November 2025 – Papers, Please!

Nov 26 2025

CBP finalizes rule for mug shots of all foreigners entering or leaving the US

Last month US Customs and Border Protection (CBP) issued a final rule on Collection of Biometric Data From Aliens Upon Entry to and Departure From the United States.

If this new rule is Constitutional and otherwise valid, which we don’t think it is, it requires all non-US citizens entering or leaving the US to submit to mug shots. These will be used for a wide range of purposes in conjunction with automated facial recognition systems. Photography and automated facial recognition of all foreigners entering and leaving the US will be expanded from airports to all land border crossings.

This warrantless traveler surveillance and tracking program would cost more than $100 million per year, in CBP’s estimate (which explicitly puts zero value on privacy).

CBP proposed this rule in 2020, and we submitted comments (together with Restore the Fourth, Privacy Times, and the National Workrights Institute) objecting to the proposal as procedurally improper — before even needing to reach the Constitutional issues it presented — and in violation of the Privacy Act and the Paperwork Reduction Act.

CBP says that, “After review of the comments, through this final rule, DHS is finalizing the proposed changes in the NPRM without substantive modification.” But CBP hasn’t cured the defects in the proposal, and brushed off our objections on the basis of patently false factual claims that can be disproved by even cursory review of CBP’s own website or the situation at any of the airports where travelers are being forced to submit to mug shots.

Along with its final rule, CBP announced another 30-day window for public comments, which closes today. But CBP only wants input on how to carry out this warrantless and surveillance and traveler-tracking program, not whether it is legal:

Comments submitted regarding any topic other than the specific collection process and costs and benefits on these newly implemented transportation modalities are out of scope for this final rule and will not be considered.

We have declined the opportunity to submit further comments on the “specific collection process” to be used by CBP for these unlawful warrantless searches. We’re not going to advise CBP on how to break the law. The rule is unlawful. If CBP is uninterested in comments on the validity of the rule, it can and should be challenged in court.

In response to our objection that CBP’s outsourcing of traveler surveillance to airlines and airports violates the Privacy Act, CBP said that:

DHS acknowledges that the Privacy Act requires that ‘‘each agency that maintains a system of records shall . . . collect information to the greatest extent practicable directly from the subject.’’ 5 U.S.C. 552a(e)(2) … Nevertheless, as explained in the NPRM, CBP considered and piloted many types of biometrics collections. Using information gleaned from the pilots as well as public feedback, CBP has concluded that partnering with carriers and airports to capture facial images is the most viable large-scale solution as it is highly effective, cost effective, and less disruptive than other possible methods.

It’s unclear what CBP means by “most viable”, but this response doesn’t satisfy the law. Whether outsourcing to airlines and airports is “cost-effective” or “less disruptive” is irrelevant to whether it is meets the far higher standard in the law that the government must “collect information to the greatest extent practicable directly from the subject”.

Maintaining a system of records about individuals in violation of the Privacy Act is potentially a criminal violation of the Privacy Act, although we won’t hold our breath for Federal prosecutors to seek indictments of Federal officials for such crimes.

In our comments, we also pointed out that the Paperwork Reduction Act requires CBP, like all other Federal agencies collecting information from the public, to provide individuals with specific notices including the consequences, if any, for not providing the information, and the OMB control number for the collection of information.

In response, CBP falsely claims that, “CBP displays the OMB control number on signage.” The final rule that includes this false claim even cites the CBP website that includes model signs and notices— none of which include any PRA notice or OMB control number.

It’s unclear whether the CBP staff and officials who prepared and signed off on the final rule never actually looked at their own website or signage, or whether they were knowingly lying about their signage and notices.

Regardless of the reasons for the absence of proper signage, the PRA (44 U.S.C. §3512) creates an absolute defense for anyone — regardless of citizenship — against any penalty for not providing requested information, including not submitting to airport mug shots, in the absence of a valid PRA notice at the point of collection of information, including a valid OMB control number applicable to the specific collection of information.

“Furthermore”, the final rule claims, “CBP regularly conducts periodic signage audits that include local CBP personnel to ensure signs are accurate and placed appropriately.”

