Papers, Please!

The Identity Project

Monthly Archives: November 2020

Nov 30 2020

CBP proposes to require mug shots of all non-US citizen travelers

Last December we called attention to plans  by US Customs and Border Protection (CBP) to require mug shots of all travelers entering or leaving the US by air or sea, including US citizens.

Within days, CBP issued a press release falsely accusing us of incorrectly reporting  the official CBP notice of its plans, and saying that it would withdraw its notice the next time the regulatory agenda was published.

So what happened?

Earlier this month, CBP withdrew the notice of proposed rulemaking (NPRM)… and issued a new notice of proposed rulemaking the same day that wouldn’t apply to US citizens, but would require all non-US citizens, including permanent US residents (green-card holders) to be photographed whenever they enter or leave the US by any means: air, land, or sea.

(This proposed rule is for collection of biometrics from international travelers at airports, cruise ports, and land borders. There’s a separate pending proposal which we and others have criticized  for collection of biometrics including fingerprints and DNA samples, in advance of travel, from visa applicants, other would-be US visitors, and their US sponsors.)

At airports, the scheme contemplated by CBP would follow the public/private partnership model that CBP and the Transportation Security Administration (TSA) have been collaborating on with airlines and airport operating authorities in the USA and abroad:

Generally, when travelers present themselves for entry or exit, they will encounter a camera connected to CBP’s cloud-based TVS facial matching service via a secure, encrypted connection…. The camera may be owned by CBP, the air or vessel carrier, another government agency such as TSA, or an international partner governmental agency….

At the departure gate, each traveler stands for a photo in front of a partner-provided camera. Aided by the authorized airline or airport personnel, the partner-owned camera attempts to capture a usable image and submits the image, sometimes through an authorized integration platform or vendor, to CBP’s cloud-based TVS facial matching service.

The key element in this partnership, CBP makes clear, is that airlines and airports will pay to operate cameras and send photos of passengers to CBP, in exchange for getting uncontrolled use of the CBP facial recognition system for their own business purposes:

The hardware cost in the regulatory period will be borne by the carriers and airports who partner with CBP.  CBP will give carriers and airports access to its facial recognition system and the carriers and airports will choose (and pay for) the hardware that best fits their needs. While this partnership is voluntary, CBP expects that all commercial carriers and major airports will elect to participate within five years.

Unless airlines and airports were given free use of the CBP facial recognition service for their own purposes, they would have no business reason to bear the cost of installing and operating cameras at all departure gates, or to send the photos to CBP. CBP has limited authority to force airlines to surveil their customers, so CBP’s scheme depends on successfully bribing them — all of them — to collaborate by giving them free access to the facial recognition service. This quid pro quo is the key to CBP’s confidence in its plans.

Read More

Nov 25 2020

Airlines call for new app-based air travel controls

During  its online annual general meeting this week, the International Air Transport Association (IATA) rolled out a  new proposal for an app-based system of control over air travel that IATA is proposing for use by its member international airlines and by governments.

The scheme is being promoted as a response to the COVID-10 pandemic, but would institutionalize structures and practices with the potential for continuing and wider abuse.

IATA is calling its scheme the IATA Travel Pass. As described in these slides,  it would require would-be air travelers to enter both personally identifying information (most likely passport or other ID-card details) and records of tests and/or vaccinations into an IATA  smartphone app.  The data would  be processed by the algorithms of a “rules engine” to detemine whether to issue an “OK to travel” permission message. The output of this algorithmic decision would be available for use by both airlines and governments.

The intent of the IATA proposal is to create an infrastructure for sharing of data and travel permission decisions, at any point before or after the journey, with both airlines and governments, on the basis of an open-ended ruleset:

Of course IATA’s new proposal has all the defects of any smartphone-based travel surveillance or control regime that we discussed back in April when Hawaii tried out such a scheme. IATA is silent on what is to happen to  a traveler who doesn’t have a smartphone, charged-up and operable, with them when they try to travel.

And what about travelers without passport? No passport is currently required, even for international flights, within some free-movement zones such as within Mercosur, ECOWAS, or the European Union, or between the UK and Ireland.

But that’s not the worst aspect of the IATA proposal. Unlike Hawaii’s app-based location reporting system, the IATA app would go beyond surveillance to incorporate an algorithmic decision-making system for prior restraint of the right to travel.  Very disturbingly, there’s no mention in the IATA proposal of who would control the algorithmic ruleset, leaving it wide open to mission  creep and abuse by governments worldwide.  There’s no apparent way to restrict the nature of the rules or the purposes — blacklisting? discrimination? profiling? retaliation? — for which they could be used. Deployment of a general-purpose algorithmic travel control app for use worldwide would invite abuse.

Read More

Nov 10 2020

What does REAL-ID Act “enforcement” really mean?

