Dec 03 2018

Smile, travelers! You’re on candid DHS cameras.

The Department of Homeland Security has posted the latest update to a series of Privacy Impact Assessments attempting to whitewash the invasions of privacy and human rights inherent in a comprehensive system of automated facial identification of travelers.

The latest PIA reveals more than the DHS has previously admitted about the nature and scope of its planned use of automated facial ID technology.

The DHS plans to use image data aggregated from commercial surveillance systems operated by airlines and airports, as well as DHS cameras, including non-obvious cameras, to identify air travelers (including both domestic and international travelers), international ferry and cruise passengers, and travelers crossing US land borders in vehicles or on foot.

Automated identification of travelers based on facial images would be used as the basis for who is, and who is not, allowed to travel, based on travel histories and algorithmic “risk assessments” that form the US counterpart of, and predecessor to, China’s control of  travel and other activities through facial recognition and “social credit” scoring.

The latest PIA makes a variety of claims about how the risks to privacy and human rights inherent in this scheme will purportedly be “mitigated”. Some of these “reassurances” are implausible, while others are already contradicted by the facts on the ground. And none of them would cure some of the ongoing violations of Federal law in current DHS practices.

Read More

Nov 21 2018

REAL-ID database still lacks basic protections

[As of August 2017, this was one of the two highest priorities for the SPEXS/S2S governance committee —  but still unresolved.]

There is still no way to find out whether there’s a record about yourself in the national REAL-ID database, or what information that record contains, or to correct it. This has been recognized as a priority by the state officials who indirectly “govern” the contractors who operate the database. But years have passed, and nothing has been done to address the problem, even as the database has grown to include information about more than 50 million US residents.

How has this been allowed to happen?

The most significant requirement for US states and territories that choose to comply with the Federal REAL-ID Act of 2005 is participation in the national ID database, SPEXS.

But while SPEXS has been developed to enable state submission to Federal requests, development and operation of the SPEXS has been outsourced to the American Association of Motor Vehicle Administrators, a nominally-private nonprofit corporation, and a for-profit AAMVA contractor, Clerus Solutions. Neither AAMVA nor Clerus Solutions are directly subject to any Federal or state government transparency laws.

Federal funding for SPEXS from the DHS has been laundered through grants to states, keeping the Feds at arms length from AAMVA, Clerus Solutions, or any direct oversight of, or accountability for, SPEXS. We have requested DHS records of these grants, but the DHS has yet to produce them. Just today — well after the deadline for the DHS to respond to our request  — we got a message  claiming that the FOIA office to which our request has been referred isn’t sure what we want, and asking us to “clarify” our request.

In the meantime, the main sources of information about the build-out of SPEXS into a comprehensive national database of drivers licenses and state-issued ID cards have been responses to requests to state driver licensing agencies (DLAs in AAMVA-speak) under state public records laws.  If you want to request these records from your state DLA, here’s a 2017 list of state points of contact for participants in SPEXS and the AAMVA subcommittee for privatized “governance” of SPEXS.

This list is part of the latest batch of records released by the Wisconsin Department of Motor Vehicles (the first participant in SPEXS) in response to a  request under that state’s open records law.

Among other details, these records confirm that as recently as August 2017, AAMVA still had not  agreed on any procedure by which an individual could find out whether there is a record about them in the SPEXS database, or what information it contains. No system for handling access or correction requests had been established, even though by that time the SPEXS database contained information about 50 million people.

We asked AAMVA’s “Chief Privacy Officer about this in early 2016. Nothing was done. Members of the S2S/SPEXS governance committee were polled in 2017, and identified this as one of their two highest priorities. Still, another year later, nothing has been done. Read More

Nov 14 2018

OIG confirms State Dept. broke its own rules when it seized US citizens’ passports

A report released earlier this month by the State Department’s Office of Inspector General confirms that, as we and others began reporting in 2013 and 2014, State Department staff  “failed to comply with relevant procedures intended to safeguard the rights of U.S. citizens” when they summarily seized or retained the passports of US citizens who sought consular assistance at the US Embassy in Sana’a, Yemen.

Because of incomplete and inconsistent record-keeping and shifting stories told to OIG investigators by State Department staff, the OIG was unable to determine how many US citizens were improperly deprived of their passports, or for how long.

The consequences for these Yemeni-American US citizens were especially dire because many of them were seeking to leave Yemen to escape the escalating civil war and foreign military interventions in Yemen (some of which were backed by the US and its allies).

Without passports, these US citizens were unable to travel legally from Yemen  to other countries, or to return to the US. They were forced either to remain in increasingly war-torn and dangerous Yemen, or use dangerous illegal means of transport to escape.

