Feb 25 2016

Why the Judicial Redress Act is worthless

Yesterday President Obama signed the Judicial Redress Act into law.  European Union Commissioner for Justice Věra Jourová described the new law as, “a historic achievement [that] will ensure that all EU citizens have the right to enforce data protection rights in U.S. courts…. The entry into force of the Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement.”

Is the Judicial Redress Act really so historic? And will it actually “ensure that all EU citizens have the right to enforce data protection rights in U.S. courts”?

Sadly, no.

Europeans should not be fooled by statements such as those from Commissioner Jourová or her counterparts in other EU institutions. As we know from our own experience in court as US citizens, there are almost no real-world cases in which the Judicial Redress Act will provide any actual protection or enforceable legal rights to citizens or residents of the EU, or anywhere else.

The Judicial Redress Act gives some foreign citizens some of the rights that US citizens currently have, with respect to some of the uses and misuses by the US government of their personal information.  But in no case will any foreigner have more rights under the Judicial Redress Act than US citizens have under the Privacy Act.

Serious scrutiny of the terms of the Privacy Act, and of the history of attempts by US citizens to use the Privacy Act to protect themselves against misuse of our personal information by the US government, has been largely absent from the debate about the Judicial Redress Act. But from our experience as parties to one of the key lawsuits attempting to assert Privacy Act claims by US citizens in relation to one of the most controversial categories of personal information being transferred from the EU to the US — passenger name records (PNRs) for international airline flights — we have learned an important lesson that Europeans need to know: the Privacy Act is so limited and riddled with exceptions that it is almost worthless. It is because the Privacy Act is useless, not because the US government follows fair personal information practices in its dragnet surveillance, that there are so few examples of successful litigation against the US government by US citizens under the Privacy Act.

All of the limitations and exceptions that always rendered the “protection” of the Privacy Act inadequate — even for US citizens — will continue to render the protection of the Judicial Redress Act inadequate for foreigners, in all of the same ways, and in additional ones.

What are these exceptions and limitations? In order to make sense out of the Judicial Redress Act, it’s essential to understand the exemptions in the Privacy Act, as courts have interpreted them.

Federal agencies can exempt themselves from almost all of the requirements of the Privacy Act with respect to “investigatory material compiled for law enforcement purposes,” a catch-all category that has been applied to records of dragnet surveillance and other information compiled and used for “pre-crime” profiling, even when the data subjects have never been accused or suspected of any crime. All an agency has to do to opt-out is to publish a notice in the Federal Register that a particular system of records has been declared exempt by the agency that maintains the records. An agency can wait to promulgate such a notice until after it receives a request for access to records, a request for an accounting of disclosures, or a request for correction of records.

Read More

Feb 24 2016

The real state of compliance with the REAL-ID Act

S2S-map-Clerus-22FEB2016 [As of February 2016, only the 4 states colored green on the map above are compliant with the REAL-ID Act. Map courtesy of Clerus Solutions, contractor for S2S.]

How many states have actually complied with the REAL-ID Act of 2005? Only four out of fifty-six states and US territories, we’ve recently learned.

The US Department of Homeland Security is trying hard to convince reluctant state governments that resistance to the REAL-ID Act is futile, because most of the other states and US territories have already complied or agreed to do so.

A DHS map shows only five “noncompliant” states that are the target of current DHS threats, while the DHS list of the Current Status of States/Territories alleges that 22 states and the District of Columbia “are compliant with the REAL ID Act.”

Are any of these DHS claims true? No.

The REAL-ID Act requires any state or territory that wants to issue driver’s licenses or state ID cards acceptable for “Federal purposes” to, “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”  A state that does not give other states full access to its database of drivers and ID cardholders is not “compliant” with the Federal law.

As we’ve previously reported, the only system currently available (or likely to be made available, given the cost and complexity of developing an alternative) for states to make their driver’s license and ID databases accessible to other states is the S2S system operated by the AAMVA. This included the SPEXS “pointer” database — the centrally-located national ID database the DHS keeps claiming doesn’t exist — with information about all REAL-ID compliant licenses, ID cards, drivers, and cardholders.

