Papers, Please!

A report from the Colorado State Auditor reveals that the state DMV’s data security system is so flawed that it puts the personal information of 3.4 million driver’s license and state ID cardholders at risk of identity theft or fraud. The State Auditor told the Colorado legislature that, among other things, the Colorado DMV “does not have adequate processes for mitigating the risk of employee-perpetrated fraud or measuring the effectiveness of its improvements to the issuance system” and “the Department’s management of information security is fragmented, disorganized, and poorly planned.”

The State Auditor explained that the DMV transmitted large batches of personally identifiable data unencrypted. “These batch transmissions could be intercepted by unscrupulous individuals and expose Colorado residents to identity theft and other criminal activity.” A significant problem is that “the Department lacks a tracking mechanism for collecting and analyzing statistics on the effectiveness of its controls for preventing fraudulent issuances [of licenses or ID cards]. As such, the Department cannot determine whether additional controls or system enhancements are needed.”

Under the REAL ID national identification system being pushed by the US Department of Homeland Security, the databases of 56 states and territories would be linked, allowing any individual state to access all of the others’ information. This massive, centralized system would include the personal data of 245 million license and ID cardholders nationwide. It would be a tempting target for identity thieves, because if a criminal could break just one state’s data security system, then he would have access to the sensitive data retained by all 56 states and territories.

In a series of posts in their blog, the TSA has expanded on its claimed authority for the changes to “ID verification procedures” announced in a press release last month.

Lawmaking by press release exemplifies the evils of “secret law” which the Supreme Court declined to consider in Gilmore v. Gonzalez. The TSA now says that, “Our position is that Gilmore v. Gonzalez affirmed our ability to require ID for transportation via air and the law that formed TSA, the Aviation and Transportation Security Act (ATSA) empowers the TSA to make these decisions.”

In fact:

1. The 9th Circuit Court of Appeals in Gilmore v. Gonzalez reached its decision without addressing whether it would have been permissible for the airline or the TSA (or anyone else) to require Mr. Gilmore to show evidence of his identity, or to prevent him from travelling if he failed to do so. The court found that, as of that time and in that particular case, Mr. Gilmore could have flown without showing ID.
2. The section of the statute cited by the TSA in its press release and blog grants the TSA authority to issue certain regulations. But such regulations must be issued in a particular way, published in the Federal Register for comment, etc. Whatever they have done in secret, the TSA has not, in fact, issued any actual “regulations” requiring would-be passengers to display evidence of their identity, or to answer questions related to their identity.
3. If the TSA were to promulgate such regulations, they would exceed the authority granted by the statute cited by the TSA, which defines TSA authority to limit access to “sterile” areas in airports as limited to screening for weapons, explosives, and incendiaries — not absent or unsatisfactory evidence of identity.
4. Finally, any statute purporting to grant the TSA such authority — were one to be enacted, which it hasn’t been — would have to pass muster under both Constitutional and international human rights treaty standards.

So the question isn’t what authority the TSA has to issue regulations for screening, but what authority they have to compel answers to questions, to compel production of documentary evidence, or to prevent or delay people from travelling, in the absence of regulations or statutory authority for such actions.

But that’s not all. The TSA’s new “procedures” may violate several other laws:

