Sep 29 2013

How the NSA obtains and uses airline reservations

A front-page report in today’s New York Times based on documents leaked by NSA whistleblower Edward Snowden confirms that the NSA, like the DHS, uses airline reservation data as part of its profiling and social network analysis of US citizens and foreigners. Today’s report also raises new questions, and suggests some answers, as to how the NSA obtains and uses this airline data.

The Times’ report today on NSA social network analysis mentions that:

The [NSA] can augment the communications data with material from public, commercial and other sources, including … passenger manifests…,  according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners….

[T]he N.S.A. correlates 164 “relationship types” to build social networks and what the agency calls “community of interest” profiles, using queries like “travelsWith“.

In their most basic form, passenger manifests list each passenger individually and do not indicate which passengers were traveling together.  At a minimum, either “Advance Passenger Information” (API) data, some other source of “enhanced” passenger manifest data, or complete Passenger Name Records (PNRs) would be needed to identify which passengers on a given flight had reservations in the same PNR (a single PNR can contain the reservations for an entire party or group traveling together) and thus who “travelsWith” whom.

We’ve long known that the DHS collects API and PNR data about US citizens and foreigners alike, compiles this data in its Automated Targeting System and Secure Flight databases, and mines this data both to target individuals (including journalists and activists) and for social network analysis (correlating e.g. telephone numbers and airline reservations) to identify and target new suspects on the basis of their association with current suspects (i.e. as a suspicion-generating or guilt-by-association system).

A typical PNR like the one shown above (from a DHS Automated Targeting System dossier; click the thumbnail for a larger image) includes a timestamped IP address (line 5 of the “remarks” in the example above), email address, home address, credit card number, mobile phone number, etc., so it can readily be correlated with Internet, communications, and financial records.

The NSA would presumably have been interested in flights worldwide, including flights within parts of the world far from the USA, while the DHS claims to collect PNR data only for flights to, from, within, or via the US.  But we know that the DHS can, and sometimes does, collect PNR data about flights elsewhere.

As we reported in 2007, and as was mentioned in a front-page story in the Washington Post based on our research, ATS records released by DHS in response to our requests (you can request your own ATS file using the forms here) confirmed that the DHS already had “root” access to the computerized reservation systems (CRSs), so that the DHS could retrieve any PNR in those CRSs, even if it didn’t include any US flights.

The “smoking gun” confirming DHS root access to CRSs was this PNR for someone who traveled from San Francisco to Berlin (TXL) on United Airlines and a United/Lufthansa codeshare flight, stayed in Berlin for six days, continued from Berlin to London (LHR), stayed in London for another six days, and then returned to SFO on United:

The portion of the journey from Berlin to London via Prague was on Czech Airlines (OK), an airline which does not (and did not then) fly to, from, or via any point in the US. Additional details in the PNR showed that a separate ticket was issued for the OK flights, which did not connect to flights to or from the US.  A CRS user with a United Airlines user ID and privileges would not have been able to see these flights. Only a user with an ID from the travel agency that made these reservations, or a user with “root” privileges (such as a user with an ID from the CRS company), would have been able to see all of the data that the DHS was able to see and import into ATS.

So could the NSA have obtained its copies of PNR and/or API data from DHS, or by using the root-user credentials that CRS companies had provided to the DHS?  Maybe.  Since neither DHS nor the CRSs keep logs of who accesses their respective copies of PNR data, there’s no way to know for sure except through leaks or the testimony of whistleblowers.

But we suspect that the NSA has some way to obtain PNR and/or API data independent of the DHS.

Read More

Sep 17 2013

How airline reservations are used to target illegal searches

One of the most detailed pictures to date of how the US government uses airline reservations to target illegal searches is provided by documents released recently by the US government as part of an agreement to settle a lawsuit brought by David House, an activist with the Pvt. Manning Support Network.

Mr. House was detained and searched and had his electronic devices confiscated and copied by DHS personnel at O’Hare Airport as he was re-entering the US after a vacation in Mexico in 2010.

The government learned of Mr. House’s travel plans through their systems for real-time monitoring and mining of airline reservations:

The ACLU analysis of the documents released to Mr. House, and reports by the New York Times and the Associated Press,  focus on the DHS seizure and copying of the data from Mr. House’s electronic devices. An article in Mother Jones highlights the technical ineptness of the government’s attempts to analyze the data seized from Mr. House. (It took DHS “experts” more than a month, for example, to realize that a portion of the data dump from Mr. House’s netbook was a Linux partition.)

