Papers, Please!

The Identity Project

May 08 2025

ARC sells airline ticket records to ICE and others

Contracts by Federal agencies with the Airlines Reporting Corporation for access to reports of airline tickets issued by US travel agencies, from USAspending.gov.

A company you’ve never heard of is selling copies of every airline ticket issued by a travel agency in the US to the US Department of Homeland Security (DHS) and a plethora of other Federal law enforcement and immigration agencies — and who knows who else.

Records of airline tickets issued by travel agencies in the US are being sold to US Immigration and Customs Enforcement (ICE) and other Federal law enforcement agencies, according to an ICE procurement document posted yesterday on a US government contract website and uncovered in a major scoop today by Katya Schwenk of Lever News.

According to the document found by Ms. Schwenk on SAM.gov, ICE is entering into a no-bid contract with the Airlines Reporting Corporation (ARC) “to procure, on a sole source basis, licenses for Travel Intelligence Program (TIP)… The vendor listed is the only company that can provide the required software licenses.”

ARC is the financial clearinghouse through which travel agencies in the US (from mom-and-pop agencies to online mega-agencies like Expedia) pay airlines (including both US and foreign airlines) for the tickets those agencies have sold. Its role is similar to that of VISA and MasterCard for credit card merchant  transactions, except that VISA and MasterCard compete with each other, while ARC has no competitor in  the US.

Every day, each travel agency in the US submits a report to ARC with a copy of every ticket it has issued, the amount paid, the fare calculation and tax breakdown, and the form of payment. ARC takes the total for the day’s sales on all airlines out of the agency’s bank account, and pays each airline a daily total for its tickets issued by all agencies accredited through ARC. Copies of tickets are included with agencies’ daily reports to ARC so that airlines can audit that agents have charged the correct fare.

(ARC only handles payments from travel agencies in the US. Payments and credits to airlines from travel agencies in countries other than the US are settled through other regional financial clearinghouses under IATA’s Bank Settlement Plan, BSP.)

The amounts paid to ARC by Federal agencies aren’t large enough to make selling data to the Feds a significant line of business for ARC.  But the amounts are large enough to indicate that Federal law enforcement and immigration agencies are using information about airline tickets obtained from ARC in a significant and growing number of cases, for unknown purposes and on an unknown legal basis.

We’ve never heard of the “Travel Intelligence Portal” through which ARC offers access to ticket records before now. TIP isn’t mentioned anywhere on ARC’s website, in ARC’s privacy policy, or in the privacy policy of any airline or travel agency we’ve reviewed.  Travelers and ticket purchasers who don’t know that ARC exists aren’t likely to ask what it has done with their data. We don’t know whether TIP is a service offered by ARC exclusively to Federal agencies, or if it has other government or commercial users in the US and/or abroad.

The previously unnoticed ARC contracts with ICE and other US government agencies also raise substantial doubt as to whether travel agencies or airlines — including foreign airlines that process payments for their ticket sales in the US through ARC, and travel agencies that act as their agents in the US — are complying with foreign laws including PIPEDA in Canada and the GDPR in Europe.

If ARC is selling ticket data to the US government without reporting those disclosures to the travel agencies and airlines involved, those agencies and airlines  will be unable to provide data subjects with an accurate or complete accounting of the disclosures of their personal data, as required by PIPEDA and the GDPR.

On the other hand, if travel agencies and/or airlines have authorized ARC to make this data available to the US government, or have continued to transmit data to ARC after learning that ARC was making it available to the US government, those travel agencies and/or airlines have likely violated their duty not to transmit personal data to entities that could not assure adequate protection of that data against onward disclosure.

Read More

May 05 2025

What can you do if you aren’t allowed to fly without REAL-ID?

On Wednesday, May 7, 2025, the Transportation Security Administration (TSA) plans to start treating driver’s licenses and state IDs that don’t comply with the REAL-ID Act as “unacceptable” ID at TSA checkpoints. That doesn’t mean that travelers without REAL-ID won’t be allowed to fly. What the TSA has said is that it will subject travelers without REAL-ID on or after May 7th to its current procedures for airline passengers with no ID or unacceptable ID.

