Sep 21 2010

How will “Secure Flight” be enforced?

Recent announcements by airlines suggest that, either on their own initiative or in response to secret Security Directives from the TSA, they are implementing new and clearly illegal Secure Flight enforcement measures.

One of the many questions about the TSA’s Secure Flight program has been how it would be enforced.

None of the published Secure Flight regulations include any enforcement provisions or any provisions imposing obligations on travelers, and the details of Secure Flight implementation are spelled out, if at all, only in secret Security Directives to airlines that by their nature cannot impose any obligations on travelers.

The TSA’s own secrecy leaves us no choice but to rely on whistle-blowers and leakers within the government and the airline industry (please keep those calls, letters, and e-mail messages coming!) and on what we can infer from airlines’ public disclosures.

This new notice from American Airlines is typical of what we’ve been seeing and hearing lately:

As a result of the Transportation Security Administration (TSA) and Department of Homeland Security (DHS) mandate, beginning November 1, all passengers will be required to have Secure Flight Passenger Data (SFPD) in their reservation at least 72 hours prior to departure….

In compliance with this mandate you will be required to provide Secure Flight Passenger Data:

  • To purchase any ticket on or after September 15, 2010
  • To travel November 1, 2010, or later regardless of purchase date

What’s wrong with this picture?

The “mandate” described on the AA website doesn’t exist in any Federal statute or publicly-disclosed regulation, or in AA’s tariff or contractual conditions of carriage.  On the contrary, airlines are required by Federal law to be licensed as common carriers. They are required to sell a ticket to, and to transport, any would-be passenger willing to pay the fare and comply with the rules in their published tariff.

Federal agencies including the TSA and Department of Transportation (DOT) are required when issuing regulations to take into consideration “the public right of freedom of transit” by air, and have no authority to issue administrative regulations or directives that would override the statutory definition of airlines as common carriers.

No court has ever even considered, much less upheld, any suggestion that air travelers forfeit their right to remain silent in response to questions from the TSA or other Federal employees, much less from TSA contractors or airlines.

On international routes, bilateral and multilateral aviation treaties similarly require airlines to operate as common carriers, in accordance with published rules and a published tariff.

So if AA or any other airline refuses to sell you or a ticket, or to transport you, solely on the basis of your declining to provide Secure Flight data, they render themselves liable to Federal civil suit and damages for refusal of transportation in violation of their duty as a common carrier, as well as to formal complaint and revocation of their operating license for the same violation.

While the US government might intervene in US court to block such a suit on the grounds that any Security Directives issued to the airline were a state secret, that wouldn’t be possible if the lawsuit for refusal to transport were brought in the courts of a foreign country from which the airline refused to transport you to the US.

If an airline tried to file new conditions of carriage incorporating such a provision for denial of transportation, the US Department of Transportation would be duty bound, by Federal statute, to disapprove it.  And if the DOT approved such a filing applicable to an international route, the government of other affected country or countries would be entitled both to disapprove the filing (by treaty, international tariffs typically require approval by both or all countries involved) and to protest its approval by the US as a treaty violation.

We hope that, faced with these choices and risks, airlines will choose to follow Federal law and international aviation and human rights treaties, and will vigorously and publicly litigate their challenges to any US attempt, through secret Security Directives or otherwise, to get them to depart from their duty to the traveling public as common carriers.

Sep 21 2010

ESTA fees: the whole is worse than the sum of its parts

New U.S. Customs and Border Protection (CBP) regulations took effect this month that combine two bad ideas — fees to encourage foreigners to visit the US by charging them more to do so, and fees for the Electronic System for Travel Authorization (ESTA) — in a way that creates new possibilities for travel surveillance and control that are far worse than either component alone.

The Interim Final Rule for ESTA and Travel Promotion Act fees took effect on an emergency basis on September 8, 2010, with public comments and objections being taken only after the fact. In promulgating the new rule, CBP continues to ignore the objections we raised to the fundamental illegality of the ESTA scheme. CBP also continues to ignore the Presidential Directive that it consider in its rulemakings US obligations under international human rights law, and continues to claim, in direct contravention of the applicable law, that it doesn’t need to consider the impact of the rule on individuals because “individuals are not small economic entities”, despite the fact that a sole proprietor, freelancer, or other self-employed individual is the epitome of a small economic entity (as the DHS has itself admitted in response to some of our previous objections to this same false boilerplate claim in other rulemakings). And it remains unclear if and when an ESTA is actually required, or how the “requirement” is supposed to be enforced.

But the most problematic consequences of the new rule result from the new requirement, completely lacking in statutory authority, that the the new “travel promotion” and ESTA fees can be paid only by one of four specified brands of credit or debit cards.  This implies:

  1. Travel control by credit and debit card issuers: If you do not have one of these four types of cards, you cannot travel to the US intending to enter under the Visa Waiver Program (VWP), but may enter the US only if you obtain a visa at a cost of at least US$135 plus a personal interview at a US consulate or embassy (for which there may be a waiting list of several months). Since the regulations impose no obligations whatsoever on the issuers of these cards, this means that collectively the four companies (Visa, MasterCharge, American Express, and Discover) have absolute, secret, standardless commercial veto power over eligibility for VWP entry to the US.
  2. Universal financial surveillance of VWP travellers: Because the credit or debit card details must be provided as part of the same online ESTA application with the would-be visitor’s personal information, it is now illegal to travdel to the US intending to enter under the VWP without having at least one currently valid credit or debit card on file with CBP and linked to your identifying and travel details.  As some news reports have already noted, this creates new possibilities for financial surveillance of travelers. All of the four acceptable types of cards are issued through US-based commercial entities, so all records related to them can be accessed by the US government in secret, without warrant, through “National Security Letters”. Even if you use a different card while in the US, it will in almost all cases be linkable through card application or other banking records (such as those obtainable by the US government from SWIFT or other companies through the “Terrorist Finance Tracking Program”).
  3. Vastly increased potential for identity theft, phishing, and other ESTA-based fraud: Because ESTA requires entry through an easy-to-imitate website of exactly the sort of personal information that’s needed for identity theft, together with travel itinerary information that makes it easy to carry out the attack while the victim is away from home and less likely to notice or be able to respond quickly and effectively, ESTA phishing and fraud are already rampant.  But the addition of current valid credit or debit card data to the online-only ESTA application requirements has put phony ESTA websites in the vanguard of current phishing techniques. Already, most of the top search results for “ESTA application” in the languages of countries in the VWP are fraudulent phishing sites, and the problem is getting steadily worse. We can tell you that the only legitimate ESTA application website is at — but how do you, or anyone else, know to believe us rather than to believe any of the other bogus websites that say otherwise?:Visitor beware!