Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Jan 28 2026

OK legislators sue to block upload of state residents’ data to AAMVA’s national REAL-ID database

Today a bipartisan group of thirty-four members of the Oklahoma state legislature petitioned the Oklahoma Supreme Court to block the upload of information from all Oklahoma drivers licenses and ID cards to the SPEXS national  REAL-ID database operated by the American Association of Motor Vehicle Administrators (AAMVA).

The petitioners, led by Sen. Kendal Sacchieri (R-Blanchard), include sixteen members of the Oklahoma Senate and eighteen members of the Oklahoma House of Representatives. They are represented by Oklahoma City attorney Wyatt McGuire.

Service Oklahoma, the agency that issues drivers licenses and state ID cards, plans an initial bulk upload of data about all Oklahomans to the SPEXS database over the Presidents’ Day weekend of February 14-16, 2026, unless the upload is blocked by the state Supreme Court or suspended or postponed by Service Oklahoma or Gov. Kevin Stitt.

The state legislature convenes for its next session February 2nd, and multiple steps are required before a bill can be enacted. Unless the bulk upload to SPEXS is cancelled or postponed, it will take place just before the legislature can take any action to stop it.

We don’t know whether the upload was scheduled deliberately to preempt the possibility of legislative oversight. But we’ve seen the same pattern in other states where governors and/or driver licensing agencies arranged to join the the SPEXS database and the misleading-named “State to State” (S2S) network — in which data is transmitted through AAMVA, not directly between states — just before the start of a session at which the legislature might have questioned or taken action to stop the upload.

In Alaska, for example, the Department of Administration carried out its initial bulk upload of state residents’ data to SPEXS over the weekend of January 28, 2017, just days after the start of the legislative session and just before hearings were scheduled on legislation to block the upload.

Like many other states, Oklahoma offers residents a choice of a REAL-ID Act “compliant” or “non-compliant” drivers license or state ID card. Many people choose a “noncompliant” license or ID specifically because they want their data kept in-state. But in order for a state to join S2S, AAMVA’s rules — not any law — require it to upload information about all drivers licenses and state IDs, including “noncompliant” ones, to AAMVA’s national SPEXS database.

Sen. Sacchieri introduced a resolution in the Oklahoma state legislature last year to reaffirm that information about Oklahoma residents who apply for a drivers license or ID that doesn’t comply with the REAL-ID Act may not be sent out of state or to the national REAL-ID database. But that bill didn’t get a vote in 2025, and any action by the state legislature in 2026 won’t take effect until after the planned February 14-16 upload.

As the legislators point out in their brief to the state Supreme Court, Oklahoma law, 47 O.S.  § 6-110.3a(A)(C), already prohibits sharing personal information about drivers license or ID card applicants except as required by the REAL-ID Act. As the legislators also point out, the Federal REAL-ID Act does not (and cannot) require states to take any action. Whether to “comply” is a choice for each state to make.

Once personal information is uploaded to SPEXS, it is out of the state’s control. The Federal government could use a subpoena or other legal process to order AMMVA, as a private entity, to hand over SPEXS data and not to disclose the subpoena to the state. No state that participates in SPEXS can really know whether AAMVA has already chosen or been compelled to hand over data about its residents to Federal agencies, or for what purposes.

The thirty-four Oklahoma state legislators joining the petition have asked the state Supreme Court to stay and temporarily enjoin the upload of Okahomans’ data to SPEXS pending consideration of their lawsuit. Their complaint is rooted in the separation of powers and the authority of the legislature: No Oklahoma law authorizes the upload, no funds have been appropriated for it, and it contravenes the intent of the legislature as expressed in current Oklahoma law.

The fact pattern in Oklahoma is typical of what has happened in other states that have uploaded their residents’ personal information to SPEXS without advertising their plans or seeking explicit legislative authorization or funding for joining the national database.

After we were the first to report on the SPEXS database, AAMVA removed the specifications for the database from their public website, and threatened to sue us to get us to take down the legal copy of the specifications we had posted. AAMVA is a private entity with no legal authority, but it acts like a lawless, rogue government agency.  What AAMVA and its Federal and state allies fear most is informed public debate and legislative oversight.

AAMVA, the Federal government, and their state allies don’t want you know that there is a national drivers license database, much less any details about the database or AAMVA.