In a sample of incident logs and reports released in response to one of our Freedom Of Information Act requests, 98% of the airline passengers who showed up at TSA checkpoints with no ID or unacceptable ID were allowed to fly after additional “security theater”.

But given the numbers of people without REAL-ID, even 2% of those who try to fly without REAL-ID could be a significant number. And if you’re the one being told, “You can’t fly today”, any number of unlawful and denials of your right to travel is significant.

Some people without REAL-ID will be turned away illegally at TSA checkpoints. Others will be delayed for so long that they miss their flights. Of that latter group, some will be denied refunds by airlines, or told they have to pay change fees to fly on later flights.

What are your rights at the airport? What can you do if you are turned away by the TSA because you don’t have REAL-ID, delayed and miss your flight, or denied a refund or charged a fee to change a flight you missed because of TSA delays and ID checks?

This isn’t advice from lawyers, but it’s practical advice about what to do to protect your rights and maximize your chances if you later take the TSA or an airline to court.

Read More

May 02 2025

Objections to blanket approval for USCIS surveillance of social media

Today the Identity Project, Privacy Times, and Government Information Watch filed comments objecting to a proposal by US Citizenship and Immigration Services (USCIS) for blanket advance approval for USCIS to demand that all foreigners submitting any sort of application to USCIS provide a statement under penalty of perjury a list of all  social media “platforms” and “identifiers” they have used in the last five years. The forms on which this information would be required would include applications for permanent residency, adjustment of status, and naturalization.

The proposal builds on earlier proposals, to which we and many other organizations objected, to require applicants for visas or visa-free entry to the US to provide lists of social media platforms and identifiers they have used. The current proposal by USCIS would extend mandatory social media usage reporting to those foreigners who have already demonstrated the strongest ties to the US, including permanent US residents applying for naturalization as US citizens. The current proposal would also give blanket pre-approval to USCIS to demand this information on other forms in the future.

According to our comments:

The proposed collection of information does not comply with the Paperwork Reduction Act (PRA), the First and Fourth Amendments to the U.S. Constitution, or the International Covenant on Civil and Political Rights (ICCPR). This vague and overbroad collection of information from permanent residents, applicants for naturalization, and other non-U.S. citizens is inappropriate as a matter of policy and contrary to U.S. national and international interests in democracy and human rights. In many cases, it would be impossible for individuals to provide the requested information or to attest under penalty of perjury to its completeness. The proposed request for information, in its proposed form, would thus function as a pretext for denial of residency or naturalization as a citizen or other adverse decisions.

The proposal for this collection of information by U.S. Citizenship and Immigration Services (USCIS) should be withdrawn. If this proposal is submitted to the Office of Management and Budget (OMB) for approval, it should be rejected as failing to meet the statutory standard of necessity for an agency purpose and as a violation of the Constitutional and human rights of individuals about whom information would be collected, including U.S. citizens who engage in protected acts of assembly and speech with non-U.S citizens.

Social media platforms and identifiers are undefined in the proposal or in any other law or regulation, leaving the proposed requirement unconstitutionally vague.

The proposal targets social media, and only social media, in order to identify with whom we associate, including associations between US and foreign citizens. It appears to be based on the assumption that freedom of speech and freedom of association are rights of citizenship, not human rights, that can be denied not just to non-citizens but to US citizens who associate with foreigners. But this assumption has no basis in the US Constitution or in the human rights treaties the US has ratified.

What, if any, social media platforms or identifiers a person has used is not, and cannot Constitutionally be, a basis for USCIS decisions. Rather than having any lawful use, this information would be useful only for a a variety of unlawful purposes, including:

  • Robotic predictive pre-crime profiling;
  • Suspicion generation and guilt by association; and
  • Pretextual denial of applications for permanent residency or naturalization.

You can submit your own comments on the USCIS proposal by clicking on the “Comment” button here until the end of the day on Monday, May 5, 2025.

We have urged USCIS to withdraw its proposal for this collection of social media usage information. If the proposal is not withdrawn, there will be a second comment period when it is submitted to the Office of Management and Budget (OMB) for final approval

Apr 30 2025

Oklahoma resolution would reaffirm right to opt out of REAL-ID

SR 18, introduced yesterday in the Oklahoma Legislature by state Sen. Kendal Sacchieri (R-Blanchard) would re-affirm the right of Oklahoma residents to choose to have driver’s licenses and state IDs that don’t comply with the Federal REAL-ID Act — and not to have data about those noncompliant licenses shared with Federal agencies without a warrant.

