Jan 20 2025

UK “Electronic Travel Authorization” sets a bad example

Effective January 8, 2025, the United Kingdom began requiring citizens of the USA and most other countries who previously could enter the UK without visas for short visits for tourism and some other purposes to obtain a so-called Electronic Travel Authorization (ETA) as a new precondition for admission to the UK for those purposes.

The UK ETA is significant both in its own right and as a case study in what’s wrong with similar requirements and systems already in effect in other countries, including the USA, Canada, Australia, and in preparation in many more countries including all members of the European Union.

The requirement for an ETA is intended for a pupose fundamentally contrary to international treaties on aviation and the rights of refugees, and has been implemented in ways that facilitate surveillance of ETA applicants and arbitrary control by a few private companies of who can and who can’t travel to the UK.

We hope the EU and other countries will learn from and avoid, not emulate, this bad example set by the UK.

The UK ETA system is not the first of its kind, but it’s the first that most US citizens, except those who have traveled to Australia, will encounter. US citizens don’t generally see what foreign citizens have to go through to enter the US, even as tourists or in transit. And US and Canadian citizens visiting each other’s countries are exempt from the electronic travel authorization requirements that their governments apply to visitors from other countries.

But while it may be a new experience for US citizens, the UK ETA is similar to what’s already required for most tourists and short-term business visitors to the USA, Canada, or Australia. And the UK ETA is similar to the system that the EU plans to roll out for citizens of the US, Canada, UK, and many other countries.

Australia pioneered this concept with its ETA system, beginning in 1996 (and modified several times since them). The USA launched its ESTA system, modeled on the Australian ETA, in 2009. Canada followed with its eTA system in 2016. Now the UK is rolling out its similar ETA system in 2025.

The EU EES and ETIAS schemes were planned to go into operation several years ago, sooner than the UK ETA, but have been postponed repeatedly. The most recent announcement by EU authorities is that EES — a system for collecting mug shots and fingerprints of visitors to the EU, as the US already does with visitors —  will be launched sometime in 2025, and ETIAS — an electonic travel authorization like the US ESTA and the UK ETA — will go into effect six months after the EES launch. (The EU is also considering a related system for a “travel permission app” with problematic implications.)

Acronym soup and national variations aside, what’s an ETA? How do ETA requirements violate international law? What’s wrong with the way the UK has implemented its ETA program? Read More

Jan 15 2025

Maine may stop complying with the REAL-ID Act

A bipartisan group of six Maine state legislators has introduced a bill, L.D. 160, which would repeal all of the provisions of Maine law enabling the state to issue driver’s licenses and state ID cards potentially compliant with the REAL-ID Act of 2005.

L.D. 160 was introduced yesterday and immediately referred to the Joint Committee on Transportation. No hearing on the bill has been scheduled yet.

According to a report by Randy Billings in the Portland Press-Herald, State Rep. Laurel Libby (R-Auburn), the lead sponsor of L.D. 160, says of the REAL-ID Act that, “It’s expensive. It puts Mainers’ privacy at risk. It doesn’t protect us from terrorism.”  Rep. Libby is joined by five Democratic co-sponosrs of L.D. 160. (News reports are separate from editorials, but the Press-Herald has previously editorialized that Congress should repeal the REAL-ID Act.)

Read More

Jan 14 2025

TSA issues new non-rules for REAL-ID

Today the Transportation Security Administration (TSA) published new regulations for the REAL-ID Act in the Federal Register, finalizing a bizarre and clearly illegal proposal the agency made in September 2024.

The new TSA regulations leave it even more unclear than before who the TSA will allow to fly without ID, and who it will prevent from flying without ID, after May 7, 2025.

Rather than establishing standards applicable to demands for ID by all Federal agencies, the new TSA regulations purport to authorize the TSA itself as well as other Federal agencies to establish agency-specific plans for selective enforcement of REAL-ID Act requirements.