We’ve seen no signs in any airport that include the required PRA notice or the OMB control number (1651–0138) which CBP claims apply to traveler mug shots. Any diligent, competent audit would have spotted this. Was CBP lying outright, and there were no audits at all? Or were any audits conducted with a lack of competence and/or diligence?

Regardless of whether the CBP staff and officials knew the claims in final rule were false, didn’t care if they were true or false, or simply didn’t bother to fact-check what they were signing off on, a rule justified by such patently false claims — indicative of bad faith, incompetence, and or gross negligence — fits the definition of a rule that is subject to challenge in court, pursuant to the Administrative Procedure Act, as “arbitrary, capricious, an abuse of discretion, or… unsupported by substantial evidence.”

CBP may not be interested in any further comments from the public about the legality of warrantless mug shots of travelers at airports an borders. But its actions remain subject to challenge in court under multiple Federal statutes as well as the Constitution.

Nov 18 2025

Another court turns down TSA appeal for impunity for checkpoint staff

Another Federal appeals court has overruled arguments by the Transportation Security Administration (TSA) that its checkpoint staff are immune from any liability for sexual assaults or other offenses committed in the course of their official duties.

In its decision last week in Elisabeth Koletas v. USA, the 11th Circuit Court of Appeals didn’t reach the question of whether sexual or other assaults on airline passengers are within the scope of TSA officers’ duties. But a panel of the 11th Circuit held that . The panel was unpersuaded by a decade-old, unpublished, nonprecedential decision by an earlier panel of the 11th Circuit that failed to address the text of the law that makes the US government liable for the wrongful acts of “any officer of the United States who is empowered by law to execute searches.”

It would seem beyond argument that “Transportation Security Officers” (TSOs), as they are identified by the TSA and on their uniforms and badges, are “officers of the United States”. And the entire reason for their job is to “execute searches” of travelers.

But in Circuit after Circuit, the TSA has put forth the absurd (and, we are pleased to report, unsucessful) argument that TSOs aren’t the sort of officers Congress meant when it enacted this law. That argument has now been rejected, in published precedential opinions, by all six Circuit Courts of Appeal that have considered it.

More information about the case of Koletas v. USA:

District Court docket and links to pleadings
Circuit Court docket and links to pleadings
Oral argument (March 4, 2025)
Circuit Court slip opinion (November 12, 2025)
Blog post from plaintiff’s law firm

Despite the rulings in victimized travelers’ favor in each of these courts, we are disturbed that the TSA is so fixated on its quest for absolute impunity that it continues to make this discredited argument. The TSA’s hope, apparently, is to find one sympathetic Court of Appeals that will buy its argument, creating a circuit split that can provide a basis for getting the Supreme Court to weigh in on the question.

Let’s not get bogged down in the details of statutory construction, though. Checkpoint staff — whether they are TSOs or TSA contractors — should be liable to criminal sanctions if they rape or assault travelers. And both thewy and the Federal government in whose name they act and whose power they wield should face civil liability in these cases.

Nov 17 2025

Targeting domestic travelers and restricting the right to leave the US

Political commentator and UK citizen Sami Hamdi was finally allowed by the US government to leave the US on November 12, two and a half weeks after he was arrested at San Francisco International Airport when he went to check in for a domestic US flight.

Mr. Hamdi had been a keynote speaker at the annual banquet of the Central Valley chapter of the Council on American Islamic Relations (CAIR) on October 25 in Sacramento, and was on his way to the next stop on his US speaking tour when he was taken into custody at SFO on October 26.

Mr. Hamdi had obtained a valid US visa prior to his arrival in the US. “Hamdi entered on a B-1/B-2 visa on October 19, 2025, and complied with inspection and admission”, according to the complaint filed on his behalf in Federal court during his detention.

No criminal charges were ever filed against Mr. Hamdi, and there has been no suggestion that he knew his visa had been revoked until he was taken into custody. The government has argued that issuance or revocation of any visa is entirely discretionary, and that once Mr. Hamdi’s was revoked, he was no longer legally entitled to remain in the US.

Even if that were factually and legally correct, it begs two important questions:

First, how did the immigration agents who arrested Mr. Hamdi at SFO know about his travel plans in order to intercept him?

