Jan 23 2019

New US push for an ICAO air travel surveillance mandate

Having successfully used the International Civil Aviation Organization (ICAO) as a vehicle for policy laundering on RFID transceivers in passports, the US government is making a new push toward its decade-old goal of getting ICAO to adopt a standard mandating (a) government access to Passenger Name Record (PNR) data and (b) the creation of airline passenger surveillance and profiling units, in all ICAO member countries.

As first noticed by Statewatch, the US made a proposal to ICAO’s High-Level Conference on Aviation Security in late November 2018, “for ICAO to establish a Standard(s) regarding the collection, use and analysis of PNR data.”  The US argued that:

Of urgent concern to combat would-be terrorists and terrorist activities, is the need to elevate the collection, use, processing and protection of Passenger Name Record (PNR) data to standards within Annex 9 and/or Annex 17.
To insure compliance with aviation safety norms, many countries’ laws require airlines to comply with ICAO standards.  So elevating an ICAO “recommendation” to a “standard” amounts to making it a de facto international legal obligation for airlines — without the need for the potentially messy and public process of adopting new national laws or ratifying a new treaty.

The US proposal for an ICAO PNR standard also alludes to resolutions regarding government access to and use of PNR data, which the US has pushed through the UN Security Council in a parallel policy laundering campaign:

At the Tenth ICAO Facilitation Panel that took place in Montréal in September of 2018, the Panel noted that UNSCR 2396 had urged ICAO to work with its Member States to establish a Standard for the collection, use, processing and protection of PNR data. This issue was raised as one with some urgency to help address issues relating to the protection of such data and to help resolve the conflict of laws between requirements to disclose and to protect the data. Several States offered to support the Secretariat in working towards developing the Standard in question without which States cannot derive the full benefits of using PNR data.
What this really means is that requiring airlines to allow governments to use their commercial data about travelers for purposes of surveillance and control of air travel would violate national laws which can be overridden only by making this an obligation through an international treaty body such as ICAO.

The US proposal calls for restrictions on freedom of air travel based on “risk-based  assessments” (i.e. pre-crime predictive profiling)  and on “associations” between individuals (i.e. how and with whom individuals exercise rights of assembly and association protected in the US by the 1st Amendment to the Constitution) :

Effective border security incorporates analysis of secure electronic data, some of which is provided at the time a passenger buys a ticket and some that becomes known when a passenger boards an aircraft. Passenger identification controls must be applied before the arrival of the passenger in the country of destination, to enable relevant border agencies to perform risk-based assessments of passengers and the goods they are carrying. Analysis of this data can illuminate the hidden connections between known terrorists and their unknown associates.
The recommendations made by the 2018 High-Level Conference  on Aviation Security will be considered by ICAO’s governing Council of member countries in 2019. There doesn’t yet appear to be a publicly-disclosed PNR standard ready for adoption, but it couldn’t be clearer that this is the goal toward which the US continues to push ICAO.
Jan 22 2019

9th Circuit: Passengers in a car don’t have to identify themselves

Passengers in a car stopped by police don’t have to identify themselves, according to the 9th Circuit Court of Appeals.

That holds even in a state with a “stop and identify” law, and even if the initial stop of the car (for a traffic violation committed by the driver) was legal.

The opinion by a three-judge panel of the 9th Circuit earlier this month in US v. Landeros is one of the most significant decisions to date interpreting and applying the widely-misunderstood 2004 US Supreme Court decision in Hiibel v. Nevada.

Many police think that the Hiibel decision upheld the Constitutionality of requiring anyone stopped by police to show ID. But that’s not what the Supreme Court actually said.

The 9th Circuit panel that decided US v. Landeros read the Hiibel decision carefully and correctly, and gave important and explicit guidance on the narrowness of its findings and what it actually means for people who are stopped and asked for ID by police.

What does this mean for you, especially when or if you are in the 9th Circuit or want to raise the 9th Circuit’s latest decision as persuasive authority in another circuit?

Read More

Jan 21 2019

“Refugees could travel to Europe or America by air. What’s stopping them?”

