Aug 12 2019

CBP databases for travel surveillance and profiling

An advance notice posted last week by US Customs and Border Protection (CBP) of a forthcoming request for bids by IT contractors includes one of the most detailed inventories made public to date of the databases and interfaces used by CBP and its government and commercial partners (some of which are shown in the illustration above from the notice) for tracking, profiling, and control of travelers’ and our movements.

According to the 5-year plan in the draft Request For Quotations (RFQ), CBP’s Passenger Systems Program Directorate (PSPD) already outsources some of these databases to Saleforce.com, but plans to migrate them all to commercial cloud “Software-As-A-Service” contractors in 2020. According to the draft RFQ:

CBP’s vision for primary inspection processing of the future is to transform the way travelers are processed…  The paradigm will evolve from biographic data focused to biometric data centric. CBP will identify travelers biometrically based on information already in CBP holdings as an alternative to having the traveler present their travel document. A biometric-based approach allows threats to be pushed-out further beyond our borders before travelers arrive to the U.S…. Integration of facial recognition technologies is intended throughout all passenger applications.

Throughout the draft RFQ, facial recognition is described as a substitute for document checks, rather than as an (optional) alternative. “GE [Global Entry] kiosks are expected to be replaced with a facial recognition solution to identify GE members,” for example. There’s no mention of any provision in user interfaces for opt-out from facial recognition.

Moreover, “The vision for Global Entry of the Future (GE Next Gen) is a kiosk-less solution that uses facial recognition to identify GE members…. GE-Face aligns with CBP’s Biometric Entry-Exit strategy of identifying travelers with biometrics.”

A “kiosk-less solution” suggests that travelers will be identified by cameras that surveil them as they walk through, with neither the need to “present” themselves at a kiosk nor any way to pass through the airport or checkpoint without being photographed and identified — and having one’s presence at that place and time entered into a permanent ID-based government surveillance log.

Capturing photos of all US citizens — including those who currently opt out — so that their movements can be accurately logged is an explicit goal of the planned systems:

Simplified Arrival (SA) is a new and innovative approach that incorporates advanced facial recognition technologies into the primary inspection…. The new Simplified Arrival application will eventually replace TPAC and TPAC-Face. Simplified Arrival leverages facial recognition technologies in … the processing of arriving passengers and airline crew…. Capturing facial biometrics of all passengers adds additional security, as currently there is no biometric verification of U.S. Citizens, most Canadians, citizens of a few other countries and travelers who are exempted for other reasons such as age and class of admission. Using facial matching as the primary biometric verification modality provides a previously unavailable method to verify and facilitate travel for almost everyone, not just those travelers for whom DHS has fingerprints…. The Simplified Arrival process for air travel … Replaces document scan with facial recognition.

Not all CBP databases or systems and interfaces for populating and accessing them are included in the draft RFQ. These include the “Secure Flight”pre-crime program for profiling and tracking air travelers, which is used by both CBP and the TSA but “owned” by the TSA.

Also not mentioned in the draft RFQ is CBP’s Silent Partner pre-crime program for algorithmic profiling, scoring, and targeting of travelers for more intrusive searches and surveillance, and the associated rule-sets and blacklists of targeted travelers.

Silent Partner was first mentioned publicly in DHS testimony to Congress in 2011 as “an aviation security screening program…. the details of this program are classified.” Quiet Skies, a TSA program which uses a subset of the Silent Partner database to target domestic air travelers within the US, was made public by DHS whistleblowers in 2018. More information about Silent Partner and Quiet Skies was released in Sai v. Pekoske (a pro se challenge to TSA “orders” originally filed as Sai v. Neffenger) and  Elhady v. Kable (a challenge by CAIR to DHS blacklisting originally filed as Elhady v. Piehota). Only then did the DHS publish a years-belated Privacy Impact Assessment for Silent Partner and Quiet Skies. The PIA makes clear that these are pre-crime programs based on algorithmic profiling, not on suspicion of having committed any criminal or civil violation of law. But the profiling and scoring rules remain a secret to those against whom action is taken.

Aug 08 2019

CBP lies about US citizen with ID detained at non-border checkpoint, held for 26 days

Francisco Erwin Galicia, an 18-year-old Dallas-born U.S. citizen, was detained by US Customs and Border protection officers at a checkpoint in Falfurrias, Texas, on June 27th, while on his way to a youth soccer event with a group of relatives and friends, and held until July 23rd. He was held incommunicado for the first several weeks, and was kept in  CBP custody even after he was able to contact his family and a lawyer. He was released less than 24 hours after his detention was reported by the Dallas News.

