We just got back from a few weeks in Europe. On our way out of the country, we were detained for additional screening at the TSA[1] security checkpoint at JFK. In the process, we left behind our laptops. This is the story of how it happened, where the process failed, and how we (ultimately) got them back.
Our flight itinerary took us through JFK and then overseas, but our final domestic leg on the way to JFK was greatly delayed due to some problem “on the ground” at JFK that prevented us from taking off at the origin. We never heard exactly what the problem is, and it doesn’t matter. This delay caused us to miss our overseas flight, but we were reserved seats on another flight the same day to the same destination. Unfortunately, as we have often encountered in the past, our reservations (which were a codeshare on a different airline) were not processed correctly, and it took over an hour to get our boarding passes straightened out. This left us passing through the TSA security checkpoint approximately one hour before our scheduled departure. International flights can (but seldom do) close their doors long before scheduled takeoff, so this was tighter than we were comfortable with.
As our bags went through the security scanner, a TSA agent held up my daughter’s diaper bag and asked whose bag it was. I replied that it was mine, and she asked me to step aside with her. They had decided that a small sippy cup with some milk in it was clearly dangerous contraband, and possibly explosive, and that it needed to be examined carefully. (I know this is standard procedure, but it doesn’t make it any less ridiculous. As if liquids are somehow magically more dangerous than solids.) Unfortunately, the chemical sniffer was out of test strips, so she had to depart the station to find one. This didn’t take very long, but it did take a couple of minutes. She returned, sniffed the milk, ascertained that it was in fact a child’s milk (or at least not an explosive compound), and allowed us to proceed.
This was annoying and stupid, but not really a huge problem in the big scheme of things — Delta’s bungling of our ticket transfer was a lot worse — except that in the hassle and confusion of being pulled aside, we grabbed all of our bags and possessions except our laptops, which had been stupidly removed from our bags in yet another aspect of the useless security theater put on by the TSA (examples here, here, here, and of course here, and those are just the first four I found in a quick search).
No one attempted to find us, no announcements were made of left baggage at the TSA checkpoint, nothing. We simply boarded our plane and flew away for three weeks, unknowing of the fact that we had left our laptops — and our data — in the hands of the TSA. To be fair, identifying us specifically from the laptops would have been difficult, as they are not externally marked; Marina’s laptop does, however, have her name visible on the login screen when it boots. They could have at least tried.
I contacted the TSA at my earliest opportunity from overseas, when we found the laptops missing and figured out what must have happened. The only contact point they give is a phone number, which is very inconvenient for international travelers. It does, at least, give an email address in its answering message, before it drops you to a voice mail box with no opportunity to ever speak to a human being. I sent an email to that email address immediately (rather than paying through the nose to leave a message on the cell phone from which I was calling) describing our laptops and asking what I should do to get them back.
I got no reply in the next day, even accounting for time zone differences. So I called back (by this time I’d established a way to call that only cost me about 25 cents per minute) and left essentially the same information with both my email address and a callback number with voicemail that I could check online. Again, no reply for a day or more. I emailed again, a shorter message with little more than contact information and a brief description of the laptops (in case the TSA agent at the other end just didn’t have the patience and/or literacy to read through my detailed description from before). No reply to that, either. So I called again, and left a very terse and somewhat annoyed message. About a day after that, I got a reply to my second email.
The reply to my second email showed that nobody had read my first email (or at least, not connected the two), because it asked for some of the information from that email. Essentially, they said that they had some items that might be the property I was describing, but that I would have to give them identifying information for the lost laptops so that they could verify. At that point, and only at that point, would they let me know what my options were. Fortunately I was able to determine uniquely identifying information for both machines, and after another annoying delay the TSA confirmed that they had my laptops in their possession and that I might be able to actually get them back. More than a week had gone by, so sending them to catch up with us was no longer reasonable, but sending them home looked plausible.
For other people who might be in this position, the process for getting lost items back from the TSA (at least, from the TSA screening areas at JFK, which may not be consistent across airports) is as follows:
- Identify your property by general description and specific identifying information (such as serial number, property tag, information visible at boot time, account password[2], etc.) in an email or voicemail to the TSA.