An article by Saad Hasan for TRT World (the English-language news service of Turkey’s national public broadcasting  network) highlights a life-and-death issue for refugees: Why are thousands of asylum seekers who could afford to buy a plane ticket to Europe or the USA dying every year trying to cross the Mediterranean Sea or the Sonoran Desert to reach a country where they can find sanctuary from persecution?

The answer, as we told TRT World, is that, “These deaths of the asylum seekers during migration are a direct consequence of carrier sanctions. Sanctions imposed by governments on airlines for transporting unsuccessful asylum seekers are killing thousands of people a year directly around the world.”

The article notes that, “The Geneva Convention allows an asylum seeker to board a commercial flight even without a visa. But airlines face the risk of paying a fine if that person’s application is rejected and he has to be flown back.”

We’ve raised this  issue repeatedly with the UN Office of the High Commissioner for Human Rights.  Just last week, we asked the UN Human Rights Committee to include it in its list of issues for the upcoming review of US implementation of the International Covenant on Civil and Political Rights:

An asylum claim cannot be made or adjudicated until after a claimant arrives in a country of refuge. Asylum seekers cannot be required to have any specific documents, and their inability to obtain travel documents from a government from which they arefleeing may be part of the evidence supporting their asylum claim.

A common carrier has an obligation to transport all passengers willing to pay the fare in its tariff.

But the U.S. imposes civil fines on airlines and other carriers that transport unsuccessful asylum seekers. These “carrier sanctions” turn inherently unqualified airline ticket sales and check-in clerks into de facto asylum judges of first and last resort, with a government-imposed financial incentive to err on the side of denial of transport. For asylum seekers, denial of air transportation either acts as a categorical bar to reaching U.S. territory to make a claim for asylum, or leads asylum seekers to use irregular and often fatally unsafe routes and modes of land or sea travel to reach the U.S.

Some other sources interviewed by TRT World suggested that the consequences of “carrier sanctions” could be mitigated by issuance of “humanitarian visas” for asylum seekers. But as we pointed out, “Foreign embassies and airports are closely watched by local police. If someone comes to the embassy seeking asylum and isn’t immediately given sanctuary then they can be subject to additional persecution.”

Solving the problem of deaths in transit doesn’t take a lengthy legislative process like introducing a humanitarian visa. Almost by definition, not everybody who applies will be given such a visa. And any visa will have to be applied for at a consulate or embassy in a country where an asylum seeker may be subject to retaliation for visiting such a consulate.

All it takes to reduce these deaths is a small change in administrative practice: Stop fining airlines when they bring people to a border or port of entry and the people are not admitted, and enforce their duty as common carriers to transport anyone willing to pay the fare in their tariff.

If the country and the airline don’t want the expense of returning failed applicants for asylum, airline regulations could require that an airline must transport passengers without visas if they have purchased a return ticket or a ticket onward to another country.  This is already required for most visitors to the US or the European Union, even if they have visas. This would double the revenue to the airline for each such refugee. For legitimate refugees, most of those return tickets would expire unused, making them free money for the airline — but not risking the lives of refugees by denying them access to safe air transport.

It’s tempting to some people to think of freedom of movement as something “abstract” or important only to the “jet set”. But nothing could be further from the truth. Administrative restrictions like carrier sanctions, and failure to enforce the duties of common carriers, are a life-and-death matter for some of the world’s most destitute and deserving refugees, those who would qualify for asylum if they could only reach a country of refuge.

Jan 14 2019

Issues for the next UN review of human rights in the USA

Today the Identity Project submitted recommendation to the UN Human Rights Committee (UNHRC) for two issues to be included in the upcoming periodic review of US implementation of the International Covenant on Civil and Political Rights (ICCPR), including the provisions of the ICCPR recognizing the right to freedom of movement:

  1. Lack of Remedies for Violations of the ICCPR by the USA (joint submission by the Identity Project and the US Human Rights Network)
  2. Interference by the USA with Freedom of Movement (including violations of rights recognized in the ICCPR to freedom of movement, assembly, association, and privacy)

The Identity Project participated actively In the most recent previous periodic review of US compliance with the ICCPR, the fourth since the US ratified the ICCPR.

We reported to the UNHRC in 2013 on violations by the US government of rights recognized in the ICCPR, including the right to travel. A year later, as part of a delegation of nongovernmental organizations coordinated by the US Human Rights Network, we met with members of the UNHRC and with US officials before and during the two days of public questioning of the US  by the UNHRC in Geneva in 2014.