These “graduated enforcement plans” will be regulations in all but name, and the TSA seems to think that they  will have the force of law. But these graduated enforcement plans won’t be standardized, and may vary from agency to agency, contrary to the plain mandate of the REAL-ID Act for the Department of Homeland Security to promulgate standards for ID applicable to all Federal agencies.

“Graduated enforcement plans” will be promulgated summarily, solely by posting on different Federal agency websites, without notice, opportunity for public comment, or publication in the Federal Register. In effect, the TSA is trying to opt itself and all other Federal agencies out of the most basic  transparency, procedural, and due process requirements of the Administrative Procedure Act (APA).

In its analysis of the 11,000 comments submitted in response to its Notice of Proposed Rulemaking  (NPRM), the TSA acknowledges our objection to its attempt to re-delegate rulemaking authority to other agencies and opt out of APA requirements. But the TSA claims that “graduated enforcement plans” posted on agency websites won’t be “regulations”, even if they are claimed to authorize decisions about who can and can’t exercise rights.

The TSA also brushes off a wide range of Constitutional and statutory objections to the proposed regulations as “outside the scope of this rulemaking”.

It remains to be seen whether the new REAL-ID regulations will be challenged on APA and/or other grounds.

In response to our objection to statements in (NPRM) implying that after the effective date of the new regulations ID would be required to fly, the TSA says  as follows:

Upon full card-based enforcement, TSA may not accept noncompliant State-issued DL/IDs at security screening checkpoints for the purpose of boarding federally regulated commercial aircraft. This rule does not otherwise effect TSA’s policies related to acceptable forms of identification and identity verification.

If this is true, it means that the procedures for travel without ID (as distinct from any procedures for travel with noncompliant state-issued ID) won’t change.  But we won’t know for sure until after May 7, 2025, how the TSA will deal with air travelers without any ID.

Read More

Jan 06 2025

Human Rights and “Countering Terrorist Travel”

In late 2023 the U.N. Special Rapporteur on Counter-Terrorism and Human Rights released perhaps the most significant independent assessment to date of the human rights implications of travel surveillance and control.

The Special Rapporteur’s report was released without publicity on the next-to-last day of the Special Rapporteur’s term. Aside from an article by Statewatch, it got little notice.

A year later, an update from Privacy International reminds us of the Special Rapporteur’s report and calls attention to how little its recommendations have been heeded — and how urgently important they remain.

The Special Rapporteur’s report provides both a call to action and an analysis of travel surveillance and control as a human rights issue.

The report by Special Rapporteur Fionnuala Ní Aoláin and her staff reviewed the U.N. Countering Terrorist (CT) Travel Programme and the goTravel software being provided by the U.N. to its member states for them to use in monitoring and controlling travel worldwide on the basis of airline passenger manifest (API) and reservation (PNR) data.

This wasn’t the first time that the Special Rapporteur has addressed the use of API and PNR data for travel surveillnace and control. But it was the most detailed assessment by to date any of the U.N. human rights bodies of the system of travel surveillance and control based on airline reservations against the norms of international human rights law. The Special Rapporteur’s report addressed privacy — the focus of the recent follow-up by Privacy International — but also other human rights including, perhaps most importantly, the right to freedom of movement.

In the considered judgement of the Special Rapporteur as the holder of the relevant human rights mandate within the U.N. framework, this system fails the test of human rights law. “The roll-out of the system must be paused and an urgent review initiated”:

This position paper carries out an in-depth analysis of human rights implications and concerns associated with the CT Travel Programme and its promulgation of goTravel. The position paper demonstrates how UNOCT and its UN implementing partners appear to be failing to adequately mainstream human rights in the development of the underlying system for collection, use, and sharing of API/PNR data, and how the system which is now being rolled out internationally at pace, risks squarely contravening international law, particularly international human rights law, in multiple respects….

