CBP wants more information to surveil and control air travelers
Today the Identity Project and allied civil liberties and human rights organizations submitted comments objecting to a proposal by US Customs and Border Protection (CBP) to require all travelers on international flights to or from the US to provide an address in the US, two phone numbers, and an email address, and prohibit or recommend that airlines not permit anyone who is unable or unwilling to provide this information to board any flight to or from the US. (See our report when this proposal was announced.)
In return for collecting this information and passing it on to CBP, airlines would be allowed to retain and use it for their own purposes, without permission from travelers. Airlines would also be allowed (and in some cases required) to pass it on to foreign governments.
The proposed CBP rule would apply to all travelers, including US citizens (regardless of whether they reside in the US), visitors, and asylum seekers.
The proposed rule is far more significant and far worse than it appears at first glance.
Although the proposal is represented by CBP as a minor change to an existing program that would cost airlines nothing and impose no costs on travelers, it would cost the airline industry hundreds of millions of dollars and impose costs on would-be travelers, especially asylum seekers, that would be measured not only in dollars but also in lives. The proposed rule would also violate multiple provisions of the Privacy Act, including in ways that would force travelers to make personal information available to hostile foreign governments.
Below are excerpts from our objections to the CBP proposal. You can read the complete comments of the Identity Project and our allies here. You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by filling out this form.
The undersigned civil liberties and human rights organizations – the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC) – submit these comments in response to the Notice of Proposed Rulemaking, “Advance Passenger Information System: Electronic Validation of Travel Documents”, Docket Number USCBP-2023-0002, FR Doc. 2023–02139, RIN 1651-AB43, 88 Federal Register 7016-7033 (February 2, 2023).
By this Notice of Proposed Rulemaking (NPRM), U.S. Customs and Border Protection (CBP) proposes to (1) expand the fields of information that all international travelers flying to or from the U.S. by common carrier are required to provide to airlines and that airlines are required to pass on to CBP (while being free to retain copies for their own profitable use); and (2) prohibit airlines from allowing certain individuals including those who don’t have, or are unable or unwilling to provide, two phone numbers, an email address, and an address in the U.S. (even if they are U.S. citizens who reside abroad), to board flights, or recommend that airlines not board them (in violation of airlines’ duties as common carriers to transport all passengers paying the fares in their tariffs, and in violation of travelers’ rights under Federal statutes, the Bill of Rights, Executive Orders, and international human rights treaties to which the U.S. is a party).
The proposed rule is purportedly intended to “enable CBP to determine whether each passenger is traveling with valid authentic travel documents prior to the passenger boarding the aircraft.” Aside from the fact that CBP has no jurisdiction over foreign citizens boarding foreign-flagged aircraft at foreign airports, the proposed rule would have little or no effect on CBP’s ability to detect travelers using documents issued to other people. The proposed rule would not serve its stated purpose, but would only serve to expand CBP’s systematic warrantless, suspicionless, surveillance of air travelers and CBP’s attempt to control airline travel.
As discussed below, the proposed rule exceeds CBP’s authority and jurisdiction and is contrary to law. It is also bad policy. It amounts to an attempt to impose a travel document requirement in the guise of document “validation”, to outsource to airlines surveillance and control of travelers that CBP would have no authority to conduct itself, and to frustrate the human right to asylum by preventing asylum-seekers from reaching the U.S.
Airlines would be induced to collaborate with CBP in (additional) surveillance and control of travelers, in violation of the rights of travelers and airlines’ duties as common carriers, by a carrot-and-stick combination of CBP extortion and CBP bribery.
Airlines would be extorted into denying passage to certain travelers on the basis of extrajudicial CBP recommendations and by CBP threats to impose financial sanctions on them if they fulfill their duties as common carriers. And airlines would be bribed to collaborate in this public-private travel surveillance and control partnership by being given an unrestricted free ride to use valuable and sensitive personal information provided to them by travelers under government duress for their own (likely highly profitable) commercial purposes.
The proposed rule would do no good for its stated purpose, and would do great harm in other ways omitted from the NPRM, at enormous cost to the airline industry and to travelers.
As elaborated in the sections below, the NPRM conflates requirements for entry to the U.S. with requirements for travel, conflates requirements to provide information to CBP with requirements to provide information to airlines and/or other third parties, and ignores the legal rights of travelers and the legal obligations of airlines as common carriers….
