Jun 28 2008

NY Times: US and Europe Near Agreement on Data Sharing

The New York Times has obtained a report showing that US and European negotiators are nearing an agreement on international sharing of private data.

The United States and the European Union are nearing completion of an agreement allowing law enforcement and security agencies to obtain private information — like credit card transactions, travel histories and Internet browsing habits — about people on the other side of the Atlantic Ocean. […]

Negotiators, who have been meeting since February 2007, have largely agreed on draft language for 12 major issues central to a “binding international agreement,” the report said. The pact would make clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice versa.

The negotiators remain at odds on some issues, such as “what rights European citizens will have if the United States government violates data privacy rules or takes an adverse action against them — like denying them entry into the country or placing them on a no-fly list — based on incorrect personal information.”

It is unclear what standards both sides believe would adequately protect individuals’ civil liberties, including free speech and the right to travel.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, said the administration’s depiction of the process of correcting mishandled data through agency procedures sounds “very rosy,” but the reality is that it is often impossible, even for American citizens, to win such a fight.

The story refers to transfers of data directly from entities in the the EU to the US government, and that’s where most of the attention has focused in recent EU/US disputes.  But in many cases, data is first transferred from the EU to commercial entities in the US (for example, from airline and travel agency offices in the EU to computerized reservation systems in the US) and only later, if at all, accessed by the US government from those US commercial entities.  Those commercial transfers violate EU data protection law, regardless of whether the US government also accesses the data.  It’s unclear form the Times story if the draft agreement would purport to immunize commerical entities engaging in such transfers.

It’s also unclear if the draft “agreement” would take the form of a treaty — ratified by the U.S. Senate, and enforceable in U.S. courts — or whether it would be another nonbinding DHS “undertaking” without legal effect.

The full New York Times story is here.

Jun 27 2008

Nation’s Capital Creates ‘One Card’ to ID Them All

The Washington Post reports on a new identification program from the DC government. DC wants to use the “One Card” to track “library accounts, public school attendance, recreation-center use and other services,” and “Metro riders can have a SmarTrip chip implanted in the card.”

The DC government’s chief technology officer says, “The eventual goal is that you’d need only one card across the entire District government.”

Why create a city-wide centralized identification system, mandatory for public school students and government workers but “voluntary” for others? We’ve all heard it before with REAL ID and other broad identification programs: the “papers please” system of One Card would be more efficient and save money.

The Washington Post points out that DC officials “could not offer specifics about those savings for agencies or the city.”

Read the rest of the story here.

Jun 27 2008

Target Store Scans Driver’s License / ID Card Data

George Hulme at InformationWeek has an interesting story about a Target store scanning his driver’s license when he went to buy Nicorette gum:

Now, during checkout, the cashier asks to “see” my driver’s license. Alright, since I’ve been carded before buying controlled substances, I figure she needs to check my age.

Before I have a chance to realize exactly what’s going on, the cashier swipes my driver’s license through the register. The machine then kicks and spasms out my receipt. Whoa!

I inquire, “What information, if any, was captured from my license?”

I get that deer-in-the-headlights what-ya-talk’n-bout glaze. She’d never thought about, or was apparently never asked, why she was physically scanning driver’s licenses.

“You asked to ‘see’ my license, but you swiped it. Big difference,” I say.

The cashier has no idea how to answer his question. Hulme leaves a message at Target’s press office asking for information as to whether his data was merely scanned to verify age or if all of his license data was downloaded by Target; if so what was the reason for this data capture and how long were they going to keep his data. No answer. He also e-mailed Target customer service and got a response. But it was a non-response. Read his full story.

Note that the final regulations for the REAL ID national identification system includes an unencrypted machine-readable zone. This means that anyone with an off-the-shelf card reader could swipe and download your personal data. And DHS Secretary Chertoff wants everyone to use this national ID card to “cash a check, hire a baby sitter, board a plane or engage in countless other activities,” so all of those situations could lead to your data being downloaded and retained.