For the last fifteen years, as both Republican and Democratic administrations have come and gone, the US Department of Homeland Security (DHS) has been using the threat of “enforcement” of the REAL-ID Act of 2005 to extort state legislators, governors, and driver licensing agencies into complying with the REAL-ID Act of 2005 and uploading their residents’ drivers license and state-issued ID card data to the national REAL-ID database, “SPEXS”.

The threat has been that the DHS and/or its components (such as the Transportation Security Agency) will harass or turn away residents of noncompliant states when they try to pass through TSA or other Federal checkpoints or enter Federal facilities.

Not wanting to provoke riots or protests at airports, the DHS has repeatedly postponed its arbitrarily self-imposed “deadlines” for REAL-ID enforcement at TSA checkpoints, most recently until October 1, 2021.  And the TSA, despite repeated trial balloons suggesting what new rules it might try to adopt to require ID to fly, has not yet tried to finalize such a  rule. So we don’t really know what, if anything, REAL-ID Act enforcement at airports might mean.

However, the REAL-ID Act has supposedly been being enforced for access to some other Federal facilities for more than five years, starting on October 15, 2015.

We’ve been trying for almost that long to find out what that “enforcement” has really meant, so that we and the public can assess the meaning and impact of the DHS threats.

How many people have been turned away for lack of acceptable or compliant ID, or ID issued by a “compliant” state, when they tried to enter Federal facilities? At what types of facilities has this happened? And for what purposes were these people seeking entry?

Read More

Nov 06 2020

Canada copies US “Secure Flight” air travel controls

While we were watching US election returns, our neighbors to the north were adopting new travel regulations that incorporate some of the worst aspects of the US system of surveillance and control of air travel, and in some respects go even further in the wrong direction.

Canadian authorities don’t generally want to be seen as imitating the US or capitulating to US pressure. There was no mention in the official analysis of the latest amendments to the Canadian regulations of the US models on which they are based. But according to the press release this week from Public Safety Canada, the latest version of the Canadian Secure Air Travel Regulations  which came into force this week for domestic flights within Canada as well as international flights to or from Canada include the following elements, each of which appears to be based on the US Secure Flight system:

  1. All air travelers will be required to show government-issued photo ID. The Canadian ID requirement to fly is now explicit, unlike the de facto ID requirement that the US Department of Homeland Security is attempting to impose and already wrongly enforcing, in some cases, without statutory or regulatory authority. The Canadian rules appear to reflect the authority to deny passage to air travelers without ID that the DHS has sought, but has not yet been granted, in the US.
  2. Fly/no-fly decision-making will be transferred from airlines (making binary fly/no-fly decisions on the basis of a no-fly list provided by the government) to a government agency. After receiving information about each passenger from the airline, Public Safety Canada will transmit a permission messages to the airline with respect to each would-be passenger on each flight,  with a default of “not permitted to board” if no message is received by the airline from the government. Exactly this change was made in the US through the Secure Flight regulations promulgated in 2008. This change serves two purposes for the government: (A) it provides a basis for building positive real-time government control over boarding pass issuance into airline IT infrastructure, converting every airline check-in kiosk or boarding-pass app into a virtual government checkpoint that can be used to control movement on any basis and for any reason that the government later chooses, and (B) it enables the switch from blacklist-based no-fly decision-making to more complex and opaque real-time algorithmic pre-crime profiling  based on a  larger number of factors.
  3. Air travelers in Canada will be required to provide the airline  with their full name, gender, and date of birth, as listed on government-issued ID, and airlines will be required to enter this data in each reservation and transmit it to the government 72 hours before the flight or as soon as the reservation is made, whichever comes first. All of this is exactly as has bene required for flights within the US since the coming into force of the DHS Secure Flight regulations. This additional information about each passenger enables the government to match passengers’ identities, in advance, to other commercial and government databases, and thus to incorporate a much wider range of surveillance and data mining into its profiling algorithms.
  4. Travelers will be able to apply to the government for a “Canadian Travel Number” which, if issued, they can enter in their reservations to distinguish themselves as whitelisted people from blacklisted people with similar names and/or other similar personal data.  This Canadian Travel Number is obviously modeled on the “redress number” incorporated in the US Secure Flight system. The goal of this “whitelist number” is to reduce the complaints and political embarrassment of the recurring incidents of innocent people with similar names, including  children, being mistakenly identified as blacklisted people, and denied boarding on Canadian flights. The problem, of course, is that this does nothing to help the innocent people who are correctly identified as having been blacklisted by the government, but who were wrongly blacklisted in the first place.

As our Canadian friends at the  International Civil Liberities Monitoring Group put it in a statement this week:

These regulations do not address the central, foundational problems that plague Canada’s No Fly List system and will continue to result in the undermining of individuals’ rights as they travel….

The Canadian government had a solution from the beginning, and they still do: abolish the No Fly List. If someone is a threat to airline travel or to those in the region they are traveling to, charge them under the criminal code and take them to court where they can defend themselves, in public.

It’s time to be done with secret security lists once and for all.