Papers, Please!

The Identity Project

Monthly Archives: December 2025

Dec 03 2025

Airlines Reporting Corp. says it’s ending sales of ticket data to police & Feds

The Airlines Reporting Corporation — the financial clearinghouse that processes payments between U.S. travel agencies and hundreds of airlines in the U.S. and worldwide — plans to sunset the program through which it has given Federal agencies and an unknown range of other customers access to searchable archives of billions of agency-issued tickets for past and future airline flights.

According to a letter (first reported by Joseph Cox of 404 Media) sent by ARC in response to a request by members of Congress to end warrantless access by law enforcement agencies to ticketing data,  ARC says its Travel Intelligence Program (TIP) “is sunsetting this year”.

ARC’s “TIP” program was first uncovered by Katya Schwenk of Lever News in May 2025, and discussed in more detail here on PapersPlease.org and in a series of follow-up stories by Joseph Cox of 404 Media based on his FOIA requests to agencies that subscribe to TIP.

Many of these stories have described ARC as a “data broker”, which is legally correct but somewhat misleading. ARC is a financial clearinghouse that provides its airline and travel agency customers with transaction and payment-processing services.

It’s unclear whether the TIP program was devised by ARC as a profit center, or simply as a way to efficiently manage  and defray the expense of responding to requests by law enforcement agencies for searches of ticketing records.

TIP was always peripheral to ARC’s core business, as is demonstrated by the alacrity with which ARC was willing to end it as soon as it came under criticism from Congress. It’s unlikely that shutting down TIP will have any any material impact on ARC’s bottom line.

ARC could have told police and Federal agencies to go away and not come back without a warrant. But while some travel agencies might have preferred that course of action to protect their customers’ privacy, ARC is controlled by airlines, not agencies. And airlines have never prioritized protecting passengers’ privacy or security against police or anyone else.

Airlines have largely ignored privacy and data protection laws, even in jurisdictions like Canada and the European Union that have them (unlike the US). And data protection authorities (DPSs), even in jurisdictions that have such agencies (again, unlike the US), have largely let airlines get away with this.

When the cops come knocking, the typical response of an airline is, “Please come in! How can we help?” Airlines’ willingness to allow ARC to sell ticketing data is not an anomaly but an indication of the pervasive airline industry culture of collaboration with law enforcement. We can find no record of any airline, anywhere in the world, ever, that has gone to court to challenge government demands or requests for passenger data.

It’s unclear what motivated ARC’s decision to pull the plug on police access to ticketing data through TIP.  A few members of Congress had complained about TIP, but the odds that Congress would finally enact privacy legislation applicable to airlines remain slight.

A more likely explanation may be that publicity about TIP (and inquiries about TIP from local journalists) may have caused some of the airlines that use ARC to process payments for tickets issued by their U.S. agents to fear that DPSs in their home countries might be prompted by the ARC scandal to start asking more general questions about how airlines apply their purported privacy policies to the agents they appoint to execute contracts in their name in other countries such as the US with lax or nonexistent privacy laws.

Agencies and contractors in the US, including computerized reservation systems, have always been among of the skeletons in the closet of airline privacy invasion, and could expose airlines to huge liability if foreign DPA’s ever looked behind the curtain at airlines’ agents and contractors — not just ARC — in the US.

ARC has a nearly total but insecure monopoly, and can ill afford to give airlines a reason to start looking harder for alternatives. The existential threat to ARC for decades has been wider adoption of direct connections between airlines and travel agencies. Some of the largest airlines have already set up direct connections and settlement with some of the largest online and offline travel agencies. ARC might have decided that the incremental revenue from TIP, and the goodwill that being a willing police informer and collaborator generated with governments, weren’t worth possibly driving away some of its core financial-clearinghouse business.

ARC probably assumes that ending the TIP program ends the problem — but it shouldn’t. The TIP program may not have violated any US law, which is why even angry members of Congress could only ask, not demand, that ARC stop selling out travelers to the police. It’s a different story abroad, though.

Foreign airlines that participate in the ARC settlement clearinghouse — and not just those that share in ownership of ARC as a joint venture — have been systematically violating the privacy and data protection laws of their home countries for twenty years. They could, and should, be held to account for that history of misconduct.

ARC still has data on all the ticketing transactions it processes. It could still be ordered to provide ticketing data to the police, as compuerized reservation systems have been, and could be ordered not to disclose this to the airline, travel agency, or passenger involved in the transaction.

The TIP scandal should be the beginning, not the end, of investigation, exposure, and enforcement action against airlines that have been disregarding passengers’ expectations of privacy, willingly and often secretly  collaborating with law enforcement agencies, and failing to protect them against stalkers and other everyday threats to their privacy and security.

