Papers, Please!

The Identity Project

Monthly Archives: September 2020

Sep 17 2020

New CBP propaganda on facial recognition and other biometrics

US Customs and Border Ptotection (CBP) has launched an entire new subdomain of its website, biometrics.cbp.gov, devoted to propaganda intended to persuade the traveling public to submit to, and airlines and airport operating authorities to collaborate in, the use of facial recognition and other biometrics to identify and track travelers.

There’s nothing in CBP’s happy-talk sales pitch for facial recognition on this new website that we haven’t seen before. And there are still no answers to any of the questions we’ve asked CBP officials about these practices and the legal basis (not) for them.

Biometrics.cbp.gov features links to the (nonbinding) Privacy Impact Assessments (PIAs) that are supposed to describe how mug shots obtained by CBP or its airport and airline “partners” are to be used. But the new CBP site doesn’t link to the legally binding System Of Records Notices (SORNs) that disclose a much wider range of routine and permitted uses of these images.

If there’s anything noteworthy on this site, it’s under the Resources tab, where you can download  copies of the official CBP signs that are supposedly posted at airports, seaports, and land border crossings, including those for airport arrivals (shown at the top of this blog post), airport departures, cruise ports, and pedestrian lanes at land borders.

Leaving aside questions of the accuracy of the claims on these signs, they provide definitive confirmation that all of these biometric programs are in flagrant violation of Federal law — as we’ve pointed out repeatedly to CBP, but to no avail.

None of these signs contain any Paperwork Reduction Act (PRA) notice or any OMB Control Number. Even if the collection of photos or other biometric information were authorized by law, even if it were voluntary, even if it were limited to non-US persons, and even if none of the images or other data were retained, this collection of information would still have to be approved in advance by OMB, assigned an OMB Control Number confirming the approval, and accompanied by PRA notices including that OMB Control Number.

Some people wonder why we care about OMB approval or PRA notices. OMB approval is often little more than a rubber stamp. It’s not an onerous burden on the agency, and it doesn’t usually involve any meaningful scrutiny of the legal basis claimed by an agency for collecting information from individuals. PRA notices don’t give much information about how the data that’s being collected will be used.  Few people know to look for PRA notices or OMB Control Numbers, how to interpret them, or what they signify.

The significance of CBP’s complete disregard for the PRA — a minimal administrative formality that CBP could easily comply with — is that it is indicative of CBP’s complete disregard for the law in general. It’s not that CBP or its parent agency the US Department of Homeland Security (DHS) are lazy. The choice not to seek OMB approval for their actions, or to post PRA notices, is not an accident. It’s emblematic of the extent to which CBP and the DHS assume that they can disregard any of the substantive or procedural rules that apply to all other agencies, and make their own laws through secret diktats. The real problem is not the violation of the PRA, but that CBP and DHS have no greater respect for human rights treaties or the US Constitution than they do for Federal laws like the PRA.

Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Sep 14 2020

10th Circuit: No qualified immunity for police who demand ID

A panel of the 10th Circuit US Court of Appeals has ruled, in the case of Mglej v. Gardner, that it is “clearly established law” that police in Utah may not require suspects (or anyone else they detain, except operators of motor vehicles) to show ID documents, and therefore that the Garfield County Sheriff who wrongly arrested Matthew T. Mglej for “refusing to identify himself” is not entitled to qualified immunity and can be held liable for damages.

In the summer of 2011, Mr. Mglej, then 21 years old, set out on his motorcycle from his family home in Portland, OR, to visit relatives in Dallas, TX. Mid-way on that road trip, his motorcycle developed problems, and he stopped in Boulder, UT (population around 200), to see if he could get his bike repaired and replace a tire that was threatening to blow.

Read More

Sep 09 2020

Portland bans facial recognition by city agencies or in places of public accommodation

Today the City Council of Portland, Oregon, voted unanimously to ban the use of facial recognition technology by City agencies or by private entities in places of public accommodation within the City limits, including at the Portland International Airport (PDX), effective immediately.