We look forward to a ruling by the Oklahoma Supreme Court that will allow the Oklahoma legislature time to exercise oversight over Service Oklahoma and encourage legislators in other states to exercise their rightful authority over state agencies’ relations with AAMVA.

Jan 23 2026

Exceptions and limitations to your rights

When we posted our latest know-your-rights guide, we noted that it describes the rights of U.S. citizens if you are stopped and/or asked to identify yourself or show ID documents in certain circumstances: as a pedestrian, as a passenger in a car (not the driver), at home, or at the airport for a domestic flight.

Why these exceptions and limitations? What about drivers of motor vehicles, passengers on international flights, and people who aren’t U.S. citizens? Don’t they have rights too?

Yes, everyone has rights. But we limited our guide to circumstances in which we think the law is clearly established. In other situations, U.S. courts have been less clear, and in some cases these issues are the subject of ongoing litigation.

Here are some notes on these exceptions and limitations:

  • Non-U.S. citizens: All people have rights, regardless of their citizenship. The Bill of Rights refers to the rights of “persons”, not citizens. The U.S. is a party to international treaties, including the International Covenant on Civil and Political Rights (ICCPR), which according to the U.S. Constitution are the “supreme law of the land” just as much as the Constitution itself. Human rights, by definition, don’t depend on citizenship. But U.S. courts have often (wrongly, we think) interpreted some of the references to “persons” in the Bill of Rights and other U.S. laws as applying only to U.S. citizens and sometimes to permanent U.S. residents, not to all people. And U.S. courts have made it difficult or impossible to enforce rights recognized by the ICCPR, other international treaties, or customary international law through U.S. courts. In practice, non-U.S. citizens have fewer rights likely to be recognized by U.S. courts. U.S. law requires each non-U.S. citizen 18 or older in the U.S. for more than 30 days to register with the U.S. government and “at all times carry with him and have in his personal possession” their registration certificate. That law is of dubious validity, and hasn’t generally been enforced. It says non-U.S. citizens must “carry” their papers, but is silent on whether or when they are required to show those papers. Recent renewed enforcement of this law has prompted ongoing litigation in which these issues have been raised but not yet resolved. See  this know-your-rights brochure and these other resources from the American Immigration Lawyers Association for more on the rights of non-U.S. citizens.
  • Drivers of motor vehicles: Unlike a mere passenger, the operator of a motor vehicle on a public road must have a license and must show their license to police if they are lawfully stopped. Case law on what constitutes a lawful traffic stop is complex and voluminous, with variations from state to state.  A key unresolved question is whether or in what circumstances ICE agents or other Federal law enforcement officers have the authority to make traffic stops or demand drivers licenses to investigate possible violations of state motor vehicle or traffic laws. In one recent ruling in an ongoing lawsuit in Minnesota, for example, the District Court Judge wrote that, “the Court declines to wade into whether federal immigration enforcement officers have any authority to enforce Minnesota’s traffic laws.”
  • Passengers on international flights to and from the U.S.: Here again the case law is voluminous, complex, and silent on some key issues.  Federal agents have been allowed broad authority to stop and search anyone entering or leaving (or seeking to enter or leave) the U.S., whether at a land border or at an international airport or seaport.  Non-U.S. citizens can, in many cases, be denied entry to the U.S. if they decline to answer questions. But we can find no case law on the limits of the right of a U.S. citizen to remain silent in response to questions at the U.S. border or an international port of entry or exit, once they have declared their U.S. citizenship. (See more here about your rights at the airport for a domestic flight.)

We also noted in our guide that in some states, but not others, you might have to identify yourself verbally, if you have been legally stopped based on reasonable suspicion, but you don’t have to say anything else or show any papers. We think state “stop and ID” laws are unconstitutional. But whether “stop and ID” laws conflict with the 5th Amendment right to remain silent has not, so far as we can tell, been resolved by the courts.

Having the legal “right” to do something doesn’t mean that, in practice, you can do it without the police stopping you or retaliating against you for trying to exercise your rights. Retaliatory policing and retaliatory prosecutions are illegal but common.

Whether you are arrested, prosecuted, tortured, or shot by police, jailers, or prison guards may depend on the color of your skin,  your accent, what neighborhood you are in, whether you are wearing a hijab or other indicia of faith or ethnicity, or other aspects of your appearance and the situation, rather than on whether you are breaking the law.