The CT Travel Programme’s API and PNR collection and sharing system was never designed with human rights in mind. It is marked by ad hoc thinking and the absence of rigorous analysis of how the technology and the international framework for data sharing it facilitates could be designed and operated in a manner which complies with relevant legal obligations, particularly international human rights law. The absence of that analysis has led to a situation in which the UN is now directly implicated in an approach to API and PNR data collection and sharing being rolled out globally which risks placing immensely powerful tools in the hands of States which may misuse them, intentionally or inadvertently, to jeopardize human rights, without any evidence of sufficient prior vetting, and without any practical or legal recourse to prevent or sanction such misuse….

The current UN approach to API and PNR data collection and sharing which is facilitated by the UNOCT and UN implementing partners in the CT Travel Programme and go Travel software platform represents a profound human rights risk and a serious reputational risk for the UN itself.

The Special Rapporteur’s report notes, with appropriately grave concern, that the U.N. itself has mandated — as we have reported — that the government of each U.N. member state must establish an airline passenger surveillance and control agency (“Passenger Information Unit”), compel airlines to provide the government with mirror copies of airline reservations (PNRs), and make that data available on request to all other U.N. members.

Read More

Dec 16 2024

Identification as the enabler of ID-based surveillance and control

Edward Hasbrouck of the Identity Project was a guest today with Prof. David Farber (Keio Univ. Cyber Civilization Research Center) and Prof. Dan Gillmor (Arizona State Univ.) for the CCRC / IP-ASIA weekly online gathering on current issues, discussing the expansion of demands for ID, identification as a service provided by the government to commercial entities, the evolution of ID-based surveillance and control, and the human rights work of the Identity Project:

  • How do demands for ID enable ID-based surveillance and ID-based control of offline and online activities, including predictive “pre-crime” controls?
  • When are we required to identify ourselves ourselves or submit to automated identification?
  • How is this changing?
  • What can we do about it?
  • Invitation and Zoom link
  • Slides
Dec 09 2024

Public/private partnerships for financial surveillance

[Email from the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury to some of its banking industry partners forwarding list prepared by Mitsubishi United Financial Group (MUFG) of vendors at DMV (DC, Maryland, and Virginia) airports, train stations, and bus stops, to target reporting of purchases at these locations as “suspicious” .]

The House Committee on the Judiciary and its Select Subcommittee on the Weaponization of the Federal Government have released a ground-breaking report on their investigation of what they describe — accurately, we think — as “the coordination between Big Banks and Big Government” in financial surveillance.

The Judiciary Committee and Subcommittee’s latest report on financial surveillance as well as their earlier interim report on the same issue are part of their broader inquiry into the investigative tactics used in the aftermath of the storming of the US Capitol  on January 6, 2021.

Partisan criticism of the Weaponization Subcommittee may lead to some skepticism or dismissal of its report and recommendations. But that would be a mistake, regardless of what anyone thinks about the Weaponization Subcommittee in general. The report is thoroughly researched and its sources are well documented. It’s based on interviews with witnesses from goverment agencies and the banking industry and tens of thousands of documents provided in response to Congressional subpoenas.

The report on financial surveillance uses the post-January 6th investigation only as a case study. The practices it reports on could have been, and still could be, used against any of us, regardless of party or affiliation (if any). They shouldn’t be used against anyone, even the most stigmatized individuals and groups. What we allow to be done to our enemies, or anyone’s enemies, could be done to any of  us. The report deserves bipartisan public attention and calls for bipartisan action by Congress.

As we’ve noted in surveying what’s likely to lie ahead in demands for ID and ID-based surveillance and control of our real-world and virtual movements and activities, it’s all too easy and all too common for otherwise-principled civil libertarians to allow their distaste for particularly reviled individuals to blind them to the bad precedents being set by the investigative and prosecutorial tactics used against those stigmatized defendants.