Has your license or ID card data been swiped and retained by a store, bank, bar, club or other business? Tell us about it. E-mail jph AT papersplease.org

Jun 26 2008

D.C. ID Roadblock Case Filed

The Partnership for Civil Justice, a Washington DC-based public interest law firm, filed a class action lawsuit in the United States District Court for the District of Columbia seeking an injunction against the Metropolitan Police Department’s Neighborhood Safety Zone checkpoint program.

The lawsuit asserts that the roadblock program instituted in recent weeks is an unconstitutional suspicionless seizure of persons traveling on public roadways in the District of Columbia. The lawsuit also challenges the District’s use of these mass civil rights violations to collect and aggregate data on the movements, activities and associations of law abiding residents and visitors to the District and seeks expungement of this information.

If anyone has doubts about the danger of mission creep associated with a state’s compliance with the Real ID Act, they should be told about what’s going on here.  While this fiasco was initiated by local authorities, remember that §201(3) of the Real ID Act grants a sole individual (the Secretary of DHS) the authority to establish by fiat when and where “official” ID is required in the United States.

Copies of the Class Action Complaint, Mills v. District of Columbia, can be accessed here.

Jun 26 2008

Senate Judiciary Subcommittee on Constitution Holds Hearing on Border Searches

The Senate Judiciary Subcommittee on Constitution held a hearing on “Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel.” Individuals innocent of any wrongdoing have increasingly been reporting that their laptops, smartphones and other electronic devices have been searched and seized by US Customs and Border Protection. The Washington Post reported in February:

The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel.

At the Senate hearing, Subcommittee Chairman Sen. Russ Feingold summed up the situation succinctly: “Customs agents must have the ability to conduct even highly intrusive searches when there is reason to suspect criminal or terrorist activity, but suspicion-less searches of Americans’ laptops and similar devices go too far. Congress should not allow this gross violation of privacy.”

Various witnesses, including Susan Gurley, Executive Director of the Association of Corporate Travel Executives; Lee Tien, Senior Staff Attorney at the Electronic Frontier Foundation; and Peter P. Swire, Senior Fellow at the Center for American Progress, detailed the many privacy and civil liberty issues raised by suspicionless searches and seizures of electronic devices and data at the border.

Tien said that EFF agreed “the Fourth Amendment works differently at the border. But, ‘differently’ does not mean ‘not at all.’” EFF and the Asian Law Caucus have filed suit against the Department of Homeland Security (which oversees Customs and Border Protection) for denying access to public records on the questioning and searches of travelers and seizures of their property at U.S. borders. Read More

Jun 25 2008

UK Government Committee Warns National ID System Could Be Used for Routine Monitoring of Individuals

The UK House of Commons’ Home Affairs Select Committee is warning the British government that its massive national identity card scheme could threaten privacy. In a report (pdf), the Committee said it was especially concerned “about the potential for ‘function creep’ in terms of the surveillance potential of the National Identity Scheme.” The Committee urged the government to make “an explicit statement that the administrative information collected and stored in connection with the national identity register will not be used as a matter of routine to monitor the activities of individuals.”

Unfortunately, the Committee’s fears are all too real. The UK national id card scheme creates the same kind of total surveillance society that the US government hopes to create under the REAL ID scheme. For example, when the UK government described the national identification system in a press release earlier this year, it said:

The Government’s National Identity Scheme means that for the first time UK residents will have a single way to secure and verify their identity. We will be able to better protect ourselves and our families against identity fraud, as well as protecting our communities against crime, illegal immigration and terrorism. And it will help is to prove our identity in the course of our daily lives—when travelling, for example, or opening a bank account, applying for a new job, or accessing government services.

Sound familiar? It’s REAL ID all over again. More coverage at BBC News and Guardian UK. You can also learn about how to fight this massive surveillance system at No2ID.

Jun 24 2008

First Reports Of What It’s Like Flying Without ID Arrive

Travelers who willingly refuse to show ID to the Transportation Security Administration are now barred from flying. The new rule went into effect over the weekend. Now, in order to board the plane after forgetting one’s driver’s license, it seems you have to answer questions about your political party affiliation and previous addresses. TSA’s press release said that “cooperative passengers” without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures. It turns out that “and other measures” include questions about political party affiliation and other questionable invasions of privacy, according to an article that appeared on Consumerist.

