Archive for the ‘Surveillance State’ Category

Smile for the camera, citizen!

Monday, March 23rd, 2015

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment. A few countries, starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.


Amtrak lies about police use of passenger data

Friday, March 20th, 2015

Passenger Name Record (PNR) view from Amtrak "Police GUI".

The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.

Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU. That response omitted any mention of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.

Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)

The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Protection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.


US government veterans call for curbs on surveillance

Monday, March 9th, 2015

Citing our research and analysis on NSA surveillance of travelers as part of the basis for their recommendations, an organization of veterans of US intelligence agencies has called for curbs on mass surveillance of innocent individuals, in order to “preserve privacy and increase security”.

These recommendations to the Privacy and Civil Liberties Oversight Board (PCLOB) are the latest in a series of statements issued by the Veteran Intelligence Professionals for Sanity (VIPS), a group which includes prominent NSA, CIA, State Department, FBI, and other whistleblowers. (More from former FBI agent Coleen Rowley, one of the members of VIPS and a signatory of the statement.)

The letter from VIPS to the PCLOB is worth reading in full, but we found these portions among the most trenchant:

The Fear Factor

If Americans want to actively protest U.S. Government policies, but are aware that their communications are being monitored, some individuals will be fearful, inclined toward self-censorship and less likely to speak out – with the chilling effect of being denied their First Amendment rights to free speech and association.

With the Government’s surveillance resources devoted to electronic communications, facial image capture, retina scans, GPS and E-ZPass tracking, license plate readers, banking transactions, and air travel reservations, those with access to the data will be free to develop their own “threat” profiles to target people with tragic consequences for citizens’ freedom of speech, press, religion, and association.

Is this the state of freedom Americans choose to live under? It was achieved through a cooperative Congress and an anxious news media that reacted on the basis of a fear-mongering Intelligence and Law Enforcement Community backed by profiteers from the private sector eager to come to the rescue with all manners of big data analytics solutions. Over the ensuing years, public malaise seems to have set in yielding a general sense of resignation over the loss of privacy wherein it’s viewed to be a small price to pay for the convenience of having perpetual electronic access within reach 24/7.


Must we choose between the right to travel and the right to remain silent?

Tuesday, February 24th, 2015

When US citizen Jonathan Corbett checked in at Heathrow Airport in London for an American Airlines flight to New York last December, he was questioned by an airline employee or contractor (it’s often impossible to tell which are which) about his travel outside the US:

When questions changed from, “Where are you flying?” to “Was your trip for personal or business purposes,” and “Where were you since you left America,” I asked if the questions were necessary, and was told yes.

Mr. Corbett was eventually allowed to board his flight without answering these questions. But he followed up first with the airline, which referred him to the TSA, and then with the TSA itself.

Both AA and the TSA said that the questioning is part of a TSA-mandated “security program”. While AA and the TSA both claimed that most details of this program are secret, the TSA “Office of Global Strategies Communications Desk” (OGSCommunications@tsa.dhs.gov) told Mr. Corbett that answering the questions is a condition of boarding a flight to the US:

As part of its Transportation Security Administration (TSA)-approved security program, American Airlines is required to conduct a security interview of passengers prior to departure to the United States… If a passenger declines the security interview, American Airlines will deny the passenger boarding. The contents of the security program and the security interview are considered Sensitive Security Information (SSI) … and its contents are not for public disclosure. Any security procedure performed by the airline would be because of a requirement in their program.

Yesterday, Mr. Corbett filed suit against the TSA in both the U.S. District Court for the Eastern District of New York (which has jurisdiction over Kennedy Airport in Queens, where his flight arrived in the US) and in the 11th Circuit Court of Appeals (which has jurisdiction over Florida, where Mr. Corbett resides).  Perverse judicial precedents including those in Mr. Corbett’s own previous lawsuits require most lawsuits against TSA practices to be filed simultaneously in both District and Circuit Courts, to avoid a risk of being dismissed on jurisdictional grounds.

Mr. Corbett’s lawsuit directly challenges the requirement for a traveler to answer questions (i.e. to waive his or her Fifth Amendment right to remain silent) as a condition of the exercise of the right to travel, specifically the right of a US citizen to return to the US.


Feds aggregating license-plate scans to track vehicles and people in real time

Friday, February 6th, 2015

We’ve talked a lot about government surveillance and control of air travelers, and occasionally about its extension to bus and train travel.  (Our FOIA request about this to Amtrak remains unanswered and several months overdue for a response.)

But can you avoid being tracked and watched by the government if you travel by private car? No:

A year ago, when the Department of Homeland Security cancelled a request for bids from commercial vendors to supply vehicle location logs compiled from automated (optical character recognition) license-plate readers, we pointed out that the DHS didn’t need to buy this information from commercial data aggregators, since it already had it available from government sources.  In fact, as we noted then, the DHS had already given official notice of the inclusion of license-plate location logs in DHS databases about both US and foreign citizens (while claiming that a license plate number isn’t a “personal identifier”).

New documents released to the ACLU in response to FOIA requests and reported by the Wall Street Journal (paywalled article; NPR interview with the WSJ reporter on the story) confirm our suspicions: As early as 2009, a “National LPR Initiative” was compiling data from license-plate readers operated by the DHS and other Federal, state, and local government agencies to track both vehicles and their occupants in real time. (More background and additional documents from the ACLU’s previous FOIA requests regarding license-plate readers; related documents released to EPIC and to EFF.)

Many of the Federal government’s license-plate readers are operated by the Customs and Border Protection (CBP) division of the DHS, under its assertion of authority to conduct unlimited “border” searches anywhere within 100 miles of a US land border or seacoast. But the master database is being compiled and maintained by the Drug Enforcement Agency (DEA), and used primarily to intercept domestic commerce in drugs and to target vehicles, cash, and other property that can be seized under “civil forfeiture” laws.

This isn’t, of course, the first time we’ve seen CBP’s assertion of a “Constitution-free zone” in coastal and border regions where the majority of the US population lives misused as the basis for surveillance of, and interference with, domestic travel.  Sadly, we don’t expect that this will be the last such instance, either.

Is the attack on Charlie Hebdo a reason for air travel surveillance?

Tuesday, January 13th, 2015

In a speech today in Strasbourg opening the current session of the European Parliament, the President of the European Council (the executive branch of the European Union, comprised of national governments) invoked the attack on the satirical cartoonists of Charlie Hebdo as a reason for popularly-elected EU legislators to put aside their previous objections and enact a comprehensive EU-wide mandate for surveillance and profiling of airline passengers on the basis of Passenger Name Record (PNR) data from airline reservations.

Today’s speech by Council President Donald Tusk of Poland echoed similar statements by “security” (policing and surveillance) officials of other EU governments in conjunction with a summit meeting of EU ministers. The summit is also being attended by senior US officials from the DHS and other agencies that have been lobbying the EU for years to set up a PNR-based surveillance and profiling scheme modeled on the one used by the US.

Tusk and other EU officials have made PNR-based profiling of air travelers a priority as a “response” to the Charlie Hebdo attack in Paris, claiming that it “can help in detecting the travel of dangerous people.”

Is this true? And does the attack on Charlie Hebdo provide any reason for Members of the European Parliament, or the European Court of Justice, to change their opinion that mandatory root access by governments to airline reservation databases is unjustified and violates fundamental rights?

No, and no.

The attack on Charlie Hebdo was an act of domestic terrorism carried out within France by French citizens.  They didn’t travel by air or cross international borders.  Their means of transportation to and from the scene of the crime in Paris was a car stolen elsewhere in the Paris metropolitan area. Airline reservations or border controls would have given no indication of the impending attack, and could not have been used to prevent it.

After the fact, police pursuing the perpetrators could have obtained search warrants, including warrants for PNR data or other airline records if there was a likelihood that they would be relevant, through normal judicial procedures.

(And as Wikileaks recently revealed, European governments are already obtaining PNR data “informally” from airlines, and using it to profile travelers, without legal authority.)

Nothing about the attack on Charlie Hebdo provides any reason to give governments more power to engage in warrantless surveillance or profiling of travelers who aren’t suspected of any crime.

Comprehensive PNR surveillance is like the NSA’s dragnet interception and mining of Internet and telephone records, except that metadata about the movements of our physical bodies (PNR data) can be far more intimate than metadata about the movement of our messages. Which is more intrusive: For the NSA to know that you talked on the telephone or exchanged email messages or were in the same mobile phone “cell” with someone, or for the DHS or a European “Passenger Analysis Unit” to know from a hotel reservation passed on to the government as part of your PNR data that you slept in the same bed with that person?

The purpose of PNR-based surveillance is neither to investigate past crimes nor to track people who are already suspected of crimes.  Those activities require neither new procedures nor new police powers.  The only reason for governments to obtain the entire rich and intimately revealing PNR dataset for all air travelers is to identify new potential suspects, based on profiles and associations. Profiling and suspicion-by-association are the central purposes of a PNR system, not side effects or aberrations.

We’ll be in Brussels next week to discuss these issues with our European colleagues at a Privacy Camp on “Big Data & Ever Increasing State Surveillance“, and at the Computers, Privacy & Data Protection (CPDP) conference.

Wikileaks publishes CIA reports on travel ID checks

Monday, January 12th, 2015

Wikileaks has published two internal briefing documents produced for the use of CIA undercover agents, describing the methods used by airlines and governments to identify international travelers.

Both of these reports were produced as part of the CIA’s previously-unknown CHECKPOINT program of travel ID-related activities:

This product has been prepared by CIA’s CHECKPOINT Identity and Travel Intelligence Program. Located in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology, CHECKPOINT serves the Intelligence Community by providing tailored identity and travel intelligence products. CHECKPOINT collects, analyzes, and disseminates information to help US intelligence personnel protect their identities and operational activities while abroad.

One of the reports, “Surviving Secondary“, describes ID-related “secondary screening” procedures at international airports, with examples from the US, EU, and other countries around the world.  The other report is an overview of, “The European Union’s Schengen biometric-based border-management systems.”

Most of the airline and government profiling and “screening” activities described in the reports are already well-known. These include many of the ways that governments obtain and use Passenger Name Record (PNR) and Advance Passenger Information (API or APIS) data derived from airline reservations.

But these newly-released reports also confirm that the CIA (and the other agencies with which the reports have been shared within the US government) are aware of some airline and government activities and some vulnerabilities for travelers which we and others have complained about, but which the US government has not previously acknowledged.

One problem confirmed by the CIA report on secondary screening is that government agencies can, and routinely do, obtain and use PNR, API, and other airline data, without legal authority or due process:

Security services lacking APIS or PNR information may have other arrangements to receive passenger manifests ahead of time. For example, the Airport Police Intelligence Brigade (BIPA) of the Chilean Investigative Police does not routinely obtain advance passenger manifests but can request the information from airlines on an ad hoc basis to search for targets of interest. Strict privacy laws covering Danish citizens extend to all passengers traveling through Copenhagen airport such that the Danish Police Intelligence Service (PET) cannot legally obtain routine access to flight manifests. However, if one of PET’s four cooperative airline contacts is on duty, the service can unofficially request a search on a specific name, according to August 2007 liaison reporting.

Airline data obtained by government agencies through these extrajudicial channels is used for profiling and targeting of searches, questioning, and other adverse actions against travelers.

This practice is illegal in many of the countries where it is routine, but typically occurs without leaving a trace.  Many airline staff are willing to betray their customers’ privacy to government agencies. And because no records are kept of who accesses PNR data, both government agents and their airline collaborators know that they are unlikely to be held accountable unless they confess or are caught in the act.

The persistence of routine “informal”, often illegal, and almost always unrecorded government access to airline data about travelers highlights a crucial issue we’ve been talking about for years: the complete absence of access logging in the architecture of the computerized reservation systems (CRSs) which host airlines’ PNR databases.  CRSs have PNR change logs, but no PNR access logs.

Governments and travelers must demand that CRSs add comprehensive access logging to their core functionality for PNR hosting. That won’t stop the problem. Airline staff will still be able to show government agents printouts or let them look at displays, with only the airline personnel’s  access being logged. But access logs will help, and are an essential first step toward control of PNR data “leakage”.
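To make the difference between a change log and an access log concrete, here is an added sketch (ours for illustration, not code from any CRS) of a toy PNR host that can run with or without access logging. The class, the record locator, the user IDs, and the ticket designator are all constructed, and the hash-chaining of log entries is our own design assumption, going one step beyond what the paragraph above asks for.

```python
import hashlib
import json


def _digest(entry):
    """SHA-256 over an entry's fields (everything except its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PNRStore:
    """Toy PNR host (hypothetical). It always keeps a per-PNR change history;
    the access log of reads and writes is optional, to compare both designs."""

    def __init__(self, access_logging):
        self.access_logging = access_logging
        self._records = {}      # record locator -> PNR fields
        self.history = {}       # record locator -> list of changes (writes only)
        self.access_log = []    # reads and writes, each entry chained to the last

    def _log_access(self, locator, user, action, purpose):
        if not self.access_logging:
            return
        prev = self.access_log[-1]["hash"] if self.access_log else "0" * 64
        # A production log would also carry a trusted timestamp; it is left
        # out here so that the example is deterministic.
        entry = {"seq": len(self.access_log), "locator": locator, "user": user,
                 "action": action, "purpose": purpose, "prev": prev}
        entry["hash"] = _digest(entry)
        self.access_log.append(entry)

    def update(self, locator, user, changes):
        """A write: recorded in the change history in both designs."""
        self._records.setdefault(locator, {}).update(changes)
        self.history.setdefault(locator, []).append(
            {"user": user, "changes": dict(changes)})
        self._log_access(locator, user, "update", "booking")

    def display(self, locator, user, purpose):
        """A read: leaves a trace only if access logging is enabled."""
        self._log_access(locator, user, "display", purpose)
        return dict(self._records[locator])

    def viewers(self, locator):
        """Who displayed this PNR, and the purpose they stated.
        Only the logged-in airline user is named, not anyone shown the screen."""
        return [(e["user"], e["purpose"]) for e in self.access_log
                if e["locator"] == locator and e["action"] == "display"]

    def verify_access_log(self):
        """Detect removed, reordered, or edited entries by re-walking the chain.
        (Truncating the tail is not detected without an external anchor.)"""
        prev = "0" * 64
        for seq, e in enumerate(self.access_log):
            if e["seq"] != seq or e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True


def demo():
    """Run the same constructed activity against both designs."""
    results = {}
    for name, logging_on in (("change_log_only", False), ("with_access_log", True)):
        store = PNRStore(access_logging=logging_on)
        store.update("ABC123", "agent_12",
                     {"name": "DOE/JANE", "ticket_designator": "CONV15"})
        store.display("ABC123", "airline_staff_07", "unofficial name search")
        store.display("ABC123", "checkin_03", "check-in")
        results[name] = {"changes": len(store.history["ABC123"]),
                         "viewers": store.viewers("ABC123"),
                         "log_intact": store.verify_access_log()}
    # Someone with database access quietly removes the record of the search.
    del store.access_log[1]
    results["intact_after_deletion"] = store.verify_access_log()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With only a change log, the two displays leave nothing behind; with the access log, both are attributable to a logged-in user, and removing the entry for the name search breaks the chain.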

The CIA report on secondary screening also confirmed that the CIA is aware of the sensitivity and use by European governments (and presumably other governments) of associational information contained in fare basis codes, ticket designators, and travel agency IDs:

April 2007 reporting resulting from a liaison exchange with the Hungarian Special Service for National Security (SSNS) provides insights into factors considered by officers at Ferihegy airport in Budapest, Hungary when examining tickets. Officers check … whether the ticket fare code represents a government or military discount, or whether a government travel agency booked the ticket. Hotel and car reservations are similarly examined for unusual discounts or government affiliation.

Of course, the same PNR data elements and pricing and ticket designators can reveal other, non-governmental, affiliations between travelers and with other individuals and groups. If an airline gives a discount to members of a political organization, trade union, or other group attending a convention or meeting, for example, each PNR and ticket for a member who receives the discount typically includes some unique code.

Despite complaints, including ours, both US and European officials have denied that ticket designators and similar codes in PNRs can reveal sensitive associational data.  Now we know that this information is already being used by European governments, and that the CIA is aware of these uses.  There’s no more excuse for pretending that these data elements are innocuous or that they can be “shared” without risk to travelers.

“CAPPS IV”: TSA expands profiling of domestic US airline passengers

Friday, January 9th, 2015

Under color of a vestigial provision of Federal law related to an airline passenger profiling program that was discontinued more than four years ago, and applying the name of that program (and attempting to apply the same legal mandate) to an entirely new scheme, the TSA is adding a new, additional layer of passenger profiling to its pre-crime system for domestic airline flights within the United States.

The existence and TSA-mandated implementation of the new so-called “Computer-Assisted Passenger Prescreening System (CAPPS)” was first disclosed publicly in an obscure posting this Monday on the DHS website and an equally obscure notice published the same day in the Federal Register.   According to both documents, the new CAPPS scheme has been under development since at least 2013, in secret collaboration between the TSA, the inter-departmental National Counterterrorism Center (NCTC), airlines, and private contractors.

What was the old CAPPS? What is the new CAPPS? And what does this mean for the rights of travelers?

Answering these simple-seeming questions requires understanding the history of government-mandated airline passenger profiling in the US and the shell game of labels that the government has applied to profiling schemes, as well as careful parsing of this week’s abstruse and uninformative (to the uninitiated) official notices.


DHS proposes ID and search rules for passengers on ocean-going ships

Thursday, December 11th, 2014

In a Notice of Proposed Rulemaking (NPRM) published yesterday in the Federal Register, the Coast Guard has proposed that all so-called “cruise ship” ports be required to carry out airport-style searches (“screening”) and check identity credentials of all embarking and disembarking passengers and any other visitors entering the port.

Entities responsible for the operations of large passenger vessels and ports are already required to submit “security” plans to the Coast Guard. Because those current plans are filed in secret, it’s not entirely clear how the proposed requirements differ from current practices.

According to the NPRM, the Coast Guard’s guidelines for complying with the current regulations, in addition to various other supporting documents, were included in the rulemaking docket. We’ve confirmed with the docket office, however, that the Coast Guard never provided any of the supporting documents for posting on Regulations.gov or over-the-counter availability at the docket office. Presumably, a corrected notice with a new due date for comments will be published in the Federal Register once these documents are made publicly available.

From the summary in the NPRM, it appears that the main proposed changes are new requirements for port operators to:

(a) Screen all persons, baggage, and personal effects for dangerous substances and devices in accordance with the requirements in subpart E of this part;

(b) Check the identification of all persons seeking to enter the facility in accordance with §§ 101.514, 101.515, and 105.255 of this subchapter….

The difference in “screening” practices contemplated by the proposed rules seems to be that they would be more standardized than at present, more like those at airports, and would be required to enforce a Coast Guard “prohibited items” list.  Although the list of items prohibited from aircraft is designated as “Sensitive Security Information”, the Coast Guard has included a tentative list of items proposed to be prohibited from cruise ship cabin baggage in the proposed rules. At the same time, the proposed rules would provide that:

The Prohibited Items List does not contain all possible items that may be prohibited from being brought on a cruise ship by passengers. The Coast Guard and the cruise ship terminal reserve the right to confiscate (and destroy) any articles that in our discretion are considered dangerous or pose a risk to the safety and security of the ship, or our guests, and no compensation will be provided.

Cruise ship passengers are already required to “present personal identification in order to gain entry to a vessel [or port] facility,” but it isn’t clear how or by whom this is supposed to be enforced. The proposed rules would create a new obligation for port operators to check passengers’ ID credentials.

As with the definition of “prohibited items”, acceptable ID credentials are defined for air travel only in secret (SSI) TSA Security Directives and/or Standard Operating Procedures, but are defined publicly in Federal regulations for cruise ships.

The NPRM would leave the definition of acceptable ID unchanged. In addition to government-issued ID credentials, the regulations specifically provide for the acceptance of ID issued under the authority of, “The individual’s employer, union, or trade association”, as long as it is laminated, includes a current photo, and bears the name of the issuing authority.

By its plain language, this regulation allows any self-employed person to issue their own self-signed personal ID credentials for access to port facilities.

That’s not inappropriate, since many self-employed contractors need to enter ports for business reasons.

In practice, most cruise lines enforce (with or without legal authority) ID requirements more stringent than those in Federal regulations. But we’d be interested in hearing from anyone who has presented self-signed ID credentials, in accordance with these regulations, for purposes of entry to a port or to board a cruise ship. Some cruise lines allow guests onboard while ships are in port, such as friends seeing off passengers. So you might be able to experiment without being a passenger yourself.

Dept. of Justice guidance against profiling exempts borders and “screening”

Wednesday, December 10th, 2014

The US Department of Justice has issued new Guidance for Federal Law Enforcement Agencies Regarding the Use of Race, Ethnicity, Gender, National Origin, Religion, Sexual Orientation, or Gender Identity.

“This Guidance … reaffirms the Federal government’s deep commitment to ensuring that its law enforcement agencies conduct their activities in an unbiased manner” — except at and near borders and coastlines and during any activity labelled “screening”.

According to a footnote, “This Guidance… does not, create any right … enforceable … against the United States, its departments, agencies, instrumentalities, entities, officers, employees, or agents, or any person, nor does it create any right of review in an administrative, judicial, or any other proceeding.”

And in a huge exception hidden in the same footnote:

[T]his Guidance does not apply to interdiction activities in the vicinity of the border, or to protective, inspection, or screening activities.

Most of the US population lives “near” (within 100 miles of) a border or seacoast, and the ACLU’s “Blog of Rights” has a good analysis of what’s wrong with allowing racial and other profiling at and near US borders.

On a daily basis, however, more people are stopped and subjected to “administrative” searches as part of TSA and other Federal “screening activities” than are stopped at border and near-border checkpoints. These are the searches that are labelled as “screening”, rather than searches, by the TSA and other agencies that don’t want to admit that these searches are subject to the 4th Amendment.

The DOJ guidance is applicable to all Federal law enforcement officers, not just DOJ personnel.  It includes TSA and other DHS officers everywhere except when they are in the vicinity of the border or carrying out “screening activities.” (Most TSA checkpoint staff aren’t law enforcement officers, despite their badges and their job title of “officer”, but some other TSA employees are.)  So this exception isn’t about the DOJ not having jurisdiction over employees or contractors of the DHS or other agencies. The job of the DOJ includes interpreting Federal law for all executive agencies.

The only reason these activities were exempted from the DOJ guidelines is because the DHS argued successfully, to the DOJ and in whatever White House or other inter-agency process led to the issuance of the guidelines, that racial and other profiling was a proper element of its border, near-border, and “screening” activities — not an accident, oversight, or something DHS is trying to reduce or eliminate.

That should be no surprise, since the DHS has made explicit that it now profiles all air travelers as a part of so-called “screening”, and has added questions about profiling criteria such as national origin to its forms for would-be border crossers. But it’s yet another indication of the belief by the DHS that it is above the law and exempt from the norms of justice that apply to the rest of the government.