Papers, Please!

The Identity Project

Monthly Archives: October 2013

Oct 22 2013

TSA’s lying “response” to today’s story in the New York Times

We’re quoted on the front page of today’s New York Times in a story by Susan Stellin, “Security Check Now Starts Long Before You Fly”:

The Transportation Security Administration is expanding its screening of passengers before they arrive at the airport by searching a wide array of government and private databases that can include records like car registrations and employment information….

“I think the best way to look at it is as a pre-crime assessment every time you fly,” said Edward Hasbrouck, a consultant to the Identity Project, one of the groups that oppose the prescreening initiatives. “The default will be the highest, most intrusive level of search, and anything less will be conditioned on providing some additional information in some fashion.”

More:

The TSA refused to say anything to the Times on the record, but published a blog post today (with the misleading title “Expediting Screening for the Traveling Public”) responding to the Times’ story with a succession of lies and prevarications.

We call “bullshit” on the TSA:

  • “We are not using “private databases.”” This is an out-and-out lie, as “Blogger Bob” and the TSA surely know. All TSA pre-secreening systems relie primarily on information from private commercial databases of airline reservations (PNRs). Since there is no requirement for a U.S. citizen to notify the government directly before taking a trip by common carrier, “pre-screening” would be impossible without access to, and reliance on, these private commercial databases. The US government has gone to great effort, through the APIS,  PNR, and Secure Flight regulations and through lobbying for changes to Canadian privacy law and exceptions to European privacy law, to implement requirements for DHS access to this data.  If these databases are no longer “private”, that is only because the TSA and other DHS components have compelled airlines and reservation hosting companies to make this data available to government agencies.
  • “TSA does not monitor a passenger’s length of stay in any location.” The TSA doesn’t always retain the travel itinerary information it compels airlines to provide for domestic travel, but it claims the right to do so for anyone deemed (arbitrarily or according to secret criteria) to be “suspicious” or to “match” an entry on any of the government’s (arbitrary, secret) “watchlists”.  And for international travel, CBP (another DHS component agency) does retain complete PNR data, including travel itineraries, and comprehensive border crossing and entry/exit logs, for all travelers, in its Automated Targeting System (ATS) — and claims the right to “share” all this data with the TSA. (And that doesn’t even begin to consider the NSA’s apparently independent hacking of airlines and reservation systems and potential sharing of PNR and other travel data with DHS.)
  • “We are not using car registrations.” Again, it’s CBP rather than the TSA that is logging license plates and vehicle movements (using cameras near borders and optical character recognition software), linking them to individual ATS records, and using them to generate “risk” scores and watchlist messages — which are then passed on to the TSA.  TSA is using this data, just (slightly) indirectly. According to the latest System Of Records Notice for ATS, published in the Federal Register in 2012, “ATS maintains the official record for … the combination of license plate, Department of Motor Vehicle (DMV) registration data and biographical data associated with a border crossing”.
  • “[W]e rely on the same security information passengers have been required to submit at time of booking for many years…. [T]he info we rely on is the same info that passengers have provided for years when they book their flight.” Actually, we didn’t used to have to provide our ID number, date of birth, or gender in order to make an airline (or Amtrak train, or Greyhound bus) reservation. It used to be possible to hold airline reservations in “dummy” names, or with no names at all. The TSA relies on information that has only been required since the creation of the TSA. And in the past, we “provided” that information, if at all, only to airlines and travel companies. Prior to the creation of the TSA, we never had to provide any information to the government to book a flight.  (Unless we were traveling in a foreign country where a foreign government agency like the Stasi required us to show our ID cards or permission papers to book a flight.)
  • “Anyone who has never traveled outside the United States would not have a passport number on file and would therefore not be subject to the rules that the agency uses to determine risk.” Nonsense. Many people have our passport numbers on file with the TSA because we’ve used our passports as ID for domestic flights.  Many people have no government-issued ID except a passport.  Despite the State Department’s moves to make it more difficult to get a passport, the REAL-ID  law sometimes makes it even more difficult to get a drivers license or other state-issued ID than to get a passport.
  • “We are not expanding the type of information we use.” If that were true, why would the TSA have published formal notices in the Federal Register of new systems of records and new uses for existing systems of records?  They don’t publish these legal notices just for fun. Either (a) the TSA has already been illegally collecting and/or using this data without proper notice, in violation of the Privacy Act (as DHS did for years with the Automated Targeting System), (b) the TSA is doing what is says in the notices it is doing, and collecting and using new information in new ways, or (c) the TSA plans to do so in the future, and wants to be able to say, if someone later complains, “But we gave you fair notice that this was what we were going to do. If you wanted to object, you should have done so back in 2013 when we published that notice.”
  • “[W]e are not using any new data to determine low risk passengers.” Applicants for the TSA’s Pre-Check program — i.e. people who want to be relieved of suspicion-by-default and the associated more intrusive search each time they travel — are being required to provide information that the TSA has never before requested, including fingerprints, other biometric information, and authorization for checks of criminal, financial, and other government and commercial records.  If the TSA isn’t using any of this new data, why is it compiling it? More than likely, this new data is being or will soon be used — and retained for possible additional future uses for an unknown range of purposes.