As what happened to Mr. Galicia has been more widely reported,  he’s become a poster child for everything that’s wrong with the CBP and it’s checkpoints. That’s appropriate, but it’s also worth noting that:

  1. This isn’t the worst mistreatment that’s been imposed on US citizens by CBP. Mr. Galicia was held in the US rather than being deported (because, despite threats and intimidation, he refused to consent to “voluntary” deportation), held for less than a month, and released without gross physical injuries (although presumably with psychological trauma) Other US citizens, including those cases have been tracked and documented by Prof. Jacqueline Stevens and her students at the Deportation Research Clinic at Northwestern University, whose  have been deported from the US, spend years or in some cases decades abroad before being able to return, or suffered permanent physical injuries from maltreatment, neglect, or violence in custody or in countries to which they were wrongfully deported.
  2. This isn’t about border security, immigration, or US borders. Mr. Galicia wasn’t detained at the US border, while trying to cross the border, or on the basis of any particularized suspicion that he had done so or tried to do so. He was detained at a suspicionless checkpoint operated for general law enforcement purposes (mainly to find small amounts of marijuana and sometimes other drugs) 60 miles from the border. This is about controls on internal movement within the US.
  3. This isn’t about not having, not carrying, or not showing ID. The permanent checkpoint in Falfurrias has been in continuous operation for years, and Mr. Galicia knew that — whether it was legal or not — he’d have to be interrogated by CBP officers, and quite likely have to show his papers, to get to the next town. Mr. Galica was carrying, and showed the CBP officers at the checkpoint, his birth certificate, state ID card, and Social Security card. Ironically, this is exactly the combination of documents that would be required to obtain a “REAL-ID Act compliant” ID: three separate documents providing evidence of citizenship (birth certificate showing birth in the US), state residence (Texas state ID), and Social security number.
  4. It wouldn’t matter if Mr. Galicia were a dual citizen. CBP later claimed to have been confused by other documents carried by Mr. Galicia that they though suggested he might have been a Mexican citizen. But it’s not a violation of US law or a bar to US citizenship to hold by birthright, or to acquire, citizenship of Mexico or of any other country or countries. Millions of US citizens are legal dual citizen or multiple citizens, with the largest numbers of US dual and multiple citizens holding citizenship in Mexico, Canada, Ireland, the UK, and/or Israel in addition to US citizenship. Evidence of Mexican or any other citizenship is not evidence of lack of US citizenship.
  5. CBP officials lied about what happened to try to justify their actions, with one CBP official perjuring himself before Congress in testimony whose falsehood is proven by official CBP records served on Mr. Galicia and his lawyer.  Brian S. Hastings, Chief of Law Enforcement Operations for the US Border Patrol division of CBP, told the House Judiciary Committee in response to questions at an oversight hearing on July 25th that throughout his time in custody Mr. Galicia had never told the CBP officers who arrested or detained him that he was a US citizen. (The question from Rep. Ted Lieu and Rep. Eric Swalwell and the perjured answer by Chief Hastings begin at 4:45:00 of this video of the hearing.) But the Notice to Appear served on Mr. Galicia and signed by the acting Border Patrol agent in charge, alleges on behalf of CBP that Mr. Galicia was “found” at the CBP checkpoint in Falfurrias, “more than 25 miles from the United States border with Mexico”,  on June 27th, and “At that time, you… represented yourself to be a citizen of the United States,” as in fact Mr. Galicia was and is. Rep. Lieu and several other members of Congress have asked for better answers from CBP, but that’s not enough. By now, Mr. Hastings should have been charged with perjury. So far as we can tell, he remains at large, on the job and on the payroll of CBP.
Aug 05 2019

Questions about the REAL-ID Act

Fragmentary and jumbled records related to the REAL-ID Act of 2005 released by the US Department of Homeland Security in response to one of our Freedom Of Information Act (FOIA) requests don’t reveal much about DHS policy, but do provide a glimpse of DHS practices and plans.

The DHS has been threatening to harass, interfere with, or bar access to facilities or passage through checkpoints (including, but not limited to, those at airports) to people who don’t have, don’t carry, or don’t show ID; show ID that the DHS doesn’t deem compliant with the REAL-ID Act; or show ID issued by states or territories that the DHS deems insufficiently compliant with the REAl_ID Act.

These threats to deny equal rights to residents of noncompliant states and territories have been central to the DHS campaign to extort compliance from state and territorial officials reluctant to upload their residents’ data to an outsourced, privately-held national ID database.

But what sort of enforcement problem, at what scale, is this likely to pose for the DHS and those collaborators carrying out its REAL-ID directives? How many people will be affected, at what sorts of facilities and locations, in what circumstances?  Inquiring minds want to know, including opponents of the REAL-ID Act like ourselves, but also including officials at DHS headquarters trying to devise a workable REAL-ID enforcement plan.

Read More