Archive for the ‘Surveillance State’ Category

Toll payment devices used to track vehicles on toll-free roads

Tuesday, April 28th, 2015

Public records obtained by the ACLU from New York City and State agencies have confirmed the extensive use of RFID readers to track RFID toll payment devices on streets and roads where there are no tolls.

The ACLU’s report on the responses to its public records requests speaks for itself, but raises more questions about where else, by which government agencies, and for what purposes motor vehicle movements are being tracked, and whether vehicles without these RFID toll payment devices are also being tracked.

In New York, toll-tag RFID readers were systematically deployed on toll-free city streets for traffic monitoring. By logging the time and a unique vehicle identifier (broadcast by the RFID toll tag) for each vehicle passing each set of sensors, the system can calculate the most recent travel times between any two sets of sensors.  That’s what’s used (at least in New York City) to generate the travel times displayed on road signs, and for other traffic management and traffic signal control optimization purposes.

The problem is that measuring the time required for an individual vehicle to travel between any two points in the road network requires uniquely identifying each vehicle and logging the time it passes each sensor.  It’s unclear from the documents obtained by the ACLU how long these logs are retained, to whom they are accessible, or how they are used.

The E-ZPass toll tags used in New York and other states in the Northeast and Midwest use the same long-range RFID technology, with the same potential for surveillance use, as FasTrak in California, SunPass in Florida, and RFID toll payment systems in many other states including (we are not making this up) Freedom Pass for toll roads in Alabama.

The RFID transponders in these toll payment devices are designed, of course, to be read from above or alongside the road, even when the device is inside the vehicle.  These RFID transponders are promiscuous: they will respond with their unique ID number to a query from any RFID reader.  In general, no license, permit, or consent is required to operate an RFID reader.  Anyone can legally buy an off-the-shelf RFID reader, install it wherever they want — near a road, or in a vehicle — and start logging the time, location, and unique ID of each toll tag that comes within range. They can use or sell these logs without restriction.

Most motorists, of course, have no idea how the travel times on highway signs are estimated, and these vary from place to place. The state of Washington, for example, has experimented with a homebrewed system for tracking vehicles through the unique MAC addresses broadcast by in-vehicle Bluetooth systems.

Most toll-collection agencies provide foil bags in which RFID toll tags can be kept when they aren’t in use. But it’s a nuisance at best, and potentially dangerous for someone driving alone, to remove the toll tag from the foil bag while driving, and replace it in the bag after passing each toll payment point. Most people leave these ID-broadcasting devices permanently mounted and exposed on the sun visor, windshield, or dashboard of their vehicle.

What about those motorists who don’t carry these RFID-based toll payment and tracking devices in their vehicles?  Many toll roads are moving to “all electronic tolling” (AET) in order to eliminate toll booths and any possibility of on-the-spot payment of tolls.  At least as currently being deployed in the US, most if not all of these AET systems use automated license plate readers in each lane to identify each motor vehicle without an RFID toll payment device. A bill for the toll is then mailed to the registered owner of the vehicle.  One way or another, either by RFID tag serial number or license plate number, every vehicle is uniquely identified and the time, location, and direction of its passage is logged by the toll agency or its contractors.  These all electronic tolling and vehicle tracking systems are already in use on bridges, tunnels, and toll roads from the Mystic/Tobin Bridge in Boston to the Golden Gate Bridge in San Francisco.

License plate readers are increasingly widely deployed, but RFID readers are a cheaper and more versatile technology for vehicle tracking than LPRs, at least at present.  A separate, properly positioned LPR camera is typically required for each lane, and optical character recognition software is needed to extract license plate numbers from raw imagery.  A single, cheaper, RFID reader can cover multiple lanes, from a wider range of placement locations.

Vehicles without toll payment devices have other promiscuous RFID chips that broadcast unencrypted unique identifiers. New motor vehicles sold in the US are required to have automated tire pressure monitoring systems (TPMS), most of which rely on sensors and transponders attached to, or embedded in, new tires.  There are no legal controls on tracking or logging of vehicle movements by means of these tire tags, and no way for ordinary motorists to know when, where, or by whom their position has been recorded, who has logs of past vehicle movements, or how those logs might be used in the future. Similar (and similarly uncontrolled) but shorter-range unique-numbered RFID chips are used as stored-value transit fare payment devices in many major metropolitan areas, so even non-drivers are at risk of being covertly tracked.

Amtrak formats for passenger ID data dumps to governments

Thursday, April 23rd, 2015

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs.

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

DHS expands mining of travel data while reducing logging and controls

Wednesday, April 22nd, 2015

The US Department of Homeland Security has announced plans to expand its data mining and “sharing” of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.


DHS continues and expands use of commercial vehicle tracking databases

Tuesday, April 7th, 2015

Barely more than a year after publicly cancelling a request for bids on the construction of a national database of vehicle location data compiled from commercial and government-operated license-plate reader (LPR) cameras, the DHS has quietly revealed that it is once again seeking to buy access to commercially-aggregated LPR data, and that some DHS component field offices are already doing so.

