Papers, Please!

The Identity Project

Monthly Archives: November 2015

Nov 16 2015

The human rights of migrants in transit

Last year the UN Office of the High Commissioner for Human Rights (OHCHR) developed and promulgated a set of “Recommended Principles and Guidelines on Human Rights at International Borders”, including respect for the right to freedom of movement, on which we made recommendations at the invitation of the OHCHR.

As a follow-up, and in response to ongoing refugee crises in Europe and elsewhere, the OHCHR has been tasked by the UN Human Rights Council with preparing further recommendations in relation to the rights of migrants in transit, including, “[e]xit restrictions … and the externalisation of border controls which could have an impact on the human rights of migrants in transit.”

Our latest recommendations to the OHCHR focus on the human rights implications of restrictions on travel by common carrier:

As we discussed in our previous submission to the OHCHR concerning the human rights of migrants, refugees, and asylum seekers, the right to leave any country is routinely and systematically violated – even where there is no explicit requirement for an “exit permit” – through (1) requirements for identity credentials or other travel documents as a condition of travel by common carrier, without respect for the right to leave any country and to return to the country of one’s citizenship regardless of what, if any, credentials or documents one possesses, (2) requirements for “screening” and approval of common carrier passengers that amount to de facto exit visa, transit visa, and/or entry visa requirements, (3) sanctions imposed on common carriers to induce carriers not to transport certain would-be passengers, on the basis of decisions not made, and not subject to appeal, through effective judicial procedures, and (4) failure by governments to enforce the duties of common carriers to transport all would-be passengers, regardless of their legal status or possession of documents.

Some of the most important decision-makers for asylum seekers, refugees, and other migrants are airline and other common carrier ticket sellers and check-in staff. Many eligible asylum seekers are unable to reach places of refuge, and others die trying, as a direct result of improper denial of transportation by common carrier staff.

Many eligible asylum seekers could afford to purchase airline tickets or tickets on other common carriers (ferries, trains, buses, etc.) to travel to countries where, on arrival, they would be eligible for asylum. They risk their lives as “boat people”, and some of them die, not for financial reasons, but because airlines or other government-licensed common carriers improperly refuse to sell them tickets or deny them boarding.

When airlines or other common carriers deny passage, they often claim that they are doing so in compliance with government mandates or government-authorized carrier “discretion”. But decisions about these “mandates” and how to apply them, and about the scope of common carrier “discretion”, are enforced not by judicial or police personnel but by airline or other common carrier staff, or by contractors, at the points of ticket sales, check-in, or boarding. As a result, it is almost impossible for would-be passengers to obtain judicial review of carrier decisions to refuse ticket sales, check-in, or boarding.

Asylum seekers who are trying to leave a country where they are subject to persecution, and who are denied transport, are unlikely to have access to effective judicial review and redress through the courts of the country that is persecuting them. Airlines know that they can violate the rights of asylum seekers with de facto impunity.

Respect for the right to freedom of movement requires significant changes in the practices of carrier staff. To fulfill their human rights obligations, governments need to ensure that common carriers are aware of, and respect, the right to freedom of movement.

[More.]

Nov 09 2015

Accurint exposed as data broker behind TSA “ID verification”

The most recent documents released in response to one of our Freedom of Information Act (FOIA) requests may have identified the data broker powering the TSA’s “ID verification” system as Accurint — the current incarnation of a component of the discredited and supposedly disbanded Total Information Awareness program — rather than Acxiom as we had speculated (and as had powered other TSA passenger-profiling schemes).

We found this clue to the company behind the curtain in the daily reports on the operation of the TSA Identity Verification Call Center (IVCC) that gets the call whenever someone tries to fly without having, or without being willing to show,  government-issued ID satisfactory to the TSA or contractor staff at an airport checkpoint:

Over the past 48 hours the IVCC experienced on-going internet connectivity issues that caused IVCC operations to be disconnected from Accurint and WebEOC databases…. The interrupted service resulted in extended call times when either database conductivity was abruptly discontinued or unavailable. At approximately 1430, TSOC IT contacted the Accurint Customer Support who indicated the issue was internal to Accurint. At approximately 1615, service appeared to be restored. At 1900, the connectivity issue resurfaced but with limited impact to operations. The TSOC Network Engineer is monitoring the Accurint situation and EMOC Security is working to identify and resolve those issues separate to Accurint.

This report strongly suggests that it’s Accurint that provides the database and “verification” algorithms used by the IVCC, the TSA, and TSA contractors to decide who to allow to fly, and who not to allow to fly.  There’s no other apparent reason why the IVCC would need connectivity to Accurint, or why an outage in IVCC connectivity would would be significant.

Who are these guys? It’s a shell game of acronyms, acquisitions, and corporate restructuring.

Accurint is a service of the LexisNexis brand of the UK-incorporated RELX Group plc, which until June 2015 was named Reed Elsevier.  The aggregated “garbage in, garbage out” database and pre-crime profiling algorithms used by Accurint for “ID verification” were developed by a company called Seisint, under contracts (brokered in part by Rudy Giuliani’s influence-peddling consultancy) to the DHS and Department of Justice, for the MATRIX (Multistate Anti-Terrorism Information Exchange) component of Total Information Awareness (TIA).