At the conclusion of its review, the UNHRC called out the failure of the US to “effectuate” the ICCPR, leaving most victims of human rights violations by the US government with no means of legal redress. “There was no suggestion that any of those responsible for any of the past criminal violations of our Covenant [i.e. the ICCPR] would be brought to justice or that its victims would have access to their day in court,” the chair of the UNHRC noted at a  press conference announcing the committee’s concluding observations.

The UNHRC recommended that, “The State party [i.e. the US] should … Taking into account its declaration that provisions of the Covenant are non-self-executing, ensure that effective remedies are available for violations of the Covenant, including those that do not, at the same time, constitute violations of U.S. domestic law, and undertake a review of such areas with a view to proposing to the Congress implementing legislation to fill any legislative gaps.”

In one of our submissions to the UNHRC today, we remind the committee of this recommendation, and point out that no action has been taken on it by the US in the five years since.

Together with the US Human Rights Network, we recommend that, “The U.S. should enact legislation implementing and effectuating the ICCPR by giving U.S. federal and state courts jurisdiction to hear cases arising under the ICCPR, and creating a federal cause of action for violations of the ICCPR.”

In our other submission today, we call attention to the ongoing and increasing surveillance and control of travelers being carried out by the US government.

We recommend that, “The U.S. should restrict travel by common carrier, including domestic or international air travel, only on the basis of judicial orders issued through adversary proceedings in which the right to freedom of movement is recognized, ” and that, “Personal information pertaining to the exercise of the right to freedom of movement, such as details of airline reservations, should be collected or retained only on the basis of individualized orders based on probable cause to suspect violations of law.”

This March, the UNHRC will adopt a list of issues that it will focus on its next review of the US. Following a report from the US government on those issues, the UNHRC will conduct its fifth review of US implementation of the ICCPR in Geneva in 2020 or 2021.

Jan 10 2019

CBP finalizes rules for social media surveillance

Is suspicionless spying on what US citizens, foreign residents, visitors to the US, and their families, friends and associates do and say on social media an “essential” function of the US government?

Federal employees deemed “inessential” have been furloughed. But those still working for deferred paychecks apparently include staff  of the Department of Homeland Security, including the DHS Privacy Office, responsible for promulgating rules exempting DHS surveillance from the minimal limitations imposed by the Privacy Act.

In 2017, the DHS gave notice of a new system of social media and travel surveillance records, the US Customs and Border Protection (CBP) Intelligence Records System (CIRS). At the same time, the DHS proposed to exempt these records from as many as possible of the requirements of the Privacy Act. The proposed exemptions would purport to authorize the DHS to include social media and other information in the CIRS database without regard to its accuracy or relevance to any investigation or suspicion of unlawful activity, and to keep these files and any recrods of how thety are used and shared secret from the individuals to whom they pertain.

Joined by eight other national civil liberties and human rights organizations, the Identity Project filed comments with the DHS in October 2017 opposing both the creation of this illegal database of records of suspicionless surveillance of activities protected by the First Amendment and the proposed Privacy act exemptions.

More than a year later, on December 27, 2018 — a week after the Federal government had partially shut down, and during a holiday week when fewer people than usual would be scrutinizing the Federal Register —  the DHS finalized the proposed Privacy Act exemptions for CIRS.

The DHS analysis of the comments on the proposed rule completely ignored some our objections. There’s no response from the DHS to our comments on the Privacy Act’s prohibition (from which an agency cannot exempt itself) on the collection of information about how individuals exercise rights protected by the First Amendment without explicit statutory authorization, which is lacking for collection of social media data.

Others of our objections were brushed off with conclusory claims that such broad surveillance is “necessary” for predictive profiling:

Comment: DHS’s collection of records in CIRS is overly broad because, as stated in the NPRM, DHS may be collecting information that ‘‘may not be strictly relevant or necessary to a specific investigation.’’

Response: In order to conduct a complete investigation, it is necessary for DHS/CBP to collect and review large amounts of data in order to identify and understand relationships between individuals, entities, threats and events, and to monitor patterns of activity over
extended periods of time that may be indicative of criminal, terrorist, or other threat.

