Jul 30 2010

Washington Post: “Secure Flight may be making your privacy less secure”

We’re quoted today in the Washington Post in a story by Christopher Elliott about how airlines are able to use personal information — collected under government duress for the TSA’s Secure Flight passenger surveillance and control scheme — for the airlines’ own marketing and other purposes.

“Could it be that the information we give airlines doesn’t belong to anyone or, worse, isn’t regulated by anyone?” Elliott asks.

A good question — and “privacy” may be the least of the problems with Secure Flight, as discussed in our testimony (quoted from, in part, in the Post story) at the TSA’s only public hearing on Secure Flight, our more detailed written comments submitted to the TSA, and our FAQ about Secure Flight.

Jul 30 2010

DHS plays politics with FOIA requests

The Associated Press reports that the Department of Homeland Security has been delaying responses to Freedom of Information Act (FOIA) requests — possibly including ours — while they are “reviewed” by top political advisors:

[T]he Homeland Security Department detoured hundreds of requests for federal records to senior political advisers for highly unusual scrutiny, probing for information about the requesters and delaying disclosures deemed too politically sensitive….

The special reviews at times delayed the release of information to Congress, watchdog groups and the news media for weeks beyond the usual wait….

Political staffers reviewed information requests submitted by reporters and other citizens as a way to anticipate troublesome scrutiny. Days after the nearly catastrophic Christmas Day bombing attempt aboard a Detroit-bound airliner, they asked whether news media or other organizations had filed records requests about the attack.

[To confirm whether our requests were among those improperly delayed or subjected to political scrutiny, we’ve filed new FOIA requests for the documents released to the AP and for all records of the processing of our previous FOIA requests and appeals.]

Jul 27 2010

US but not UK gives travel “permission” for Iroquois lacrosse team

The good news: In one of the first tests of US rules purporting to forbid US citizens from crossing US borders without first obtaining US passports (issued at the government’s apparently standardless discretion), the US Department of State issued “one-time waivers” authorizing the “Iroquois Nationals” lacrosse team to leave the US (and presumably to return, although that’s not entirely clear from news reports) without carrying US passports.

The dispute arose because some Iroquois, like other Native Americans, have for many years used passports issued by their own tribes or nations.  Whether those passports were “passports” within the meaning of US law was largely irrelevant as long as passports were merely a convenience, not a requirement, for international travel.  Lacrosse was an Iroquois invention (for an introduction to the sport, see John McPhee’s essay last year in the New Yorker, “Spin Right and Shoot Left”, included in his latest anthology, “Silk Parachute”), and travel on Iroquois passports was and is especially significant for the Iroquois Nationals team, who compete on behalf of their own nation in international lacrosse tournaments.

While it was framed as a dispute over the sovereignty of the Iroquois Confederacy and/or the validity of Iroquois-issued passports, the US appears to have seen it purely as a question of whether Native Americans who are also US citizens may leave or return to the US without US passports.

At first, the US had threatened to prevent the team from boarding flights to the UK for the international lacrosse championships. But without admitting either the “validity” of Iroquois passports (i.e. not whether they are genuine but whether they satisfy US requirements for exit or entry permits), or the invalidity of the passport requirement for US citizens, the US effectively backed down by granting the team “waivers” and, more importantly, saying that it would not interfere with the team’s departure from the US.

This continues the pattern we have seen to date: We have yet to hear of a case in which the US government has actually prevented a US citizen from leaving or returning to the country on the basis of their not having, or declining to carry or display, a US passport. In every incident that has been brought to our attention, the US government has eventually indicated its willingness to stand aside from interference with departure from or return to the country without passports — although travel has sometimes been frustrated in other ways, such as refusal to give airlines permission to transport them. Presumably, the US government realizes that preventing its own citizens from leaving or returning to the country would be such a flagrant violation of international human rights law as to lead to diplomatic complications, even if it would be difficult to challenge on those grounds in US courts.

The bad news: After finally obtaining “permission” to leave the US without US passports, the Iroquois Nationals lacrosse team was denied visas by the UK — not on the grounds that their passports were invalid, or weren’t issued by a sovereign entity, but on the grounds that their passports don’t contain ICAO-standard “security” features required by the UK for visitors from the US.  It is, again, unclear from news reports what absent “features” were at issue, but they might have included machine-readability (OCR or RFID) or other aspects of formatting or data content.

Jul 23 2010

“The government shouldn’t decide who can fly”

In one of the first statements in the mainstream media to (a) recognize that the essential feature of the TSA’s Secure Flight program is the requirement for domestic US air travelers to receive government permission to fly and (b) oppose that requirement, The Chicago Tribune has published an op-ed column by Steve Chapman (also appearing in Reason) arguing that, “The government shouldn’t decide who can fly”:

Get rid of the no-fly list entirely. For that matter, get rid of the requirement that passengers provide government-approved identification just to go from one place to another.

Americans have a constitutionally protected right, recognized by the U.S. Supreme Court, to travel freely. They also have the right not to be subject to unreasonable searches and other government intrusions. But in the blind pursuit of safety, we have swallowed restrictions on travel and infringements on privacy we would never tolerate elsewhere….

If the federal government began requiring every citizen to provide identification for each trip in a car or ride on a bus, there would be a mass uprising. Somehow, though, Americans have come to see commercial air travel as a privilege to be dispensed by the government.

Jul 09 2010

Australian government expanding air travel surveillance

Closely following the bad example of the USA (controversial in both the US and Australia), the government of Australia is moving toward increasingly detailed and integrated ID-based surveillance and control of air travelers.

As of the first of this month, under the so-called Enhanced Passenger Assessment and Clearance (EPAC) system, Australian authorities have real-time access to all passenger name record (PNR) data for all passengers on all international flights to Australia. And an additional A$24.9 million is being spent by the government over the next two years, in addition to uncounted amounts that airlines and other travel companies will have to spend, to expand the amount of data collected by airlines and passed on to government agencies, as well as the automated profiling (“risk assessment”) conducted on the basis of that data.

The changes and the heightened surveillance and control of travelers to Australia come at the same time that the European Union is renegotiating agreements with both Australia and the USA for government access to PNR data related to flights to and from the EU.

The Sydney Morning Herald quotes the president of the Australian Council for Civil Liberties, Terry O’Gorman, as saying that the scheme “increases the risk of a person wrongly being put on a no-fly list.”

Jul 09 2010

Social networks, identity services, and national ID

Most of the reporting on last month’s conference on Computers, Freedom and Privacy (where we joined a panel on current hot topics in privacy) has focused on the issuance of a Social Network User’s Bill of Rights. That’s testimony to the importance of Facebook, but the implications extend even to those who aren’t currently users of Facebook or similar services.

As Brad Templeton has described it, “Facebook [is] mak[ing] a play to be the main provider of what is sometimes called ‘identity’ services on the internet,” with greater domination (monopolization?) of that niche than any previous provider of “single sign-on” services — even Microsoft.  If a third party wants to offer an online service that depends on a unique identifier, and doesn’t want to put the speed bump of needing to remember a separate user name and password or other identifier in front of customers, the default today has become to offer that service as a Facebook app, on the assumption that most potential users are already signed in to Facebook.  You can opt out of Facebook, but that option is a cop-out, not least because then you can’t use any of the other services that, as Facebook apps, rely on Facebook for their user ID and authentication.

Inherent in using Facebook for authentication is that Facebook itself, as the ID services provider, is aware of each ID-verification or authentication event involving any Facebook app, just as a credit bureau has a record of each time a third party has verified your ID or credit using their service. Facebook has a duty to its shareholders to monetize this information, if it can figure out a way to do so, and a legal duty to hand it over to the government in response to a court order.

Worse — and the deeper reason for this blog post — government agencies are increasingly turning to commercial ID services, if not yet to Facebook, as outsourced ID verification services for the provision of government services and the exercise of citizens’ legal rights.

Already the TSA is using an (illegal, but still in operation after more than two full years) ID verification scheme under which would-be airline passengers who decline to display acceptable government-issued credentials are required to “verify” their identity by answering questions about the information contained in the records about them maintained by ChoicePoint or Acxiom. And the latest issue of Privacy Journal reports that the Social Security Administration is considering a similar system, using questions and answers based on the records of commercial data aggregators, as a way to “authenticate” individuals for online management of their Social Security accounts.

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has obtained your files may be more likely than you are to know the “correct” answer. And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and to use for whatever purposes it chooses.

At present, our use of one set of credentials or identifiers to pass through TSA checkpoints (if we choose to provide them), our checking of our record of Social Security contributions, and many other dealings with government agencies are tracked separately, using (at least sometimes) separate identifiers. But as we discussed with representatives of NO2ID, drawing on the UK example, and others at CFP, the more dangerous part of a national ID scheme isn’t necessarily the single national ID card (if any) but the reliance on a single identifier for multiple purposes, and the resulting ease of compiling a database of transactions and events which are all linked to that ID even when they are carried out by different government agencies or third parties. That’s just as much of a danger whether the monopolistic ID services provider is a government Ministry of Identity or Facebook, Acxiom, or ChoicePoint.

Jul 06 2010

Lawsuit seeks suspension of TSA virtual strip-searches

Last year the Identity Project was one of more than 30 organizations that filed a joint petition with the DHS requesting a formal rulemaking on use of virtual strip-search machines or “body scanners”, then being referred to by DHS and TSA as “whole body imaging” machines and since re-euphemized as “advanced imaging technology”, as though the name itself could make them inherently more “advanced”.

In May of this year, after the DHS ignored our petition and moved forward with deployment of virtual strip-search machines without a formal rulemaking, we joined most of the same groups in filing a renewed petition for a formal rulemaking (including an opportunity for public comment) and for rescission of the rules requiring submission to a virtual strip-search as a condition of passage through TSA checkpoints and travel by air common carrier. We also filed a series of FOIA requests and appeals, which the TSA has to date ignored, for the TSA Standard Operating Procedures, screening-related directives to airlines, and other documents embodying the secret rules that include the virtual strip-search requirements. We’ve also speculated about what legal recourse travelers denied passage on the basis of refusal to submit to a virtual strip-search might have, particularly in jurisdictions abroad where it would be easier than it is in the USA to raise issues of international human rights law.

This past Friday, July 2nd, the Electronic Privacy Information Center (EPIC) filed a federal lawsuit seeking to have the Court of Appeals for the District of Columbia review the TSA and DHS failure to conduct a formal rulemaking before deploying virtual strip-search machines and issue an emergency stay of the TSA/DHS decision to deploy and require them as a condition of passage through checkpoints and air travel.

The Identity Project was a party to the original petitions for rulemaking, and while we aren’t a party to the EPIC lawsuit, we fully support it.

As EPIC notes in its latest filings, even after September 11th Federal courts have upheld administrative (warrantless, suspicionless) searches in airports only to the extent that they are limited to what is “necessary” — meaning that they are actually effective and are the least restrictive available means — to detect weapons and explosives. Even beyond the specific issue of virtual strip-searches, this lawsuit is likely to be significant in helping define the bounds of TSA authority to conduct ever more intrusive searches as a condition of common-carrier travel.

The petition filed in May by EPIC, the Identity Project, and others stated that, “The undersigned file this petition pursuant to 5 U.S.C. § 553(e), which requires that ‘[e]ach agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.’” Notwithstanding this explicit statement, the DHS and TSA responded with the bizarre claim that, for unspecified reasons, the filing did not constitute such a petition. Unfortunately, that’s characteristic of the behavior of the DHS and TSA, which have repeatedly refused to acknowledge or docket our formal complaints and then falsely claimed, including to the US public and to foreign governments, that they have received no such complaints.

Jul 01 2010

Should the identities of petition signers be public?

We note with interest the recent decision in Doe v. Reed (No. 09-599), which marks the first time in a few years that the Supreme Court has directly (albeit somewhat uncertainly) addressed whether the government can permissibly require individuals to be publicly identified.  Leaving aside what the legal implications of the ruling may be, we think the case carries an important lesson about technology and identity policy.

The case concerned whether individual registered voters can sign petitions to place an initiative or referendum on the ballot without having their identities as signatories made public.

Since the right to vote without having it be made public for whom you have voted is considered fundamental to democracy, it might seem natural that you would be able to sign a petition to put Initiative I or Referendum R on the ballot without having it be a public record which such measure(s) you have endorsed.  But traditionally, the list of signatories for each individual ballot proposition has been considered a public record.

Why? The answer, we suspect, lies in the technological history.

Paper-based technologies have long made it possible to verify that each ballot is cast by a registered voter, and that only one ballot is cast by each voter, while making it impossible to identify, after the fact, which voter has cast any given ballot. This isn’t rocket science. Even when you submit an absentee ballot by mail in a signed (outer) envelope, for purposes of verification of your entitlement to cast that ballot, the ballot itself is enclosed in a second, inner (anonymous) envelope. Paper technology — the envelopes — makes it easy to separate verification of eligibility to vote from identifiability of the individual ballots or votes with specific voters.

On paper, it’s harder to separate the validation of signatures and elimination of duplicates from the counting of signatures.  It could be done, through essentially the same techniques as are used for paper absentee ballots, but that would require a different system than the traditional petition with multiple signatures on each sheet.  There’s really no policy reason behind the public identification of signatories that we have come to take for granted as “natural”. Rather, the lack of any possibility for anonymous endorsement of petitions is a corollary of the technique and format in which signed endorsements for a petition are collected.

There’s a lesson here of wide applicability. Providing for anonymity requires effort. It requires that the systems be designed to provide for the possibility of anonymity, and that authorization (Is this the signature of a unique registered voter?) be separated from identification (Which voters signed this particular petition?). If that isn’t a design criterion from the start, it’s likely to be simpler to munge those functions together in ways that preclude anonymity.
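The two-envelope design above has a well-known digital counterpart, which we add here as an illustration (this is our own example code, not anything from the Doe v. Reed record or from any election authority): a Chaum-style RSA blind signature. The registrar plays the role of the outer envelope, checking that a voter is registered and has not already been issued a token, and signs a token it cannot read. The voter then strips the blinding, and the counting step verifies only that each token carries a valid registrar signature and that no serial is counted twice. The registrar’s issuance log lists who asked for a token; the tally lists only serials; nothing links the two. The key parameters (two Mersenne primes, about 196 bits) and the voter names are toy values chosen so the example runs offline; a real deployment would use a proper library and a full-size key, and one signing key (or an unblinded petition tag) per ballot measure so that a token for one petition cannot be spent on another.

```python
"""Toy digital analogue of the two-envelope absentee ballot: RSA blind
signatures separate "is this a unique registered voter?" (registrar) from
"which voters endorsed this petition?" (tally).  Added example with toy
parameters; not production code."""
import hashlib
import math
import secrets

# Toy registrar key built from two Mersenne primes (2^89-1 and 2^107-1).
# Real deployments need a >= 2048-bit modulus from a vetted library.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)


def h(msg: bytes) -> int:
    """Hash a serial into Z_N (full-domain hash is fine for a toy key)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Registrar:
    """Outer envelope: eligibility and one-token-per-voter, nothing else."""

    def __init__(self, rolls):
        self.rolls = set(rolls)
        self.issued = set()  # voter ids that already received a token

    def issue(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.rolls:
            raise PermissionError(f"{voter_id}: not a registered voter")
        if voter_id in self.issued:
            raise PermissionError(f"{voter_id}: token already issued")
        self.issued.add(voter_id)
        # The registrar signs a blinded value; it never learns the serial.
        return pow(blinded, D, N)


class Voter:
    """Inner envelope: a random serial the registrar signs blindly."""

    def __init__(self, voter_id: str):
        self.voter_id = voter_id
        self.serial = secrets.token_bytes(16)

    def blind(self) -> int:
        while True:  # blinding factor must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break
        return (h(self.serial) * pow(self.r, E, N)) % N

    def unblind(self, blind_sig: int) -> int:
        # (h(s) * r^E)^D = h(s)^D * r, so dividing by r leaves h(s)^D.
        return (blind_sig * pow(self.r, -1, N)) % N

    def token(self, registrar: Registrar):
        sig = self.unblind(registrar.issue(self.voter_id, self.blind()))
        return (self.serial, sig)


def tally(tokens) -> int:
    """Counting step: no voter ids, only signature validity and uniqueness."""
    seen, valid = set(), 0
    for serial, sig in tokens:
        if serial in seen:  # same token submitted twice
            continue
        if pow(sig, E, N) != h(serial):  # forged or altered token
            continue
        seen.add(serial)
        valid += 1
    return valid


def demo() -> dict:
    """Constructed scenario: two eligible voters, one impostor, one repeat
    request, one replayed token and one forged token."""
    reg = Registrar(["alice", "bob", "carol"])
    tokens, refused = [], []
    for vid in ["alice", "bob", "mallory", "alice"]:
        try:
            tokens.append(Voter(vid).token(reg))
        except PermissionError as exc:
            refused.append(str(exc))
    tokens.append(tokens[0])  # alice submits her token a second time
    tokens.append((b"forged", 12345))  # token no registrar ever signed
    return {
        "issued": sorted(reg.issued),  # what the registrar knows
        "refused": refused,
        "endorsements": tally(tokens),  # what the public count shows
    }


if __name__ == "__main__":
    print(demo())
```

The registrar’s log (`issued`) and the tally are produced by different parties from different data: the log contains voter names but no serials, and the tally contains serials but no names, which is exactly the separation of authorization from identification that the paper envelopes provide. Dropping the blinding step (signing the serial directly) would give the registrar a name-to-serial table and collapse the two functions back together.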