Jan 30 2015

You shouldn’t be arrested just because the TSA calls the cops on you

In the final episode of a legal saga we’ve been following for the last five years, Philadelphia police have agreed to pay $25,000 to a college student who was arrested after TSA checkpoint staff at the airport called in the police because he was carrying a set of Arabic-English flash cards and a book critical of US foreign policy entitled “Rogue Nation: American Unilateralism and the Failure of Good Intentions.”

In addition, as part of the settlement agreement with Nick George and the police (who had made a counter-claim against the TSA for telling them to arrest Mr. George), the TSA has issued a fascinating official declaration that it has no authority to order anyone arrested and that police are not required to take any action on TSA “referrals”.

The TSA can (and sometimes does, as in the ongoing case of “Naked American Hero” John Brennan) initiate its own administrative procedures to fine you for whatever it defines as “interfering” with “screening”.  But the latest TSA declaration confirms that TSA staff (much less TSA contractors at airports such as SFO) are not law enforcement officers, have no power to arrest anyone (except at their own risk, as a citizen’s arrest), and cannot legally order anyone arrested. As we have been saying for years, all they can do is call the local police.  Once the police arrive, they can only detain or arrest you if they — the police, not the TSA — have a lawful basis for doing so. “The TSA asked us to hold you or take you away” is not sufficient.

A federal District Court judge initially rejected the TSA’s claim of “qualified immunity”, but that decision was reversed in late 2013, as we reported at the time, by the Court of Appeals for the 3rd Circuit, against both common sense and an earlier ruling by the 4th Circuit.

In another case of retaliation for the exercise of 1st Amendment rights at a TSA checkpoint, the 4th Circuit had found that, “[i]t is an undoubtedly natural consequence of reporting a person to the police that the person will be arrested.”  But the 3rd Circuit begged to differ, finding that, “it seems just as likely that police officers who are summoned by TSA Officials would use their own independent discretion to determine whether there are sufficient grounds to take someone into custody.”

(This isn’t the first time DHS personnel have drawn improper adverse content-based inferences from travelers’ reading habits.  John Gilmore was detained and subjected to “secondary screening” and notes made in his permanent DHS file (see slide 32) in 2007 because he was carrying a book entitled, “Drugs and Your Rights.”)

The decision by the 3rd Circuit left alive Mr. George’s claims against the police, and the police counter-claim against the TSA.  The settlement dismisses those remaining claims in exchange for a $25,000 payment by the police to Mr. George, an agreement to re-educate the Philadelphia airport police about their duty not to delegate their authority to decide who to detain or arrest to the TSA, and the release of the TSA declaration.

We’re disappointed that the settlement leaves the ACLU unreimbursed for its costs of defending Mr. George’s rights, and that the TSA personnel got off scot free.  But if there’s a silver lining in the settlement, it’s the TSA declaration, which may make it harder for local police to claim ignorance of the law or immunity from liability when they arrest people on the say-so of the TSA or on the basis of a TSA “referral”.

If you think there’s a chance that the TSA might call the cops on you — and as Mr. George’s experience shows, the TSA could call the cops on anyone, for any reason or no reason — you might want to consider carrying a copy of this declaration to show the police when they show up at the checkpoint.  And remember that you have the same rights in this setting as in any other encounter with police, including the right to remain silent.

Jan 13 2015

Is the attack on Charlie Hebdo a reason for air travel surveillance?

In a speech today in Strasbourg opening the current session of the European Parliament, the President of the European Council (the executive branch of the European Union, comprised of national governments) invoked the attack on the satirical cartoonists of Charlie Hebdo as a reason for popularly-elected EU legislators to put aside their previous objections and enact a comprehensive EU-wide mandate for surveillance and profiling of airline passengers on the basis of Passenger Name Record (PNR) data from airline reservations.