The de facto policy of the US Department of State as early as 2013 — even before the inclusion of Yemen in the 2017 Muslim ban executive orders — appears to have been to define anyone with Yemeni ancestry, regardless of citizenship, as an enemy of the US, and to use all available legal or illegal methods to deny them US passports. Typical tactics included putting applications by Yemeni-Americans for new or renewal passports into indefinite limbo, and indefinitely retaining US passports presented to consular officials at the US Embassy in Sana’a.

Typically, no formal decision that would be readily subject to judicial review was made. Even when a passport was revoked or an application for a passport was denied, the affected citizen often wasn’t notified until months or years later.

Several lawsuits were brought challenging the denials and delays in issuing, renewing, or returning passports. At least one case led to a  court order for the return of a US passport seized in Sana’a. But the government was able to evade judicial review of most of its passport denials and seizures by reversing its decisions and dropping charges or issuing delayed passports once its victims lawyered up and made it to US courts.

Despite the fairly scathing  report by the OIG, there’s no indication that any of the responsible State Department officials — either at the embassy in Yemen or making policy and directing practices from the US — have lost their jobs, much less been prosecuted, for conspiring to deprive US citizens of their fundamental rights, in circumstances where the ability to exercise those rights could be a matter of life and death.

Nov 02 2018

What China calls “social credit”, the US calls “risk assessment”

A viral video of an announcement on a Chinese high-speed train and a series of reports (here and here) on NPR have prompted a surge of interest this week in China’s “social credit” system:

Dear passengers: People who travel without a ticket, behave disorderly, or smoke in public areas will be punished according to regulations, and the behavior will be recorded in individual credit information system. To avoid a negative record of personal credit, please follow the relevant regulations and help with the orders on the train and at the station.

Despite unwarranted comparisons to US financial credit scores, “social credit” scoring in China is used by the government and para-statal entities, not just private companies, and not just for financial decision-making.

One of the NPR stories as well as a report last month by the Australian Broadcasting Co. include interviews with people who discovered they were barred by the Chinese government from travel on high-speed trains as a result of “social credit” scores, regardless of their ability to pay for tickets.

Dystopian? Yes.

Unjust? Yes?

“It can’t happen here?” No.

It already happens here, every day, to everyone who travels by airline or engages in bank or credit card transactions.

You may not realize it until you are mysteriously unable to obtain a boarding pass or complete a financial transaction, but each of these activities is already subject to secret, permission-based, extrajudicial prior restraint by the US government.

The default is “no”.  Since a little over 10 years ago, US Federal regulations have forbidden any airline from issuing a boarding pass unless and until it has sent the would-be traveler’s itinerary and identifying information to the DHS and has received back an individualized, per-passenger, per-flight, permission-to-travel message from the DHS. The DHS generates a secret “risk score” for each passenger, which determines how closely they are searched and questioned, whether the airline is instructed to call the police when they try to check in, and other aspects of how they are treated.

Even before airlines or banks get to the point of consulting the government, “carrier sanctions” and similar sanctions against financial institutions give them a financial incentive to err on the side of saying “no”, not “yes”.

You don’t have to be on a government blacklist for your air travel or financial transactions to be blocked by the US government or by airlines or banks acting at the government’s behest. There are multiple air travel blacklists (euphemistically and inaccurately called “watchlists”), but no-fly and transaction-processing decisions are also made in real time, on the basis of algorithmic “pre-crime” predictions (euphemistically and misleadingly called “risk assessments”, despite the lack of any evidence of a correlation between these scores and actual “risk”).

What China calls “social credit scoring”, the US calls “risk-based screening”.

Government blacklists and real-time pre-crime policing are being applied to control a growing range of activities of daily life. But air travel and financial transactions are the areas where the US government already has a fully deployed and operational real-time “social credit” system in which private service providers are seamlessly integrated with government agencies to surveil and control our everyday activities.

The question isn’t whether the US should have a “social credit” system — it already does — but whether it should be expanded to more aspects of our lives, or rolled back.

It can happen here. It is happening here. It will continue to happen here until we stop it.

