I had always assumed that the “no fly” list was a phrase and that it didn’t refer to an actual list, but rather a database with more detailed information than a “can they fly?” column with a Y/N entry. In pharmacy we have a database we have to access when we suspect there is abuse, fraud, or diversion of controlled substances. The database is regularly updated with current information about prescriptions that were dispensed including location, prescribing physician, etc. I had always assumed the “no fly” list would be something similar. Now that I think about it though, that wouldn’t be efficient or useful at all. It would make sense for it to be much more simple.
I naively thought a secret list (file) with secret data would not be distributed in full among random developers of random organizations, but would instead have a private access point where specific persons could be checked against the no-fly list by those with the right to do so, audited, with measures to avoid abusing the service. Potentially with a training set available for developers separately. There are services where the accuracy of certain data can be validated (i.e. for cars by license plate and other data), so those who query should already possess the data of a particular person when using it and not just browse everyone in the secret list as they please.
I had a friend with a common Indian name get bounced off a flight and then be unable to book flights after it turned out he shared his name with someone on the no-fly. He had to petition his senator/congressperson to get off it. TSA had no easy way to prove innocence. It was very clear the list was just a list of names with no useful or distinguishing unique fields with it.
This was roughly 10 years ago, so things might have changed, but at the time it seemed like federal agencies could easily append to the list, but there was no standard process to get off it. I'd guess there are obvious incentives for agencies to add ("hey look, we've found terrorists", even if nothing was actually done about it), and none to remove people from it.
Network connectivity in airports can be patchy at best, and connectivity from the airport internal network to the internet even worse. All the check-in and boarding systems are designed to be able to work offline (with semi-automatic reconciliation afterwards). You have to query the no-fly list at check-in and boarding, so it's more resilient to have a list that can be loaded airport-side every morning.
Yeah, surprised as well. In finance, there is OFAC for people forbidden from moving money, but it's also typically used as a service/db instead of passing around CSV files to everyone. Very bizarre.
There are various aggregators who combine this list and a bunch of other sanctions/related lists like the BIS Entity List which is probably what he was referring to.
Have you ever witnessed this file being used by companies moving money stored in S3 as "shitlist2019.txt" for screening incoming transactions in production? Because that's what the article is alluding to.