We can’t afford to be sanguine about violations of anyone’s rights. The government’s response to the events of January 6, 2021, was a textbook example of the way that unsympathetic defendants are exploited to expand the norms of permissible and publicly-tolerated investigative and prosecutorial practices that can later used more widely.

After January 6th there were misguided calls to add everyone involved in the storming of the Capitol (and perhaps also anyone suspected of possibly having been involved) to the million-and-a-half names already on the US government’s no-fly list — by summary, secret, extrajudical administrative action. It’s unclear whether, or to what extent, that was done. That remains an open question, as does the larger question of how no-fly decisions are made. We hope that the  Weaponization Subcommittee and the Subcommittee on the Administrative State will look into these questions during the next session of Congress.

Suspects were targeted for prosecution after January 6th based on what may have been the most extensive use to date in any single investigation of geofence warrants for cellphone location data. Those general warrants were used not to obtain evidence pertaining to individuals who there was already probable cause to suppect of crimes, but to trawl through records of hundreds of millions of innocent cellphone users to find individuals to place under suspicion based on where their cellphones were logged by Google as having been on that day. Challenges to the Constitutionality of these general warrants for dragnet searchess were all — so far as we can tell — dismissed by the judges hearing these cases.

But that’s not all. The latest Judiciary Committee report shows how logs of routine, entirely legal, financial transactions were subjected to warrantless scrutiny and data mining by banks and financial services providers collaborating with government investigators, and used as the basis for placing individuals under suspicion.

The FBI encouraged banking companies to “voluntarily” submit Suspicious Activity Reports (SARSs) to  the Financial Crimes Enforcement Network (FinCEN), the police division of the Department of the Treasury. These SARs were used to finger to FinCEN as “suspicious” anyone who had engaged in such mundane activities as taking money out of an ATM, buying a meal at an airport, or paying for a hotel or AirBNB anywhere in the DMV (DC, Maryland, and Virginia) area on January 6th or the days before or after:

To be clear: these transactions were, in and of themselves, entirely legal, and weren’t in and of themselves in any way suspicious. They didn’t create probable cause to believe that each such individual was likely to have committed any crime, and they wouldn’t have provided sufficient basis for the issuance of a search warrant. These SARs were used not to investigate people who were already suspected of crimes, but to identify new individuals to be extrajudically placed under suspicion and investigated without probable cause.

Once submitted to FinCEN, these SARs are available for individual search and retrieval by tens of thousands of government agents, without the need to apply for a warrant. SAR data is also exported in bulk by FinCen for import into other agencies’ data mining systems.

Read More

Dec 06 2024

Court stays deadline for IDs and mug shots of corporate principals

A Federal District Court in Texas has issued a nationwide injunction against enforcement of the Corporate Transparency Act (CTA) of 2021.

This injunction is only temorary, pending a decision by the court on the merits of a lawsuit challenging the Consittutionality of the law, which could take months or years. But until that ruling, the preliminary nationwide injunction stays the January 1, 2025, deadline for officers and owners of all types of corporations to obtain ID documents from government agencies and submit copies of those documents, including photos, to the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury.

Another US District Court in Alabama has already ruled that the Corporate Transparency Act is unconstitutional. But that ruling only applied to the plaintiffs in that case.

The Texas District Court’s detailed ruling on the motion for a preliminary nationwide injuction focuses primarily on issues of federalism. It doesn’t mention the issue of corporate officers or owners who don’t have any of the required ID documents, or the implications of requiring  mug shots as well as document numbers and other written information.

The government argued that the plaintiffs in the case against the CTA had not suffered sufficient damage to give them a cause of action, because the reporting burden would be “de minimus” (minmal). The Court rejected that argument, noting that, according to the regulations implmenting the CTA reporting requirement, ” FinCEN estimates that the total cost of filing BOI [Beneficial Owner Information] reports is approximately $22.7 billion in the first year and $5.6 billion in the years after.”