Different people face different risks in trying to exercise their rights. Many of these risks are not ones individuals can choose whether to take. You are unavoidably “at risk”, to a greater or lesser degree, whether or not you chose to take additional risks. The law won’t always protect you. But neither will complying with the law always protect you.

One thing is certain: Your legal rights don’t matter if you never try to use them.

Jan 16 2026

Know Your Rights as a U.S. Citizen

ICE agents in Minneapolis violently detain and arrest U.S. citizen for one reason: he refused to prove his citizenshipe

Immigration and Customs Enforcement (ICE) agents and an assortment of other masked Federal officers are arresting U.S. citizens for not showing ID or “proof” of citizenship on the streets, at traffic stops, and in warrantless door-to-door searches in the Twin Cities.

ICE is planning to station agents to “check documents” on the jetbridges at the Minneapolis-St.Paul International Airport.

With all this happening, we’ve posted a new know-your rights FAQ for U.S. citizens, “Do I have to show ID as a pedestrian, passenger in a car (not the driver, for whom the rules are different), at my home, or at the airport for a domestic flight?” (Also available here as a printable one-page PDF.)

This know-your-rights guide is for U.S. citizens. The law is different for those who aren’t U.S. citizens: U.S. law requires non-U.S. citizens in the U.S. for more than 30 days to register with the U.S. government and carry  their papers “at all times”.  But there are many other good resources for non-U.S. citizens such as this brochure. We’ve found few other clear guides to the rights of U.S. citizens in situations like those today in Minnesota, in which U.S. citizens are being (illegally) required to prove their right to walk the streets, live peacefully in their homes, or travel within their own country.

This guide is a work in progress. We’ve posted it quickly because the need seems urgent. We welcome suggestions for corrections or changes.

Knowing and asserting your rights protects everyone in our society — including non-U.S. citizens. It shows other people that they have rights too, and shows police that we know we have rights. Rights are not, in and of themselves, a protection. You can’t count on police to respect your rights. But police act differently when people know and assert their rights.

Liberty lives in its exercise. Freedom dies if it’s not used. Know your rights — and use them.

Jan 16 2026

ICE plans immigration checkpoints at domestic airports

Doubling down on the TSA’s illegal scanning of domestic airline reservations for immigration enforcement —  first reported here and later confirmed by the New York Times — Immigration and Customs Enforcement (ICE) plans to station its agents on jetbridges to question and “check documents” of travelers boarding flights at Minneapolis-St Paul International Airport  (MSP), according to a memo to airport workers leaked by a whistleblower.

Like almost all US airports with scheduled passenger service, MSP is publicly owned and operated. The Metropolitan Airports Commission is governed by a regional board whose members are appointed by the Governor of Minnesota.

The next meeting of the Board of Commissioners is scheduled for this coming Tuesday, January 20, 2026, at 1 p.m. in Room LT-3048A, Terminal 1, MSP Airport. (This location is inside the checkpoint! See instructions at the bottom of this page for public access.)

Minnesotans and others who travel through MSP (it’s a Delta Air Lines hub for flights to and from other places throughout the US) should show up and demand that the Board kick ICE out of all areas of MSP except the customs and immigration inspection areas for arriving international passengers. The airport could also post signs at terminal entrances and jetbridges advising US citizens that they don’t have to show papers or answer questions.

The airports commission and the state of Minnesota have a compelling financial interest in keeping ICE from harassing or kidnapping passengers changing planes at MSP, so that transit passengers won’t start avoiding routes via MSP in favor of other airline hubs.

A Metropolitan Airports Commission spokesman told Fox 9 News that , “Federal regulations provide federal agents with broad access to MSP Airport property. This includes access to … pre- and post-security areas in the terminals.” This claim was repeated in a press release posted on the MAC website.

We can find no such Federal regulation, nor would there be a statutory basis for one. MSP and other airports are under no obligation to consent to ICE agents’ presence on jetbridges for arriving or departing domestic flights, unless they have a warrant, issued by a judge based on probable cause, to search a specific location. MSP can and should revoke any agreement it has entered into with ICE by which it consented to such an ICE presence.

It’s unclear what authority ICE would claim for access to most airport property without consent of the property owner — the airports commission — or for detention of US citizens who stand mute in response to their questions or requests to show their papers.

In the past, as we’ve testified in other cities, the DHS has lied to airport operating authorities and the public about the extent of its authority to override local laws.