- Once you receive confirmation that your item(s) have been found (along with some sort of property tracking numbers), create a FedEx account with a nine-digit account number. The TSA requests that you verify that this account number can be used to purchase shipping supplies, but I really couldn’t get anything but useless form responses from FedEx about this — and then it worked when they did it.
- Send the FedEx account number along with a shipping address to the TSA, including the property numbers you received and some shipping instructions (such as whether to send overnight, three day, etc.).
- Wait and pray.
Creating a FedEx account from overseas and configuring payment methods was a real pain; I assume this is because they assume fraud, which I appreciate, but still. There appeared to be no way to prove legitimacy, setting up payment information simply failed with no explanation. The reason I believe overseas connectivity was the problem is that I was able to set up an account using an SSH tunnel back to a VPS in the US as a proxy. (If you don’t know about ssh -D <port>, look it up now.) With that in hand, I completed the list above. The TSA never contacted me again to let me know that my laptops were shipped, or even to confirm that both items had been identified. I had reason to believe they had shipped only because I received notification from FedEx that an item had been shipped on my account.
If we fast forward a couple of weeks, we get to receipt of the laptops. When I received them, they were ludicrously poorly packed. The two laptops were individually wrapped (reasonably well, fortunately, for this is the only thing they did right) in bubble wrap, and then very loosely (by very loosely, I mean such that they could be separated by about 12") bound together with bubble wrap and packing tape ... and dropped in a box that could have held literally six or eight such bundles, and enclosed a volume of ten or more.
I’m not sure I’ve ever seen a more irresponsible or poorer packing job, and certainly not from anyone who should be handling their packing professionally. If there’s any clearer sign of the incompetence and general lack of professionalism at the TSA, I don’t know what it might be — unless it’s reducing elderly, minor, or infirm passengers to tears with invasive and demeaning “security” procedures, of course.
Now that the story of what happened and how it was mishandled is out of the way, let’s move on to what can be learned from this. Some of it is obvious, and even things I already knew (or should have known).
- Protect your data. This seems obvious, but I know that many people don’t follow it. Both the operating system and my data are encrypted on my laptop. Unfortunately, the entire chain of bootup can’t be completely trusted, because a) I have no way to trust the BIOS, and b) the boot partition must be unencrypted (though, once booted, preferably from external media, I can verify that it is unchanged via my package manager), but at least I can have some reasonable assurance that my data was not stolen.
- Mark your property, and retain serial numbers. I was able to get my laptop back only because I just happened to have one of the uniquely identifying items on its serial number plate. I don’t have that for most of my other electronics. I plan to get property tags of some sort for large and expensive items. I know several people who do so, and it now seems prudent. I keep serial numbers for all sorts of things for insurance purposes, but it honestly hadn’t occurred to me to keep them for travel purposes. I don’t know why not.
- Carry duplicates of important data in separate luggage. I had carefully copied a fair amount of data that I knew I was going to need abroad to my laptop before departing ... which did me zero good when it was left behind in the US. I should have had an extra copy on a USB drive or similar medium, possibly checked in my luggage (and encrypted, of course). As it is, I wasted a fair amount of time dragging several hundred MB or more of data across the Atlantic and through a poor cellular connection.
- Bring a second computing environment with you. I don’t mean another laptop (that would have been lost, too), but something like a live USB disk. When you get where you’re going, it’s entirely possible that you’re going to find yourself in a primitive and unhospitable land with no access to anything but (for example) Windows. I spent another large chunk of time creating an environment in which I could work without reinstalling a borrowed machine. Checking a cheap (and therefore reasonable to subject to the vagaries of airline baggage handlers) machine such as a Chromebook or older netbook might be a reasonable solution, as well. For my own part, I plan to customize an Ubuntu live USB and put it in a different carry-on from my laptop.
So when all is said and done, I have my computer back, my data is intact and safe, and all I’m out is a few hours of backing up and restoring. I was due for release upgrade, anyway. One could claim that the above criticisms are first world whining, but I strongly disagree. If my laptop had been randomly lost in an airport somewhere because I set it down, then I would consider the successful recovery a lucky victory. The fact that the only reason it was out of my bag was for flawed and ineffective security theater, and that the only reason I left it behind was that I was pulled aside for additional theater, changes the equation. Instead of an unhappy accident with a happy ending, we arrive at an unacceptable travel interruption and onerous burden of loss with a bungled response.