Today the Identity Project and allied civil liberties and human rights organizations submitted comments objecting to a proposal by US Customs and Border Protection (CBP) to require all travelers on international flights to or from the US to provide an address in the US, two phone numbers, and an email address, and prohibit or recommend that airlines not permit anyone who is unable or unwilling to provide this information to board any flight to or from the US. (See our report when this proposal was announced.)

In return for collecting this information and passing it on to CBP, airlines would be allowed to retain and use it for their own purposes, without permission from travelers. Airlines would also be allowed (and in some cases required) to pass it on to foreign governments.

The proposed CBP rule would apply to all travelers, including US citizens (regardless of whether they reside in the US), visitors, and asylum seekers.

The proposed rule is far more significant and far worse than it appears at first glance.

Although the proposal is represented by CBP as a minor change to an existing program that would cost airlines nothing and impose no costs on travelers, it would cost the airline industry hundreds of millions of dollars and impose costs on would-be travelers, especially asylum seekers, that would be measured not only in dollars but  also in lives. The proposed rule would also violate multiple provisions of the Privacy Act, including in ways that would force travelers to make personal information available to hostile foreign governments.

Below are excerpts from our objections to the CBP proposal. You can read the complete comments of the Identity Project and our allies here. You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by filling out this form.

The undersigned civil liberties and human rights organizations – the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC) – submit these comments in response to the Notice of Proposed Rulemaking, “Advance Passenger Information System: Electronic Validation of Travel Documents”, Docket Number USCBP-2023-0002, FR Doc. 2023–02139, RIN 1651-AB43, 88 Federal Register 7016-7033 (February 2, 2023).

By this Notice of Proposed Rulemaking (NPRM), U.S. Customs and Border Protection (CBP) proposes to (1) expand the fields of information that all international travelers flying to or from the U.S. by common carrier are required to provide to airlines and that airlines are required to pass on to CBP (while being free to retain copies for their own profitable use); and (2) prohibit airlines from allowing certain individuals including those who don’t have, or are unable or unwilling to provide, two phone numbers, an email address, and an address in the U.S. (even if they are U.S. citizens who reside abroad), to board flights, or recommend that airlines not board them (in violation of airlines’ duties as common carriers to transport all passengers paying the fares in their tariffs, and in violation of travelers’ rights under Federal statutes, the Bill of Rights, Executive Orders, and international human rights treaties to which the U.S. is a party).

The proposed rule is purportedly intended to “enable CBP to determine whether each passenger is traveling with valid authentic travel documents prior to the passenger boarding the aircraft.” Aside from the fact that CBP has no jurisdiction over foreign citizens boarding foreign-flagged aircraft at foreign airports, the proposed rule would have little or no effect on CBP’s ability to detect travelers using documents issued to other people. The proposed rule would not serve its stated purpose, but would only serve to expand CBP’s systematic warrantless, suspicionless, surveillance of air travelers and CBP’s attempt to control airline travel.

As discussed below, the proposed rule exceeds CBP’s authority and jurisdiction and is contrary to law. It is also bad policy. It amounts to an attempt to impose a travel document requirement in the guise of document “validation”, to outsource to airlines surveillance and control of travelers that CBP would have no authority to conduct itself, and to frustrate the human right to asylum by preventing asylum-seekers from reaching the U.S.

Airlines would be induced to collaborate with CBP in (additional) surveillance and control of travelers, in violation of the rights of travelers and airlines’ duties as common carriers, by a carrot-and-stick combination of CBP extortion and CBP bribery.

Airlines would be extorted into denying passage to certain travelers on the basis of extrajudicial CBP recommendations and by CBP threats to impose financial sanctions on them if they fulfill their duties as common carriers. And airlines would be bribed to collaborate in this public-private travel surveillance and control partnership by being given an unrestricted free ride to use valuable and sensitive personal information provided to them by travelers under government duress for their own (likely highly profitable) commercial purposes.

The proposed rule would do no good for its stated purpose, and would do great harm in other ways omitted from the NPRM, at enormous cost to the airline industry and to travelers.