1. Pursuant to the Regulatory Flexibility Act, an agency may not conduct, and a person is not required to respond to, a collection of information unless the collection of information displays a valid control number assigned by the Office of Management and Budget following publication of the proposal for the information collection in the Federal Register, and an opportunity for public comment. We haven’t seen any OMB control number on any TSA signs requesting the collection of either ticket or identity document information, and we can find no record of any Federal Register notice of a TSA proposal to collect either sort of information from travellers. If the TSA asks you to complete any sort of ticket or identity verification form, look for the OMB control number. If there is one, let us know what it is. (We’d love to see a copy of the actual form as well.) If there’s no OMB control number, politely remind the TSA that they aren’t allowed to collect this information, and you aren’t required to provide it.
2. Under the Privacy Act, it is a crime for a Federal employee to operate a system of records without providing notice — both in a System of Records Notice in the Federal Register, and when requesting information from individuals — of the authority for the system and the ways the information will be used. We haven’t seen any Privacy Act notices being provided to travellers when they are asked to show their tickets and identity documents, and we can’t find any record of a SORN in the Federal Register for any system of records of tickets or passenger ID for domestic flights within the US. If this information is to be recorded, ask to see a Privacy Act notice for what system it will be stored in and how it will be used. (if you can get one, please send us a copy of this notice.) And remind the TSA politely that anyone who is storing it without such a published notice is committing a Federal crime.
3. The TSA has admitted in their blog that they are using “public source” information about would-be travellers to determine whether to allow them to fly. But under Section 513 of the Consolidated Appropriations Act, 2007 (P.L. 110-161, H.R. 2764), “(d) … (a), no information gathered from passengers, foreign or domestic air carriers, or reservation systems may be used to screen aviation passengers, or delay or deny boarding to such passengers, except in instances where passenger names are matched to a Government watch list.” It’s unclear if the new TSA identity verification procedures are limited to passengers whose names match those on watch lists, but it seems unlikely. So if you are stopped or delayed by the TSA, on the basis of the information you have provided (including on the basis of that infomation being nonexistent because you decline to provide it, as any attorney would probably advise you to decline to do), remind the TSA that they are forbidden by law from taking any such action without an actual match of your name with a watch list.
4. Perhaps most importantly, Section 513 of the Consolidated Appropriations Act, 2007 (P.L. 110-161, H.R. 2764), also provides that, “(f) None of the funds provided in this or any other Act may be used for data or a database that is obtained from or remains under the control of a non-Federal entity”. It’s unclear what exactly the TSA means by “public source” identity verification data, but if that data comes from a commercial source — as it likely does — and if the TSA has paid for it — as they likely have — they are breaking the law. (For what it’s worth, this is a slightly different sub-section of the latest version of the same law the TSA violated, and continues to violate, by operating their Automated Targeting System for international travel.)

We look forward to the TSA’s response to our FOIA request for more information about what the TSA is up to with this illegal scheme.

In a Notice of Proposed Rulemaking (NPRM) in the Federal Register on June 9, 2008 (73 Federal Register 32440-32453), the Department of Homeland Security has proposed a new system for foreign citizens intending to visit the U.S without visas, and to enter the U.S. by air or sea, to apply for and receive an additional form of advance permission to travel to the U.S.

Effective August 8, 2008, a person “intending to travel to the United States by air or sea under the VWP [Visa Waiver Program]” will be permitted to apply in advance for an electronic “travel authorization”(ETA) from the DHS Bureau of Customs and Border Protection (CBP). The ETA application will contain “such information as the Secretary [of Homeland Security] deems necessary to issue a travel authorization, as reflected by the I–94W Nonimmigrant Alien Arrival/Departure Form (I–94W).”

Effective as of a date the CBP intends to specify in another Federal Register notice in early November 2008, at least 60 days after the publication of that follow-up notice but no later than January 12, 2009, each person with such intent will be required to (1) provide certain specified personal information, in specified form, to the CBP in an ETA application and (2) “receive a travel authorization [from the CBP] prior to embarking on a carrier for travel to the United States.”

While the proposed regulations would require travellers to apply for and obtain ETA’s, nothing in the NPRM would require the CBP to respond to or act on such applications at all, much less to do so with any specified timeliness. No standards or criteria for approval, denial, or inaction on an ETA application are specified; no particular decision-making entity within CBP is specified; no administrative appeal is provided for; and no court would have jurisdiction to review an ETA decision (although courts could, of course, review the legality of the program as a whole).