In the midst of public controversy over MATRIX, TIA, and other aspects of Seisint and its operations, Seisint was acquired by Reed Elsevier for $775 million in 2004.  Seisint’s Accurint service was folded into LexisNexis, part of what is now RELX Group plc.

“Matrix reloaded”?

Here’s what Megan Kaushik of the Brennan Center for Justice found when she tried to find out what’s in Accurint’s files about herself:

After an exhaustive search, I ultimately received records from … LexisNexis’s Accurint…. The report[] listed every phone number and address I had ever been associated with, from my college mailbox to the relative’s home where I’d forwarded mail while abroad. Accurint listed the apartment I rented while interning in DC, along with the names and phone numbers of its current occupants. It even provided the sale price and mortgage on each home I’d lived in.

Surprisingly, much of the information was also inaccurate….

Accurint listed someone named Florinda as “Associated with Subject’s SSN” though it assured me this “doesn’t usually indicate fraud.”

Obtaining my data … was difficult. Amending incorrect information was impossible. Unlike Canada or the UK where data brokers must allow individuals to access and amend their data, American law lacks such requirements. Accurint’s report stated it “may not contain all personally identifiable information in our databases” and they “do not verify data, nor is it possible to change incorrect data.”

In addition, “LexisNexis does not suppress personal information from databases used by law enforcement customers,” regardless of whether LexisNexis knows it to be inaccurate or misleading. As we said earlier,  “garbage in, garbage out”. All the garbage, no matter how much it stinks.

Since its latest latest corporate restructuring in June 2015, Accurint has been operated by a UK corporation, RLEX Group plc. Stock in RLEX Group plc is owned partly by a UK-based and partly by a Netherlands-based parent corporation. But there’s no US-incorporated subsidiary to shield RLEX Group plc, as a UK corporation, from its obligation to comply with UK law in its worldwide operations, whether in the US or anywhere else.

Many of Accurint’s policies and practices with respect to its services for the TSA and other law enforcement agencies appear to violate both the LexisNexis privacy policy and, more importantly, the obligations of RLEX Group plc pursuant to UK and European Union data protection law. The governing factor under UK and EU law appears to be that the data controller for Accurint, RLEX Group plc, is legally domiciled in the UK.

It doesn’t help rescue RELX Group plc from liability under UK and EU law that it has relied on self-certification that it complies with the “safe harbor” framework, which has now been ruled legally inadequate, as the basis for transferring personal data to entities in the US such as the TSA.

Accurint also integrates social media data from “Twitter, Tumblr, Disqus, Foursquare, WordPress, Instagram, Facebook, Google+, YouTube and more,”  monitored and mined by Digital Stakeout, Inc. This confirms what we have long feared: that (privatized but government-funded) surveillance of social media and other Internet activity is being used as one of the inputs to the black box that decides whether to allow us to exercise our rights. As we said five years ago in conjunction with the first “Social Network Users’ Bill of Rights”:

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to to know the “correct” answer.  And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

We’ll be posting more details and statistics as the TSA releases more of its records about what happens to people who try to fly without ID. But the records we’ve received to date show that people are already being prevented from traveling by air, despite having valid tickets on common carrier airlines, because the private data broker(s) consulted by the TSA don’t have enough data to profile them, or their answers don’t correspond to the garbage in the aggregators’ data warehouses about things such as who Accurint thinks they live with or thinks who their neighbors are.

Nov 06 2015

Most Federal agencies still ignore human rights complaints

Despite a recent decision by the European Court of Justice based in part on the inability of US courts to enforce US obligations under human rights treaties to which the US is a party, and despite a direct order from the President, most Federal agencies have still done nothing to create even administrative channels or points of contact for handling complaints of human rights violations.

Last April, we joined a broad coalition of civil liberties and human rights organizations in a public letter to some of the Federal departments engaged in the most egregious human rights violations — torture, extrajudicial killings, mass surveillance, denial of freedom movement, etc. — calling on them to carry out the President’s longstanding orders to designate points of contact responsible for responding to complaints that they have violated human rights treaties.

Six months later, there’s been no response to our letter and no publicly-disclosed indication that any of the agencies and departments to which it was sent has taken any action to fulfill its duties under Executive Order 13107, which was issued by President Clinton in 1998 and has remained in effect ever since.

This week, we joined in a follow-up letter, pointing out the failure to act and the heightened importance of showing a US government commitment to human rights, including the right to privacy, if the US wants to persuade other countries and their citizens that personal information transferred to via the US will be adequately protected against unwarranted mass surveillance.

The real lesson, of course, is that neither US citizens nor foreigners can rely on merely administrative mechanisms  for the protection of fundamental rights. If direct orders from the President aren’t enough to get Federal department heads even to receive and log human rights complaints, what could be?

As the UN Human Rights Committee recommended last year at the conclusion of its latest review of US (non)implementation of its human rights treaty obligations, what’s really needed is for Congress to enact effectuating legislation for human rights treaties to grant US courts — not the agencies that are the subjects of the complaints — the jurisdiction to hear and rule on complaints of violations of rights guaranteed by those treaties that the US has ratified and promised to honor and implement.