Many local and national organizations and individuals testified eloquently in favor of these proposals. We don’t need to repeat all of their general arguments.

But a point of particular concern and particular pleasure for us is that the Port of Portland asked the City Council for an exemption from the ban to allow use of facial recognition “for air carrier passenger processing” — and was turned down.

No member of the City Council mentioned the Port’s request for a carve-out for facial recogntion of air travelers during the City Council discussion, and the proposals were adopted without amendment except for making the ban on private use of facial recognition in places of public accommodation effective immediately, as had already been proposed for the ban on use by city agencies. (The amendment to make the private entity ban effective immediately was made verbally during the City Council meeting, so it isn’t reflected in the advance text of the proposal.)

This is an important precedent , as Portland is only the second jurisdiction in the US to consider local rules related to facial recognition at its airport.

Earlier this year, after behind-the-scenes threats by the US Department of Homeland Security (DHS) to make life difficult for the Port of Seattle if it didn’t collaborate with DHS facial recognition schemes at Sea-Tac International Airport (SEA) and allow airlines and contractors also to do so, the Port of Seattle Commission reneged on the aspirational policy principles it adopted in 2019  and decided to buy and operate common-use facial recognition cameras integrated with DHS and airline databases and operations.

(See our written testimony to the Seattle Port Commission on use of facial recognition at SEA: 1, 2, 3., and articles in our blog here and here.)

The decision by the Port of Seattle was made just before the COVID-19 pandemic drastically reduced traffic at SEA and other airports and delayed the need for the new gates at SEA where the DHS-linked cameras were to be installed. A broad coalition of local and national community and civil liberties organizations has called on the Seattle Port Commission to use the opportunity provided by this delay to reconsider its decision on facial recognition.

Portland did significantly better than Seattle in working to distance itself from and isolate the DHS — not surprisingly in light of the object lesson the DHS has provided in Portland recently with respect to DHS trustworthiness (not), self-restraint (not), commitment to the rule of law (not), and respect for civil and human rights (not). Portlanders don’t trust the DHS to behave any better at PDX Airport than it’s been behaving on the streets of Portland.

PDX airport is located within the City of Portland but operated by the Port of Portland, a special-purpose agency of the state of Oregon governed by a board appointed by the Governor of Oregon. The City of Portland can’t prevent use of facial recognition by the DHS or the Port of Portland, but can regulate or prohibit its use by private entities, including airlines, within the city limits, including at the airport.

The Port of Portland has the authority to enter into contracts, borrow and spend money, manage its employees, and enact rules for activities at PDX Airport. But in addition to the requirements of due process and other Constitutional rights, and the obligations on the airport as a publicly owned and operated place of public accommodations and common-carrier facility, the legislative authority of the Port is limited to the issuance of rules consistent with city ordinances. That appears to mean that the Port may not prohibit that which the city has duly prohibited. (If readers have more expertise on this jurisdictional issue, feel free to leave a comment or drop us a line.)

The Federal government could preempt the Portland ordinances if it enacted valid laws or promulgated valid regulations mandating use of facial recognition by Federally-regulated airlines and/or airports. But no law mandates use of facial recognition for US citizens, even when traveling internatoinally, or for passengers on domestic flights

The DHS has refrained from promulgating any such regulations, preferring to operate outside the law than to establish any legal framework for its use of facial recognition or subject it claim of authority to notice-and-comment rulemaking or judicial review. A petition for rulemaking on use of biometrics for traveler identification submitted to the DHS by the Portland-based World Privacy Forum has been ignored by the DHS for almost two years.