MSP is a major international airport, and international customs and immigration inspection areas at airports are considered “ports of entry” and the functional and legal equivalent of border crossings. But we know of no court that has applied this doctrine to boarding gates, jetbridges, or passengers on domestic flights between points within the US.

The Twin Cities are more than 100 miles from any international border, so the rest of the airport or the metropolitan region isn’t subject to the claimed border-area exception allowing domestic immigration checkpoints.

Even if boarding areas or jetbridges for domestic flights at airports that handle international flights were held to fall within that exception, case law on border-area immigration checkpoints is clear: U.S. citizens do not need to have, carry, or show any documents or answer any questions. They must be allowed to proceed after only a “brief” delay unless there is probable cause  to believe that they aren’t US citizens. Not showing ID is not probable cause, nor is not answering questions about citizenship or anything else.

“Administrative searches” of airline passengers are limited to searches for weapons, explosives, and other threats to aviation security — no citizenship or identity documents. TSA directives to its staff and contractors say that “screening may not be conducted to detect evidence of crimes unrelated to transportation security.”

The Constitutional rules for stops, searches, or questioning by ICE or any other law enforcement officers on jetbridges are, so far as we can tell, the same as those for pedestrians or passengers in cars (not drivers) on public rights-of-way:

  1. Police need reasonable articulable suspicion of a violation of the law to stop you at all, even briefly. To protect your rights, ask them, on camera, as soon as they stop you, “What is the reason you are detaining me?”
  2. You don’t have to show any papers.
  3. You have the right to remain silent. (In some states, but not others, you might have to identify yourself verbally, if you are legally stopped based on reasonable suspicion, but you don’t have to say anything else or show any papers.)
  4. You may not be arrested merely for failure or refusal to have or show ID.
  5. You may not be arrested or detained more than “briefly” without probable cause to believe that you have committed a specific crime.
  6. You have the right to film and record law enforcement officers.

To protect yourself against wrongful arrest based on automated facial misrecognition, keep your mask on as much as possible, especially at boarding gates and on jetbridges.

If you are prevented from boarding a domestic flight at MSP or any other airport because you decline to show papers or answer questions from ICE or other Federal agents, please get in touch.

Jan 15 2026

TSA extorts $45 from each air traveler without REAL-ID

screenshot: Step 3: Show your receipt to the TSA officer and follow their instructions

Today the TSA launched a flagrantly illegal new extortion program, TSA ConfirmID,  to collect $45 from each airline passenger who wants to fly without showing REAL-ID.

As of today, only the payment platform for this “ID verification” program is operational. If you want to fly without REAL-ID on or after February 1, 2026, a new TSA video instructs you to pay $45 each through the Pay.gov website, bring your receipt to the TSA checkpoint at the airport, “show your receipt to the TSA officer and follow their instructions”.

Payments are accepted by ACH transfer from a bank account, credit or debit card, Venmo, or PayPal.

What will the TSA officer instruct you to do at the checkpoint? The TSA says that:

TSA will then attempt to verify your identity so you can go through security; however, there is no guarantee TSA can do so. Please note: Using TSA ConfirmID is optional. If you choose not to use it and don’t have an acceptable ID, you may not be allowed through security and may miss your flight.

The TSA says that you “may” not be allowed through the checkpoint, not that you “will” not. And the TSA’s FAQ says that, “In the event you arrive at the airport without acceptable identification (whether lost, stolen, or otherwise), you may still be allowed to fly”.

What are the procedures for this “attempt to verify your identity”? What are the criteria for  whether or not the TSA will allow you to fly? We don’t know.

A TSA propaganda video released last week falsely claims that, “Everyone knows that when you fly you have to bring a REAL-ID or a passport.” In fact, 200,000 people a day fly without REAL-ID and without a passport. (Any passport of any country is considered REAL-ID.)

It’s unclear what will happen to travelers who show up at TSA checkpoints on February 1st without REAL-ID, or with no ID at all, whether or not they have paid the $45 per person “TSA ConfirmID” fee. See our FAQ about your rights and what might happen.

As we pointed out when the TSA announced this plan in December, no law authorizes this scheme. No law requires airline passengers to have, carry, or show any ID — as the TSA itself has consistently argued, at least to date, when the issue has been raised in court.