The Court noted with a footnote that, “FinCEN also estimates that it will take approximately twenty minutes to read a beneficial ownership report form and understand it, thirty minutes to collect information about a company’s beneficial owners, and twenty minutes to fill out and file the report, resulting in a seventy-minute endeavor. But the Court notes that as a practical matter, it takes far longer than seventy minutes simply to read the CTA and Reporting Rule alone.”

What we find espcially significant and encouraging in this ruling is that it recognizes explicly that requiring ID is a law enforcement and investigatory device — as FinCEN’s very name, the Financial “Crimes Enforcement” Network, makes clear:

In other words, the CTA is a law enforcement tool—not an instrument calibrated to protect commerce; an exercise of police power, rather than a regulation of an activity…. The CTA regulates reporting companies, simply because they are registered entities, and compels the disclosure of information for a law enforcement purpose.

The Court rightly rejected the government’s argument that mandatory reporting of identifying information (and photos, although that wasn’t mentioned) about all corporate principals is “useful” for law enforcement. Unconstitutional general warrants, dragnet surveillance, or suspiconless, warrantless, house-to-house searches would undoubtedly enable the government to find evidence of crimes, some of which would otherwise have gone undetected, in many homes. But the effectiveness of these police tactics, from the point of view of the police, does not make them Constitutional.

FinCEN hasn’t updated its website yet to mention the nationawide injunction. The Texas case and other legal challenges to the CTA remain pending, and the injunction is likely to be appealed. For now, however, you can ignore the CTA reporting requirements and the January 1, 2025, compliance deadline.

Dec 04 2024

CBP facial recognition is a service for the airline industry

After five years of foot-dragging in responding to our Freedom Of Information Act (FOIA) request, US Customs and Border Protection (CBP) has finally released the pitch it made to the Future Travel Experience airline industry conference in 2019 on why airlines and airport operators should “partner” with CBP on automated facial recognition of airline passengers.

CBP claims in its presentation that “THIS IS *NOT* A SURVEILLANCE PROGRAM”. Its vision, however, is for CBP’s Traveler Verification Service (TVS) facial recognition system to provide automated identification of travelers at every stage of their journeys.

Airlines and airport operators won’t need to operate their own facial recognition software or databases. CBP will do that for them, allowing them to use TVS (which “integrates into airport infrastructure”, CBP boasts) for any of their business process automation, traveler profiling, personalized pricing, etc. purposes. Airlines and airport operators won’t need to store mug shots, since CBP will re-identify travelers for them as often as they want.

And that’s not all. The TVS facial recognition service will also be made available to cruise lines, bus companies, etc., to automatically identify travelers using all modes of transportation:

CBP will use a traveler’s face as the primary way of identifying the traveler…. This will create the opportunity for CBP to transform air travel by enabling all parties in the travel system to match travelers to their data via biometrics, thus unlocking benefits that… enhances the entire traveler experience.

The CBP “Biometric Pathway” will utilize biometrics to streamline passenger processes throughout the air travel continuum, and will provide airport and airline entities with the opportunity to validate identities against DHS information systems using the data available. CBP will partner with airlines, airports, and TSA to build a device independent, vendor neutral back­end system called the Traveler Verification Service (TVS) that allows for private sector investment in front end infrastructure, such as self­service baggage drop off kiosks, facial recognition self­boarding gates, and other equipment; this service will ultimately enable a biometric­ based entry/exit system to provide significant benefits to air travel partners…. The TVS will also be able to support future biometric deployments in the land and sea environments and throughout the traveler continuum. Figure 4 shows the different environments and touchpoints that will interact with the TVS.

Let’s make a deal”, CBP says to airlines and airport operators. “You provide the camera infrastructure embedded in passenger terminals at airports, and we’ll provide the facial recognition service.” It’s a Faustian bargain in which travelers are the losers, but already by 2019 many airlines and airports had taken CBP up on its offer. In the five years since, many more airlines and airports have joined CBP as collaborators in traveler identification, surveillance, and tracking.