China’s social credit system provides a useful object lesson in the three essential preconditions for a system of ID-based surveillance and control. We can block or impede the expansion of such schemes by undermining any of these three legs of the tripod:

  1. ID requirements to travel or engage in other transactions or activities — If you travel, pay, or act anonymously,  your individualized “score” can’t be used to control you. China’s “social credit” system is enabled by requirements to show government-issued ID to open a bank or mobile payment account or purchase a SIM card.  You can only rent a shared bicycle in China through an app, not by cash, and you can’t use the app without an ID-linked mobile phone and ID-linked payment account. So even if you travel around a Chinese city by shared bicycle, you can be tracked. Travel anonymously, and use cash or other anonymous forms of payment.
  2. Collection of ID-linked transaction and position data  — Chinese “social credit” scores and US “risk assessments” are based on travel, movement, and transaction histories. Some of this data is collected through biometric identification, primarily automated  facial recognition. Other data is “ingested” by the government from commercial databases such as travel reservations and financial transactions. Private companies can and should resist requests for this data, but can’t be counted on to do so. No airline, for example, has ever challenged government demands for warrantless access to the entirety of their reservation database, including free-text derogatory internal comments by front-line reservation and customer-service staff that are imported directly into permanent DHS files used for “risk” scoring. Once personally identified or identifiable data is collected, it’s almost impossible to resist demands for government access made in the name of “security”.  Any data that is collected about you can and will be used against you. The only real way to oppose this mass surveillance is #DoNotCollect. Just say no to requests for information, for consent to search, or for sharing of data with the government.
  3. Government control of movement, activity, and transactions — A key step in the implementation of the “social credit” system for air travel was the installation (at a cost to the airline industry of at least US$2 billion) of the control lines that transformed a reporting (i.e. surveillance) system into a “pre-crime” control system. It’s critical to defend against having our Constitutional and human rights redefined as privileges to be exercised only by prior permission of the government —  as the right to travel by common carrier has already been. Demand that restrictions on the exercise of rights be based on evidence-based court orders, not pre-crime fantasies.

As for the specific Chinese examples of travel by high-speed train, Amtrak, like the operators of Chinese trains, is a para-statal government-charterted corporation. In 2014, we made a FOIA request to Amtrak for records of Amtrak’s sharing of passenger data with the DHS and other law enforcement agencies. Amtrak has been releasing a trickle of responsive records, as we’ve been reporting. But Amtrak’s response remains incomplete, and this is now the oldest pending unanswered request in Amtrak’s FOIA queue.

 

Oct 18 2018

How many air travel blacklists does the US have?

[Click image for full-sized version.]

Heavily redacted records released by the Transportation Security Administration (TSA) last month, more than six years after they were requested by the Electronic Privacy Information Center (EPIC), give fragmentary clues to the answer to an important question: Just how many air travel blacklists does the US government have?

Read More

Oct 15 2018

TSA announces “biometrics vision for all commercial aviation travelers”

Today the US Transportation Security Administration released a detailed TSA Biometric Roadmap for Aviation Security & the Passenger Experience, making explicit the goal of requiring mug shots (to be used for automated facial recognition and image-based surveillance and control) as a condition of all domestic or international air travel.

This makes explicit the goal that has been apparent, but only implicit, in the activities and statements of both government agencies and airline and airport trade associations.

It’s a terrifyingly totalitarian vision of pervasive surveillance of air travelers at, quite literally and deliberately, every step of their journey, enabled by automated facial recognition and by the seamless collaboration of airlines and airport operators that will help the government surveil their customers in exchange for free use of facial images for their own business purposes and profits.

The  closest contemporary counterpart to what the TSA envisions for the USA is the pervasive surveillance and control of travelers in China through automated facial recognition by the Public Security Bureau.

Read More

Oct 10 2018

What AAMVA doesn’t want you to know about the national REAL-ID database

Another “deadline” for enforcement of the REAL-ID Act of 2005 passed uneventfully today.

The US Department of Homeland Security had advertised that DHS extensions of time for voluntary compliance with the REAL-ID Act by many states would expire today.

The DHS threatened that starting today it would “enforce” the REAL-ID Act through harassment or denial of the right to travel of airline passengers without ID or with ID issued by states or territories that the DHS, in its standardless administrative discretion, deemed insufficiently compliant with Federal wishes.

Today’s supposed “deadline” was fixed neither by law nor by regulation. Not surprisingly, the DHS blinked in the final days before its self-imposed ultimatum, as it has done again and again.

Every US state and territory subject to the REAL-ID Act was either certified by the DHS as sufficiently compliant to satisfy the DHS (at least for now), or was given a further extension of time to comply without penalty until at least January 10, 2019.

Yesterday, the day before the “deadline”, the DHS quietly posted notices on its website that it had granted further extensions until January 2019 to the last two states, California and New Jersey.

Perhaps the DHS is still unwilling to provoke riots at airports by stopping people without ID, or with ID from disfavored states and territories, from flying. Perhaps it isn’t yet prepared to face, and likely lose, the inevitable lawsuits from would-be flyers.