[TSA Pre-Crime graphic from Leaksource]

Oct 10 2013

TSA proposes arbitrarily individualized surveillance-based searches

In the latest version of TSA’s endless series of “trusted traveler” (or “less mistrusted traveler”) schemes, the agency is currently proposing to impose more intrusive searches on any traveler who doesn’t “voluntarily” enroll in the TSA Pre-Check program and authorize the TSA to create a new permanent file with everything from your fingerprints to any “other information provided by … government agencies or other entities”.

These files would be exempted from the normal requirements of the Privacy Act that records used as the basis for decisions about individuals’ exercise of our rights be made available to us and be limited to information that is sufficiently accurate, complete, and relevant to form a legitimate basis for such decisions.

The proposal is contained in a package of three regulatory filings (one new and one revised “System of Records Notice” and a “Notice of Proposed Rulemaking” proposing Privacy Act exemptions) published last month in the Federal Register.  All three have to be read in combination to appreciate their full implications.

The deadline for public comments on two of these proposals is today, and for the third is tomorrow. We filed consolidated comments today objecting to all three of these proposals:

Read in combination, this new and revised SORN and these proposed regulations describe a system in which an essentially unlimited range of personal information collected from an essentially unlimited range of sources, and known to include inaccurate and irrelevant information, would be (or perhaps already is being) compiled into the “TSA Pre-Check Application Program” system of records.

These records would be used – either according to criteria which are illegally being kept secret, or in an entirely arbitrary manner at the “discretion” of the TSA – to determine who is and who is not deemed “eligible” to exercise the right to travel without being subject to unreasonable searches.

The results of that decision-making would be incorporated into the “Secure Flight” system of records, and used as part of the basis (also either pursuant to secret rules or entirely arbitrarily) for deciding to issue or withhold the issuance of individualized “boarding pass printing results”, including instructions to TSA staff and contractors as to the degree of intrusiveness of the search to which each would-be traveler is to be subjected as a condition of exercising our right to travel.

Maintenance and use of these systems of records in the manner contemplated by these SORNs and the proposed exemptions would violate the 1st, 4th, and 5th Amendments to the U.S. Constitution, the presumption of innocence, due process, the Freedom Of Information Act (FOIA), the Privacy Act, and Article 12 (Freedom of Movement) of the International Covenant on Civil and Political Rights (ICCPR.

These records should be expunged, and the proposed regulations should be withdrawn….

We also point out that the TSA is only pretending to give the required consideration to public comments:

According to the “TSA Pre-Check Application Program” SORN published on September 10, 2013, “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act because it may contain records or information related to law enforcement or national security purposes.”