The ostensible purpose of the proposed rule is to enable CBP to determine, prior to departure of a flight, whether an airline passenger or crew member is traveling with a valid, authentic, travel document. But requiring travelers to provide an address in the U.S., an email address, and/or two phone numbers will do nothing to authenticate or validate any documents.
If CBP attempts to “authenticate” travel documents by comparing information provided by travelers with information in either government or commercial databases, it is likely that legitimate travelers will provide information that is deemed “incorrect” because it doesn’t match the information in those databases. Identity thieves, on the other hand, who have obtained information from those databases, are more likely than legitimate travelers to be able to provide APIS contact information matching whatever is in those government or commercial records.
As a document “validation” methodology, collection of this additional information for purposes of comparison with government or commercial databases would be less than useless….
Since CBP doesn’t specify the basis for the authority and extraterritorial jurisdiction it claims for itself and airlines, we have to speculate in order to try to respond to those claims.
The implied minor premises of the NPRM appear to be that (1) passports or similar documents are required for travel, not merely for entry to the U.S., and (2) the authority of CBP to inspect documents, search and question travelers, and determine their admissibility to the U.S. at airports and ports of entry implies jurisdiction and authority to delegate similar authority to carry out searches, inspections, and interrogation to commercial airline staff worldwide and to order common carriers not to allow individuals to board foreign aircraft at foreign airports.
But the NPRM provides no support in statute or case law for what would be an extraordinary series of leapfrogging expansions of extraterritorial, outsourced, and privatized CBP authority and jurisdiction….
The highest per-person costs of the proposed rule would be imposed on asylum seekers.
Many asylum seekers will, of course, be unable to provide the information required by the proposed rule, even if they might, on arrival in the U.S., be able to obtain asylum.
It’s difficult to put a dollar value on asylum or on its denial. Every time someone obtains asylum, it’s a triumph of freedom over tyranny. How much is that worth? How much would you pay for asylum from a country in which you are being persecuted or reasonably fear persecution?…
Some asylum seekers, denied their right to travel by common carrier to potential sanctuary in the U.S., will attempt to travel to the U.S. by other means. Some of them will die trying. Irregular means of land or sea travel are dangerous….
Typical fees paid to smugglers, guides, and facilitators for irregular transport to the U.S. border by asylum seekers are at least an order of magnitude greater than typical airfares.
Almost all of those who died in the desert or at sea could have afforded to fly, and would have done so but for CBP’s successful efforts to induce airlines to deny them passage in circumstances in which CBP has no authority to order the airline not to transport them.
Their deaths are solely and directly attributable to the U.S. government’s “carrier sanctions”.
As these sanctions are described in the NPRM, “if an air carrier boards a passenger who is then denied entry to the United States, the air carrier may have to pay a penalty.”
Instead of sanctioning airlines that fulfill their legal duty as common carriers to transport all passengers in compliance with their tariffs, the U.S. government should be sanctioning airlines that refuse to transport undocumented asylum seekers….
Carrier sanctions kill, and the proposed rule would increase the death toll….
A further privacy problem results from the fact that many foreign airlines are government-owned or parastatal entities. Many airports are also government-operated….
The requirement to provide this data to airlines thus amounts to a requirement to provide it to foreign governments, including the world’s most privacy-invasive and repressive regimes….
Malign foreign governments could misuse data obtained through airlines and/or airports for both economic and political purposes. They could use this data for economic espionage against competitors of their state-owned enterprises. And they could use this data to target repressive measures against their own citizens and foreign visitors, including U.S. persons….
The danger of providing contact information would perhaps be greatest for asylum-seekers seeking to flee. Repressive regimes could use this information to intercept and prevent asylum-seekers from leaving, or to harass or persecute their associates even after they escape….
The NPRM, in its entirety, should be withdrawn, and the current API rule should be rescinded.
- Complete comments of the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC).
- Form to submit comments (deadline midnight EDT, Monday, April 3, 2023).
- Docket with CBP proposed rule and all public comments.
- You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by
Pingback: U.S. Government Proposes New Rules For Passengers Flying In And Out Of The Country - View from the Wing
The new proposal to require travelers’ address (physical and/or email) and phone number is a huge invasion of privacy. Please do not ratify this proposal. In addition to the privacy issue, this change will result in increased fees for airlines, which will be passed on to customers. It will also allow the airlines and the CBP to use this information for their own purposes, with NO permission required. It would allow airlines to deny service to anyone who does not or cannot provide this information. All of this is wrong. Please do not pass this proposal.