Comment: Proposed routine uses would circumvent Privacy Act safeguards and contravene legislative intent.
Response: DHS’s collection of records in CIRS is intended to permit DHS/CBP to review large amounts of data in order to identify and understand relationships between individuals, entities, threats and events, and to monitor patterns of activity over extended periods of time that may be indicative of criminal, terrorist, or other threat.
The CIRS database has already been in operation since at least October 2017. The Privacy Act exemptions took effect December 27, 2018, so it is no longer possible for anyone to find out what information about them is contained in CIRS, or to whom it has been disclosed.
Jan 09 2019

How many times will the DHS cry wolf on REAL-ID?

The last time we checked in on the status of the seemingly endless game of “chicken” being played by the US Department of Homeland Security with its threats to start harassing air travelers who reside in states the DHS deems insufficiently “compliant”, every state and territory had been given another “extension” of time to demonstrate commitment to compliance until at least January 10,  2019.

Since then, the DHS, in its standardless administrative discretion, has announced further extensions until at least April Fools Day, 2019 (for the US Virgin Islands), for every state and territory except California and Guam.

But as of today, the DHS website says that, “California has an extension for REAL ID enforcement, allowing Federal agencies to accept driver’s licenses and identification cards from California at Federal facilities, nuclear power plants and federally regulated commercial aircraft until January 10, 2019.”

As of this morning, with the “deadline” less than 48 hours away, we got the following response to our questions about this from a spokesperson for the California DMV:

The State of California has been working for the better part of a year to be deemed compliant with the REAL ID act, unfortunately due to a lack of response on the part of the Federal Government with the ongoing shutdown there has been no final confirmation.

So was that a real deadline for REAL-ID in California?

Is the DHS really prepared to have TSA checkpoint staff — working for indefinitely deferred pay — start trying to carry out time-consuming “ID verification procedures” for everyone who shows up at an airport checkpoint with a California drivers’ license or ID, starting the day after tomorrow?

The answer turns out to be, “No.”

The DHS and TSA have blinked yet again in the face of insufficient state “compliance”.

We’ve just received the following updated statement from the DMV:

The California DMV has confirmed with the Department of Homeland Security (DHS) that they will be granting California an extension to April 1, 2019. Due to the furlough, the letter might not arrive until tomorrow and DHS will likely not be updating their website until the furlough ends. All driver licenses will remain valid and can continue to be used for federal purposes.

And this from a spokesperson for the TSA:

I recently learned from DHS that California’s extension has been extended through April 1, 2019…. Updates to their website are underway.

California doesn’t actually comply with the REAL-ID Act. That would require uploading data about all California drivers’ licenses and ID cards to the SPEXS national ID database, which California hasn’t done and which would probably violate multiple provisions of California’s state constitution. But DHS certifications and extensions are discretionary, and need not be based on any specific criteria or on actual compliance.

There’s still no public word about Guam, the extension for which is also scheduled to expire tomorrow.

Phase 4b” of REAL-ID Act enforcement at airports supposedly started on January 22, 2018. Since then, the only state or territory where the DHS has let a REAL-ID  extension lapse, even temporarily, has been American Samoa, for which another extension has now been granted until October 10, 2019. We’re still waiting for any response to our FOIA request for records of what happened to American Samoans who tried to fly during the period last year when the extension had lapsed.

 

Jan 07 2019

Amtrak thinks it’s OK to spy on passengers because it makes the trains run on time

Buried in the final 500-page PDF file of redacted and munged e-mail messages released by Amtrak in December 2018 in response to a FOIA request we made in 2014, we got the first hint at an answer to one of the questions that originally prompted our request:

What did Amtrak  think was its legal basis for requiring passengers to show ID and provide other information, and for handing this data over to DHS components and other police agencies for general law enforcement purposes?

When US Customs and Border Protection (CBP) asked Amtrak to start transmitting passenger data electronically, it described this as a request for “voluntary” cooperation, noting that while the law requires airlines to collect and transmit this data to CBP, “these mandates do not currently extend to land modes of transportation” (as they still don’t today).