The TSA has promulgated no regulations for “TSA ConfirmID”, has published no Privacy Act notice for the information collected from travelers either when they pay the $45 fee or when they go through the TSA checkpoint, and has neither requested nor received approval from the Office of Management and Budget (OMB) for this collection of information, as is required by the Paperwork Reduction Act (PRA).

“TSA ConfirmID” isn’t mentioned in any of the Privacy Act notices for the TSA’s systems of records. Operation of a system of records by a Federal agency without first publishing a proper notice in the Federal Register is a criminal violation of the Privacy Act on the part of the responsible  agency employees:

Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

Presumably, data collected from individuals who pay the $45 “TSA ConfirmID” fee is passed on to the TSA and stored in some (undisclosed) TSA system of records. The TSA officers and employees responsible for that system of records are, as of today, criminals.

Even the payment platform for the $45 fee is in flagrant violation of multiple Federal laws. The Pay.gov payment site and TSA ConfirmID payment form display no OMB control number, as is required by the PRA.

The Department of the Treasury, which operates Pay.gov, says specifically that:

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it provides notice of a currently valid Office of Management and Budget (OMB) control number. Among other things, a notice of the expected time burden is required…. Pay.gov provides services to Federal agencies. These services include the posting of agency forms. Required notices that accompany these forms are the responsibility of those agencies.

There’s a link from the payment page to a Privacy and Security Policy, but the linked page doesn’t mention the Privacy Act, the PRA, or an OMB control number.

Since the TSA hasn’t chosen to follow the law or disclose any of its plans, the only way to figure out the de facto “rules” is to reverse engineer them from travelers’ experiences.

If you show up at a TSA checkpoint on or after February 1st without REAL-ID, or with no ID, please let us know whether or not you paid the “TSA ConfirmID fee” and what happened to you at the cehckpoint..

Keep a copy and/or take a photo or screenshot or any printed or online forms you are asked to fill out. If the forms or user interface pages don’t include a valid OMB control number, you can legally ignore them without penalty.

Are you allowed to fly without REAL-ID? With no ID? Without paying the “TSA ConfirmID” fee? If you are prevented from flying, who stops you? What do they say is the basis for their action?

You have the right to film and record at TSA checkpoints. Please share your experiences so we can better inform future flyers without ID or without REAL-ID.

Jan 14 2026

US wants direct access to police databases worldwide

The US government is seeking direct access to police databases in other countries, as a condition of inclusion in the US Visa Waiver Program (VWP). Citizens of countries in the VWP are allowed to enter the US for limited short visits under the without having to apply or pay for standard visas to the US. So inclusion in the VWP is a valuable incentive the US can use to pressure other countries to make other concessions to the US.

The US says that any country not agreeing to a so-called Enhanced Border Security Partnership (EBSP) giving the US government access to its domestic police database by the end of 2026 will be expelled from, or not admitted to, the VWP.

The first EBSP agreement was signed in September 2025 between the US and Bahrain. The European Union authorized EBSP negotiations with the US in December 2025, despite concerns raised in September 2025 in an opinion by the European Data Protection Supervisor. EBSP negotiations are ongoing between the US and other countries in the VWP.

There’s been almost no discussion in the US of the EBSP negotiations or agreements. None of these agreements have been submitted to the US Senate for ratification as treaties.

The most detailed reporting about EBSP has come from Europe and has been based on documents from European governments.  This presentation at the 39C3 conference earlier this month in Germany by Matthias Monroy gives a good overview of what’s known and the questions that remain.

Labeling these agreements “partnerships” implies reciprocity. But most criminal investigations in the US are carried out by state or local police and aren’t included in any national database. The NCIC database hosted by the FBI is an index to records of arrests, convictions, and court orders such as warrants, but doesn’t identify people who are being investigated but for whom no warrant has been issued. As a result, EBSP agrrements will give US authorities access to much more information about foreigners in countries with entralized police record-keeping than foreign governments will get about people in the US.

The announcement of the signing of the USA-Bahrain EBSP agreement says that it “facilitates the automated exchange of biometric data between Bahrain and DHS”. The EBSP agreements thus provide a self-justifying pretext for integration of the US government’s biometric databases, in order to make them available to foreign police.

US data will be made available not just to democratic foreign governments but to ones like Bahrain — a repressive regime in which the hereditary monarch rules by decree. The US says that data sharing pursuant to the EBSP will “safeguard both countries”, but Bahraini dissidents and asylum seekers probably won’t see it that way. Once data is disclosed by the US to foreign authorities, there’s no way for the US to control, or even to know, how or against whom it’s used, or with which other repressive regimes it’s shared.