“Sixty percent of Oklahomans have declined to participate in the federal REAL ID system,”  Sen. Sacchieri noted in introducing SR 18. “Senate Resolution 18 is about protecting Oklahomans’ privacy and preserving their freedom to choose. We affirm our citizens’ right to opt out of the federal REAL ID system, and we must also ensure their personal information remains secure. This resolution calls for a real, uncoerced choice — without unnecessary exposure of private data.”

Read More

Apr 22 2025

REAL-ID FAQ: What will happen at US airports on May 7, 2025?

[Summary of TSA procedures for airline passengers with no ID or unacceptable ID, from DHS Office of Inspector General report OIG-2024-65, September 2024]

The US Transportation Security Administration (TSA) has announced that it will begin “implementation of its REAL ID enforcement measures at TSA checkpoints nationwide” on May 7, 2025.

What does this mean if you want to fly but don’t have any of the types of ID that the TSA deems compliant with the REAL-ID Act (including a US or foreign passport, a US passport card, a Canadian provincial driver’s license, or a US driver’s license or state ID with a REAL-ID gold star in the upper right corner or that is marked as an “Enhanced Drivers License”)?

The key thing to know is that — unless the TSA makes undisclosed changes to its procedures — air travelers with “noncompliant” ID on or after May 7, 2025, should be treated, and should be allowed to fly, the same way people with no ID fly today.

We can’t predict with certainty what the TSA will do on May 7th, because:

  1. The TSA has been violating the law for years with its ID procedures at airports, including through illegal demands for ID, illegal demands for information, and illegal use of an unapproved ID verification form.
  2. No laws or regulations prescribe the TSA’s checkpoint procedures, including ID checks. The law says only that airline passengers must “submit” to “screening”, without defining either of those terms. Courts have defined “screening” as “search”, with no indication that this includes questioning about, or evidence of, identity.
  3. The TSA has claimed that its internal “Standard Operating Procedures” (SOPs) for ID checks, before or after May 7, 2025, aren’t binding on the TSA, create no legal rights for airline passengers, and can be secretly changed at any time.
  4. The SOPs purport to grant discretion to TSA staff at each airport to decide who to allow, and who not to allow, to exercise their right to airline travel by common carrier, for any or no reason, regardless of what if any ID travelers show.
  5. The TSA has purported to grant itself the authority to change even its published “rules” at any time, without notice, merely by posting new non-rules on its website. It hasn’t done so yet, nor has it published any of the other notices in the Federal Register that would be required by the Privacy Act and the Paperwork Reduction Act to establish a “graduated enforcement” scheme. The New York Times reported on April 9th that “a T.S.A. spokesperson said on Friday that the agency had decided that the phased approach was not necessary and that full enforcement would begin on May 7”, but that decision could be reversed at any time, before or after May 7th.
  6. The Trump 2.0 Administration in general and the Department of Homeland Security (DHS) in particular have been changing and sometimes reversing their directives in many other areas, without warning and with little or no basis in law or overall policy, and could do the same with directives to the TSA.

With these uncertainties in mind, what can we say about what will be required and will happen at airports on May 7th?

Does the law require you to have ID to fly?

No.

The TSA itself has stated repeatedly in court, under oath, in litigation in which The Identity Project and individuals we support have been involved, that no Federal law or regulation requires airline passengers to have, carry, or show any ID.

See e.g. State of New Mexico v. Phillip Mocek, in which a TSA witness testified that, “It [flying without ID] happens all the time. We have a procedure for that”, and Gilmore v. Gonzales, in which the 9th Circuit Court of Appeals found, based on the TSA’s own submissions to the court, that, “Gilmore had a meaningful choice. He could have presented identification, submitted to a search, or left the airport. That he chose the latter does not detract from the fact that he could have boarded the airplane had he chosen one of the other two options.”

People fly without ID every day, openly and legally.