Despite this statement from CBP, someone at Amtrak came up with a way to describe the changes to Amtrak’s systems and procedures to require ID information in reservations for all international trains, and to transmit this data to CBP,  as “required by the U.S. Department of Homeland Security (DHS)” and as “being mandated by the US Border Inspection Agencies [sic].”

In 2004, an Amtrak technology manager was asked, “Do you know if such a [Federal] mandate [to collect information about passengers] exists, or is Amtrak not obliged to participate in this program?”

The unnamed Amtrak IT manager’s response was that:

By statute, the federal government … in cooperation with Amtrak “shall maintain, consistent with the effective enforcement of immigration and customs laws, en route customs inspections and immigration procedures for international intercity rail passenger transportation that will (1) be convenient for passenger; and (2) result in the quickest possible international rail passenger transportation.” 49 USC 24709.

In other words,someone at  Amtrak thinks it’s not merely permitted but required by this provision of Federal law to implement whatever level of intrusiveness of data collection and data sharing will make international trains run more quickly.

It’s arguable, to say the least, whether Congress intended this law as a mandate for ID credentials or data collection, whether collection of passenger data prior to ticketing actually expedites international trains (compared to, as used to happen, conducting customs and immigration  inspections onboard while trains are in motion), or whether demands for ID and passenger information are consistent with the clause of this section requiring that measures taken be “convenient for passengers”. But someone at Amtrak seems to have interpreted this statute as such a mandate, and represented it as such to other Amtrak staff and contractors.

Are there any limits to what information or actions Amtrak would think is required of passengers on international trains, if  that would keep US and Canadian border guards from stopping or delaying trains at the border for customs inspection?

Questions about whether Advance Passenger Information (APIS) was required had been asked not only within Amtrak but by Amtrak-appointed travel agencies, as was relayed to Amtrak by a product manager  for the “Worldspan by Travelport” reservation system:

There’s no indication in the documents we received as to whether this Worldspan subscriber, or any other travel agency, was given any answer to this question.

Notably, no legal basis whatsoever for requiring ID from passengers on domestic trains was mentioned anywhere in the records we’ve received from Amtrak. Nor were any records released that related to Amtrak’s privacy policy, or the legal basis for it, although such records were covered by our request.  We’re still following up with Amtrak on this and other issues, and will file administrative appeals if necessary.

As part of Amtrak’s response to a separate FOIA request, however, we’ve received a redacted copy of Amtrak’s internal directive to staff regarding passenger ID requirements. According to this document, Amtrak stopped requiring passengers to show ID in order to buy tickets as of October 25, 2017.  But no records related to this change, or the reasons for it, were released in response to our request.

Amtrak train crews are supposed to check ID of a randomly selected 10% or 20% of passengers. In our experience, however, Amtrak staff rarely require any passengers to show ID.

Although Amtrak is a Federal government entity, Amtrak’s of list of acceptable ID is much more inclusive than the list of ID that comply with the REAL-ID Act. Amtrak’s list of ID acceptable for train travel includes, among other acceptable credentials, any ID issued by a public or private middle school, high school, college, or university, and drivers’ licensed issued by US states and territories to otherwise undocumented residents.

Amtrak even accepts a “California state issued medical marijuana card“, which doesn’t have the cardholder’s name, only their photo. We’ll leave it as an exercise to our readers to figure out what relationship Amtrak thinks there is between being eligible for medical cannabis and being eligible for Amtrak train travel.

The most reasonable inference is that someone at Amtrak has decided that Amtrak should make a show of requiring ID, but that others at Amtrak don’t really want to turn away travelers without ID. Perhaps they recognize that travellers who don’t have or don’t want to show ID are a valuable Amtrak customer demographic.

Read More

Jan 04 2019

Issues for the revitalized Privacy and Civil Liberties Oversight Board

With its recent revival, the Federal government’s Privacy and Civil Liberties Oversight Board (PCLOB) has a chance to take a fresh look at how far the USA has gone since 9/11 in implementing a combination of “pre-crime” policing (à la Minority Report) and “social credit scoring” integrated with commercial service providers (à la China) as a means of control of what people can and cannot do, and where they can and cannot go.