Federal agents can use a TECS alert to monitor reservations for international flights for a person of interest, even without any charges or any warrant for search or arrest. This appears to be how Dr. Mark Bray was targeted for questioning by Feds at Newark Airport on the second of his two attempts on successive days last month to flee the US with his family.

However, Mr. Hamdi went to SFO to check in for a domestic flight, not an international flight. The TSA has long wanted to check reservations for domestic flights against warrants listed in the FBI’s aggregated NCIC database. But so far as we can tell, that hasn’t yet been done. If it were, hundreds of air travelers would be arrested every day, given the number of records of arrest warrants — many of them obsolete or inaccurate — in NCIC.

And there’s been no hint that there were any criminal charges or any warrant – – even one based on a sealed indictment — against Mr. Hamdi. So a “warrant check” seems unlikely.

The lists that are checked whenever an airline sends Secure Flight Passenger Data for a domestic flight to the TSA, before the TSA returns a “Boarding Pass Printing Result” (BPPR) to the airline, are the “no-fly” and “selectee” lists which constitute a subset of the names in the Terrorist Screening Database.

We know that the no-fly and selectee lists have been used primarily to target Muslims. But as the name of the TSDB suggests, these are supposed to be used, and have been justified to courts as being used, solely for individuals who pose an identified threat to aviation security. There’s been no suggestion that Mr. Hamdi did anything to offend the US government or cause it to revoke his visa aside from saying things the US doesn’t want said, much less anything — no matter how offensive to anyone — that posed a threat to aviation security.

It thus seems likely — in the absence of any better explanation — that some Federal agency or official put Mr. Hamdi on the no-fly or selectee list as a way to use airports as a dragnet to catch him the next time he tried to fly, solely on the basis of pure speech that did not provide a basis for any criminal charges. If so, that was a gross abuse of the aviation “security” system and a significant foray into its use as a tool of political retaliation against disfavored speakers. If this could be done to Mr. Hamdi, it could be done to US citizens.

Second, why was Mr. Hamdi not allowed to leave the US sooner?

Normally, non-US citizens denied entry on arrival at US airports are detained only until they can be put on the first flight back to their port of embarkation for the US, or any earlier flight to that or any other destination for which they choose to buy a ticket.

There are five nonstop flights every day from San Francisco to London. Why, instead of being put on one of these flights the day he was detained, was Mr. Hamdi shipped in shackles to a private prison near Bakersfield and held there for more than two weeks?

Article 12 of the International Covenant on Civil and Political Rights, to which both the US and the UK are parties, provides that, “Everyone shall be free to leave any country, including his own.” And the UN Human Rights Committee has made clear that, “the scope of article 12, paragraph 2, is not restricted to persons lawfully within the territory of a State.”

So once Mr. Hamdi was deemed no longer entitled to remain in the US, and was not (and never had been) subject to any criminal charges, he had a right, as a matter of international human rights treaty law, to leave the US at any time and for any destination.

Mr. Hamdi’s eventual departure was described as “voluntary”. But it’s hard to see his leaving the country as uncoerced when they only alternative he was offered was to remain indefinitely imprisoned without charges or trial.

Detaining Mr. Hamdi without the opportunity to leave the country, and holding him for more than two weeks without letting him leave, was a clear violation of international law.

Nov 12 2025

A case study in the importance of anonymous travel

The case of Rutgers University professor Mark Bray and his family provides an object lesson in the importance of being able to travel anonymously, and how the practices of governments and airlines endanger travelers by making them identifiable.

Dr. Bray, his partner Dr. Yesenia Barragan (also a professor at Rutgers), and their two young children tried to flee the US last month after being denounced by members of the Rutgers chapter of Turning Point USA, doxxed, and receiving death threats. They planned to spend the rest of this academic year teaching remotely from Spain, where Dr. Bray had lived on previous research trips.

Trying to get away from death threats isn’t an uncommon reason for travel, unfortunately. The factors behind the threats against Dr. Bray and his family — Dr. Bray’s scholarship as a historian of anti-fascist activism in Europe and North America since World War II — may be atypical. But thousands of people in the US flee their homes every day to escape from threats or ongoing patterns of domestic violence, often including credible death threats. We’ll never know how many of them have been stalked through their airline reservations.