Cameras combined with optical character recognition software allow for automated logging of the license-plate number (and of course the associated time, date, place, and direction of travel) of every passing vehicle. “Some LPR systems also capture within the image the environment surrounding a vehicle, which may include drivers and passengers,” the DHS acknowledges in its latest Privacy Impact Assessment for DHS use of commercial LPR data.

The only apparent difference between the proposal supposedly nixed in February 2014 and the plans revealed in the March 2015 PIA is that the DHS’s own LPR vehicle, driver, and passenger tracking data won’t be completely merged with LPR data from commercial sources and aggregators — at least not by the DHS itself.  The PIA describes a scheme in which the DHS will pay for query-based access to commercially-aggregated LPR data and the ability to set flags that will generate real-time alerts to the DHS whenever license-plate numbers of interest are observed.


You can’t tell the travelers without a scorecard

Tuesday, March 31st, 2015

Point scores assigned by TSA "Behavior Detection Officers" are used to decide whether to search you or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from 2013 GAO report.)

The Intercept has published the scorecard used by TSA “Behavior Detection” precogs to assign points to travelers, as part of the TSA’s “SPOT” pre-crime scheme for deciding which travelers to subject to more intrusive search and/or interrogation or “refer” to local police:

Whether you call SPOT and the TSA’s other pre-crime profiling programs “junk science”, “culturally biased”, or simply “unconstitutional”, it’s clear that the TSA can’t tell the terrorist travelers with or without a scorecard.

The SPOT scorecard includes pairs of “Damned if you do, damned if you don’t” point categories. “Avoids eye contact with security personnel or LEO [Law Enforcement Officer]”? +1 point. On the other hand, “Cold penetrating stare” or “Widely open staring eyes”? +2 points.

Disturbingly, some of the largest point values are assigned for the exercise of First Amendment rights to express opinions, ask questions, and observe what is in plain sight: “Asks the BDO [Behavior Detection Officer] security-related questions”? +3 points. “Shows arrogance and verbally expresses contempt for the screening process”? +2 points. “Scans area, appearing to look for security personnel or LEO”? +2 points.

In what appears to be flagrant discrimination against people with disabilities, anyone attempting to communicate in sign language is severely penalized: “Exhibiting hand gestures to others”? +3 points.

Part of the scorecard is broken down into “Stress”, “Fear”, and “Deception” categories. Stress and fear would seem to be natural responses to being profiled, judged, interrogated, and groped by government agents in cop-like uniforms who claim discretionary and deliberately unpredictable power to stop us from exercising our rights.  What traveler anywhere in the world doesn’t tense up when they are stopped at a checkpoint, and breathe a sigh of relief when they have made it through?

Points are also assigned for attributes having nothing to do with these factors, and which cannot lawfully be construed as constituting a reasonable basis for suspicion sufficient to justify search or detention.

Are you one of a party of, “Males traveling together who are NOT part of a family”? +1 point. Take that, pairs of traveling salesmen, and pairs of Mormon Elders on a mission! Do you appear to be a “Member of a family”?  -2 points. What’s a “family”? And how can the TSA tell?

Possession of duct tape “which the passenger has no apparent reason to possess”? +1 point. Isn’t the reason to carry duct tape that you never know for what purpose you will need it?

Cash is considered presumptively, and for outbound international travelers conclusively, suspicious. Possession of “Large sum of monies leaving U.S.”, or “Large sum of monies with no apparent reason to possess”? Automatically notify a law enforcement officer.

Some of the scoring categories appear to be purely cultural or fashion bigotry: “Face pale from recent shaving of beard”? +1 point.  Others show age and/or gender bias: “Facial flushing while undergoing screening”? +1 point. So much for any woman who happens to have a hot flash at a checkpoint. “Apparent married couple with both spouses over 55 years old”? -2 points.

The Intercept quotes two unnamed former TSA “Behavior Detection Officer” managers. One says the scorecard is, “designed in such a way that virtually every passenger will exhibit multiple ‘behaviors’ that can … justify BDO interaction with a passenger. A license to harass.” Another describes the SPOT program as, “Bullshit. Complete bullshit.”  We couldn’t have said it better.

Smile for the camera, citizen!

Monday, March 23rd, 2015

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment.  A few countries, starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.


Amtrak lies about police use of passenger data

Friday, March 20th, 2015

Passenger Name Record (PNR) view from Amtrak "Police GUI".

The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.

Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU.  That response omitted any mention of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.

Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)

The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Protection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.


US government veterans call for curbs on surveillance

Monday, March 9th, 2015

Citing our research and analysis on NSA surveillance of travelers as part of the basis for their recommendations, an organization of veterans of US intelligence agencies has called for curbs on mass surveillance of innocent individuals, in order to “preserve privacy and increase security”.

These recommendations to the Privacy and Civil Liberties Oversight Board (PCLOB) are the latest in a series of statements issued by the Veteran Intelligence Professionals for Sanity (VIPS), a group which includes prominent NSA, CIA, State Department, FBI, and other whistleblowers. (More from former FBI agent Coleen Rowley, one of the members of VIPS and a signatory of the statement.)

