Dec 02 2020

Speaking Spanish is a not a lawful basis for being made to show ID

US Customs and Border Protection (CBP) has agreed to pay a “monetary sum” to two native-born US citizens and Montana residents  who were made to show ID and detained for about 40 minutes (including continuing detention even after they showed their Montana drivers licenses) solely because a CBP agent overhead them speaking Spanish to each other.

The amount of the settlement has not been made public.

The ACLU of Montana represented the two Latinx residents of Havre, MT, in their lawsuit, which initially sought a declaratory judgement “that race, accent, and language cannot create suspicion to justify seizure and/or detention” (which ought to go without saying) in addition to money damages.

The facts alleged in the complaint are supported by cellphone video of a CBP agent’s admission that the detention and ID demand were based solely on the language spoken by the agents’ Latinx victims. On discovery, CBP turned over additional self-incriminating video of statements made by CBP agents in interviews with internal CBP investigators, as well as grossly racist text messages exchanged by the CBP agents. Havre is a border town with two crossing points to Canada, where French is a national language, but the Havre-based CBP agents freely admitted that they wouldn’t treat speaking French as suspicious.

After the lawsuit got local and national publicity, the two plaintiffs and their families were harassed and driven out of town. “At his high school, a teacher asked Mimi’s son whether he had brought his ID to class,” one of the victims says. “Our clients bore the brunt of local backlash as a result of coming forward. They both ultimately left Havre for fear of their families’ safety,” according to the executive director of the ACLU of Montana.

Nov 30 2020

CBP proposes to require mug shots of all non-US citizen travelers

Last December we called attention to plans  by US Customs and Border Protection (CBP) to require mug shots of all travelers entering or leaving the US by air or sea, including US citizens.

Within days, CBP issued a press release falsely accusing us of incorrectly reporting  the official CBP notice of its plans, and saying that it would withdraw its notice the next time the regulatory agenda was published.

So what happened?

Earlier this month, CBP withdrew the notice of proposed rulemaking (NPRM)… and issued a new notice of proposed rulemaking the same day that wouldn’t apply to US citizens, but would require all non-US citizens, including permanent US residents (green-card holders) to be photographed whenever they enter or leave the US by any means: air, land, or sea.

(This proposed rule is for collection of biometrics from international travelers at airports, cruise ports, and land borders. There’s a separate pending proposal for collection of biometrics including fingerprints and DNA samples, in advance of travel, from visa applicants, other would-be US visitors, and their US sponsors.)

At airports, the scheme contemplated by CBP would follow the public/private partnership model that CBP and the Transportation Security Administration (TSA) have been collaborating on with airlines and airport operating authorities in the USA and abroad:

Generally, when travelers present themselves for entry or exit, they will encounter a camera connected to CBP’s cloud-based TVS facial matching service via a secure, encrypted connection…. The camera may be owned by CBP, the air or vessel carrier, another government agency such as TSA, or an international partner governmental agency….

At the departure gate, each traveler stands for a photo in front of a partner-provided camera. Aided by the authorized airline or airport personnel, the partner-owned camera attempts to capture a usable image and submits the image, sometimes through an authorized integration platform or vendor, to CBP’s cloud-based TVS facial matching service.

The key element in this partnership, CBP makes clear, is that airlines and airports will pay to operate cameras and send photos of passengers to CBP, in exchange for getting uncontrolled use of the CBP facial recognition system for their own business purposes:

The hardware cost in the regulatory period will be borne by the carriers and airports who partner with CBP.  CBP will give carriers and airports access to its facial recognition system and the carriers and airports will choose (and pay for) the hardware that best fits their needs. While this partnership is voluntary, CBP expects that all commercial carriers and major airports will elect to participate within five years.

Unless airlines and airports were given free use of the CBP facial recognition service for their own purposes, they would have no business reason to bear the cost of installing and operating cameras at all departure gates, or to send the photos to CBP. CBP has limited authority to force airlines to surveil their customers, so CBP’s scheme depends on successfully bribing them — all of them — to collaborate by giving them free access to the facial recognition service. This quid pro quo is the key to CBP’s confidence in its plans.

Read More

Nov 25 2020

Airlines call for new app-based air travel controls

During  its online annual general meeting this week, the International Air Transport Association (IATA) rolled out a  new proposal for an app-based system of control over air travel that IATA is proposing for use by its member international airlines and by governments.

The scheme is being promoted as a response to the COVID-10 pandemic, but would institutionalize structures and practices with the potential for continuing and wider abuse.