Ridiculous. AND whenever “Has 2 phone numbers? Everyone I know.. has 1 cell phone ..including me! No. Vote No. Thus must not be put into law.
Pingback: Links 04/04/2023: KDE Plasma 5.27.4 and Arti 1.1.3 | Techrights
I wish I had known about this before the comment period expired. I might have made the following points:
1. Not everyone has even one phone number, much less two. There is in fact NO law that requires a person to have a phone at all, and some choose not to have one for any number of reasons. I personally dislike phones, and I only use a cheap “burner” phone when absolutely necessary; the majority of the time I do without a phone. Technically, I could buy a burner phone before traveling so I could provide a valid phone number to give to CBP, but such a number would not be linked to any records about me and would likely “red flag” me (i.e., raise a false positive alarm that I’m not who I claim to be). In any event, a burner phone wouldn’t give me TWO phone numbers.
2. Not everyone has an email address. My grandmother (now deceased) traveled internationally from time to time, and she never had an email address. She knew very little about computers, and having an email address would only have exposed her to scams, fraud, phishing attacks, and marketers trying to manipulate her into spending money on useless junk. Her son (my uncle), a computer professional, once specifically said that his mother SHOULD NOT use email for the above reasons.
3. Not every US citizen has a US address. Some are expats returning after being away a long time and who have not maintained a home in the US. I once spent more than a year away for volunteer work, and came back without having a home already set up and waiting for me. Some people travel full-time in an RV or a boat and don’t maintain a fixed physical address.
If people are forced to provide invalid information (e.g., an old address when one doesn’t have a current one) they’ll be technically in violation of federal regs, giving CBP an excuse to hassle or arrest innocent people or those they happen to dislike.
This doesn’t make any sense. They already have our finger prints, they have our photo’s, they even have our biometrics. Why are they now Nitpicking, when they already have everyone who leaves or comes in to the USA information that the airlines already collects. When traveling in route we have to fill out customs forms declaring what we carry, the purpose of our flight and where we are staying. This seems even more overreaching red tape by requiring two phone numbers, and email address. My parents are retired and travel so they stay with me, so they have my address but they don’t have an email account or phone number because they don’t need it. And as a second number I’m not going to put down my employers phone number, they don’t need to know where or if I traveled overseas and that goes with using another person’s phone number as a second number, I don’t want everyone to know when I’m traveling. Worse part is that the airlines get to keep the information they collect and do as they wish with no consequences, meaning they can hand it over to a foreign country who you or a even family member were critical about their policies and that government would be able to know when you are traveling, where you are and do what they will to silence you. Not to mention the airlines can have more information they can sell to corporations.
This is more government overreaching policies that won’t stop with this.
Comments on the proposed CBP rule from NetJets (a shared-ownership private jet company):
https://downloads.regulations.gov/USCBP-2023-0002-0045/attachment_1.pdf
“This rule would require the collection of additional information, such as phone numbers and email addresses and the agency has failed to establish a direct connection between gathering that information and the proper performance of the functions of the agency in regard to the security of the United States. CBP has not shown that this information is necessary for the propoer performance of its functions, or the practical utility of the information. The agency has simply stated that it ‘has concluded that the inclusion [of this data]… will enable CBP to further mitigate risks to border, national and aviation security.’ There is no evidence to support this statement.
“Further, while the agency presented anecdotal examples stating that ‘document validation instructions have the potential to increase security and safety for the commercial air industry,’ it provides no actual evidence that this is actually needed or likely to occur….
“The agency states that ‘because the passenger generally provides most of these data elements when booking a ticket for air travel’ the estimated time burden has not increased. This is incorrect however for general aviation operations…. Because no tickets are booked for general aviation flights, this data is not currently collected….
“The agency has presented no valid data to support its claims that there will be a cost benefit or time savings for general aviation operators…. In fact, the cost of implementing and executing the proposed APIS changes would be extremely challenging financially.”
“EPIC, Coalition Urge CBP to Withdraw Proposed Rule Expanding Traveler Surveillance”:
https://epic.org/epic-coalition-urge-cbp-to-withdraw-proposed-rule-expanding-traveler-surveillance/