Even American Samoa, which — because the second-class status of American Samoans as US subjects but not US citizens would make it harder for them to challenge DHS restrictions of their rights — had been the first trial by the DHS of enforcement of the REAL-ID Act, was given an extension until October 10, 2019.

So far as we can tell, REAL-ID Act “enforcement” meant only modestly enhanced harassment of American Samoans at airports. Our FOIA request for records of how many people tried to fly with American Samoa IDs, and what happened to them, remains pending with no response after more than five months.

American Samao isn’t the limit of REAL-ID Act expansion beyond US borders and overseas. H.R. 3398, a bill to extend eligibility for REAL-ID Act compliant drivers licenses and IDs to citizens of several nominally independent de facto US dependencies, has passed the House and is pending in the Senate.

Meanwhile, the real movement toward state compliance with the REAL-ID Act is behind the scenes  — as the DHS, its collaborators among state driver licensing agencies, and AAMVA, the operator of the outsourced and pseudo-privatized national ID database, want it to be.

Since we last reported on the status of REAL-ID Act compliance six months ago, agencies in three more states — Pennsylvania, New Mexico, and most recently Washington in September 2018 — have uploaded information about all licensed drivers and holders of state-issued IDs to the SPEXS national database. That brings to 19 the number of states whose residents’ personal information is included in the aggregated database.

But even as the database grows to include information about more and more US residents, the DHS persists in denying its existence. According to the DHS public FAQ about the REAL-ID Act:

A: Is DHS trying to build a national database with all of our information?

No…. REAL ID does not create a federal database of driver license information.

To the extent that there is any truth at all in this statement, it’s that the SPEXS national database isn’t under direct Federal or state control, but has been handed over to AAMVA and AAMVA’s contractors. (The database is apparently actually hosted by Microsoft.)

For obvious reasons, nobody is more eager than AAMVA to have you pay no attention to the national ID database behind the REAL-ID Act curtain.

In June 2018, we were honored to receive an urgent letter by Fedex from the President  & CEO of AAMVA, demanding that we immediately remove from our website the specifications for the SPEXS database, which we had obtained in 2016 from AAMVA’s own public website. After AAMVA made that whole section of its site “members-only”, we posted a copy of the SPEXS specification to help readers understand the details of the system, and as one of the key sources for our analysis of SPEXS.

SPEXS already includes personal information obtained from government records of drivers licenses and state IDs, including dates of birth and the last five digits of Social Security Numbers, for more than 50 million US residents. We think the people whose data is included in this system are entitled to know what information is being kept about them, who has access to it, and how it is used.

According to the SPEXS specifications,  development of SPEXS was funded by grants from componetns of the DHS and the Department of Transportation. (We’re waiting for responses to our FOIA requests for those agencies’ records about SPEXS.) If SPEXS were being operated directly by a Federal agency, the Privacy Act would require it to provide notice of the types of records in the system, how they are used, and with whom they are shared, as well as procedures for individuals to see the records about themselves and to obtain an “accounting of disclosures” to third parties of information about themselves.

But because the SPEXS database has been outsourced to a nominally private contractor, AAMVA, both Federal and state agencies can disclaim any responsibility for it. That leaves the SPEXS specifications as the best available evidence of what the system is and does.

In a later message to our Web hosting provider, a lawyer for AAMVA claimed that, “The information contained in this work is sensitive and its unauthorized publication could jeopardize the security of the governmental program to which this document relates.” This is nonsense. AAMVA waived any claim of sensitivity by making the specifications public.

When it was still struggling to sell the first states on buying into SPEXS, AAMVA posted the SPEXS specification on its website for anyone to download. More than two years after we called attention to what this document reveals, AAMVA is trying to suppress it. Not because it contains any secrets — it’s been publicly available for years — but because it conclusively disproves the DHS big lie that there is no national REAL-ID database, and shows the essential role that AAMVA itself is playing in this surveillance system.

We encourage you to pay close attention to the AAMVA man behind the REAL-ID Act curtain. And if you have questions about SPEXS or the SPEXS specifications, feel free to contact us.

Oct 09 2018

Another round in 9th Circuit fight over “No-Fly” orders

A 3-judge panel of the 9th Circuit US Court of Appeals heard arguments today in Portland, Oregon, in Kariye v. Sessions, the third and latest round of appeals to the 9th Circuit in a challenge to US government “No-Fly” orders that was filed in 2010 as Latif v. Holder.