The NPRM does not mention any enforcement mechanism for the ETA requirement, or any sanctions for noncompliance. Even if the CBP were later to seek to impose any sanctions for failure to apply for, or to receive, an ETA — for example, were they to seek to make possession of an ETA a condition of admission under the VWP — they would first need to seek Congressional action to grant them statutory authority. And any such statute, as well as any regulations later promulgated to implement it, would have to be consistent with US obligations under Article 12 of the International Covenant on Civil and Political Rights (ICCPR) and any other applicable laws and treaties.

The “Supplemantary Information” accompanying the proposed regulations in the NPRM states that “DHS … recommends that VWP travelers obtain travel authorizations at the time of reservation or purchase of the ticket, or at least 72 hours before departure to the United States, in order to facilitate timely departures.” But there is no mention of this “recommendation” in the actual regulations as proposed, although it was described as a requirement and a key feature of the ESTA in previous DHS public statements about the ESTA concept. Probably the change from a requirement to a mere “recommendation” for ETA’s further in advance was a response to the outrage by both travellers (especially business travellers) and the travel industry at the crippling effect on business and travel of a prohibition on last-minute travel.

But the change in the ETA deadline from the original concept leaves the CBP hard-pressed to explain what possible benefit the ESTA could have over the existing APIS requirement for the airline, cruise line, ferry, or other carrier to obtain CBP permission (in the form of an individualized “clearance” message) before issuing anyone a boarding pass or allowing them to board an airplane or vessel bound for the U.S. The NPRM (73 FR at 32451) acknowledges the extent to which the proposed ESTA duplicates this APIS function, and that the agency is unable to specify or quantify any security benefit likely to be derived from subjecting travellers, all of whom would already be subject to the APIS “clearance” requirement, to the proposed additional ETA requirement. Those are particularly noteworthy concessions in light of the CBP’s previous reluctance to admit that the APIS rules contain a travel permission, and its failure to acknowledge or respond to the critique of that permission requirement in our comments on the APIS proposals.

Whether a person is required to obtain an ETA depends on their intention at the time of their “embarkation” (the moment they step foot through the aircraft door or off the gangway onto a vessel) on a trip to the USA.  Only those who volunteer a specific intention, as of their embarkation, (1) to enter the US and (2) to do so under the VWP, are required to obtain an ETA.

The isue is whether a person has an actual intent to enter the US under the VWP, and whether there is sufficient evidence to establish such an intent. And all that matters is the genuineness of their intentions, not whether those intentions might be unreasonable, ill-founded, mistaken, or incapable of realization (for example, if they genuinely intend to enter the US on some other nonexistent or inapplicable basis, rather than under the VWP).

Those to whom the proposed ESTA rules do not apply, because they do not have (or cannot be shown to have) such a specific intent to enter the US under the VWP, include among others:

1. Travellers who decline to volunteer, prior to embarkation to the US, any statements or other evidence of their intentions (if any) with respect to entry to the US: Neither the proposed rules nor any statute obligates travellers to declare their intentions (if any) for whether, or on what basis, they intend to seek entry to the US, until they actually arrive at a a US port of entry and present themselves for admission.
2. Travellers who do not intend to enter the US, but intend merely to transit the US en route to another country: The US no longer makes any provision for such transit without visa (TWOV) and without formal “entry” to the US. But it’s the international norm, and every country currently participating in the VWP allows transits without visa by US citizens. So a great many foreigners, quite reasonably if mistakenly, expect the US to reciprocate, and present themselves at points of embarkation for the US without intending to “enter” the US at all. Some already have onward tickets from the US to other countries before they embark to the US, but some intend to buy tickets for the onward portion of their journey while in transit through the US.
3. Travellers who intend to seek to enter the US under any program or category other than the VWP: as long as their belief is genuine, it doesn’t matter whether any such program actually exists, much less whether they would be admissible under it. Someone, for example, who knows that they are unlikely to be admitted as a refugee, but who says sincerely, “I intend to apply as a refugee, and take my chances”, is exempt from the proposed ESTA requirement, as is someone whose actual intent is to apply for a visa on arrival (regardless, as long as their intention is sincere, of the fact that the US doesn’t issue visas on arrival).
4. Travellers who lack any specific intention with respect to the particular program or category, if any, under which they will attempt, once they arrive, to be admitted to the US. US citizens can be admitted to any of countries participating in the VWP without prior arrangement and without requesting admission under any particular program. Many citizens of such countries reasonably expect reciprocal treatment when they visit the US, and embark on trips to the US without giving any particular thought to whether they will be admitted, much less under which particular provision of US law. Someone who intends to tell the immigration officer on arrival, “I’m a tourist” or “I’m here on business”, and let the officer figure out how to categorize them under US law, is exempt from the proposed ESTA rules. Even someone generally aware of the procedures for entry to the US without visa, but unaware at the time of their embarkation that they comprise something called the “Visa Waiver Program” (something most visitors learn, if at all, only from in-flight literature and videos), is probably exempt from the proposed requirements.