Years-delayed responses by the TSA  to our Freedom Of Information Act (FOIA) requests show that, as of 2016, almost 2,000 people a day were allowed through TSA checkpoints at airports nationwide with no ID or with ID that was deemed “unacceptable”. TSA incident logs released in response to our FOIA requests show that 98% of travelers who showed up at airports with no ID or with “unacceptable” ID were allowed to fly after undergoing additional questioning and/or more intrusive searches and groping (“screening”).

Will the REAL-ID Act require you to have ID to fly on or after May 7, 2025?

No.

The REAL-ID Act governs which IDs can be accepted by Federal agencies such as the TSA in circumstances where ID is required. It doesn’t create any new requirements to have, carry, or show any ID in circumstances — such as airline travel — where ID is not required by some other law.

According to the latest TSA statement on April 11, 2025:

Passengers who present a state-issued identification that is not REAL ID compliant and who do not have another acceptable alternative (e.g., passport) can expect to face delays, additional screening and the possibility of not being permitted into the security checkpoint…. TSA … will continue with additional screening measures for those without a REAL ID until it is no longer considered a security vulnerability.

This doesn’t say that individuals without REAL-ID, or without any ID, will be prevented from flying. All it says is that these individuals will be subjected to “additional screening” (which of course may occasion delay) and the “possibility” of not being permitted into the checkpoint (i.e. if they don’t agree to submit to additional searches).

What will happen if you show up at the airport on or after May 7, 2025, with “noncompliant” state-issued ID?

So far as we can tell, airline passengers who show up at TSA checkpoints on or after May 7, 2025,  with noncompliant ID or no ID will be treated the same way  travelers with “unacceptable” ID (expired IDs, student IDs, IDs issued by private employers, etc.) or no ID at all (lost or stolen or forgotten or just don’t have ID) are treated now.

What is the TSA’s standard procedure for people with no ID or “unacceptable” ID?

We don’t have up-to-date, unredacted versions of the TSA’s instructions to checkpoint staff at airports. But based on previously-released versions of the TSA’s Standard Operating Procedures(SOPs)  for Travel Document and ID Checks and for the TSA’s ID Verification Call Center (IVCC), TSA testimony and pleading in court cases, TSA ID verification logs and incident reports released in response to our FOIA requests, reports we’ve received from travelers without ID, the most recent 2024 report from the DHS Office of Inspector General on procedures for airline passengers without ID or with unacceptable ID, TSA testimony to Congress in 2024, and our own experiences, here’s what happens when a ticketed airline passenger shows up at a TSA checkpoint with no ID or “unacceptable” ID:

Read More

Apr 18 2025

No, the REAL-ID Act won’t stop “illegal aliens” from flying

The Department of Homeland Security (DHS) and Transportation Security Administration (TSA) have planted a story with Fox News falsely claiming that enforcement of the REAL-ID Act of 2005 at airports will prevent “illegal aliens” from boarding domestic airline flights within the US:

In a memo exclusively obtained by Fox News Digital, the [DHS] said part of the reason REAL ID will be enforced is to prevent those in the country illegally from flying – unless they are looking to self-deport on an international flight.

“Under Biden, illegal aliens used non-compliant IDs from sanctuary cities to board flights, but REAL ID’s higher security standards make it nearly impossible to forge legitimate documents, ensuring only verified travelers can fly,” the memo states….

“DHS and TSA are clear… illegal aliens will be barred from domestic flights, with one exception: illegal aliens self-deporting on international flights will be allowed to board without a REAL ID, encouraging their exit from the U.S.,” it states.

These DHS and TSA claims amplified by Fox News are false, in at least four respects:

First, as we reminded Maine state legislators at a hearing in Augusta earlier this week, the REAL-ID Act does not impose an ID requirement for air travel or authorize the TSA to prevent anyone from flying or traveling by any other common carrier on the basis of whether they have ID or “compliant” ID — regardless of their citizenship or immigration status. The TSA has said only that as of May 7th, 2025, as has been the case for years, airline passengers with no ID or ID the TSA deems “unacceptable” will be subject to delay for “additional screening” (more intrusive searches). If the TSA were to start refusing passage to airline ticket holders without ID, it would be acting illegally.

