I could have sold them dollar coins for only two dollars cents each that they could have flipped, if they had asked.
Bidding?
> It made a list of requirements, opened up the floor for bidding,…
Was there actually a competitive bidding process?
Before this becomes a meme (too late?) it’s worth noting that, “It’s possible it also included the tablets themselves, which could account for some of the additional cost.”
You’re OK.
You’re OK.
You’re… brown. Come this way.
You’re OK.
You’re OK.
You’re… an infant. Please follow me.
You’re wearing a turban. OMFG!. That’s sort of like a Muslim. Evacuate the terminal, call the SWAT team.
The one thing that I keep seeing mentioned is that using the built in random function is not really random. This is indeed very true. The thing is, who is saying they actually wrote anything better? You’re assuming that almost $50k was used to make a more truly random system.
I for one would not be shocked if that app just uses the built in random number generator everyone is complaining about. I would love to see a study showing how well they did at really making this random.
Why do they even need an app?
There’s only one reason why they really need an App.
They don’t trust their own staff.
They don’t trust agents to divide people to proper lines to maximize traffic flow.
They don’t trust agents to not divert hot chicks to their buddies.
They don’t trust agents to not divert valuables to their cohorts for pilfering.
They don’t trust agents to not inappropriately scrutinize people (racist, etc).
They don’t trust that they will divert an unsavory person over to the line with a willing cohort to avoid detecting things.
The only reason that makes sense why the TSA would spend $50K on an App to direct people randomly between two lines – is they are not able to trust their own agents.
Re: Why do they even need an app?
In fairness to the government, would YOU trust the average TSA agent that much?
Hell, I’d be surprised if they don’t have problems keeping them from getting their heads stuck in the cereal boxes in the morning.
Re: Re: Why do they even need an app?
I trust them to accept bribes to let terrorists onto a plane.
Re: Why do they even need an app?
I mean, if you’re going to spend a million dollars, spend it on technology that counts how many people are in each line and automatically sends people to whichever line is shorter.
Another consideration: humans are a poor judge of randomness, because our brains are designed to find patterns. True randomness may not be exactly what they needed here. It’s the old problem people had with thinking their iPods ‘liked’ certain artists over others. It didn’t, the random number generator just happened to pick several tracks from the same artist or album in a run.
A truly random system can have a long run of the same or similar results but on a long enough time scale will still show an even distribution of the possibilities. Imagine what a disaster it would be if the app selected LEFT a thousand times in a row, while the right lane stayed empty. And does the app support checkpoints with more than two lines?
They probably wanted a combination of randomness and even distribution on a short to medium timeframe so all lanes are utilized to capacity but no one can claim that they were profiled. You have to be random, but not too random. This might not have been the world’s most complicated software, but it isn’t trivial either. There’s plenty to criticize the TSA about; I’m not sure this is worth as much bluster as other things they do.
Re: Re:
> Imagine what a disaster it would be if the app selected LEFT a thousand times in a row, while the right lane stayed empty.
If I understand right, this is not to optimize traffic flow. People will mostly even out the length of lines if left to their own devices. This is to decide who should get random additional (useless) screening. So it should choose one direction most of the time, and only divert someone now and then.
That app probably came with an inch-thick specification document and took two junior developers and a project manager 6 months to build. It was probably a fair price considering all the bureaucracy and hassle of dealing with the government.
But yeah, a normal company with streamlined / sane requirements could’ve had it built for a fraction of the cost.
Re: Re:
> But yeah, a normal company with streamlined / sane requirements could’ve had it built for a fraction of the cost.
As in, one developer in less than a day.
New Tech for Old Tech
I remember visiting Brazil around 20 years ago. As you got to the front of the customs queue, you pressed a button and were presented with a green or red light.
Green light, you went straight out the door, red light you were searched on your way out.
Probably just as random as this app, but in addition, there may have been someone watching the queue and overriding any random light selection!
Re: New Tech for Old Tech
I suspect that wasn’t technology at work, rather a camera, a couple of switches, and a bored clerk in another room (who couldn’t get assaulted for the choice) decided who went which way.
That isn’t random at all, just “distant” selection.
Re: Re: New Tech for Old Tech
I didn’t say that wasn’t the case. Who can say that isn’t the case with this app, unless someone has reviewed the code?
For 500 bucks *I* could have made this app. (Hell for 5 bucks I could have done it but I figured I could get some extra mad money from them)
Missing the point.
Nobody is actually going to believe that it’s random anyway.
The point is that by putting it on a screen, the perp/vic can’t tell who picked him. Which makes litigation more difficult. And lessens the likelihood of a direct conflict at the time of selecting said perp/vic.
Yep. It would be one line of code if it worked as described. No it isn’t one line of code.
Did I miss where the application requirements are defined? Is the app actually supposed to be random or is everyone assuming this?
Re: Re:
> Did I miss where the application requirements are defined?
They’re not in the contract, they’re in some other document that I don’t think has been made public.
$1.4M?
“The TSA — presumably appropriately shamed for spending $1.4 million on an app someone could build for several hundred thousand dollars less/without IBM’s awesome computing power during their spare time.”
I am a professional software engineer with 30+ years experience in the field. I could write this program in about 15 minutes! At $200/hour (my consulting rate – may have to increase that), and a 1 day (8 hour) minimum, ok – $1600 bucks. That is almost 3 orders of magnitude (1000x) less than IBM charged!
Missing the point
We should be following the Israeli method and profiling.