Would-be terrorists or any other minimally skilled and knowledgeable malefactors, of course, will either keep mum about their intentions, disclaim any particular intention, claim to intend merely to transit the US without entry, or profess some plausible intention, other than entry under the VWP, the sincerity of which would be difficult or impossible for anyone at the point of embarkation (the doorway of the aircraft or top of the gangway of the ship) to disprove. So whatever else it will do, the ESTA as proposed will have absolutely no effect on any but the most inept terrorists or criminals.

The CBP lacks any staff at most foreign ports. And even in places where they are present (for example, at “preclearance” stations in Canada for US-bound travellers) their authority is limited (both by US law and by the agreements with Canada and other countries under which the preclearance facilities operate) to questioning relevant to admissibility to the US. Since an ETA is a travel authorization, not an authorization to enter the US, as the NPRM makes explicit, questions about ETA status are irrelevant to admissibility to the US and outside the scope of authority of CBP preclearance officers. Travellers thus may lawfully decline to answer such questions from preclearance officers, without penalty.

US laws (such as the Airline Deregulation Act of 1978) and a plethora of international maritime and aviation treaties that classify airlines and and ocean transportation lines as “common carriers” require them to transport anyone paying the fare in their published tariff and complying with their genral conditions of carriage, as filed with the governments between which they operate and as applied equally to all would-be passengers Nothing in existing law or treaties, or typical current conditions of carriage, authorizes such a common carrier to compel passengers to respond to interrogatories as to what they intend to do after they arrive at their destination, or to refuse them passage if they decline to specify any particular intention. Such authority could not be granted by US statute, but would require signing and ratification of amendments to numerous treaties.

(More research is needed as to whether such a requirement could permissibly be included in the conditions of carriage of a common carrier, or whether US government enforcement of such a condition would violate the Airline Dergulation Act, the assembly clause of the First Amendment, Article 12 of the ICCPR, or other laws. Similar issues would arise if common carriers tried to enforce conditions of carriage requiring passengers to present evidence of their identity.)

So if the ESTA would be unenforceable, have no effect on terrorists or other criminals, and would largely duplicate the exisitng APIS requirement for permission to travel, why has CBP proposed it?

Possible explanations are suggested by the following passage in the NPRM:

In conjunction with CBP’s final rule “Advance Electronic Transmission of Passenger and Crew Member Manifests for Commercial Aircraft and Vessels,” [previously referred to as the "Advanced Passenger Information System" or APIS rule] which was published in the Federal Register on August 23, 2007 (and became effective on February 19, 2008), DHS has been coordinating with commercial aircraft and commercial vessel carriers on the development and implementation of messaging capabilities for passenger data transmissions that will enable DHS to provide the carriers with messages pertaining to a passenger’s boarding status. A prospective VWP traveler’s ESTA status is a component of a passenger’s boarding status that has been introduced into the plans for implementing messaging capabilities between DHS and the carriers.