While the DHS has engaged in heavy-handed behind-the-scenes lobbying and threats to “persuade” airlines and airport operating agencies to become its “partners” in biometric surveillance and control of air travelers, as it did in Seattle, the DHS has continued to maintain — correctly — that this “cooperation” is entirely voluntary. In declining to participate, and by exercising its jurisdiction to prohibit airlines or other contractors form doing so within the city limits, the City of Portland is doing only what the DHS has consistently said that local jurisdictions have the authority to do, if they so choose.

The July 14, 2020, letter from the Port of Portland to the Portland City Council requesting exemption from the facial recognition ban made numerous false factual claims and specious arguments. Since these bogus arguments are likely to be raised again in other cites despite having failed to persuade any of the members of the Portland City Council, it’s worth noting and debunking them:

Read More

Sep 04 2020

ICAO mandates worldwide government surveillance of air travelers

Playing out the endgame we predicted last year of a two-decade campaign by the US government to establish a global regime of government surveillance of air travelers, the International Civil Aviation Organization (ICAO) has adopted an amendment to the Chicago Convention on Civil Aviation that will require each of the 193 state parties to that treaty — essentially every national government in the world — to require all airlines operating international flights to provide a designated government agency with complete mirror copies of all reservation records (“Passenger Name Records“) in a standard PNRGOV transmission format.

This is an extraordinary and, so far as we can tell, unprecedented globalization and normalization of suspicionless mass surveillance of the innocent exercise of legal rights.

To the best of our knowledge, this is the first time that any industry — much less an industry of common carriers required by law (including by international aviation treaties) to transport all would-be passengers, without discrimination, in the exercise of a right to freedom of movement also recognized by international treaties — has been mandated by international treaty to provide government agencies worldwide with complete copies of its commercial records of each of its transactions with a customer. No such treaty obligation exists, for example, with respect to records of postal, telephone, Internet, or financial transactions.

The exercise of rights should not be deemed per se suspicious or a legitimate grounds for surveillance.

The requirement for PNR-based surveillance of air travelers is included in Amendment 28 to Annex 9 to the Chicago Convention. This amendment was approved by ICAO’s Council — an executive committee of countries elected by ICAO’s members to make decisions between ICAO’s triennial General Assembly of all member states — on June 23, 2020.

Read More

Sep 03 2020

GAO report on DHS use of facial recognition on travelers

The Government Accountability Office (GAO) has released a new report requested by Congressional oversight committee chairs describing and assessing the ways that US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) use facial recognition to identity and track international (CBP) and domestic (TSA) travelers.

Here’s how the GAO says it works  (click flowchart for larger version): The GAO report doesn’t address several of the most significant issues with DHS use of facial recognition to identify travelers, including:

Read More

Sep 01 2020

TSA tries out another (illegal) biometric “ID verification” system

Today the Transportation Security Administration (TSA) announced that it has launched a “pilot” at Washington National Airport (DCA) of yet another scheme for biometric identification and tracking of domestic air travelers.

[Screen capture from TSA video]

The new “touchless ID verification” stations at DCA include a webcam (at top center of photo above) a magnetic-stripe reader (lower left) for drivers licenses and other ID cards, and a photographic scanner for passports (lower right).

Travelers who volunteer to use the new system are directed to insert their drivers license, ID card, or passport into the appropriate reader, stand on a marked spot in front of the webcam, and remove their face mask, so that the image from the ID (or, more likely, from some back-end image database linked to the ID, although that hasn’t been disclosed) and the image from the webcam can be compared by some undisclosed algorithm.

[Traveler being directed by TSA staff to remove her face mask for digital mug shot.]

As we’ve noted previously, it appears to us that (1) the TSA has no general authority to require travelers to show their faces or remove face masks, and (2) in many jurisdictions, orders issued by state or local health authorities currently require all people in public places such as airports to wear masks.

The TSA describes this system as “touchless”. But while TSA staff don’t have to touch travelers’ IDs, each traveler has to touch the same ID card or passport scanner. Then, immediately after touching the scanner, they have to touch their face again to put their mask back on.

Read More