Papers, Please!

The Identity Project

Monthly Archives: September 2023

Sep 28 2023

DHS uses travel as pretext for search of researcher and journalist

According to a report by Zack Whittaker on TechCrunch, security researcher, and blogger Sam Curry “was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a ‘high profile phishing campaign,’ searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.”

How did this happen, and what recourse do you have if you are similarly searched?

Sadly, the used of (entirely unrelated) international travel as a pretext for searches of electronic devices and data, including searches or researchers and journalists, is not new.

A TECS Lookout can be used by the DHS or other Federal agencies to flag, watch for, and intercept any “person of interest” whenever they take an international flight to or from the US, regardless of whether there is probable cause for a search warrant.  A TECS Lookout can be set at the request of any Federal law enforcement agency, for any reason.  It’s also no surprise that this loophole for pretextual searches is being used by IRS agents: As we have noted previously, it’s described in detail in the section of the IRS’s manual on techniques for “Locating Taxpayers and their Assets”.

Mr. Curry reportedly said he was later told that the copies of data seized from his phone by Federal agents had been deleted, and the subpoena was withdrawn. But it also appears that, as a blogger, his data was protected from seizure by the Privacy Protection Act, which provides greater protection for many travelers’ data than most other forms of privilege. If Mr. Curry had known to assert his status and rights under the Privacy Protection Act, he would probably be entitled to damages from the agents who searched and seized his data.

Sep 26 2023

Broader challenge to Federal blacklists filed in Boston

In a nationally-significant lawsuit, the Council on American-Islamic Relations (CAIR) has filed the most comprehensive challenge  to date to the US government’s system of arbitrary and extrajudicial blacklists (“watchlists”) used to stigmatize and impose sanctions on innocent people — almost all of them Muslim — without notice, trial, conviction, or any opportunity, even after the fact, to see or contest the allegations or evidence (if any) against them.

The lawsuit, Khairullah et al. v. Garland et al., was filed last week in Federal District Court in Boston on behalf of twelve Muslims from Massachusetts and other states who have been stopped, prevented from traveling to, from, or within the US by air, harassed, delayed, interrogated, threatened, strip-searched, had all the data on their electronic devices copied, detained at gunpoint, denied permits, and had banking and money-transfer accounts summarily and irrevocably closed, among other adverse consequences:

Plaintiffs, along with over one million other people, have been placed by Defendants on the federal terrorist watchlist. Defendants claim the power to place an unlimited number of people on that list and, as a result, subject them to extensive security screening, impose adverse immigration consequences on them, and distribute their information to thousands of law-enforcement and private entities, which then use it to affect everyday interactions like traffic stops, municipal permit processes, firearm purchases, and licensing applications.

Congress has never statutorily authorized the creation, maintenance, use, or dissemination of the Terrorist Screening Dataset, its subsets like the Selectee List and No Fly List, the Quiet Skies and Silent Partner systems, or any other rules-based terrorist targeting lists.

WHEREFORE, Plaintiffs requests this Honorable Court grant declaratory and injunctive relief….

The complaint includes a depressingly thorough, detailed, and diverse litany of incidents of interference with normal life, especially with normal travel.

One US citizen plaintiff now abroad has been effectively exiled because the US government won’t allow any airline to transport him back to the US from overseas.

The effects of blacklisting can last for life. Because the US government continues to stigmatize “formerly” blacklisted individuals and flag them to its own agents and third parties including foreign governments, some of the plaintiffs continue to suffer these consequences despite having purportedly been “removed” from US “watchlists”.

Because the US government’s blacklisting algorithms incorporate explicit guilt-by-association criteria, some plaintiffs have had their friends, family members, and colleagues targeted for adverse treatment solely on the basis of having “associated” (an act protected by the First Amendment to the Constitution) with a blacklisted person.

As the complaint explains:

[B]ecause Defendants consider being a relative, friend, colleague, or fellow community member of a TSDS [Terrorist Screening Dataset] Listee “derogatory information” supporting placement on the watchlist, Muslim communities are subjected to rapidly-unfolding network effects once one member is watchlisted. One nomination, even if grounded in probable cause or a preexisting criminal conviction, can quickly spiral into Defendants classifying nearly every member of an extended family or community mosque as a suspected terrorist.

A similar lawsuit, also brought by CAIR, led a Federal District Court judge in Virginia to rule in 2019 that the Federal blacklisting system was unconstitutional. But that ruling was overturned in 2021 in a strikingly poorly-reasoned opinion by the 4th Circuit Court of Appeals.

The new lawsuit has been brought in a different circuit (the 1st Circuit), and the new complaint includes more recent information — including the disclosure of the no-fly and “selectee” lists — and arguments to bolster the case and counter the claims made by the 4th Circuit judges.

Lawsuits like this take years to be resolved, but we’ll be watching this one closely.

Sep 04 2023

Transit payment systems and traveler tracking

Last week 404 Media published a report by Joseph Cox on how the New York Metropolitan Transit Agency’s website can be used as a remote stalking tool: anyone who knows a credit card number that was used to purchase or add value to an OMNY transit farecard could view a historical log of the last seven days of trips taken using the card, including the dates, times, and locations where the card was read at subway entrances or boarding buses.

Less than 24 hours after this report was published, this “feature” was removed from the MTA website.

But that doesn’t solve the problem.

The main problem with the MTA payment system — and similar systems in other cities — isn’t that anyone could access your trip history by typing in your credit card number (which every waiter you ever bought a meal from with that credit card has access to,  and every domestic violence abuser in your household also knows).

The real problem is that the MTA transit system is building a permanent database of all your trips, period. The MTA is still logging transit passengers’ movements, and those logs are still available to the MTA itself, police, anyone the MTA chooses to share them with, or anyone who hacks into the TSA’s records.

If the MTA didn’t collect this data in the first place, there would be no way for anyone to abuse it.

Read More