The reference to “has been coordinating … on the development and implmentation” (rather than “has developed and implemented”) and “plans for implementing messaging capabilities”, as well as the future tense in “will enable”, suggests that CBP and DHS might not yet have implemented the “clearance” system their own APIS rule required to be in effect by January 2008. That would be consistent with the absence of any published reports of actions being taken against would-be travellers under the APIS “clearance” system, or of any externally obvious changes in airline procedures to accommodate the need for APIS clearance prior to issuance of boarding passes.

One possibility is that the airlines were correct when they predicted (in their formal comments on the APIS proposal) that it would be technically impossible to implement the “clearance” scheme as quickly as was to be required by the APIS rules. The CBP might think that ESTA scheme, which puts the burden on the traveller rather than the airline to obtain CBP permission to travel, will be easier or quicker to implement, or less disruptive of airline and travel industry practices.

A second possibility is that the CBP might not have chosen to put the APIS scheme into effect, or at least not to try to use it to deny boarding to otherwise qualified would-be travellers, out of concern that it would not withstand legal challenge on grounds such as those raised in our comments on the APIS proposal. The CBP might prefer to establish the precedent for a permission-based system of travel control with the ESTA scheme, which unlike the APIS rule (A) affects only non-US citizen, non-immigrant visitors, who have fewer legal rights in the US than citizens and resident immgrants, and (B) determinations under which have been exempted by statute from judicial review (although the legality of the ESTA law and implementing regulations remains subject to Federal court jurisdiction ).

Yet a third possible reason for the duplication of the APIS clearance requirement and the ESTA is that the CBP may not have wanted to call the attention of Congress to the APIS “clearance” rules, when Congress was debating the ESTA law, lest this also bring to the attention of Congress the fact that CBP had promulgated the APIS “clearance” travel permission scheme without statutory authority. This wasn’t the first time the DHS has acted first to exert controls on travel, and only looked for legal authority after the fact. But the CBP may have thought it easier to go along with the ESTA mandate than to ‘fess up to the fact that they had already exceeded their authority by doing essentially everything it required, and a great deal more, for all international travellers to, from, or via the US, under the APIS rules.

The only international precedent for the ESTA proposal in the US is an ETA scheme that has been in use since 1996 by the Australian government. As with ETA’s for Australia, ETA applications for travel to the US would be made either through a government Web site, through aninterface between the CBP and the computerized reservations system (CRS’s) used by airlines and travel agencies, or through other third-party for-profit intermediaries. No restrictions have yet been proposed for what secondary usage airlines or other third parties could make of personal information given to them for the purpose of processing ETA applications for the US, just as there currently are no restrictions on what they can do with the information clients “give” them in order to apply for ETA’s for Australia. Unless that changes, they will be free to retain, use, or sell this personal data. Technical problems — some of them inherent in the basic concept — routinely result in travellers being denied passage to Australai when they would probably have been admitted if they had they been able to reach the port of entry in Australia, while others receive ETA’s and arrive in Australia only to find out that they are inadmissable. Similar inequities, on a larger scale, are likely to occur if the ESTA propsal goes into effect in the US.

Public comments on the ESTA proposal are being accepted by the CBP through August 8, 2008.

The massive U.S. terror watchlists will soon add their one millionth name and the ACLU will mark the day with an event on July 14th at the National Press Club involving innocent individuals who have been wrongly matched to the terrorist watchlists. The ACLU gets the one millionth number from a Department of Justice Inspector general report that said the watchlists included 700,000 names in April 2007 and the lists were growing by 20,000 names per month.

The Transportation Security Administration recently stated on its blog, “While the exact number of ‘no-flys’ is secret, there are many, many less than 500, 000.” The agency did not point to any documentation, merely asking the public to believe its numbers. The agency also did not estimate the number of individuals on the “selectee” list.