This claim was, and is, false. As of the date of the SORN, no such exemption had even been proposed: the NPRM proposing such an exemption, and requesting public comments (such as this one) concerning that proposed exemption for consideration by the DHS, was not published until a day later, on September 11, 2013. Even now, the Secretary has promulgated no final rule for such an exemption. Nor could he or she promulgate any such final rule, consistent with the Administrative Procedure Act, unless and until the current period for public comment on the proposed exemption rule has concluded and the comments submitted (including these comments) have been considered by the DHS.

The false claim that “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act”, when in fact the Secretary has not done so, appears to be intended to mislead individuals about what rights we have, and to dissuade us from attempting to exercise our rights.  In addition, by stating the outcome of the current exemption rulemaking as a fait accompli, it constitutes prima facie evidence of bad faith in the consideration of public comments. It is not enough for an agency to accept submissions of comments from the public to the circular file, after making a decision. An agency must give genuine consideration to public comments before deciding whether to finalize, modify, or withdraw a proposed rule.

You can read our complete comments here. You can submit comments at Regulations gov (here, here , and here) but your comments won’t be processed or visible online until after the DHS Privacy Office re-opens.

[TSA Pre-Crime graphic from Leaksource]

Oct 10 2013

US government thinks human rights are not essential

Representatives of the US government were scheduled to appear next week for public, in-person questioning in Geneva by the UN Human Rights Committee, as part of the UNHRC’s periodic treaty-mandated review of US implementation of the International Convention on Civil and Political Rights (ICCPR).

Each party to the ICCPR, including the US,  is required by Article 40 of the treaty to report to the UNHRC, “whenever the Committee so requests”, on “the measures they have adopted which give effect to the rights recognized herein and on the progress made in the enjoyment of those rights.”

We were looking forward to next week’s session, at which the UNHRC was scheduled to consider issues we had raised in our submissions to the UNHRC, including US violations of Article 12 (Freedom of Movement) of the ICCPR and US failure to consider, respond to, log, or report on complaints of human rights treaty violations.

Today, however, the US requested and received a postponement until March 2014 of its appearance before the UNHRC, “due to the ongoing government shutdown.”

But the US government is not, of course, shut down.

Agencies, departments, and contractors deemed “essential”, including police, prisons, surveillance agencies, and travel “screeners” (searchers and interrogators), remain on the job. These “essential” operations include, of course, many of those engaged in human rights violations.

The real meaning of the US request for postponement of the review of its human rights record by the UNHRC is that the US does not consider compliance with international human rights treaties to be “essential”.

The government continues to violate our human rights during the “shutdown”. What have been shut down are any mechanisms for accountability, oversight, or enforcement of human rights treaty obligations.

This is nothing new or surprising, but it is nonetheless appalling. Human rights are essential. Compliance with treaties is as essential as compliance with any other provision of the US Constitution.

Unfortunately, this is typical of the way that decisions have been made as to which government functions are “essential”.

For example, the TSA and DHS offices responsible for responding to Freedom Of Information Act (FOIA) requests have been closed for the duration, even though FOIA mandates, and provide statutory deadlines for, responses to these requests. Meanwhile, TSA and DHS press offices, who perform no statutorily mandated function, remain open. Propaganda has been prioritized over both the substance of transparency and compliance with the law in making decisions about which offices will be kept open.

The postponement of the UNHRC’s review of US compliance with the ICCPR will give the Department of State more time to respond to our complaint of violations of the ICCPR by the State Department, and our FOIA request for State Department records related to complaints of human rights violations.  That request and complaint have been pending for more than two years. Shortly before all FOIA offices were shut down, however, we were told by the State Department that it doesn’t expect to complete its response to our FOIA request until 2015. That’s too late, conveniently, for it to be considered by the UNHRC in its review of the US human rights recrod, even at a postponed 2014 session.