As elaborated in the sections below, the NPRM conflates requirements for entry to the U.S. with requirements for travel, conflates requirements to provide information to CBP with requirements to provide information to airlines and/or other third parties, and ignores the legal rights of travelers and the legal obligations of airlines as common carriers….

The ostensible purpose of the proposed rule is to enable CBP to determine, prior to departure of a flight, whether an airline passenger or crew member is traveling with a valid, authentic, travel document. But requiring travelers to provide an address in the U.S., an email address, and/or two phone numbers will do nothing to authenticate or validate any documents.

If CBP attempts to “authenticate” travel documents by comparing information provided by travelers with information in either government or commercial databases, it is likely that legitimate travelers will provide information that is deemed “incorrect” because it doesn’t match the information in those databases. Identity thieves, on the other hand, who have obtained information from those databases, are more likely than legitimate travelers to be able to provide APIS contact information matching whatever is in those government or commercial records.

As a document “validation” methodology, collection of this additional information for purposes of comparison with government or commercial databases would be less than useless….

Since CBP doesn’t specify the basis for the authority and extraterritorial jurisdiction it claims for itself and airlines, we have to speculate in order to try to respond to those claims.

The implied minor premises of the NPRM appear to be that (1) passports or similar documents are required for travel, not merely for entry to the U.S., and (2) the authority of CBP to inspect documents, search and question travelers, and determine their admissibility to the U.S. at airports and ports of entry implies jurisdiction and authority to delegate similar authority to carry out searches, inspections, and interrogation to commercial airline staff worldwide and to order common carriers not to allow individuals to board foreign aircraft at foreign airports.

But the NPRM provides no support in statute or case law for what would be an extraordinary series of leapfrogging expansions of extraterritorial, outsourced, and privatized CBP authority and jurisdiction….

The highest per-person costs of the proposed rule would be imposed on asylum seekers.

Many asylum seekers will, of course, be unable to provide the information required by the proposed rule, even if they might, on arrival in the U.S., be able to obtain asylum.

It’s difficult to put a dollar value on asylum or on its denial. Every time someone obtains asylum, it’s a triumph of freedom over tyranny. How much is that worth? How much would you pay for asylum from a country in which you are being persecuted or reasonably fear persecution?…

Some asylum seekers, denied their right to travel by common carrier to potential sanctuary in the U.S., will attempt to travel to the U.S. by other means. Some of them will die trying. Irregular means of land or sea travel are dangerous….

Typical fees paid to smugglers, guides, and facilitators for irregular transport to the U.S. border by asylum seekers are at least an order of magnitude greater than typical airfares.

Almost all of those who died in the desert or at sea could have afforded to fly, and would have done so but for CBP’s successful efforts to induce airlines to deny them passage in circumstances in which CBP has no authority to order the airline not to transport them.

Their deaths are solely and directly attributable to the U.S. government’s “carrier sanctions”.

As these sanctions are described in the NPRM, “if an air carrier boards a passenger who is then denied entry to the United States, the air carrier may have to pay a penalty.”

Instead of sanctioning airlines that fulfill their legal duty as common carriers to transport all passengers in compliance with their tariffs, the U.S. government should be sanctioning airlines that refuse to transport undocumented asylum seekers….

Carrier sanctions kill, and the proposed rule would increase the death toll….

A further privacy problem results from the fact that many foreign airlines are government-owned or parastatal entities. Many airports are also government-operated….

The requirement to provide this data to airlines thus amounts to a requirement to provide it to foreign governments, including the world’s most privacy-invasive and repressive regimes….

Malign foreign governments could misuse data obtained through airlines and/or airports for both economic and political purposes. They could use this data for economic espionage against competitors of their state-owned enterprises. And they could use this data to target repressive measures against their own citizens and foreign visitors, including U.S. persons….

The danger of providing contact information would perhaps be greatest for asylum-seekers seeking to flee. Repressive regimes could use this information to intercept and prevent asylum-seekers from leaving, or to harass or persecute their associates even after they escape….

The NPRM, in its entirety, should be withdrawn, and the current API rule should be rescinded.

• Complete comments of the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC).
• Form to submit comments (deadline midnight EDT, Monday, April 3, 2023).
• Docket with CBP proposed rule and all public comments.
• You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by