Today’s speech by Council President Donald Tusk of Poland echoed similar statements by “security” (policing and surveillance) officials of other EU governments in conjunction with a summit meeting of EU ministers. The summit is also being attended by senior US officials from the DHS and other agencies that have been lobbying the EU for years to set up a PNR-based surveillance and profiling scheme modeled on the one used by the US.

Tusk and other EU officials have made PNR-based profiling of air travelers a priority as a “response” to the Charlie Hebdo attack in Paris, claiming that it “can help in detecting the travel of dangerous people.”

Is this true? And does the attack on Charlie Hebdo provide any reason for Members of the European Parliament, or the European Court of Justice, to change their opinion that mandatory root access by governments to airline reservation databases is unjustified and violates fundamental rights?

No, and no.

The attack on Charlie Hebdo was an act of domestic terrorism carried out within France by French citizens.  They didn’t travel by air or cross international borders.  Their means of transportation to and from the scene of the crime in Paris was a car stolen elsewhere in the Paris metropolitan area. Airline reservations or border controls would have given no indication of the impending attack, and could not have been used to prevent it.

After the fact, police pursuing the perpetrators could have obtained search warrants, including warrants for PNR data or other airline records if there was a likelihood that they would be relevant, through normal judicial procedures.

(And as Wikileaks recently revealed, European governments are already obtaining PNR data “informally” from airlines, and using it to profile travelers, without legal authority.)

Nothing about the attack on Charlie Hebdo provides any reason to give governments more power to engage in warrantless surveillance or profiling of travelers who aren’t suspected of any crime.

Comprehensive PNR surveillance is like the NSA’s dragnet interception and mining of Internet and telephone records — except that metadata about the movements of our physical bodies (PNR data) can be far more intimate than metadata about the movement of our messages. Which is more intrusive: For the NSA to know that you talked on the telephone or exchanged email messages or were in the same mobile phone “cell” with someone, or for the DHS or a European “Passenger Analysis Unit” to know from a hotel reservation passed on to the government as part of your PNR data that you slept in the same bed with that person?

The purpose of PNR-based surveillance is neither to investigate past crimes nor to track people who are already suspected of crimes.  Those activities require neither new procedures nor new police powers.  The only reason for governments to obtain the entire rich and intimately revealing PNR dataset for all air travelers is to identify new potential suspects, based on profiles and associations. Profiling and suspicion-by-association are the central purposes of a PNR system, not side effects or aberrations.

We’ll be in Brussels next week to discuss these issues with our European colleagues at a Privacy Camp on “Big Data & Ever Increasing State Surveillance”, and at the Computers, Privacy & Data Protection (CPDP) conference.

Jan 12 2015

Wikileaks publishes CIA reports on travel ID checks

Wikileaks has published two internal briefing documents produced for the use of CIA undercover agents, describing the methods used by airlines and governments to identify international travelers.

Both of these reports were produced as part of the CIA’s previously-unknown CHECKPOINT program of travel ID-related activities:

This product has been prepared by CIA’s CHECKPOINT Identity and Travel Intelligence Program. Located in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology, CHECKPOINT serves the Intelligence Community by providing tailored identity and travel intelligence products. CHECKPOINT collects, analyzes, and disseminates information to help US intelligence personnel protect their identities and operational activities while abroad.

One of the reports, “Surviving Secondary”, describes ID-related “secondary screening” procedures at international airports, with examples from the US, EU, and other countries around the world.  The other report is an overview of, “The European Union’s Schengen biometric-based border-management systems.”

Most of the airline and government profiling and “screening” activities described in the reports are already well-known.  These include many of the ways that governments obtain and use Passenger Name Record (PNR) and Advance Passenger Information (API or APIS) data derived from airline reservations.

But these newly-released reports also confirm that the CIA (and the other agencies with which the reports have been shared within the US government) are aware of some airline and government activities and some vulnerabilities for travelers which we and others have complained about, but which the US government has not previously acknowledged.