The letter from VIPS to the PCLOB is worth reading in full, but we found these portions among the most trenchant:

The Fear Factor

If Americans want to actively protest U.S. Government policies, but are aware that their communications are being monitored, some individuals will be fearful, inclined toward self-censorship and less likely to speak out – with the chilling effect of being denied their First Amendment rights to free speech and association.

With the Government’s surveillance resources devoted to electronic communications, facial image capture, retina scans, GPS and E-ZPass tracking, license plate readers, banking transactions, and air travel reservations, those with access to the data will be free to develop their own “threat” profiles to target people with tragic consequences for citizens’ freedom of speech, press, religion, and association.

Is this the state of freedom Americans choose to live under? It was achieved through a cooperative Congress and an anxious news media that reacted on the basis of a fear-mongering Intelligence and Law Enforcement Community backed by profiteers from the private sector eager to come to the rescue with all manners of big data analytics solutions. Over the ensuing years, public malaise seems to have set in yielding a general sense of resignation over the loss of privacy wherein it’s viewed to be a small price to pay for the convenience of having perpetual electronic access within reach 24/7.


Must we choose between the right to travel and the right to remain silent?

Tuesday, February 24th, 2015

When US citizen Jonathan Corbett checked in at Heathrow Airport in London for an American Airlines flight to New York last December, he was questioned by an airline employee or contractor (it’s often impossible to tell which are which) about his travel outside the US:

When questions changed from, “Where are you flying?” to “Was your trip for personal or business purposes,” and “Where were you since you left America,” I asked if the questions were necessary, and was told yes.

Mr. Corbett was eventually allowed to board his flight without answering these questions. But he followed up first with the airline, which referred him to the TSA, and then with the TSA itself.

Both AA and the TSA said that the questioning is part of a TSA-mandated “security program”. While AA and the TSA both claimed that most details of this program are secret, the TSA “Office of Global Strategies Communications Desk” (OGSCommunications@tsa.dhs.gov) told Mr. Corbett that answering the questions is a condition of boarding a flight to the US:

As part of its Transportation Security Administration (TSA)-approved security program, American Airlines is required to conduct a security interview of passengers prior to departure to the United States… If a passenger declines the security interview, American Airlines will deny the passenger boarding. The contents of the security program and the security interview are considered Sensitive Security Information (SSI) … and its contents are not for public disclosure. Any security procedure performed by the airline would be because of a requirement in their program.

Yesterday, Mr. Corbett filed suit against the TSA in both the U.S. District Court for the Eastern District of New York (which has jurisdiction over Kennedy Airport in Queens, where his flight arrived in the US) and in the 11th Circuit Court of Appeals (which has jurisdiction over Florida, where Mr. Corbett resides).  Perverse judicial precedents including those in Mr. Corbett’s own previous lawsuits require most lawsuits against TSA practices to be filed simultaneously in both District and Circuit Courts, to avoid a risk of being dismissed on jurisdictional grounds.

Mr. Corbett’s lawsuit directly challenges the requirement for a traveler to answer questions (i.e. to waive his or her Fifth Amendment right to remain silent) as a condition of the exercise of the right to travel, specifically the right of a US citizen to return to the US.


Feds aggregating license-plate scans to track vehicles and people in real time

Friday, February 6th, 2015

We’ve talked a lot about government surveillance and control of air travelers, and occasionally about its extension to bus and train travel.  (Our FOIA request about this to Amtrak remains unanswered and several months overdue for a response.)

But can you avoid being tracked and watched by the government if you travel by private car? No:

A year ago, when the Department of Homeland Security cancelled a request for bids from commercial vendors to supply vehicle location logs compiled from automated (optical character recognition) license-plate readers, we pointed out that the DHS didn’t need to buy this information from commercial data aggregators, since it already had it available from government sources.  In fact, as we noted then, the DHS had already given official notice of the inclusion of license-plate location logs in DHS databases about both US and foreign citizens (while claiming that a license plate number isn’t a “personal identifier”).

New documents released to the ACLU in response to FOIA requests and reported by the Wall Street Journal (paywalled article; NPR interview with the WSJ reporter on the story) confirm our suspicions: As early as 2009, a “National LPR Initiative” was compiling data from license-plate readers operated by the DHS and other Federal, state, and local government agencies to track both vehicles and their occupants in real time. (More background and additional documents from the ACLU’s previous FOIA requests regarding license-plate readers; related documents released to EPIC and to EFF.)

Many of the Federal government’s license-plate readers are operated by the Customs and Border Protection (CBP) division of the DHS, under its assertion of authority to conduct unlimited “border” searches anywhere within 100 miles of a US land border or seacoast. But the master database is being compiled and maintained by the Drug Enforcement Agency (DEA), and used primarily to intercept domestic commerce in drugs and to target vehicles, cash, and other property that can be seized under “civil forfeiture” laws.

This isn’t, of course, the first time we’ve seen CBP’s assertion of a “Constitution-free zone” in coastal and border regions where the majority of the US population lives misused as the basis for surveillance of, and interference with, domestic travel.  Sadly, we don’t expect that this will be the last such instance, either.