The Terrorist Screening Center maintains two terrorist watchlists, the “no fly” and “selectee” lists. Individuals on the “no fly” lists are deemed too dangerous to fly by the U.S. government. Individuals on the “selectee” lists must endure more invasive security screening before they are allowed to fly by the U.S. government. How individual names are added to the list is unknown. The government claims there is a redress process for individuals who are “mistakenly matched” to the watchlists, but it is cumbersome and opaque.

A number of innocent individuals including a nun, Senator Ted Kennedy, and former presidential candidate John Anderson have all been wrongly deemed suspects. Have you been caught in the watchlist web? Tell us your story. E-mail jph AT papersplease DOT org

The New York Times has obtained a report showing that US and European negotiators are nearing an agreement on international sharing of private data.

The United States and the European Union are nearing completion of an agreement allowing law enforcement and security agencies to obtain private information — like credit card transactions, travel histories and Internet browsing habits — about people on the other side of the Atlantic Ocean. […]

Negotiators, who have been meeting since February 2007, have largely agreed on draft language for 12 major issues central to a “binding international agreement,” the report said. The pact would make clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice versa.

The negotiators remain at odds on some issues, such as “what rights European citizens will have if the United States government violates data privacy rules or takes an adverse action against them — like denying them entry into the country or placing them on a no-fly list — based on incorrect personal information.”

It is unclear what standards both sides believe would adequately protect individuals’ civil liberties, including free speech and the right to travel.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, said the administration’s depiction of the process of correcting mishandled data through agency procedures sounds “very rosy,” but the reality is that it is often impossible, even for American citizens, to win such a fight.

The story refers to transfers of data directly from entities in the the EU to the US government, and that’s where most of the attention has focused in recent EU/US disputes.  But in many cases, data is first transferred from the EU to commercial entities in the US (for example, from airline and travel agency offices in the EU to computerized reservation systems in the US) and only later, if at all, accessed by the US government from those US commercial entities.  Those commercial transfers violate EU data protection law, regardless of whether the US government also accesses the data.  It’s unclear form the Times story if the draft agreement would purport to immunize commerical entities engaging in such transfers.

It’s also unclear if the draft “agreement” would take the form of a treaty — ratified by the U.S. Senate, and enforceable in U.S. courts — or whether it would be another nonbinding DHS “undertaking” without legal effect.

The full New York Times story is here.

The Washington Post reports on a new identification program from the DC government. DC wants to use the “One Card” to track “library accounts, public school attendance, recreation-center use and other services,” and “Metro riders can have a SmarTrip chip implanted in the card.”

The DC government’s chief technology officer says, “The eventual goal is that you’d need only one card across the entire District government.”

Why create a city-wide centralized identification system, mandatory for public school students and government workers but “voluntary” for others? We’ve all heard it before with REAL ID and other broad identification programs: the “papers please” system of One Card would be more efficient and save money.

The Washington Post points out that DC officials “could not offer specifics about those savings for agencies or the city.”

Read the rest of the story here.

George Hulme at InformationWeek has an interesting story about a Target store scanning his driver’s license when he went to buy Nicorette gum:

Now, during checkout, the cashier asks to “see” my driver’s license. Alright, since I’ve been carded before buying controlled substances, I figure she needs to check my age.

Before I have a chance to realize exactly what’s going on, the cashier swipes my driver’s license through the register. The machine then kicks and spasms out my receipt. Whoa!

I inquire, “What information, if any, was captured from my license?”

I get that deer-in-the-headlights what-ya-talk’n-bout glaze. She’d never thought about, or was apparently never asked, why she was physically scanning driver’s licenses.

“You asked to ’see’ my license, but you swiped it. Big difference,” I say.

The cashier has no idea how to answer his question. Hulme leaves a message at Target’s press office asking for information as to whether his data was merely scanned to verify age or if all of his license data was downloaded by Target; if so what was the reason for this data capture and how long were they going to keep his data. No answer. He also e-mailed Target customer service and got a response. But it was a non-response. Read his full story.