Second, city-issued IDs such as those discussed in the DHS memo are treated by the TSA as “unacceptable” ID. You can fly with a city ID, just like you can fly with no ID, after going through additional screening. Nothing in the REAL-ID Act will change that.

Third, the non-US citizens delayed and subjected to more intrusive searches because they don’t have ID documents compliant with the REAL-ID Act will consist disproportionately of asylum seekers lawfully entitled to remain in the US, not “illegal aliens”.  Any passport issued by any foreign government is considered compliant with the REAL-ID Act. Most foreigners in the US, regardless of their immigration status, have foreign passports. The exceptions are stateless people, people who have been denied passports by their countries of citizenship (strong evidence in support of an asylum claim), and people whose passports have been stolen or confiscated in the course of travel to the US. All of these foreigners without foreign passports are more likely to be (lawful) asylum seekers than are other categories of non-US citizens present in the US with foreign passports.

Fourth, because foreigners in the US are far more likely to have passports than are US citizens, most of the  burden of delay, extra searches of luggage, and extra groping of airline passengers without REAL-ID compliant documents will fall on US citizens without passports (which are not required for US citizens, especially within the US) or other documents the TSA deems “compliant” — not on any class of “aliens”.

The REAL-ID Act has nothing to do with aliens, legal or illegal. It’s primarily a measure to track and control US citizens traveling and going about our lives in our own country.

The TSA has tried to opt itself out of notice requirements for its ID rules. But we’re continuing to watch for clues to the TSA’s plan, if it has one. We’ll post an updated FAQ closer to the TSA’s current self-imposed deadline on what to expect at airports on May 7th.

Apr 15 2025

Withdrawal from REAL-ID gets a hearing in Maine

A bipartisan proposal to withdraw the state of Maine from compliance with the Federal REAL-ID Act of 2005 had its first hearing today (archived video) before the Joint Standing Committee on Transportation of the Maine State Legislature.

The REAL-ID withdrawal bill, LD 160, was presented to the Transportation Committee by state Rep. Laurel Libby (R-Auburn) and state Sen. Nicole Grohowski (D-Ellsworth), two of the six co-sponsors.

Public testimony in support of LD 160 was given by:

There was no public testimony against LD 160. The only opposition to the bill was voiced by Maine’s Secretary of State, Shenna Bellows.

Secretary of State Bellows struggled to explain her current support for REAL-ID compliance, in light of her history of opposition to the REAL-ID Act and Maine state compliance in her former positions as Executive Director of the ACLU of Maine and Maine State Senator.

Today, Secretary of State Bellows claimed, falsely — even after Mr. Kebede of the ACLU quoted the provisions of the REAL-ID Act requiring sharing with all other states of the contents of the state’s driver’s license database — that all of this information remains in the state of Maine. Secretary of State Bellows also claimed, also falsely, that the Federal government could not access the national REAL-ID database, SPEXS.

In fact, the SPEXS database is held by AAMVA, not by any Federal or state government agency. The Federal government could obtain access to SPEXS with a search warrant, subpoena, or national security letter directed to AAMVA, the same way it could obtain similar records from any private custodian. That order to AAMVA could include a “gag order” prohibiting AAMVA from disclosing the existence of the order or the release of SPEXS records to Maine, other states, or affected individuals. For all we, Secretary of State Bellows, or anyone in Maine knows, this may already have happened.

Members of the Transportation Committee seemed surprised — understandably — to learn from our testimony and that of other sponsors and supporters of LD 160 that the Maine Bureau of Motor Vehicles already uploaded personally identifying information extracted from all Maine driver’s license records to the SPEXS national ID database in December 2024.

Later in the same hearing, the Transportation Committee heard testimony from some of the same witnesses with respect to LD 1360, a well-meaning but inevitably flawed alternate legislative proposal to require the BMV to maintain the option of a “noncompliant” driver’s license or state ID. The  problem with this is that those who get a noncompliant license or ID will think they have opted out of the national ID system, but their information will end up in the same SPEXS national ID database.

Secretary of State Bellows first tried to say that there was no such database, then that it only contained information concerning REAL-ID compliant licenses and IDs, but finally conceded that Maine actually has only one driver’s license and ID database that includes both compliant and noncompliant credentials. Pointers extracted from all records in this state database, including both compliant and noncompliant licenses and IDs, have been and are continuing to be uploaded to SPEXS. And those pointer records, as we pointed out, contain sensitive personal information vulnerable to abuse.