The lawsuit has survived two previous appeals to the 9th Circuit. But most recently,  the District Court dismissed the claims of those plaintiffs who remain blacklisted from domestic or international air travel. Today’s third round of argument in the 9th Circuit was on the appeal of that latest dismissal of the complaint.

Today’s oral argument was conducted in a courtroom closed to everyone except the judges, court staff, the parties to the case, and their attorneys. Presumably, the argument was closed because one of the issues was whether the government should have been allowed to submit evidence “ex parte and in camera” for the court to consider without the plaintiffs being able to see it, or whether the District Court and/or the Court of Appeals should consider such submissions.

If you think there’s something Kafka-esque about secret arguments about whether to consider secret evidence, we agree. It’s possible that redacted excerpts from the oral argument will be made available later in the 9th Circuit’s video and audio archives.

Legal documents in the case are available from the ACLU, which is representing the plaintiffs. The best summary of the issues in the current appeal, and the best overview of what’s wrong with the government no-fly decision-making procedures at issue in the case,  is in the plaintiffs’ opening brief in the current appeal.

Read More

Oct 03 2018

3rd Circuit to reconsider impunity of TSA checkpoint staff

Good news: The 3rd Circuit Court of Appeals has decided to reconsider whether, as a panel of that court decided earlier this year, TSA checkpoint staff should have legal impunity to assault or otherwise violate the rights of travelers without consequences.

When it was issued in July 2018, we said that “The details of the opinion dismissing Ms. Pellegrino’s complaint might be described charitably as arcane, and uncharitably as twisted.” There was a well-argued dissent by one of the three members of the panel.

The majority of the panel recognized that the job of TSA checkpoint staff is to search travelers, but then somehow managed to conclude that they aren’t “officer[s] of the United States who [are] empowered by law to execute searches.” The majority of the panel also went outside the factual record to base their decision on false speculation that TSA checkpoint staff don’t conduct searches for general law enforcement purposes.

Based on these arguments and “facts”, the panel majority found that TSA staff are immune from lawsuits for travelers, even if they admit to assaulting travelers.

The decision by a majority of the judges of the 3rd Circuit to grant rehearing en banc in the case of Pellegrino v. TSA voids the original opinion by a three-judge panel. The appeal will now be re-argued de novo, after new briefing, before all of the judges of the 3rd Circuit.

Let’s hope that the full court gets it right this time, and recognizes that TSA checkpoint staff are not above the law.

Oct 01 2018

Yes, the DHS wants mug shots of all air travelers

A new report by the DHS Office of Inspector General (OIG) gives perhaps the most detailed official picture to date of the US government’s plans for ed biometric identification, tracking, and control of international air travelers through automated facial recognition.

Contrary to specious claims in DHS propaganda that the current rollout of mug-shot machines at departure gates at airports across the country is “only a test,” the DHS OIG reports that US Customs and Border Protection (CBP) plans to expand the mug shot and automated facial image recognition program from 6 million air travelers in 2018 to 60 million in 2019, 120 million in 2020, and 129 million — 100% of international airline departures from the US — by 2021.

But that’s not all. “Over time, the program plans to … incrementally deploy biometric capabilities across all modes of travel — air, sea, and land — by fiscal year 2025,” according to the OIG report.

The scope of these plans should make clear that the only thing being “tested” is whether travelers will submit to this program, not whether it is justified or what interests it serves.

The OIG report mentions that US citizens have been “allowed” to opt out of the airport mug shot “pilot program “, but doesn’t say whether they were told they had a right to do so:

CBP allowed U.S. citizens to decline participation in the pilot. In such cases, CBP officers would permit the travelers to bypass the camera and would instead check the individuals’ passports to verify U.S. citizenship. When a U.S. citizen opted to participate in the pilot but did not successfully match with a gallery photo, the CBP officer would examine the individual’s passport but did not collect fingerprints. We observed biometric screening at four airports — a total of 12 flights — during our audit and witnessed only 16 passengers who declined to participate.

[Note the absence of any apparent notice that US citizens can “opt-out”.]

In preparing their report, OIG staff “met with a number of external stakeholders, including the Airlines for America trade association, Delta Airlines, JetBlue Airlines, and British Airways.” Notably, however, OIG made no attempt to consult consumer, civil liberties, or human rights organizations or to consider their objections to mandatory mug shots.

The only objections noted in the OIG report came from airlines and airport operators. But it would be a mistake to interpret this as “resistance” from the airline industry to biometric surveillance of airline passengers through automated facial recognition.

The OIG report makes clear that the only thing being disputed by airlines and airports is who will pay for equipment and staff, not whether these systems will be deployed: Read More