Jan 02 2026

Collection of biometrics from anyone “associated” with a foreigner

As part of an array of proposals and rules issued by components of the US Department of Homeland Security to collect a widening array of biometric information and systems from widening categories of individuals, US Citizenship and Immigration Services  (USCIS) is proposing a new rule that would authorize collection of any form of biometric information or samples from anyone, including US citizens, “encountered” by USCIS or “associated with” any applicant for admission to the US, US residency, or US citizenship.

The proposed rule would give USCIS blanket authority, at its discretion, to order any such individual to report to any location worldwide specified by USCIS, and to submit to collection of facial images (“digital image, specifically for facial recognition”), fingerprints, palm prints, iris scans, retinal scans, voice prints, and/or DNA samples.

Underlying the proposal is an implicit but impermissible assumption that merely to “associate” with foreigners is sufficiently suspicious to create probable cause for a search.

Today the Identity Project and Fiat Fiendum, Inc., filed comments objecting to this proposal for warrantless, suspicionless searches as unconstitutional and contrary to US treaty obligations pursuant to the International Covenant on Civil and Political Rights:

U.S. Citizenship and Immigration Services (USCIS) component of the Department of Homeland Security (DHS) is proposing to “expand its routine biometric collections to include individuals associated with immigration benefit requests or other requests or require[d] collection of information…. DHS is proposing to revise 8 CFR 103.16 to require that any applicant, petitioner, sponsor, beneficiary, or individual filing or associated with a benefit request, other request, or collection of information, to include U.S. citizens, U.S. nationals, and lawful permanent residents, and without regard to age, must submit biometrics, unless DHS otherwise exempts the requirement.”

These individuals would be required to submit to intrusive searches at U.S. borders and ports of entry and exit, at places outside the U.S., and at places in the interior of the U.S.

These searches and collections of biometric information and samples would include facial photography (“mug shots”), fingerprinting, iris and retina scans, voice samples, and DNA samples, on a dragnet basis for all applicants or “associates” of applicants or at the “discretion” of USCIS, rather than on the basis of warrants, probable cause, or individualized suspicion.

The NPRM does not mention the Constitutional rights or human rights treaties it implicates, much less justify the proposed rules as Constitutional or permitted by treaty.

The proposed searches would be unconstitutional and violate U.S. treaty obligations.

Warrantless, suspicionless searches, solely on the basis of citizenship, immigration status, exercise of the right to freedom of movement, and/or “association” with other individuals, would violate the First and Fourth Amendments to the U.S. Constitution and U.S. obligations as a party to the International Covenant on Civil and Political Rights (ICCPR).

The proposed rule should be withdrawn.

Thousands of comments, almost all objecting to the proposed rule, are still being docketed. Once they are docketed, you can find all of the comments on this proposal here.

 

Dec 10 2025

CBP wants all visitors to install and use its smartphone app

Permisisons requeste by ESTA Android app

[Permissions requested by ESTA Android app. Why does CBP want to be able control your flashlight?]

By a notice published today in the Federal Register, US Customs and Border Protection (CBP) is requesting approval not only to make all foreigners visiting the US without visas submit a comprehensive set of biometric identifiers (“face, fingerprint, DNA, and iris”) but to do so by installing and using a closed-source CBP smartphone app that requires permission to access Wi-Fi scanning and network data; take photos and video; access any fingerprint, iris scan, or other biometric sensors, and even turn on and off your flashlight.

Each visitor to the US under the Visa Waiver Program (VWP), for which the fee has recently been raised from $21 to $40 per person, would be required to submit, in advance, through this smartphone app, identifiers for all social media accounts they have used in the last five years.

Each visitor would also be required to submit what CBP calls “High Value Data Elements”. According to the notice:

The high value data fields include:

a. Telephone numbers used in the last five years;
b. Email addresses used in the last ten years;
c. IP addresses and metadata from electronically submitted photos;
d. Family member names (parents, spouse, siblings, children);
e. Family number telephone numbers used in the last five years;
f. Family member dates of birth;
g. Family member places of birth;
h. Family member residencies;
i. Biometrics—face, fingerprint, DNA, and iris;
j. Business telephone numbers used in the last five years;
k. Business email addresses used in the last ten years.