Here’s our 3-minute statement in support of LD 160 (full written submission):

Read More

Apr 11 2025

DOGE, DHS, and data matching

“Data matching” may seem abstract, but its consequences can be life-changing: visa revocation, deportation, sudden cessation of Social Security payments, all without warning or opportunity to present argument or evidence to a human fact-finder.

One of the hallmarks of the new U.S. Department Of Government Efficiency (DOGE) is large-scale algorithmic analysis and comparison of existing databases of personally-identified information. In many cases, algorithms, AI, and data matching are being substituted for human judgement as the basis for decisions about individuals. Similar projects are being carried out by the Department of Homeland Security (DHS).

These activities appear likely to violate the Privacy Act (including its rarely-enforced criminal provisions) and/or the Computer Matching and Privacy Protection Act.

DOGE’s programmers are working to aggregate and correlate databases that have been compiled by different agencies or commercial third parties such as social media platforms, identified in different ways, and ingested in different formats.

Data matching  is central to the methods of DOGE and the Trump 2.0 Administration. One of  President Trump’s Executive Orders to heads of all Federal agencies directs that:

Agency Heads shall take all necessary steps, to the maximum extent consistent with law, to ensure Federal officials designated by the President… have full and prompt access to all unclassified agency records, data, software systems, and information technology systems… This includes authorizing and facilitating both the intra- and inter-agency sharing and consolidation of unclassified agency records.

How is this working out, and what does this say about ID-linked records?

Read More

Mar 31 2025

Senators propose to abolish the TSA

[Excerpt from the Abolish TSA Act of 2025]

Late last week Senators Mike Lee (R-UT) and Tommy Tuberville (R-AL) announced that they are introducing the Abolish TSA Act in Congress.

If enacted, the Abolish TSA Act would abolish the Transportation Security Administration (TSA), in its entirely. Within three years of enactment of this bill, responsibility for securing airline flights, and for the cost of doing so, would be returned to the airlines and whatever private contractors they might hire. Responsibility for oversight over aviation security would be returned to the Federal Aviation Administration (FAA), as was the case before the creation of the TSA in 2002.

It should go without saying that if the new Department Of Government Efficiency (DOGE) is targeting wasteful programs and agencies, the TSA and its security theater should be near the top of the list. DOGE doesn’t have the authority to abolish the TSA, but Congress does.

In and of itself, privatizing aviation security won’t necessarily do anything to improve protection for travelers’ rights. As part of a largely stalled pilot program in privatization of searches of airline passengers, checkpoints at San Francisco International Airport and a few other smaller airports have been operated by private contractors almost since the creation of the TSA. The private contractors at SFO are trained to carry out the same searches of travelers as TSA agents at other airports, with the same intrusiveness.

Although we are unaware of any court ruling on the authority of TSA contractors at SFO or  other airports, the TSA appears to think that these contractors have both police powers and the same “qualified immunity” that the agency has claimed for its own staff.

The Abolish TSA Act wouldn’t just privatize airline security, though. It would also provide, as part of  the ground rules for a three-year transition plan for privatization, that:

The plan may not include… any agency requirement or regulation compelling private contractors conducting airport security screening services to conduct warrantless searches and seizures.

The main activity of the TSA is, of course, conducting warrantless searches. So this clause of the Abolish TSA Act would imply a major change in practices at airports.

We’d prefer that the word “compelling” in this sentence of the bill be replaced with “authorizing”. As introduced, the Abolish TSA Act might leave wiggle room for airlines or their contractors to claim that, even if they aren’t compelled by the government to perform warrantless searches as though they were police, they are still authorized to do so.

At a minimum, though, prohibiting the Federal government from compelling airlines to subject their passengers to warrantless searches would allow airlines to choose not to do so, deprive them of the defense that “the government made me do it”, and remove any basis for a claim of police-like qualified immunity against charges of battery or false arrest.

As of this writing, the Abolish TSA Act has not yet been docketed. We’ll update this article when the bill is assigned a number.