Dec 02 2025

Has the TSA added immigration enforcement to “Secure Flight”?

Arrest warrants have never been disclosed to be part of the Secure Flight algorithm used by the Transportation Security Administration (TSA) to process information about each domestic US airline passenger and decide whether to send the airline a Boarding Pass Printing Result (BPPR) authorizing the airline to issue a boarding pass or take other action.

But at least three incidents have made the news in the last month that together suggest that the TSA may have added  immigration orders to the Secure Flight ruleset, turning US airports and domestic flights into traps for unwitting foreign citizens.

Each of these individuals was unaware that there was an immigration order for their arrest or deportation. And there is no apparent basis or methodology for DHS to have known when and where to intercept them at airports other than matching of airline reservations and immigration enforcement orders — something never previously disclosed.

The Feds could have learned of planned domestic air travel by searching records of tickets settled through the Airlines Reporting Corp. (ARC) clearinghouse under a program that was exposed earlier this year and is supposedly now set to “sunset” by the end of this month.  But that wouldn’t have enabled the Feds to block the issuance of boarding passes, as reportedly happened in some of these recent cases.

At any time, there are millions of records of arrest warrants in the FBI’s National Crime Information System (NCIC) database. Many of these are inaccurate or out of date, such as long-since-quashed bench warrants for failure to appear in traffic court or pay fines on time. Local courts often report to NCIC when warrants are issued, but fail to report when they are cleared. Hundreds of people are arrested every day after traffic stops when local police run check on motorists and find warrants listed in NCIC.

Three million people a day travel by air in the US, sixty times as many as are stopped on the roads by local police. If every domestic airline reservation were checked against NCIC for outstanding warrants, thousands of domestic travelers would be arrested at US airports every day. That simply doesn’t happen. So far as we can tell, at least until the last month, you could be wanted for murder and fly back and forth across the US without ever being stopped — just as you can walk down the street without being required to identify yourself or subjected to a warrant check without probable cause to suspect you of a crime.

This is as it should be. The US Constitution rightly prohibits general warrants or all-purpose law enforcement checkpoints or searches without individualized probable cause.

Earlier this month we noted the unusual arrest of UK citizen and political commentator Sami Hamdi at San Francisco International Airport on October 26th when he went to check in for a domestic flight to the next stop on his US speaking tour. At the time, we speculated that perhaps the government had added Mr. Hamdi to its no-fly or “selectee” lists as a suspected terrorist. We already know that these lists are part of the Secure Flight ruleset. Now we wonder whether Mr. Hamdi’s treatment was an early case of the expansion of Secure Flight from a system ostensibly used for aviation security to a more general police dragnet.

We’ve been getting tips for years that some officials of the TSA, DHS, and other law enforcement agencies want to check all airline passengers for outstanding warrants. That would be technically straightforward. Once an algortithmic checkpoint is in place, it’s relatively easy to add new list-based or attribute-based rules to the algorithm. And the TSA has also wanted all-purpose authority for searches, seizures, and detention.

In court, though, the TSA to date has always pretended that warrantless Secure Flight “vetting” and warrantless administrative searches of airline passengers  are used solely to identify people and things that are demonstrably dangerous to aviation. Using  Secure Flight for immigration enforcement would require a completely new legal rationale, and would open the door to even wider use of airports as general law enforcement checkpoints.

In addition, the most recently-disclosed version of the TSA’s internal staff directive for disclosure of Secure Flight Data (SFD), issued sometime after January 20, 2025, says that:

SFD shall not be shared for purposes of ordinary law enforcement or tracking the movement of an individual who is not a potential or confirmed match to a watch list…. TSA will only respond to a written request for SFD by a law enforcement agency when there is a nexus to terrorism, transportation security, or national security for individuals not listed on the consolidated and integrated terrorist watch list. Exceptions to this policy may be granted on a case-by-case basis where an exigent threat to life or a similar extraordinary circumstance suggests that disclosure is warranted.

Routine use of Secure Flight for general law enforcement (warrant checks) or immigration enforcement would either violate this policv or have required a change in policy.

We welcome any information that can shed light on what’s really happening.

Please let us know of you hear of other immigration or criminal arrests at airports that appear to have been based on matching of domestic airline reservations with NCIC data.

Dec 01 2025

USCIS is trying to make a list of all U.S. citizens

U.S. Citizenship and Immigration Services (USCIS), a Federal agency whose mandate is to administer naturalization and derivative citizenship for those not born as U.S. citizens, has been trying — without the public notice required by law for such a database — to construct a national ID registry of all U.S. citizens including natural-born U.S. citizens.