CBP thinks that the average visitor could compile and enter all of this data (typing on a smartphone) in 22 minutes,  including the time needed to contact each of their siblings and children to find out their five-year history of addresses and phone numbers.

Welcome to the 2026 World Cup!

Applicants for US visas are already required to provide a much more extensive set of personal data, including biometrics and identifiers for all social media accounts they have used. So this proposal, if approved, would expand collection of biometrics, social media identifiers, and the additional “high value data elements” to almost all foreign visitors to the US, with or without visas. The only remaining exception, which CBP doesn’t mention, is for asylum seekers who may have no documents and who require no pre-approval.

We continue to oppose warrantlesss, suspicionless compelled disclosure of social media or biometric identifiers or other information as unconstitutional and a violation of the human rights of travelers. And we oppose any requirement to provide this information in advance, when it could be collected on arrival in the US, when visitors apply for admission.

Read More

Dec 05 2025

TSA Confirm.ID: TSA plans to charge air travelers without ID or without REAL-ID $3B a year in extra fees for extra questioning

TSA Coinfirm.ID

Since scare tactics haven’t gotten everyone in the U.S. to sign up for REAL-ID or show ID whenever they fly, the Transportation Security Administration (TSA) is turning to extortion through the threat of a new $45 fee to fly without “acceptable” ID.

The proposed fee and the modified “ID verification” program it would pay for are being described by the TSA as a fait accompli. But even if they were authorized by Congress and Constitutional — which we don’t think  they are — they have several months-long procedural hurdles to clear before they could legally be put into effect, and even then they would face the possibility of litigation by travelers, states, airlines, and perhaps others.

$3 billion dollars a year in extra fees for extra questioning of flyers

In its latest round of rulemaking by press release, the TSA has issued a series of procedurally irregular announcements indicating that the agency plans a new fee-based procedure for air travelers without “acceptable” ID, including those presenting ID that the TSA deems not to comply with the REAL-ID Act and those who don’t have or don’t show any ID at all:

  • A notice published by the TSA in the Federal Register on November 20th said the fee for flying without ID or without REAL-ID would be $18 per person for each ten-day period.
  • A second notice published on December 3rd, just two weeks later, announced that “based on review and revision of relevant population estimates and costs… and a revised methodology… TSA recalculated overall costs and determined that the fee necessary to cover the costs of the TSA Confirm.ID program is slightly more than $45.”

The drastic revision of the cost estimate and fee, so soon after the initial announcement, suggests that the initial estimate was sloppy,  rushed, or both, and perhaps that the entire new program is being hastily implemented, may not yet be clearly defined, and may fit the definition of agency action that is “arbitrary, capricous, an abuse of discretion, or otherwise contrary to law”. Any such action is liable to be “set aside” by the courts on the basis of the Administrative Procedure Act (APA).

According to a press release posted on the TSA website on December 1st, “Currently, more than 94% of passengers already use their REAL ID or other acceptable forms of identification.” That’s only one percentage point higher than the 93% compliance the TSA announced after the first few weeks of REAL-ID “enforcement” in May 2025. These largely unchanged numbers suggest that the TSA is making little progress in persuading more travelers to sign up for a national-ID scheme or show their papers at TSA checkpoints.

Based on the current rate of roughly three million people a day passing through TSA checkpoints, 6% of whom don’t show ID the TSA deems “acceptable” (or don’t show any ID), 180,000 people a day would be assessed the proposed new $45 fee. That would generate $8.1 million a day, or $2.96 billion a year, in new revenue for the TSA.

The TSA’s initial notice claimed that currently “taxpayers pay[] for an individual’s identity verification services provided by TSA”. But each airline passenger already pays a fee of $5.60, collected by the airline, each time they pass through a TSA checkpoint at an airport.

This “9/11 Security Fee” was imposed when the TSA was created, and is supposed to cover the TSA’s costs  of searching air travelers. Air travelers, not taxpayers, pay for the TSA to grope, interrogate, and delay us. Charging a fee for this “benefit” is like charging a “police user fee” to be pulled over in a traffic stop, even if no violation is found and no citation is issued.

Read More

Dec 03 2025

Airlines Reporting Corp. says it’s ending sales of ticket data to police & Feds

The Airlines Reporting Corporation — the financial clearinghouse that processes payments between U.S. travel agencies and hundreds of airlines in the U.S. and worldwide — plans to sunset the program through which it has given Federal agencies and an unknown range of other customers access to searchable archives of billions of agency-issued tickets for past and future airline flights.