IATA is calling its scheme the IATA Travel Pass. As described in these slides,  it would require would-be air travelers to enter both personally identifying information (most likely passport or other ID-card details) and records of tests and/or vaccinations into an IATA  smartphone app.  The data would  be processed by the algorithms of a “rules engine” to detemine whether to issue an “OK to travel” permission message. The output of this algorithmic decision would be available for use by both airlines and governments.

The intent of the IATA proposal is to create an infrastructure for sharing of data and travel permission decisions, at any point before or after the journey, with both airlines and governments, on the basis of an open-ended ruleset:

Of course IATA’s new proposal has all the defects of any smartphone-based travel surveillance or control regime that we discussed back in April when Hawaii tried out such a scheme. IATA is silent on what is to happen to  a traveler who doesn’t have a smartphone, charged-up and operable, with them when they try to travel.

And what about travelers without passport? No passport is currently required, even for international flights, within some free-movement zones such as within Mercosur, ECOWAS, or the European Union, or between the UK and Ireland.

But that’s not the worst aspect of the IATA proposal. Unlike Hawaii’s app-based location reporting system, the IATA app would go beyond surveillance to incorporate an algorithmic decision-making system for prior restraint of the right to travel.  Very disturbingly, there’s no mention in the IATA proposal of who would control the algorithmic ruleset, leaving it wide open to mission  creep and abuse by governments worldwide.  There’s no apparent way to restrict the nature of the rules or the purposes — blacklisting? discrimination? profiling? retaliation? — for which they could be used. Deployment of a general-purpose algorithmic travel control app for use worldwide would invite abuse.

Read More

Nov 10 2020

What does REAL-ID Act “enforcement” really mean?

For the last fifteen years, as both Republican and Democratic administrations have come and gone, the US Department of Homeland Security (DHS) has been using the threat of “enforcement” of the REAL-ID Act of 2005 to extort state legislators, governors, and driver licensing agencies into complying with the REAL-ID Act of 2005 and uploading their residents’ drivers license and state-issued ID card data to the national REAL-ID database, “SPEXS”.

The threat has been that the DHS and/or its components (such as the Transportation Security Agency) will harass or turn away residents of noncompliant states when they try to pass through TSA or other Federal checkpoints or enter Federal facilities.

Not wanting to provoke riots or protests at airports, the DHS has repeatedly postponed its arbitrarily self-imposed “deadlines” for REAL-ID enforcement at TSA checkpoints, most recently until October 1, 2021.  And the TSA, despite repeated trial balloons suggesting what new rules it might try to adopt to require ID to fly, has not yet tried to finalize such a  rule. So we don’t really know what, if anything, REAL-ID Act enforcement at airports might mean.

However, the REAL-ID Act has supposedly been being enforced for access to some other Federal facilities for more than five years, starting on October 15, 2015.

We’ve been trying for almost that long to find out what that “enforcement” has really meant, so that we and the public can assess the meaning and impact of the DHS threats.

How many people have been turned away for lack of acceptable or compliant ID, or ID issued by a “compliant” state, when they tried to enter Federal facilities? At what types of facilities has this happened? And for what purposes were these people seeking entry?

Read More

Nov 06 2020

Canada copies US “Secure Flight” air travel controls

While we were watching US election returns, our neighbors to the north were adopting new travel regulations that incorporate some of the worst aspects of the US system of surveillance and control of air travel, and in some respects go even further in the wrong direction.

Canadian authorities don’t generally want to be seen as imitating the US or capitulating to US pressure. There was no mention in the official analysis of the latest amendments to the Canadian regulations of the US models on which they are based. But according to the press release this week from Public Safety Canada, the latest version of the Canadian Secure Air Travel Regulations  which came into force this week for domestic flights within Canada as well as international flights to or from Canada include the following elements, each of which appears to be based on the US Secure Flight system:

  1. All air travelers will be required to show government-issued photo ID. The Canadian ID requirement to fly is now explicit, unlike the de facto ID requirement that the US Department of Homeland Security is attempting to impose and already wrongly enforcing, in some cases, without statutory or regulatory authority. The Canadian rules appear to reflect the authority to deny passage to air travelers without ID that the DHS has sought, but has not yet been granted, in the US.
  2. Fly/no-fly decision-making will be transferred from airlines (making binary fly/no-fly decisions on the basis of a no-fly list provided by the government) to a government agency. After receiving information about each passenger from the airline, Public Safety Canada will transmit a permission messages to the airline with respect to each would-be passenger on each flight,  with a default of “not permitted to board” if no message is received by the airline from the government. Exactly this change was made in the US through the Secure Flight regulations promulgated in 2008. This change serves two purposes for the government: (A) it provides a basis for building positive real-time government control over boarding pass issuance into airline IT infrastructure, converting every airline check-in kiosk or boarding-pass app into a virtual government checkpoint that can be used to control movement on any basis and for any reason that the government later chooses, and (B) it enables the switch from blacklist-based no-fly decision-making to more complex and opaque real-time algorithmic pre-crime profiling  based on a  larger number of factors.
  3. Air travelers in Canada will be required to provide the airline  with their full name, gender, and date of birth, as listed on government-issued ID, and airlines will be required to enter this data in each reservation and transmit it to the government 72 hours before the flight or as soon as the reservation is made, whichever comes first. All of this is exactly as has bene required for flights within the US since the coming into force of the DHS Secure Flight regulations. This additional information about each passenger enables the government to match passengers’ identities, in advance, to other commercial and government databases, and thus to incorporate a much wider range of surveillance and data mining into its profiling algorithms.
  4. Travelers will be able to apply to the government for a “Canadian Travel Number” which, if issued, they can enter in their reservations to distinguish themselves as whitelisted people from blacklisted people with similar names and/or other similar personal data.  This Canadian Travel Number is obviously modeled on the “redress number” incorporated in the US Secure Flight system. The goal of this “whitelist number” is to reduce the complaints and political embarrassment of the recurring incidents of innocent people with similar names, including  children, being mistakenly identified as blacklisted people, and denied boarding on Canadian flights. The problem, of course, is that this does nothing to help the innocent people who are correctly identified as having been blacklisted by the government, but who were wrongly blacklisted in the first place.

As our Canadian friends at the  International Civil Liberities Monitoring Group put it in a statement this week:

These regulations do not address the central, foundational problems that plague Canada’s No Fly List system and will continue to result in the undermining of individuals’ rights as they travel….

The Canadian government had a solution from the beginning, and they still do: abolish the No Fly List. If someone is a threat to airline travel or to those in the region they are traveling to, charge them under the criminal code and take them to court where they can defend themselves, in public.

It’s time to be done with secret security lists once and for all.

Oct 09 2020

Port of Seattle continues debate on facial recognition

The debate continues on whether the Port of Seattle should allow or pay for continued or expanded use of facial recognition at Sea-Tac Airport (SEA) and the Seattle cruise port.

Yesterday Port of Seattle staff and a subcommittee of the Port Commission met with an advisory committee on biometrics appointed by the Port Commission.

Jennifer Lee of the ACLU of Washington State delivered a letter co-signed by a coalition of organizations including the Identity Project urging the Port Commission not to authorize, pay for, or participate in any use of facial recognition to identify travelers:

On December 10, 2019, the Commission adopted seven principles to guide its decision-making on if and how biometrics should be used at the Port. These principles are: justified, voluntary, private, equitable, transparent, legal, and ethical.

We do not believe that either the current or the proposed uses of biometrics to identify travelers on Port property can be implemented in a manner consistent with these principles. Port staff state that its recommendations “are not meant to suggest that the Port should implement public-facing biometrics, but rather how to do so in alignment with our guiding principles.”  The only action that would be aligned with those principles would be to ban the use of facial recognition technology to identify members of the public by the Port, as well as by the Port’s tenants and contractors….

1. We urge the Port of Seattle Commission to reject participation in, and funding of, CBP’s facial recognition exit and entry programs….

2. We urge the Port of Seattle Commission to prohibit use of facial recognition technology by private entities.

The Port of Seattle should prohibit business tenants such as airlines from integrating with CBP’s Traveler Verification Service (TVS) — the agency’s “Identity as a Service” biometrics system…. When Port tenants integrate with CBP’s TVS architecture, it is impossible to separate “private” or non-federal surveillance from federal government surveillance of travelers. Travelers may think that they are having their photo taken at a self-service kiosk solely for use by the airport or airline. But in reality, that photo will also be shared with DHS and CBP.

The Port, airlines, and contractors should not obscure the role of DHS and CBP by collecting facial images on their behalf. The Privacy Act, as discussed further below, requires that if an individual’s personal information is to be used by a federal agency, it must be collected by that agency directly from that individual. The best way to provide travelers with clear notice that facial images are being passed on to DHS is to require that any such images be collected by identifiable, uniformed DHS staff, using DHS equipment, at DHS’s expense.