Read More

Dec 02 2024

DEA pays airline staff to target innocent travelers

In response to a scathing report by its Office of the Inspector General (OIG), the US Department of Justice has directed the Drug Enforcement Agency (DEA) to suspend most of its suspicionless “consensual” questioning and searches of travelers at airports and in other transportation facilities, pending an internal review of these practices.

For years, DEA agents, sometimes in partnership with local law enforcement task forces, have been searching travelers in ways that make travelers think that they are being detained and are legally required to submit to searches and answer questions.

The OIG report stops short of calling for an end to these “consensual” searches and interrogations, but is pausing them indefinitely. According to the report, “the Deputy Attorney General (DAG) issued a memorandum directing the DEA to suspend the program until an assessment is completed, identified concerns addressed, and the DAG approves resumption of tbe program.”

Much of the OIG report concerns procedural and training issues. The DEA has failed to keep its previous promises (1) to train its agents on travelers’ rights before sending them into airports to stop, question, and interrogate travelers, without probable cause to suspect them of crimes, and (2) to keep records of these “consensual” encounters with travelers.

The lack of records makes it harder to tell whether DEA agents have been engaged in profiling on the basis of race or national origin.

The OIG also found that DEA agents didn’t wear body cameras. If you want a record of what happens, film the police yourself if you are stopped, questioned, or searched.

Even in the absence of demographic data about which travelers were stopped, searched, and questioned, or bodycam recording of these interactions, the OIG found evidence of continuing disregard for travelers’ rights:

[P]roceeding with such interdiction activities… creates substantial risks that DEA SAs [Special Agents] and TFOs [Task Force Officers] will conduct these activities improperly [and] impose unwarranted burdens on, and violate the legal rights of, innocent travelers.

The goal of these “consensual searches” is to find and seize cash, not drugs, from travelers. Rather than being based on suspicion of crimes, they are based on suspicion of carrying cash. Airline staff are given a cut of the seized cash to finger passengers to be stopped by DEA agents in the hope that they will “consent” to searches so that any cash that is found on their person or in their luggage can be seized: Read More

Nov 25 2024

Do you need ID to read the REAL-ID rules?

[“The welcoming, friendly and visually pleasing appearance” of the TSA’s headquarters at 6595 Springfield Center Drive, Springfield, VA.]

We spent most of a day last week outside the headquarters of the Transportation Security Administration (TSA), trying and failing to find out what the rules are for the TSA’s new digital-ID scheme.  What we did learn is that, by TSA policy and practice, you can’t read the REAL-ID rules, get to the TSA’s front door, or talk to any TSA staff unless you already have ID, bring it with you, and show it to the private guards outside the TSA’s gates.

The problems we have faced just trying to get access to the text of the TSA’s rules raise issuess about (recursive) incorporation by reference of third-party, nongovernmental text in regulations, secret law, and access to Federal services and rights by those without ID, as well as the underlying issues of REAL-ID, mobile driver’s licenses, and digital IDs.

In late October, as we’ve previously reported, the TSA issued a final rule establishing “standards” for smartphone-based digital IDs that would be deemed by the TSA to comply with the REAL-ID Act of 2005. These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.

The standards themselves — the meat of the TSA’s rule — weren’t published in the Federal Register or made public either when the rule was proposed or when it  was finalized. Instead, thousands of pages of documents from private third parties were incorporated by reference into the TSA’s rules, giving them the force of law, on the basis of false and fraudulent claims — the falsehood of which was easy for anyone who checked to verify — that they were “reasonably accessible” to affected individuals.

Secret laws are per se a violation of due process, and should be per se null and void. How can it be that “ignorance of the law is no excuse” if the government has kept you ignorant of the law, even when you try to find out what the law says?

You shouldn’t need ID to read the law, just as you shouldn’t need ID to travel by common carrier. But the TSA doesn’t seem to have read the Constitution.

Read More