How many states actually participate in S2S and SPEXS?  Unable to find any published information about this, we asked Chrissy Nizer (Maryland’s Motor Vehicle Administrator) and Nancy Carlson (Senior Business Analyst for Clerus Solutions, the prime contractor to AAMVA for the development of the S2S and SPEXS system), who were until recently identified publicly as points of contact for S2S and SPEXS.

In response to our last blog post about REAL-ID, which included diagrams and the list of the fields in the national REAL-ID database from the SPEXS specifications, AAMVA moved the SPEXS specifications and the entire “State-to-State” section of its website behind a login firewall. AAMVA also blocked the S2S software download directory of their website from Web crawlers.

But we did, somewhat to our surprise, eventually receive a polite response from Ms. Carlson, providing us with the S2S status map at the top of this article and some additional information about the national “pointer” database. To quote Ms. Carlson:

  • In August 2015, Wisconsin was the first state to participate in S2S.  North Dakota joined in November 2015. Maryland joined in early February 2016 and Indiana joined in February 2016. We have a total of 15 states that have signed Letters of Intent to participate in S2S. All 15 pilot states plan to implement the service by December of 2016.
  • The map [above] shows the current status of the states with respect to S2S.
  • The S2S pointer index is operated by the American Association of Motor Vehicle Administrators (AAMVA) at a datacenter located in Virginia.  AAMVA is providing these services under contract to the Mississippi Department of Public Safety (MSDPS).

States and territories that aren’t compliant with the REAL-ID Act are in good company, and should stand firm.  Fifty-two of the total of 56 states, US territories, and the District of Columbia are not yet making their state databases available to other states, as will eventually be required if they choose to comply.

Feb 23 2016

US border guards have root access to all Amtrak domestic reservations

The latest installment in Amtrak’s response to one of our FOIA requests confirms our suspicion that Amtrak has given US Customs and Border Protection (CBP) access to all Amtrak reservations including those for purely domestic passengers and trains — but in an additional and harder-to-track manner than we had previously been aware of.

In October 2014, we asked Amtrak for its records related to data-sharing and other collaboration with the Department of Homeland Security (DHS) and other US and foreign law enforcement agencies. Amtrak is still in the process of searching for and censoring responsive records, more than a year after the legal deadline for its full response. In the mean time, however, Amtrak has been providing intermittent “interim” responses, which we’ve been analyzing and reporting on as we receive them. Because Amtrak is a Federal government entity subject to FOIA, unlike commercial airlines or bus lines, we’ve been able; to find out much more about Amtrak collaboration with DHS and other law enforcement agencies than about the parallel practices of private transportation carriers.

We’ve learned that Amtrak’s own police — who are commissioned by individual states, but have unusual multi-state jurisdiction — have root access to Amtrak’s “ARROW” computerized reservation system, and even a special “Police GUI” (graphical user interface) to mine passenger reservations for police purposes.

We’ve also learned about Amtrak’s transmission to DHS of information about all passengers on Amtrak trains that cross the US-Canada border.

What we didn’t know, until the latest interim release of Amtrak documents this month, was whether DHS or any other Federal police agency also has access to complete reservation details for the much larger number of passengers on domestic Amtrak trains within the US.

Now we know: Agents of US Customs and Border Protection (CBP) have the same access to all Amtrak reservations as Amtrak onboard train conductors, in such a way that their access evades ever being logged or associated with CBP, but appears to Arrow and Amtrak as though it was carried out by Amtrak staff.

It works like this:

Read More

Feb 22 2016

Supreme Court hears arguments on illegal police ID demands

The U.S. Supreme Court is hearing oral argument today in the case of Utah v. Strieff, a case involving the legal and practical consequences of an illegal warrantless police stop and demand for ID from a pedestrian on the street, in circumstances in which the police concede that they had no probable cause and not even any reasonable, articulable suspicion that the person they stopped and required to show ID had committed any crime.

After illegally stopping Mr. Strieff, and while illegally detaining him, the police illegally demanded that if he had any ID, he hand it over to the police — which, under duress, he did.  From this illegally seized evidence of Mr. Strieff’s identity, the police determined that there was an outstanding warrant for his arrest in relation to an accusation of a minor traffic violation.

All of this, and the illegality of each step in this process, the police now concede.