But as discussed below, more is revealed by these documents about DHS access to, and use of, airline reservations.

The documents released to Mr. House may also help explain how David Miranda, the domestic partner of journalist Glenn Greenwald, was detained and searched last month while changing planes at Heathrow Airport in London.

And in that context, they may also suggest an explanation for why Mr. Miranda was detained and searched in the UK, and Mr. House in the US, but Mr. Greenwald himself has not been detained or similarly searched when he travels to the US.

Read More

Sep 10 2013

9th Circuit considers Constitutionality of ban on Internet anonymity

Last year, we reported on a Federal district court hearing on the Constitutionality of portions of the law enacted by California’s Proposition 35, which requires California residents who have been convicted of certain sex-related crimes to register with the local police, annually and within 24 hours of any addition or change, for the rest of their lives, “A list of any and all Internet identifiers established or used by the person [and] A list of any and all Internet service providers used by the person… For purposes of this chapter, (a) “Internet service provider” means a business, organization, or other entity providing a computer and communications facility directly to consumers through which a person may obtain access to the Internet…. (b)  “Internet identifier” means an electronic mail address, user name, screen name, or similar identifier used for the purpose of Internet forum discussions, Internet chat room discussions, instant messaging, social networking, or similar Internet communication.”

The challenge to this portion of the law, being argued by Electronic Frontier Foundation and the ACLU of Northern California on behalf of as-yet-anonymous clients who would be subject to this registration requirement, is a crucial test of the right to anonymity on the Internet.

It’s easy to say, “This only affects sex offenders.”

But restrictions on First Amendment rights are always imposed first on the most stigmatized groups of people, whether the villians du jour are serial killers, perverts, Communists, or Jews.  Once they are accepted by the public as applied to those disfavored classes, these measures can gradually be expanded until everyone has to register with the government, carry government-assigned credentials identifying them and/or their group affiliation (Star of David, pink triangle, etc.), or comply with other restrictions that have come to be accepted  as merely “administrative” rules for how they can exercise their rights, and are no longer considered substantive restrictions on rights.

Judge Thelton Henderson of the U.S. District Court for the Northern District of California had issued a temporary restraining order prohibiting the state form enforcing this part of the law. Following the hearing we reported on, Judge Henderson converted that order into a preliminary injunction.  Both the state of California, and the sponsors of the ballot initiative (as “intervenors” in the court case) appealed to the Circuit Court before the District Court could resolve the issue of whether to make the injunction permanent.

Today a three-judge panel of he 9th Circuit Court of Appeals heard arguments on whether to let the preliminary injunction remain in force while the District Court proceedings continue.

Today’s hearing focused on whether the provisions of Prop. 35 requiring registration of Internet service providers and “identifiers” chill the exercise of free speach and are overbroad, i.e are not “narrowly tailored” to restrict no more activity protected by the First Amendment than is necessary. (The vagueness of the terms “Internet service provider” and “Internet identifier” was raised in the briefs, but barely mentioned at argument.)

Early in the hearing, Judge Jay Bybee observed that, “We’re living in a post-Snowden world now, where we all have to wonder whether all of our communications are being monitored by the NSA.” It was an intriguing suggestion of how much judicial attitudes may have been reshaped by the actions of whistleblowers.

The law’s proponents argued that free speech would not be chilled because under the law the police would have only limited authority to make Internet identifiers public.

But Michael Risher of the ACLU pointed out that chilling effects result primarily from fear of official retaliation — such as by the police. Police don’t have to make registration information public to use it themselves against people who say things they don’t like.

“A registrant who wants to criticize the local police department in comments on a local newspaper’s website, but doesn’t want to face retaliation, will be chilled if they know that their identifier is on file with those local police…. Among the reasons for protection of anonymous speech is to protect against this sort of official retaliation.”  It’s easy for the police to make life hard for a registered sex offender, Risher pointed out.

The law’s defenders had a particularly hard time justifying the breadth of the registration requirement, which they conceded applied (at least as the law is written) to screen names or accounts used to post comments on websites from the New York Times to eBay, and to people whose crimes had nothing to do with the Internet.

“If I open an account so I can sell my bicycle on Craigslist, do I have to report that?”, Judge Bybee asked.

When counsel for the intervenors tried to justify the requirement for registration of Internet identifiers (but not pseudonyms used for other sorts of communications) by claiming that “sex crimes are moving to the Internet”, Judge Mary Schroeder shot back, “So is shopping. So what?”