Note that the final regulations for the REAL ID national identification system includes an unencrypted machine-readable zone. This means that anyone with an off-the-shelf card reader could swipe and download your personal data. And DHS Secretary Chertoff wants everyone to use this national ID card to “cash a check, hire a baby sitter, board a plane or engage in countless other activities,” so all of those situations could lead to your data being downloaded and retained.

Has your license or ID card data been swiped and retained by a store, bank, bar, club or other business? Tell us about it. E-mail jph AT papersplease.org

The Partnership for Civil Justice, a Washington DC-based public interest law firm, filed a class action lawsuit in the United States District Court for the District of Columbia seeking an injunction against the Metropolitan Police Department’s Neighborhood Safety Zone checkpoint program.

The lawsuit asserts that the roadblock program instituted in recent weeks is an unconstitutional suspicionless seizure of persons traveling on public roadways in the District of Columbia. The lawsuit also challenges the District’s use of these mass civil rights violations to collect and aggregate data on the movements, activities and associations of law abiding residents and visitors to the District and seeks expungement of this information.

If anyone has doubts about the danger of mission creep associated with a state’s compliance with the Real ID Act, they should be told about what’s going on here.  While this fiasco was initiated by local authorities, remember that §201(3) of the Real ID Act grants a sole individual (the Secretary of DHS) the authority to establish by fiat when and where “official” ID is required in the United States.

Copies of the Class Action Complaint, Mills v. District of Columbia, can be accessed here.

The Senate Judiciary Subcommittee on Constitution held a hearing on “Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel.” Individuals innocent of any wrongdoing have increasingly been reporting that their laptops, smartphones and other electronic devices have been searched and seized by US Customs and Border Protection. The Washington Post reported in February:

The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel.

At the Senate hearing, Subcommittee Chairman Sen. Russ Feingold summed up the situation succinctly: “Customs agents must have the ability to conduct even highly intrusive searches when there is reason to suspect criminal or terrorist activity, but suspicion-less searches of Americans’ laptops and similar devices go too far. Congress should not allow this gross violation of privacy.”

Various witnesses, including Susan Gurley, Executive Director of the Association of Corporate Travel Executives; Lee Tien, Senior Staff Attorney at the Electronic Frontier Foundation; and Peter P. Swire, Senior Fellow at the Center for American Progress, detailed the many privacy and civil liberty issues raised by suspicionless searches and seizures of electronic devices and data at the border.

Tien said that EFF agreed “the Fourth Amendment works differently at the border. But, ‘differently’ does not mean ‘not at all.’” EFF and the Asian Law Caucus have filed suit against the Department of Homeland Security (which oversees Customs and Border Protection) for denying access to public records on the questioning and searches of travelers and seizures of their property at U.S. borders. Read the rest of this entry »

The UK House of Commons’ Home Affairs Select Committee is warning the British government that its massive national identity card scheme could threaten privacy. In a report (pdf), the Committee said it was especially concerned “about the potential for ‘function creep’ in terms of the surveillance potential of the National Identity Scheme.” The Committee urged the government to make “an explicit statement that the administrative information collected and stored in connection with the national identity register will not be used as a matter of routine to monitor the activities of individuals.”

Unfortunately, the Committee’s fears are all too real. The UK national id card scheme creates the same kind of total surveillance society that the US government hopes to create under the REAL ID scheme. For example, when the UK government described the national identification system in a press release earlier this year, it said:

The Government’s National Identity Scheme means that for the first time UK residents will have a single way to secure and verify their identity. We will be able to better protect ourselves and our families against identity fraud, as well as protecting our communities against crime, illegal immigration and terrorism. And it will help is to prove our identity in the course of our daily lives—when travelling, for example, or opening a bank account, applying for a new job, or accessing government services.

Sound familiar? It’s REAL ID all over again. More coverage at BBC News and Guardian UK. You can also learn about how to fight this massive surveillance system at No2ID.