The Port meeting also heard from the office of Rep. Pramila Jayapal, who represents the city of Seattle and environs (although not Sea-Tac Airport) in Congress.  Noting the concerns that led her to introduce a bill in Congress that would “place a prohibition on the domestic use of facial recognition technology by federal entities, which can only be lifted with an act of Congress,” Rep. Jayapal suggested that the Port Commission “consider a moratorium on the use of biometrics technology in all Port activities under its purview.”

Read More

Sep 17 2020

New CBP propaganda on facial recognition and other biometrics

US Customs and Border Ptotection (CBP) has launched an entire new subdomain of its website, biometrics.cbp.gov, devoted to propaganda intended to persuade the traveling public to submit to, and airlines and airport operating authorities to collaborate in, the use of facial recognition and other biometrics to identify and track travelers.

There’s nothing in CBP’s happy-talk sales pitch for facial recognition on this new website that we haven’t seen before. And there are still no answers to any of the questions we’ve asked CBP officials about these practices and the legal basis (not) for them.

Biometrics.cbp.gov features links to the (nonbinding) Privacy Impact Assessments (PIAs) that are supposed to describe how mug shots obtained by CBP or its airport and airline “partners” are to be used. But the new CBP site doesn’t link to the legally binding System Of Records Notices (SORNs) that disclose a much wider range of routine and permitted uses of these images.

If there’s anything noteworthy on this site, it’s under the Resources tab, where you can download  copies of the official CBP signs that are supposedly posted at airports, seaports, and land border crossings, including those for airport arrivals (shown at the top of this blog post), airport departures, cruise ports, and pedestrian lanes at land borders.

Leaving aside questions of the accuracy of the claims on these signs, they provide definitive confirmation that all of these biometric programs are in flagrant violation of Federal law — as we’ve pointed out repeatedly to CBP, but to no avail.

None of these signs contain any Paperwork Reduction Act (PRA) notice or any OMB Control Number. Even if the collection of photos or other biometric information were authorized by law, even if it were voluntary, even if it were limited to non-US persons, and even if none of the images or other data were retained, this collection of information would still have to be approved in advance by OMB, assigned an OMB Control Number confirming the approval, and accompanied by PRA notices including that OMB Control Number.

Some people wonder why we care about OMB approval or PRA notices. OMB approval is often little more than a rubber stamp. It’s not an onerous burden on the agency, and it doesn’t usually involve any meaningful scrutiny of the legal basis claimed by an agency for collecting information from individuals. PRA notices don’t give much information about how the data that’s being collected will be used.  Few people know to look for PRA notices or OMB Control Numbers, how to interpret them, or what they signify.

The significance of CBP’s complete disregard for the PRA — a minimal administrative formality that CBP could easily comply with — is that it is indicative of CBP’s complete disregard for the law in general. It’s not that CBP or its parent agency the US Department of Homeland Security (DHS) are lazy. The choice not to seek OMB approval for their actions, or to post PRA notices, is not an accident. It’s emblematic of the extent to which CBP and the DHS assume that they can disregard any of the substantive or procedural rules that apply to all other agencies, and make their own laws through secret diktats. The real problem is not the violation of the PRA, but that CBP and DHS have no greater respect for human rights treaties or the US Constitution than they do for Federal laws like the PRA.

Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Sep 14 2020

10th Circuit: No qualified immunity for police who demand ID

A panel of the 10th Circuit US Court of Appeals has ruled, in the case of Mglej v. Gardner, that it is “clearly established law” that police in Utah may not require suspects (or anyone else they detain, except operators of motor vehicles) to show ID documents, and therefore that the Garfield County Sheriff who wrongly arrested Matthew T. Mglej for “refusing to identify himself” is not entitled to qualified immunity and can be held liable for damages.

In the summer of 2011, Mr. Mglej, then 21 years old, set out on his motorcycle from his family home in Portland, OR, to visit relatives in Dallas, TX. Mid-way on that road trip, his motorcycle developed problems, and he stopped in Boulder, UT (population around 200), to see if he could get his bike repaired and replace a tire that was threatening to blow.

Read More

Sep 09 2020

Portland bans facial recognition by city agencies or in places of public accommodation

Today the City Council of Portland, Oregon, voted unanimously to ban the use of facial recognition technology by City agencies or by private entities in places of public accommodation within the City limits, including at the Portland International Airport (PDX), effective immediately.