The PCLOB didn’t have a quorum since early 2017, and was down to only one member. But three new members were confirmed in October 2018. An Executive Director – who may end up with longer-term influence than the members of the Board, especially given that the new members weren’t appointed and confirmed until just three months before one of their terms is scheduled to end – is currently being hired. Civil libertarians able to obtain a security clearance and willing to relocate to DC are encouraged to apply.

>What should the PCLOB focus on, with its limited time and resources? The PCLOB is an advisory committee with neither legislative nor prosecutorial authority. The best use it can make of its limited mandate is to ask hard questions and raise issues that Federal agencies won’t otherwise acknowledge or address.

The TSA and DHS were created in haste after 9/11 without consideration of the privacy and civil liberties implications of their new activities, many of which have never been explicitly approved by Congress. The reactivation of the PCLOB after the latest hiatus is a chance to take a fresh look at the big picture of what these agencies are doing, and what this means for privacy and civil liberties. It might be tempting to focus on “emerging” threats, but the first priority should be to assess the DHS surveillance and control systems that are already in place:

  1. Conversion of state licensing of motor vehicle operators into a national ID system. More than a decade after Congress enacted the REAL-ID Act of 2005, we are entering the endgame of DHS efforts to pressure states into participating in an outsourced, privately-operated, national ID database created to enable compliance with the REAL-ID Act. SPEXS already includes records sourced from states about more than 50 million Americans, but is not subject to any direct government control and has never been the subject of any publicly-disclosed review of its implications for privacy and civil liberties.

  2. Mass surveillance and permission-based predictive control of movement and travel. Congress has never debated whether air travelers should be required to identify themselves,whether the government should keep histories of innocent citizens’ movements (compiled from commercial airline reservations for common carrier travel, license plate readers for travel by private vehicle, and facial recognition for pedestrian movement), or whether existing judicial mechanisms for restricting the right to travel and movement through injunctions or restraining orders should be replaced with secret, extrajudicial administrative prior restraint and similar orders. How has travel been transformed from a right to a privilege exercised only by government permission? How does this implicate the 1st Amendment right to assemble and the right of freedom of movement recognized by international human rights treaties? How widely, and with what implications for privacy and civil liberties, has the precedent set by real-time “pre-crime” predictive control of travel expanded to other activities and transactions?

  3. Suspicionless dragnet administrative searches. Today, the most common hands-on interaction between a Federal agent and a person not suspected of any crime is a TSA pat-down. But there’s never been any comprehensive review of the legality or the implications for privacy and security of the proliferation of suspicionless administrative searches since the creation of the DHS and TSA: security theater in airports, warrantless searches at internal checkpoints (domestic airports, CBP roadblocks on roads that don’t cross the US border, and attempts to claim the right to impose searches on the public in other forms of transportation.

There’s much more that we and others could say about each of these issues, if the PCLOB choses to consider them. But the first challenge for the PCLOB is whether it will tackle these big-picture issues.

Jan 03 2019

Plaintiff in first no-fly trial wins another appeal on attorneys’ fees and government lawyers’ bad faith

Fourteen years to the day after she discovered she was on the no-fly list when she was arrested at SFO, and five years after her legal victory in the first trial of a challenge to a government no-fly order (a Pyrrhic victory as she has still been denied a visa to return to the US), Dr. Rahinah Ibrahim won a third decision in her favor in the same case in 9th Circuit  Court of Appeals yesterday, this time en banc and on the issue of reimbursement by the government of Dr. Ibrahim’s attorneys’ fees and costs.

Read More

Jan 02 2019

Who’s paying for the national ID database?

As part of a flurry of overdue year-end responses to our Freedom Of Information Act (FOIA)  requests, we’ve gotten some curious messages about Federal government funding for SPEXS, the national database of drivers’ license and state ID-card data being created — with no apparent consideration of its impact on privacy and civil liberties — to enable states to comply with the Federal REAL-ID Act of 2005.

The DHS continues to claim that SPEXS isn’t a Federal database: “REAL ID does not create a federal database of driver license information.” But we know that much of the funding for the SPEXS database and the “State-To-State” (S2S) system of which it is a component has come from Federal grants laundered through grants to states and then reassembled by the American Association of Motor Vehicle Administrators (AAMVA) to pay the contractors building and operating the database and network.

Read More