Finally satisfied that I didn’t have ID, Laurie took my boarding pass and went away. She came back a few minutes later having photocopied it, and also had an affidavit that she requested I sign. It asked for my name and address, and stated in small print at the bottom that I did not have to fill it out, but if I didn’t I couldn’t fly. It also said that if I choose to fill it out and then provided false info, I would be in violation of federal law.

After filling out the affidavit, Laurie called a service to verify my address. The service needed me to then correctly answer three questions about myself, which Laurie relayed to me. The first was my date of birth, the second was a previous address (which I only got right on my second try), and the third was “You are registered to vote. Which political party have you registered with?” I got all three right, and only then did Laurie clear me to go through security.

As there is no published law governing what conditions the TSA has now placed upon individuals who have the temerity to travel without ID, only by reports such as these will we be able to ascertain what’s playing on the screen today at our nation’s security theater. The cost of admission is but your civil liberty and common sense. Contact us with your story.

Jun 24 2008

AAMVA Is Big Winner in DHS Grants to States for REAL ID Implementation

DHS recently announced $79 million in grants to states for REAL ID implementation. DHS said it “awarded $17 million to Missouri to lead the development of the verification hub. Four other states – Florida, Indiana, Nevada, and Wisconsin – will each receive $1.2 million to partner with Missouri for verification hub testing and implementation.”

Homeland Security Today investigated the details of the grants, and it’s clear that AAMVA is the big winner. The site reveals, “The breakdown of awards, obtained by HSToday.us, signifies that AAMVA effectively gains a no-bid contract under the awards, as DHS designates it the sole national centralized database of driver’s license information under REAL ID through a grant award to the state of Missouri.” (emphasis ours).

DHS sources told Homeland Security Today, “A competitive grant process could have resulted in multiple hub awards instead of a sole-source contract to AAMVA, sources argue, decentralizing REAL ID information somewhat and encouraging the rise of the most effective database solution between competing vendors.”

It is not surprising that DHS would ensure there would be a single database system. Currently, the states all have their own databases. The point of the REAL ID national identification system is to meld the information from 56 states and territories and create a single database filled with the personal data of all 240 million license and ID cardholders nationwide.

Jun 23 2008

Department of Homeland Security Gives States $79M for REAL ID Implementation

The Department of Homeland Security announced $79 million in grants to states for implementation of the REAL ID national identification system. The funds will go to projects “such as collecting applicants’ photos at the start of the application process and incorporating additional physical security features into DLs and IDs. Other funded projects that advance REAL ID implementation, include transitioning to centralized DL and ID production, improving data records for driver’s licenses, and upgrading source document imaging and storage.”

DHS also wants the states to use the funds to create a central “verification hub that will enable states to query federal and non-federal document-issuing authorities and verify applicant source documents.” “Verification hub” is DHS’s latest euphemism for the national identification system it seeks to create by linking the motor vehicle databases of all 56 states and territories, which the agency hopes will contain data on all 240 million driver’s license and cardholders nationwide.

Twenty states have passed anti-REAL ID legislation. The latest was Arizona. Last week, its governor signed into law a bill that prohibits Arizona from implementing the REAL ID system.

Read IDP’s comments on the draft regulations here (pdf). Our privacy and civil liberty arguments remain even with the final regulations. No national identification system should ever be created, whether under REAL ID or any other scheme.

Jun 23 2008

TSA Changes Airport ID Requirement; ID-Less Could Be Denied Right to Fly

The Transportation Security Administration has changed its airport ID requirement. These changes allow the agency to deny the right to fly to individuals who “willfully refuse” to present government-issued identification at an airport security checkpoint. The TSA’s press release, which is how we learn about changes in the law, now reads in part as follows:

Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.

In Gilmore v. Gonzales (Gilmore was represented by The Identity Project Director James Harrison), we learned that the pre-June 21, 2008 policy allowed individuals who willfully refused to present government-issued identification to fly if they submitted to extra security screening. This new regulation is a substantial change that was made without public review through the usual Federal Register notice and comment process. Read More