Many local and national organizations and individuals testified eloquently in favor of these proposals. We don’t need to repeat all of their general arguments.

But a point of particular concern and particular pleasure for us is that the Port of Portland asked the City Council for an exemption from the ban to allow use of facial recognition “for air carrier passenger processing” — and was turned down.

No member of the City Council mentioned the Port’s request for a carve-out for facial recogntion of air travelers during the City Council discussion, and the proposals were adopted without amendment except for making the ban on private use of facial recognition in places of public accommodation effective immediately, as had already been proposed for the ban on use by city agencies. (The amendment to make the private entity ban effective immediately was made verbally during the City Council meeting, so it isn’t reflected in the advance text of the proposal.)

This is an important precedent , as Portland is only the second jurisdiction in the US to consider local rules related to facial recognition at its airport.

Earlier this year, after behind-the-scenes threats by the US Department of Homeland Security (DHS) to make life difficult for the Port of Seattle if it didn’t collaborate with DHS facial recognition schemes at Sea-Tac International Airport (SEA) and allow airlines and contractors also to do so, the Port of Seattle Commission reneged on the aspirational policy principles it adopted in 2019  and decided to buy and operate common-use facial recognition cameras integrated with DHS and airline databases and operations.

(See our written testimony to the Seattle Port Commission on use of facial recognition at SEA: 1, 2, 3., and articles in our blog here and here.)

The decision by the Port of Seattle was made just before the COVID-19 pandemic drastically reduced traffic at SEA and other airports and delayed the need for the new gates at SEA where the DHS-linked cameras were to be installed. A broad coalition of local and national community and civil liberties organizations has called on the Seattle Port Commission to use the opportunity provided by this delay to reconsider its decision on facial recognition.

Portland did significantly better than Seattle in working to distance itself from and isolate the DHS — not surprisingly in light of the object lesson the DHS has provided in Portland recently with respect to DHS trustworthiness (not), self-restraint (not), commitment to the rule of law (not), and respect for civil and human rights (not). Portlanders don’t trust the DHS to behave any better at PDX Airport than it’s been behaving on the streets of Portland.

PDX airport is located within the City of Portland but operated by the Port of Portland, a special-purpose agency of the state of Oregon governed by a board appointed by the Governor of Oregon. The City of Portland can’t prevent use of facial recognition by the DHS or the Port of Portland, but can regulate or prohibit its use by private entities, including airlines, within the city limits, including at the airport.

The Port of Portland has the authority to enter into contracts, borrow and spend money, manage its employees, and enact rules for activities at PDX Airport. But in addition to the requirements of due process and other Constitutional rights, and the obligations on the airport as a publicly owned and operated place of public accommodations and common-carrier facility, the legislative authority of the Port is limited to the issuance of rules consistent with city ordinances. That appears to mean that the Port may not prohibit that which the city has duly prohibited. (If readers have more expertise on this jurisdictional issue, feel free to leave a comment or drop us a line.)

The Federal government could preempt the Portland ordinances if it enacted valid laws or promulgated valid regulations mandating use of facial recognition by Federally-regulated airlines and/or airports. But no law mandates use of facial recognition for US citizens, even when traveling internatoinally, or for passengers on domestic flights

The DHS has refrained from promulgating any such regulations, preferring to operate outside the law than to establish any legal framework for its use of facial recognition or subject it claim of authority to notice-and-comment rulemaking or judicial review. A petition for rulemaking on use of biometrics for traveler identification submitted to the DHS by the Portland-based World Privacy Forum has been ignored by the DHS for almost two years.

While the DHS has engaged in heavy-handed behind-the-scenes lobbying and threats to “persuade” airlines and airport operating agencies to become its “partners” in biometric surveillance and control of air travelers, as it did in Seattle, the DHS has continued to maintain — correctly — that this “cooperation” is entirely voluntary. In declining to participate, and by exercising its jurisdiction to prohibit airlines or other contractors form doing so within the city limits, the City of Portland is doing only what the DHS has consistently said that local jurisdictions have the authority to do, if they so choose.

The July 14, 2020, letter from the Port of Portland to the Portland City Council requesting exemption from the facial recognition ban made numerous false factual claims and specious arguments. Since these bogus arguments are likely to be raised again in other cites despite having failed to persuade any of the members of the Portland City Council, it’s worth noting and debunking them:

Read More