One problem confirmed by the CIA report on secondary screening is that government agencies can, and routinely do, obtain and use PNR, API, and other airline data, without legal authority or due process:

Security services lacking APIS or PNR information may have other arrangements to receive passenger manifests ahead of time. For example, the Airport Police Intelligence Brigade (BIPA) of the Chilean Investigative Police does not routinely obtain advance passenger manifests but can request the information from airlines on an ad hoc basis to search for targets of interest. Strict privacy laws covering Danish citizens extend to all passengers traveling through Copenhagen airport such that the Danish Police Intelligence Service (PET) cannot legally obtain routine access to flight manifests. However, if one of PET’s four cooperative airline contacts is on duty, the service can unofficially request a search on a specific name, according to August 2007 liaison reporting.

Airline data obtained by government agencies through these extrajudicial channels is used for profiling and targeting of searches, questioning, and other adverse actions against travelers.

This practice is illegal in many of the countries where it is routine, but typically occurs without leaving a trace.  Many airline staff are willing to betray their customers’ privacy to government agencies. And because no records are kept of who accesses PNR data, both government agents and their airline collaborators know that they are unlikely to be held accountable unless they confess or are caught in the act.

The persistence of routine “informal”, often illegal, and almost always unrecorded government access to airline data about travelers highlights a crucial issue we’ve been talking about for years: the complete absence of access logging in the architecture of the computerized reservation systems (CRSs) which host airlines’ PNR databases.  CRSs have PNR change logs, but no PNR access logs.

Governments and travelers must demand that CRSs add comprehensive access logging to their core functionality for PNR hosting. That won’t stop the problem. Airline staff will still be able to show government agents printouts or let them look at displays, with only the airline personnel’s access being logged. But access logs will help, and are an essential first step toward control of PNR data “leakage”.

The CIA report on secondary screening also confirmed that the CIA is aware of the sensitivity and use by European governments (and presumably other governments) of associational information contained in fare basis codes, ticket designators, and travel agency IDs:

April 2007 reporting resulting from a liaison exchange with the Hungarian Special Service for National Security (SSNS) provides insights into factors considered by officers at Ferihegy airport in Budapest, Hungary when examining tickets. Officers check … whether the ticket fare code represents a government or military discount, or whether a government travel agency booked the ticket. Hotel and car reservations are similarly examined for unusual discounts or government affiliation.

Of course, the same PNR data elements and pricing and ticket designators can reveal other, non-governmental, affiliations between travelers and with other individuals and groups. If an airline gives a discount to members of a political organization, trade union, or other group attending a convention or meeting, for example, each PNR and ticket for a member who receives the discount typically includes some unique code.

Despite complaints, including ours, both US and European officials have denied that ticket designators and similar codes in PNRs can reveal sensitive associational data.  Now we know that this information is already being used by European governments, and that the CIA is aware of these uses.  There’s no more excuse for pretending that these data elements are innocuous or that they can be “shared” without risk to travelers.

Jan 09 2015

“CAPPS IV”: TSA expands profiling of domestic US airline passengers

Under color of a vestigial provision of Federal law related to an airline passenger profiling program that was discontinued more than four years ago, and applying the name of that program (and attempting to apply the same legal mandate) to an entirely new scheme, the TSA is adding a new, additional layer of passenger profiling to its pre-crime system for domestic airline flights within the United States.

The existence and TSA-mandated implementation of the new so-called “Computer-Assisted Passenger Prescreening System (CAPPS)” was first disclosed publicly in an obscure posting this Monday on the DHS website and an equally obscure notice published the same day in the Federal Register.   According to both documents, the new CAPPS scheme has been under development since at least 2013, in secret collaboration between the TSA, the inter-departmental National Counterterrorism Center (NCTC), airlines, and private contractors.

What was the old CAPPS? What is the new CAPPS? And what does this mean for the rights of travelers?

Answering these simple-seeming questions requires understanding the history of government-mandated airline passenger profiling in the US and the shell game of labels that the government has applied to profiling schemes, as well as careful parsing of this week’s abstruse and uninformative (to the uninitiated) official notices.