Dr. Bray and his family bought tickets on United Airlines for a nonstop flight from Newark to Madrid — the most direct route from Rutgers (just a few miles from Newark in New Brunswick, NJ) to Spain. This was, unfortunately, also the most obvious airline and airport for them to use, and the easiest one for any of their local adversaries to stake out.

After they got to the airport, Dr. Bray posted on Bluesky, that, “‘Someone’ cancelled my family’s flight out of the country at the last second. We got our boarding passes. We checked our bags. Went through security. Then at our gate our reservation ‘disappeared.’”

In an interview with the Associated Press from a hotel room where he spent the night before trying again a day later, Prof. Bray said that, “We called the service that made the reservation. They didn’t cancel it. United [Airlines] didn’t cancel it.”

Bary told Mother Jones that airline staff “made a bunch of phone calls and basically said that, somehow, someone at the very last second had canceled our flight reservation—which I didn’t even know was possible.”

Airline staff rebooked the family on the same flight 24 hours later, when they had a different experience. In a later interview after making it to Spain, Dr. Bray described being pulled aside at the departure gate at Newark the next evening by Federal agents for an hour of questioning before being allowed to board the flight to Madrid with his family.

Dr. Bray and his family may never know who cancelled their reservations unless the culprit confesses, but there are two important lessons in this incident:

First, anonymous travel matters, sometimes as a matter of life or death. Both anonymity and the right to travel are never so important as they are for those who are fleeing death threats, whether those threats come from domestic abusers, vigilantes, or the government.

A decision last month by the 9th Circuit Court of Appeals in a case against Lufthansa shows how disclosure of personal information by an airline can put travelers at risk. A gay Saudi Arabian citizen reluctantly provided a copy of his marriage certificate (a same-sex marriage in the US to a US citizen) to Lufthansa. The marriage to a US citizen was relevant to the traveler’s admissibility to the US, but not to the validity of his ticket from Riyadh via Frankfurt to San Francisco, or to Lufthansa’s obligation to transport him. And because homosexuality, as would be conclusively proven by the marriage certificate, is a capital offense in Saudi Arabia, the traveler had not previously disclosed his sexual orientation to the Saudi government. But because Lufthansa staff took actions that may have disclosed his marriage to the Saudi government, he hasn’t dared to return to Saudi Arabia. He has been cut off from his family and community and has been forced to liquidate his real estate there at a loss, among other consequences. The takeaway from the case, at this stage, is that protecting passenger data really can be a life-or-death matter.

Name and ID requirements are touted as measures to “protect” travelers. But for some of the most vulnerable travelers they are a threat to personal security.

We don’t think governments should require passengers on common carriers to identify themselves, or that common carriers should be allowed to require them to do so. On domestic flights in the US, until 1996 anyone could buy a ticket in any arbitrary name and fly without showing any ID. We see no reason not to return to this historic norm.

On international flights, passengers’ names and documents may be relevant to decisions made by governments as to their right to leave the country from which the flight departs or to be admitted to the destination country on arrival. But travelers can show their passports or other documents or make their claims for admission without documents (for example, as asylum seekers) without needing to identify themselves to airlines or other private parties. The right to leave any country is, under international treaty law, almost absolute. And decisions about admissibility, particularly in the case of asylum seekers, can be made only after arrival on the territory of the destination country. Airlines have no legitimate need to require identifying information about passengers.

Second, identifying information about air travelers isn’t adequately protected.

If governments unnecessarily require travelers to identify themselves to airlines or other common carriers, then it must be recognized that (1) names and other potentially life-threatening identifying information are provided to these carriers solely to satisfy government mandates, and could not and would not otherwise be required or provided, and (2) the government therefore has the obligation to make sure that this extremely sensitive information is not retained, used, or disclosed to anyone except the government.

As has long been known, and as the experience of Dr. Bray and his family illustrates yet again, airlines have failed to put in place even minimal protections for passenger data, and governments in the US and other countries, including in Spain and the European Union, have failed to require airlines to protect this data or to sanction airlines for not doing so.

Papers, Please!

The Identity Project