After arresting Mr. Stieff on the basis of the outstanding traffic warrant, the police searched him “incident to the arrest” and found evidence of unrelated but more serious violations of drug laws.  Mr. Stieff was charged with drug law violations, and convicted on the basis of the evidence found during the search “incident to” his arrest on the traffic warrant. The Supreme Court record is silent on whether Mr. Stieff was ever brought to trial, much less convicted, for the petty traffic offense for which the warrant had been issued and for which he was originally arrested.

Mr. Stieff hasn’t even tried to seek damages from the police for the illegal stop, illegal detention, and illegal demand for ID. All he is challenging, under the “exclusionary rule” for evidence obtained as a result of illegal police conduct, is the “suppression” from use as evidence against him of the drugs and paraphernalia found when he was searched.  So the case has been analyzed mainly in terms of the arcana of the exclusionary rule.

That’s important, but another way to describe this case is as being about whether the police get a free pass for illegal dragnet demands for ID if it subsequently turns out that there was a warrant for a person’s arrest.   If the Supreme Court agrees, police will be able, with de facto impunity, to stop anyone on the street, on an unwarranted “fishing expedition”, on the basis of racial or other profiling, or for any reason or no reason at all, and demand, “Your papers, please!”  That’s a demand which, in the context of police detention, renders the word “please” hypocritical.

As the briefs filed with the Supreme Court by Mr. Stieff and friends of the court including the ACLU and EPIC point out, there are tens of millions of arrest warrants outstanding in the US at any given time.  Many, perhaps most, of those warrants have been issued in conjunction with petty offenses, and/or for failure to appear in court. Many of the people for whom arrest warrants have been issued have not (yet) been convicted of the alleged offense in relation to which the warrant was issued, and many of them are never convicted of any offense. Warrants aren’t typically time-limited or self-sunsetting. They can, and often do, remain outstanding and enforceable indefinitely even after the underlying charges have been disposed of.

Because arrest warrants aren’t uniformly distributed, but are issued disproportionately against people in certain communities, there are neighborhoods where there are outstanding warrants for the arrest of a substantial percentage of people on the street, especially pedestrians who are on average lower income than people in motor vehicles. If the subsequent discovery of an arrest warrant, made possible only by an admittedly illegal ID demand, can retroactively justify the consequences of an otherwise illegal search, then everyone on the street or in any other public place is at risk of such dragnet stop and ID demands.

This case will play a key role in determining whether “stop and ID” will become the new justification for “stop and frisk” when police have no excuse for either.

Feb 11 2016

How the REAL-ID Act is creating a national ID database

SPEXS-central-files [The REAL-ID “hub” connects state and Federal agencies, private commercial third parties, and centralized, national database files.  AAMVA SPEXS Master Specification (AMIE), r6.0.8, page 5]

One of the big lies being told by supporters of the REAL-ID Act of 2005 is that, as the DHS says on its official “Rumor Control” page, “Fact: REAL ID does not build a national database nor does it grant the Federal Government or another state access to a state’s driver’s license data.” According to another DHS Web page, “REAL ID Frequently Asked Questions for the Public“:

Q: Is DHS trying to build a national database with all of our information?
No. … REAL ID does not create a federal database of driver license information.

In fact, as we’ve been pointing out and as others have noted, the REAL-ID Act is both building a national database and requiring any state that wants to issue drivers’ licenses or state ID cards that are “compliant” with the REAL-ID Act to grant all other states access to their state’s drivers’ license and ID card data.

Many state legislators and residents of states that are considering whether to start issuing “compliant” driver’s licenses are concerned about (a) whether this would affect residents of those states who “opt out” or choose not to have a gold-starred compliant license (it would, as we’ve discussed previously), (b) whether there would be a central database or list of all drivers or ID cardholders (there would be, as discussed below), and (c) what we mean when we say that the goal of the REAL-ID Act is the creation of a “distributed” national ID database in which a single query routed through the central “hub” can retrieve data from every state ID database.

Here’s what we’ve been able to find out about the centralized national ID database the DHS  claims doesn’t exist, what information it contains, how it works, and who operates it:

Read More

Feb 02 2016

Congress votes to stigmatize and surveil the travel of second-class US citizens

Can second-class US citizens be required to carry second-class US passports with a conspicuous stigmatizing “scarlet letter” label? Congress has now said yes.