This process began in April and May of 2025 with a ten-fold expansion of the USCIS “Systematic Alien Verification for Entitlements Program” (SAVE) database to add records about hundreds of millions of native-born U.S. citizens to those already in the system about tens of millions of naturalized citizens and immigrants.

Information about a new category of individuals (native-born U.S. citizens) was added to SAVE from new sources including Social Security and state drivers’ license records.

The Privacy Act requires prior notice in the Federal Register of the categories of individuals, information, and sources of personal data in Federal databases. To deter Federal officials or employees form keeping secret databases about the citizenry, the Privacy Act makes the maintenance of such a database of personal information without proper notice a crime on the part of the responsible Federal officials and employees.

USCIS converted the SAVE database about immigration and naturalization into a comprehensive  database about all U.S. citizens without the required notice.

Six months later, in response to a lawsuit led by the League of Women Voters, USCIS published a notice of the changes to the SAVE system, with the notice to take effect today unless the changes are rescinded in response to public comments. But USCIS has kept the the revised SAVE system in operation, illegally, during the comment period.

In our comments submitted today to USCIS, the Identity Project points out that the ongoing maintenance of the revised SAVE system without proper notice has been a crime on the part of the responsible Federal officials and employees.

We also argue that “the revisions to the SAVE system of records exceed the statutory authority of USCIS and violate multiple provisions of the Privacy Act.”

According to our comments:

The statutory mandate of USCIS is to carry out various functions with respect to naturalization and derivative citizenship. No statute requires USCIS to carry out any function whatsoever with respect to natural-born U.S. citizens, or to collect information about them. Nor does any statute require any agency to maintain a national registry of U.S. citizens.

Even if Congress were to authorize  a national ID registry, “records of Social Security numbers and account information and state drivers’ license records would not be ‘relevant or necessary’ to accomplish that purpose”:

Pursuant to the U.S. Constitution, an individual born in the U.S. acquires U.S. citizenship by birth. In the absence of a valid renunciation of citizenship — which would be executed and recorded by the Department of State, not by USCIS, the Social Security Administration (SSA), or state drivers’ license agencies — the sole fact that is relevant or necessary to ascertain their U.S. citizenship is the fact of their birth in the U.S., not whether they have a Social Security number or drivers’ license, much less any other information in SSA or drivers’ license records.

What is the relevance of whether someone has a Social Security number to whether they are a U.S. citizen? Non-U.S. citizens can and routinely do (and in many cases must) have Social Security numbers and accounts. What is the “relevance” of whether an individual has a driver’s license to whether they are a U.S. citizen? Many states can and do issue driving permits to non-U.S. citizens, on the basis of their demonstrated competence to operate motor vehicles safely rather than on the basis of citizenship. Neither the Social Security Administration nor state driver licensing agencies are authoritative adjudicators of U.S. citizenship, and neither of them has any need, for any of their official purposes, to ensure that whatever information about U.S. citizenship they may incidentally collect and maintain is either accurate or up to date.

Will anyone who doesn’t have a drivers’ license be presumed not to be a U.S. citizen?

A “citizenship” registry constructed in garbage-in, garbage-out fashion by aggregating state drivers’ license records that have nothing to do with citizenship will inevitably be incomplete, inaccurate, and unfit for the purpose of judging citizenship, eligibility to vote, or eligibility for other Federal programs.

Finally, we call out USCIS for violating the provision of the Privacy Act that requires information that is to be used to determine eligibility for Federal programs (the stated purpose of the SAVE citizenship database) to be collected directly from the individuals to whom it pertains:

The Privacy Act at 5 U.S.C. § 552a(e)(2) also requires that, “Each agency that maintains a system of records shall… (2) collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs.”

None of the additional information in the revised SAVE system would be collected directly from the subject individuals, as required by this provision, although all of it could be.

If USCIS wants to create a registry of all U.S. citizens (and if a valid law has authorized it to do so, which it has not), USCIS must “to the greatest extent practicable” sign individuals up directly for that registry, first providing them with the notices required by the Privacy Act.

You can submit your own comments here through midnight EST tonight, December 1, 2025.

Given that the criminals at USCIS responsible for maintaining the SAVE system ignored the law when they expanded it into a  national ID registry, kept it in operation for six months before publishing a proper notice of what they were already doing, and have kept it in operation in its illegally revised and expanded form during the comment period, we have little hope that they will now come to their senses and rescind the changes, much less that they will be prosecuted for their criminal violations of the Privacy Act.

We wish all success to the League of Women Voters and their partners in their ongoing litigation against the unlawful transformation of this immigration and naturalization system into a national database of aggregated (mis)information about all U.S. citizens.