According to a letter (first reported by Joseph Cox of 404 Media) sent by ARC in response to a request by members of Congress to end warrantless access by law enforcement agencies to ticketing data,  ARC says its Travel Intelligence Program (TIP) “is sunsetting this year”.

ARC’s “TIP” program was first uncovered by Katya Schwenk of Lever News in May 2025, and discussed in more detail here on PapersPlease.org and in a series of follow-up stories by Joseph Cox of 404 Media based on his FOIA requests to agencies that subscribe to TIP.

Many of these stories have described ARC as a “data broker”, which is legally correct but somewhat misleading. ARC is a financial clearinghouse that provides its airline and travel agency customers with transaction and payment-processing services.

It’s unclear whether the TIP program was devised by ARC as a profit center, or simply as a way to efficiently manage  and defray the expense of responding to requests by law enforcement agencies for searches of ticketing records.

TIP was always peripheral to ARC’s core business, as is demonstrated by the alacrity with which ARC was willing to end it as soon as it came under criticism from Congress. It’s unlikely that shutting down TIP will have any any material impact on ARC’s bottom line.

ARC could have told police and Federal agencies to go away and not come back without a warrant. But while some travel agencies might have preferred that course of action to protect their customers’ privacy, ARC is controlled by airlines, not agencies. And airlines have never prioritized protecting passengers’ privacy or security against police or anyone else.

Airlines have largely ignored privacy and data protection laws, even in jurisdictions like Canada and the European Union that have them (unlike the US). And data protection authorities (DPSs), even in jurisdictions that have such agencies (again, unlike the US), have largely let airlines get away with this.

When the cops come knocking, the typical response of an airline is, “Please come in! How can we help?” Airlines’ willingness to allow ARC to sell ticketing data is not an anomaly but an indication of the pervasive airline industry culture of collaboration with law enforcement. We can find no record of any airline, anywhere in the world, ever, that has gone to court to challenge government demands or requests for passenger data.

It’s unclear what motivated ARC’s decision to pull the plug on police access to ticketing data through TIP.  A few members of Congress had complained about TIP, but the odds that Congress would finally enact privacy legislation applicable to airlines remain slight.

A more likely explanation may be that publicity about TIP (and inquiries about TIP from local journalists) may have caused some of the airlines that use ARC to process payments for tickets issued by their U.S. agents to fear that DPSs in their home countries might be prompted by the ARC scandal to start asking more general questions about how airlines apply their purported privacy policies to the agents they appoint to execute contracts in their name in other countries such as the US with lax or nonexistent privacy laws.

Agencies and contractors in the US, including computerized reservation systems, have always been among of the skeletons in the closet of airline privacy invasion, and could expose airlines to huge liability if foreign DPA’s ever looked behind the curtain at airlines’ agents and contractors — not just ARC — in the US.

ARC has a nearly total but insecure monopoly, and can ill afford to give airlines a reason to start looking harder for alternatives. The existential threat to ARC for decades has been wider adoption of direct connections between airlines and travel agencies. Some of the largest airlines have already set up direct connections and settlement with some of the largest online and offline travel agencies. ARC might have decided that the incremental revenue from TIP, and the goodwill that being a willing police informer and collaborator generated with governments, weren’t worth possibly driving away some of its core financial-clearinghouse business.

ARC probably assumes that ending the TIP program ends the problem — but it shouldn’t. The TIP program may not have violated any US law, which is why even angry members of Congress could only ask, not demand, that ARC stop selling out travelers to the police. It’s a different story abroad, though.

Foreign airlines that participate in the ARC settlement clearinghouse — and not just those that share in ownership of ARC as a joint venture — have been systematically violating the privacy and data protection laws of their home countries for twenty years. They could, and should, be held to account for that history of misconduct.

ARC still has data on all the ticketing transactions it processes. It could still be ordered to provide ticketing data to the police, as compuerized reservation systems have been, and could be ordered not to disclose this to the airline, travel agency, or passenger involved in the transaction.

The TIP scandal should be the beginning, not the end, of investigation, exposure, and enforcement action against airlines that have been disregarding passengers’ expectations of privacy, willingly and often secretly  collaborating with law enforcement agencies, and failing to protect them against stalkers and other everyday threats to their privacy and security.