Do DHS pre-cogs have the omniscience and infallibility of angels at predicting and protecting the US and the world against future crimes? Congress has now said yes.

Yesterday Congress completed its approval of a bill which, assuming it is signed into law by the President, will stigmatize and surveil the international movements of certain US citizens by (1) requiring the State Department to mark their passports with a modern equivalent of an “A for Adulterer” or “J for Jew” (a “visual designation affixed to a conspicuous location on the passport indicating” their status), (2) requiring these individuals to notify the government, in advance, of any intended travel outside the US, including their complete itinerary and any details of their planned movements demanded by the Attorney General, and (3) creating a new pre-crime travel surveillance and policing agency within the DHS to track, log, and alert foreign governments to the intended movements of these travelers.

The bill, H.R. 515, obtained final approval yesterday in the House of Representatives by voice vote, with no real debate and only a handful of members present, under procedures allowing for suspension of normal Congressional rules. [The bill had already been approved by the Senate in December.] But in previous statements about the bill and its predecessors, which Congress has been considering for years, members of Congress have made clear their hope that the combined effect of stigmatized passports, deliberately burdensome reporting requirements, and advance notice to foreign governments from the US government (carrying with it an implicit message that the US wants those foreign governments to deny entry to these US citizens) will effectively prevent these US citizens from traveling abroad at all, and confine them within the borders of the USA.

In an astonishing Orwellianism — but one that perfectly describes the fallacy of the vision embodied in the law — Congress has named the new pre-crime travel policing unit within the DHS the “Angel Watch Center”, claiming for the DHS the omniscient and infallible divine predictive ability of angels to watch over us and protect us from the people they think, or “know” by means that mortals cannot question, are going to commit future crimes.

Read More

Feb 01 2016

REAL-ID Act “opt-outs” and “two-tier” ID systems

Under the pressure of empty (but scary) threats by the Federal government to harass residents of states whose governments the DHS doesn’t deem sufficiently “compliant” with the REAL-ID Act of 2005, many state governments are trying to find ways to “comply” with DHS desires without selling out their residents’ rights.

State legislatures in New Hampshire, New Mexico, Minnesota, Oklahoma, and Missouri, among others, are currently considering bills that would create “two-tier” systems of compliant and noncompliant driver’s licenses and state ID cards in, and would allow individual residents of those states to “opt out” of having driver’s licenses or state IUD cards that comply with the REAL-ID Act.

Some of the sponsors of these bills mean well, but what they are proposing — whether or not they realize it — is capitulation, not compromise.  Worse, these”two-tier” systems would give state residents who “opt out” of having a compliant license an illusion of security, while their personal information from state records would in fact be included in the nationally distributed ID database.

In order to put a gold star for REAL-ID Act compliance on anyone’s driver’s license or state ID card, the REAL-ID Act requires each state to make its entire database of information about all holders of driver’s licenses and state ID cards accessible to all other states and territories.  States can choose to issue noncompliant ID cards without the gold star to individuals who opt out of providing birth certificates and other documents or complying with other provisions of the REAL-ID Act. But the Federal law doesn’t let states give individuals a choice about having their information in the database.

In order for anyone in a state to get a compliant license or state ID card, information about everyone with any sort of driver’s license or state-issued ID card must be included in the database made available to all other states and territories.

As soon as a state issues its first gold-starred license or ID, it is committed to share its entire database of information about everyone with any sort of state-issued ID card. The only way for a state to opt-out of the REAL-ID Act distributed national ID database is not to issue any compliant licenses or ID cards.

The DHS hasn’t included compliance with the database access provisions of the REAL-ID Act in its discretionary criteria for granting states temporary transitional certifications of “material progress” toward compliance, or extensions of time to comply fully. But eventually, once the DHS deems the transitional period over and begins to base its decisions on full compliance, the Federal law leaves it no more discretion. States will then have to decide either to not to comply and to invalidate all the gold-star licenses they have issues during the transition period, or to comply and give all other states access to information about all state license or ID holders, including those with noncompliant cards who think they have “opted out” of national database access.

Many of the sponsors of these “opt-out” bills say they oppose the REAL-ID Act, but want to provide a “choice” for residents who “need” a REAl-ID Act compliant ID. Who exactly are these people, and why do they “need” compliant state-issued ID cards? Read More