We’re relatively optimistic that this panel of the 9th Circuit will allow the District Court’s preliminary injunction to remain in force. But it’s still up to the District Court to make that injunction permanent.

Sep 06 2013

Why did the NSA hack an airline reservation system (when CBP already has root access)?

The latest revelations about NSA attacks on encrypted electronic communications include this sentence buried in an article in yesterday’s New York Times (first noted today by the travel news website Skift):

But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.

It’s no surprise that the U.S. government was and is interested in monitoring airline reservations in real time as well as in mining historical airline reservation records.

But why did the NSA feel it was necessary to hack into airline and computerized reservation system (CRS) messaging, when the U.S. Customs and Border Protection division of DHS already had root access to reservations for flights worldwide stored in any of the four largest CRSs (including Amadeus, the only one not based in the USA), and was already extracting copies of all reservations that include flights to, from, via, or over the U.S. and compiling them into tits Automated Targeting System (ATS)?

  • Was the government interested in some airlines (who were these three?) that didn’t use one of the big four CRSs to host their reservations?
  • Was the government afraid that some airline or CRS (which one?) might pull the plug on CBP access, or restrict it to reservations for flights that actually touch the USA?
  • What was it about airline and CRS messaging that interested the NSA?  For what NSA purpose was the content of PNRs insufficient?

Whistleblowers, especially with airlines or CRSs or their contractors and suppliers, we need your help! If you know what was up with the NSA’s hacking of airline and CRS messaging, leave a comment or get in touch.

Sep 05 2013

How the TSA treats FOIA requesters it doesn’t like

The more we learn about the TSA’s handling of our Freedom Of Information Act (FOIA) requests, the uglier it gets. The latest chapter in the TSA’s vendetta against us is described in a FOIA appeal we filed this week.

The DHS, which of course includes the TSA, has long had a department-wide policy requiring special political approval — and often delay — of all FOIA requests from media, watchdog, or activist individuals or organizations, which we know included requests from The Identity Project.

In addition, we have now obtained less redacted versions of internal TSA and DHS email messages (which were officially released to us only with the most incriminating portions blacked out) showing that the TSA’s Chief Privacy Officer engaged in a campaign of character assassination intended to persuade TSA FOIA staff that individuals associated with The Identity Project are lunatics and liars and hold particular opinions and beliefs as a result of which we and our requests should be ignored or not taken seriously.

(Click image for larger version.)

In the libelous internal TSA email message reproduced above, TSA Privacy Officer Peter Pietra had this to say about Edward Hasbrouck, a consultant to The Identity Project who has filed many of our FOIA requests (and asked questions of Mr. Petra and filed other FOIA requests for records related to Mr. Petra’s work):

Ed is crazy as a loon, and as rude and belligerent at [sic] Bill says…. He misrepresents any interaction you have with him, so be wary (even where there is video that contradicts his version of events). He also thought 9/11 was a govt conspiracy because the FBI investigated it instead of the NTSB.

This message was distributed to TSA FOIA officers including those involved in processing our FOIA requests. And it was sent — the TSA itself later found — with the intention of influencing their decisions.

Even if Mr. Hasbrouck held these opinions and beliefs (which he doesn’t — the allegations about his opinions and beliefs are pure fabrications by TSA staff), who we are or what individuals associated with our organization think or believe is irrelevant to our entitlement to access government records pursuant to FOIA.

Attempting to induce FOIA staff to base FOIA processing or decisions on their opinions of the requesters’ beliefs is among the most serious forms of possible misconduct by officials responsible for compliance with FOIA.

If there’s anything worse, it’s withholding requested government records in order to cover up offical misconduct. But that’s exactly what happened when we requested the email message above.

The TSA’s Chief FOIA Officer and FOIA Public Liaison, Yvonne Coates, redacted the libelous portions of the message on the grounds that they were part of the decision-making process (even though she knows that making FOIA decision on the basis of who we are or what we believe is forbidden by FOIA) and that disclosure of these portions of the message “would injure the quality of future agency decisions by discouraging the open and frank policy discussions between subordinates and superiors”:

(Click image for larger version.)

The dismal track record of DHS and TSA noncompliance with FOIA began with the creation of these agencies during the Bush administration, and has continued during the Obama  administration.  Our FOIA requests (like those of other requesters) have routinely been delayed or lost. Responses have been incomplete, improperly and excessively redacted, and almost always months or years later than the deadlines in the law.

Read More