Oct 29 2015

Can the US be a “safe harbor” for travel surveillance?

At its plenary session today in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”.

As part of that resolution, the European Parliament, “Calls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”

We’re pleased, of course, to see such a democratically and popularly elected body as the European Parliament coming to Mr. Snowden’s defense and joining the calls for recognition of his claim for asylum. But while the Snowden clause is getting most of the attention, it’s not all that’s included in today’s Europarl resolution.

The resolution adopted today by the European Parliament discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr. Snowden has helped to expose. Notably, the resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

We have long argued, and we suspect Mr. Snowden would agree, that warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to PNRs stored in airlines’ Computerized Reservation Systems, warrantless, suspicionless dragnet collection of metadata about the movements of money through government access to electronic funds transfer intermediaries like SWIFT, and warrantless, suspicionless dragnet collection of metadata about the movements of messages through government root access to telecom and Internet backbone networks are all part of the same overarching surveillance program that raises issues common to all of these types of movement metadata. That point of view is implicitly endorsed by today’s Europarl resolution.

Today’s action by the European Parliament was prompted in part by the decision earlier this month by the European Court of Justice (sometimes abbreviated “ECJ”, sometimes “CJEU”) in Schrems v. Facebook.  In that case, an Austrian user of Facebook, Max Schrems, asked the data protection authority in Ireland, where Facebook’s European subsidiary is based, to prohibit the transfer of personal data about him to Facebook servers in the USA where it would be subject to uncontrolled and secret access by the NSA and possibly by other US government agencies. The Irish authorities refused to investigate Facebook’s practices and dismissed Mr. Schrems’ complaint on the grounds that the European Commission had already determined that the so-called “Safe Harbor framework” for self-regulation assured adequate protection for personal data transferred from the EU to the US by participating companies.

The ECJ found that, “without there being any need to examine the content of the safe harbour principles,”  the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” of Fundamental Rights and Freedoms of the European Union.

Too bad that US courts haven’t yet recognized, as of course they should, that these US laws and government practices also violate fundamental rights guaranteed by the US Constitution.

The European Commission has previously brushed off questions — including questions from Members of the European Parliament and in a more recent expert report commissioned by the Council of Europe — about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs.

Now, however, the European Commission and European DPAs have an explicit mandate to investigate complaints like that of Mr. Schrems against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved today that it:

Urges the Commission to assess the legal impact and implications of the Court of Justice ruling of 6 October 2015 in the Schrems case (C-362/14) vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, passenger name record (PNR) agreements, the EU-US umbrella agreement and other instruments under EU law which involve the collection and processing of personal data.

What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalize a panopticon of travel dataveillance as a new norm?

Oct 28 2015

6th Circuit Court of Appeals rules for right to trial over no-fly order

On October 26th, by a 2-1 vote, a panel of judges of the 6th Circuit Court of Appeals overruled a District Court’s decision that it lacked jurisdiction to hear a substantive challenge to the order by the “Terrorist Screening Center” (TSC) placing a US citizen on the “No-fly” list.

While the decision was based on arcane-seeming jurisdictional issues, and the government is already maneuvering to evade it and some other similar court decisions, it is a significant victory for the fundamental right to a trial in cases of challenges to no-fly orders.

The decision sends the lawsuit brought by Mr. Saeb Mokdad, represented by the Arab-American Civil Rights League,  back to the US District Court in Michigan where it was first filed more than two years ago.

The TSC is an inter-agency and inter-departmental entity, but the government has assigned nominal “ownership” of the TSC and its decisions — including, until recently, final authority for no-fly orders — to the FBI (a component of the Department of Justice).

At the same time, the government has argued that any challenges to the TSC’s no-fly orders must be made first through the kangaroo-court DHS TRIP administrative process, and then in a Court of Appeals that is allowed to consider only the “administrative record” of the TSA’s decision, as supplied to the court by the TSA itself.

Unlike some other people who have tried to challenge the government’s interference with their right to travel, Mr. Mokdad didn’t sue the TSA or DHS for implementing the TSC’s decision to put him on the no-fly list. Instead, he sued the TSC, FBI, and DOJ for ordering the TSA and DHS to put him on the no-fly list.

The government’s position is that no challenge to a no-fly order can be made with the agency that made the decision (the TSC/FBI/DOJ), and that any court review of the TSC decision must be based solely on TSA records (which will show, at most, that the TSA relied on a no-fly order from the TSC, and may not show anything about the factual basis, if any, or the criteria or procedures relied on by the TSC in its decision).

In its decision this week, the 6th Circuit rejected that duplicitous government position:

To the extent that Mokdad brings a direct challenge to his placement by TSC on the No Fly List, … he is challenging a TSC order, not a TSA order….  TSA does not determine who is placed on the No Fly List; TSC does. Notwithstanding the government’s attempts to characterize his claim as a challenge to TSA’s decision to deny him boarding, Mokdad makes clear that he is “challeng[ing] his actual placement on the No Fly List by the TSC.” R. 17, Appellant Br., 11. TSC is administered by the FBI. The fact that TSC is an inter-agency center that is staffed by officials from multiple agencies, including the FBI, DHS, Department of State, Customs and Border Protection, and also TSA, does not transform TSC’s order placing an individual on the No Fly List into an order of the TSA.

The 6th Circuit panel correctly held that the law assigning exclusive jurisdiction over challenges to TSA orders to Circuit Courts of Appeal, based on TSA administrative records, does not apply to challenges to TSC or other FBI orders — including no-fly listing orders.

The FBI’s hypocrisy in Mr. Mokdad’s case hasn’t been limited to its arguments in court. The FBI has told Mr. Mokdad that it can’t tell him anything about why it put him on the no-fly list, and can’t even confirm or deny that he is barred from flying (although that’s obvious from the fact that he is denied boarding whenever he tries to fly). At the same time that the FBI officially declined to comment or give any information to Mr. Mokdad, the FBI was happy to disclose derogatory allegations about him to the local newspaper of record, the Detroit Free Press, in the form of leaks by “sources familiar with Mokdad” about what “the FBI suspects”.

Unfortunately, the next move in this legal chess game was already played by the government between the time that Mr. Mokdad’s case was argued a little over a year ago and when it was decided this week. While the Court of Appeals was contemplating its decision, the government shifted nominal final responsibility for no-fly decisions from the TSC/FBI/DOJ to the TSA/DHS, to try to bring them back within the scope of the jurisdiction-stripping statute, 49 USC §46110 (the Constitutionality of which is already being challenged in another no-fly case).

It’s unclear, in light of this evasive move by the government, what will happen to Mr. Mokdad’s case on remand. The next step will be discovery, and likely an assertion by the government in response that everything about no-fly decisions is a “state secret”.  Even if Mr. Mokdad eventually puts the FBI on trial, as has happened in only one no-fly case to date, he might win only a Pyrrhic victory, overturning the TSC’s no-fly order but then having to start from scratch, in a different court, with a new challenge to a new TSA no-fly order. Stay tuned.

Oct 23 2015

Court orders TSA to publish “rules” for use of strip-search machines

Acting on a petition submitted in July 2015 by the Competitive Enterprise Institute, the National Center for Transgender Equality, and the Rutherford Institute, the Court of Appeals for the D.C. Circuit today ordered the Department of Homeland Security to, within 30 days from today, “submit to the court a schedule for the expeditious issuance of a final rule” governing the TSA’s use of virtual strip search machines or body scanners (what the TSA calls “Advanced Imaging Technology”) “within a reasonable time”.

The court didn’t say what it would consider “expeditious” or a “reasonable” time for the TSA to finalize rules for its use of body scanners. Nor did the court even consider what such a rule should say, or what it would take for such a rule to be Constitutional.

But as we pointed out in the comments we submitted to the TSA three years ago in this as-yet-incomplete rulemaking, any “final rule” on body scanners promulgated by the TSA would be the first and to date only publicly-disclosed definition of any aspect of what the TSA and DHS think travelers are required to do and/or prohibited from doing in order to satisfy our obligation under Federal law to “submit” to “screening” as a condition of the exercise of our right to air travel by common carrier.

Five years ago, we were one of 35 organizations that petitioned the TSA and DHS to conduct a public “rulemaking” — including notice of the proposal, and opportunity for public comment, consideration of the comments by the agency, and finally the publication of rules for what is and isn’t prohibited and/or required — before deploying or continuing to deploy  as-though-naked body imaging machines in airports.

In 2011, in response to a lawsuit brought by one of the other petitioners, EPIC, the D.C. Circuit court ordered the DHS to conduct such a rulemaking. The DHS dragged its feet, but under pressure from the Court, finally published proposed (vague and unconstitutional) rules for body scanners in 2013. Basically, the DHS proposed rules that would require travelers to submit to whatever “imaging technology” the TSA chooses to use.

The Identity Project and more than 5000 other organizations and individuals submitted comments to the DHS, the overwhelming majority of which opposed the proposed rules, the TSA’s use of virtual strip-search machines, and the TSA practices of groping travelers including those who “opt out” of the imaging machines.

In response to the latest lawsuit by CEI, the DHS says that it is still working diligently, three years later, to read, analyze, and respond to the public comments and prepare a (possibly revised) final rule.

Today, the Court declined (for now, at least) to set a deadline for the DHS to stop dragging its feet and publish final rules for the body scanners. But the Court ordered the DHS to come up with a timeline of specific dates by which it intends to do so. Once the DHS gives dates certain to the Court, it will risk sanctions for contempt if it fails to meet those deadlines without an explanation satisfactory to the Court.

It’s a small but significant step toward subjecting the TSA, for the first time, to the rule of law.

Oct 14 2015

Fundraiser for “Naked American Hero”

John Brennan, the “Naked American Hero” who took off all his clothes at a TSA checkpoint at the Portland, Oregon, airport to show that he wasn’t carrying any weapons or explosives and in protest of the TSA’s practices, has finally gotten a chance to defend himself in court after more than three years of legal and administrative water torture.

But he needs your help to mount the strongest possible challenge to the TSA, and he’s launched an online crowdfunding appeal for a portion of his legal costs.

The TSA’s first line of attack on Mr. Brennan was, in accordance with TSA standard operating procedures, to call the local police. And the cops, as is equally standard, arrested Mr. Brennan on the TSA’s say-so, and only after the fact came up with a charge (“indecent exposure”) to justify the arrest.  But there was nothing “indecent” about the way Mr. Brennan had exposed himself, and a Portland judge acquitted Mr. Brennan of all criminal charges on the grounds that Mr. Brennan’s action was an act of politically expressive conduct protected by Oregon law and the First Amendment.

Unable to get Mr. Brennan convicted of any crime, the TSA put Mr. Brennan through an elaborate administrative proceeding that ended with the TSA deciding to fine him $500 for “interfering” with the TSA by taking off his clothes.

Only after the completion of the TSA’s internal administrative process was Mr. Brennan allowed to ask a court to consider whether the TSA’s proposed fine would violate his First Amendment rights. And that challenge has to be made in the first instance in a Federal Circuit Court of Appeals — an expensive and high-risk legal forum only one step below the US Supreme Court.

Mr. Brennan has petitioned the 9th Circuit Court of Appeals to review whether the TSA violated his Constitutional rights by trying to fine him for expressive conduct that was protected by the First Amendment and that didn’t actually interfere with the TSA at all. (On the contrary, his nakedness made it easier for the TSA staff to tell whether Mr. Brennan was carrying weapons or explosives.)

Mr. Brennan is now waiting to find out whether the 9th Circuit will decide his case on the basis of his written submissions and those of the TSA, or will schedule oral argument before making its decision.

Considering the importance of the case, Mr. Brennan’s appeal for $15,000 in partial payment of his legal expenses is modest.  And did we mention that he was unjustly fired for exercising his First Amendment right to protest the TSA, on his own time, in a way that had no impact on his ability to do his job?

John Brennan needs our help to defend our rights.

If you wish you had the balls to strip naked (and keep your cool completely while doing so!) when the TSA tells you you’ve tested positive (falsely) for explosive residues, and they want to put their hands in your pants, here’s your chance to support someone who stood up and stripped down for all of us.

Oct 09 2015

Airline and TSA insecurity

Recent news stories have called new attention to longstanding vulnerabilities in the security of travelers’ luggage and personal information created by TSA and airline practices.

Exhibit A: TSA-mandated “key escrow” for luggage locks:

Before the creation of the TSA, airline passengers were encouraged by airlines to secure their suitcases with locks against pilferage in transit. Some airlines’ rules provided that unless passengers locked their luggage, they would not be reimbursed for items that went missing from their luggage.

The TSA, in its infinite wisdom, initially decided that everyone would be more secure if travelers were forbidden to lock our luggage, so as to make it as easy as possible for anyone (especially, of course, TSA staff and baggage handlers) to introduce dangerous items into luggage, or remove valuables from luggage.

The predictable result was a wave of organized theft from checked luggage by groups of TSA staff and baggage handlers at airports throughout the country who used “security” x-rays of luggage to identify which bags contained things worth stealing.  400 TSA employees have been fired for stealing from luggage since 2003.  As for airline and airport staff, 37 have been arrested in multiple cases of organized luggage theft at the Miami airport alone just since 2012.

In response, the TSA proposed a fig leaf of pseudo-security: Starting in 2003, air travelers were once again allowed to lock our bags — but only with TSA-approved “Travel Sentry” locks which could all be opened with one of a small set of master keys provided to all TSA baggage screeners.

That makes no sense, of course, in terms of any rational threat model: Almost the only people who have access to checked luggage in transit are airline, airport, and TSA staff. Unsurprisingly, allowing the use of locks to which all of the likely thieves were given master keys did little or nothing to deter or decrease theft.

But that’s not all.  Any “key escrow” system is only as secure as the controls on access to the master keys or the information needed to replicate them. The other shoe has now dropped: Specifications for the TSA master keys (obtained from photos accurate enough to make working keys) have been made public. Anyone with a 3D printer can use these files to make their own complete set of keys to open any Travel Sentry lock.

For what it’s worth, while you aren’t allowed to use physical measures to secure your luggage, you still have some legal protection, at least in theory. Up to a liability limit fixed by law, the airline is strictly liable for loss, theft, or damage to luggage or contents between the time the passenger is given a claim check and the time the passenger reclaims their luggage. The TSA and the airlines both want to divert passengers into an arduous claims process against the TSA, but it’s actually the airline that is liable to the passenger for any damage to luggage while it is checked, even if the damage is caused by the TSA or any other third party. You can sue the airline in small claims court for any damage between check-in and baggage claim. The airline can pursue a claim against the TSA, but that’s not your problem and has no effect on the liability of the airline to the passenger. If airlines have to absorb some of these losses, maybe they’ll get motivated to rein in TSA thievery.

Exhibit B: Airlines’ use of non-secrets printed on boarding pass stubs and checked-baggage tags as “passwords” for access to the details of airline reservations and personal profiles:

Airlines store “passenger name records” (PNRs) in “computerized reservation systems” (CRSs) that were developed for purely internal use by airline and travel agency staff. Access to reservations and passenger profiles was controlled by physical controls on access to networked terminals, and by user IDs and passwords for system access. Once a CRS user was logged in, they could retrieve any PNR by “record locator”.  There’s never been an individual password in the CRS for each PNR or each passenger profile.

Record locators and passenger names were and are printed on boarding passes, baggage tags and claim checks, and itineraries.  At first they were machine-printed in text. More recently they have also been incorporated into barcodes with standard and publicly-disclosed encoding.

Nothing changed when CRSs were connected to Web gateways for self-service booking, ticketing, itinerary review, check-in, and so forth.  Once a user is “signed in” to a CRS, all they need is a record locator and name to retrieve all or part of the data in a PNR of interest. But now every Web user in the world is, in effect, already signed in to the CRSs through these Web gateways provided by airlines and directly by each major CRS. Not all of these sites display the same subset of data, but even the most basic information available at any itinerary-viewing or check-in site (Where is this passenger going? When are they coming back?) can pose a major threat in the hands of house-burglars, stalkers, domestic abusers, or kidnappers.

Airlines and CRSs have been alerted and aware for years of the vulnerability created by the lack of passwords for access to PNR data, but have chosen to do nothing.  Do they think it wouldn’t be worth the cost?  Or do they think that if travelers had to remember and use a password to check in online, they would check in at the airport instead, taking up more airline staff time? Your guess is as good as ours.
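The missing per-record check described above can be sketched as follows. This is an added example, not code from the original post or from any airline or CRS; the `PnrStore` class, its method names, and the sample locator, name and itinerary used with it are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked PNR table does not reveal usable secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class PnrStore:
    """Toy reservation store contrasting two retrieval policies (hypothetical)."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self._pnrs = {}      # locator -> record
        self._failures = {}  # locator -> (failure count, time of first failure)
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock

    def create(self, locator, surname, itinerary):
        """Store a PNR and return a retrieval secret.

        The secret is generated here and delivered to the passenger out of
        band; unlike the locator and name it is never printed on a boarding
        pass, baggage tag or barcode.
        """
        secret = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._pnrs[locator] = {
            "surname": surname.upper(),
            "itinerary": itinerary,
            "salt": salt,
            "secret_hash": _hash_secret(secret, salt),
        }
        return secret

    def lookup_legacy(self, locator, surname):
        """Policy the post describes: locator plus name is sufficient."""
        rec = self._pnrs.get(locator)
        if rec is not None and rec["surname"] == surname.upper():
            return rec["itinerary"]
        return None

    def _locked(self, locator):
        entry = self._failures.get(locator)
        if entry is None:
            return False
        count, first = entry
        if self._clock() - first >= self._lockout_seconds:
            del self._failures[locator]  # lockout window has expired
            return False
        return count >= self._max_failures

    def _record_failure(self, locator):
        count, first = self._failures.get(locator, (0, self._clock()))
        self._failures[locator] = (count + 1, first)

    def lookup_with_secret(self, locator, surname, secret):
        """Hardened policy: per-PNR secret plus throttling of failed attempts."""
        if self._locked(locator):
            return None
        rec = self._pnrs.get(locator)
        ok = False
        if rec is not None:
            # Constant-time comparisons; both checks always run.
            name_ok = hmac.compare_digest(
                rec["surname"].encode(), surname.upper().encode())
            secret_ok = hmac.compare_digest(
                rec["secret_hash"], _hash_secret(secret, rec["salt"]))
            ok = name_ok and secret_ok
        if ok:
            self._failures.pop(locator, None)
            return rec["itinerary"]
        self._record_failure(locator)
        return None


if __name__ == "__main__":
    store = PnrStore()
    # Constructed sample data, not a real reservation.
    secret = store.create("ABC123", "Example", "SFO-FRA 01NOV, FRA-SFO 15NOV")
    print("legacy, no secret:", store.lookup_legacy("ABC123", "Example"))
    print("hardened, wrong secret:",
          store.lookup_with_secret("ABC123", "Example", "guess"))
    print("hardened, right secret:",
          store.lookup_with_secret("ABC123", "Example", secret))
```

A per-locator lockout like this one can itself be used to keep a legitimate traveler out of their own record, so a real deployment would weigh it against throttling by client as well.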

The latest report this week from IT security expert Brian Krebs is that some airlines have expanded the information accessible with only the data on a discarded boarding pass (or, we suspect, a baggage tag) from the PNR for a single journey to the passenger’s entire travel history and profile from their frequent flyer record.  Krebs found that he could even hijack the password on a frequent flyer account using the information encoded using a public algorithm on a boarding pass barcode. That, in turn, would allow ID thieves to have “free” tickets issued for themselves or other criminals, using the target’s mileage points.

What’s the takeaway? Neither the TSA nor the airlines have paid the least attention to rational risk assessment, risk-based security, or even the most elementary norms of physical and data security. Yet these are the entities to which the government wants to compel us to turn over even more personal information.

Sep 23 2015

Does CBP have access to domestic Amtrak reservations?

Documents released to us by Amtrak suggest that since 2012, US Customs and Border Protection (CBP) has had direct access to Amtrak’s reservation system, possibly including access to reservations for Amtrak passengers traveling entirely within the USA.

What do these documents show? And why would an immigration and border patrol agency want access to records of travel by US citizens and other residents within the borders of the US?

Sep 15 2015

California Dreamin’

Stumbling into the embrace of the homeland-security state, California’s state legislature has sent to Governor Jerry Brown a bill which, unless the Governor vetoes it by October 11th, will require that:

[T]he Department [of Motor Vehicles] shall require an applicant for an original driver’s license or identification card to submit satisfactory proof of California residency and that the applicant’s presence in the United States is authorized under federal law.

A.B. 1465 is unnecessary, would create severe problems for many Californians, and would discourage both immigrants to the US and residents of other states from moving to California.

As our friend Jim Harper of the Cato Institute has noted, the intent of  A.B. 1465 appears to be to make it easier for the DHS to claim that California is making “progress” toward compliance with the REAL-ID Act.

Why would Californians want that?

The DHS has repeatedly threatened that if states don’t comply with the REAL-ID Act, including connecting their state drivers license and ID databases to the outsourced REAL-ID “hub” operated by the AAMVA, residents of those states won’t be allowed through Federal checkpoints at airports and at entrances to Federal facilities.

But as we discussed here and here and in this presentation at Cato earlier this year, these threats are hollow.

The TSA allows people to fly without ID every day, despite false notices in airports that ID is required.

As for access to federal buildings, the DHS says that “REAL-ID does not apply to … applying for or receiving Federal benefits, … accessing hospitals and health clinics…, or constitutionally protected activities.”

We’re not sure why else ordinary people would want to access most Federal facilities.

Aug 28 2015

In the wrong place at the wrong time? You might end up on the no-fly list.

If you exercise your right to travel, will the US government use your past travel as the basis for denying you the right to travel in the future?

Reading between the lines of the redacted public versions of recent filings in one of the ongoing legal challenges to US government no-fly orders, the answer appears to be, “Yes”.

Merely having visited the “wrong” place at the “wrong” time (as subsequently and secretly determined by the precogs who devise the government’s algorithms for predicting future terrorist behavior) can be sufficient to get you put on the no-fly list.

Did you visit Yemen in 2009? Now you might be on the no-fly list — for that reason, and maybe that alone.

Jul 27 2015

Laura Poitras sues DHS et al. for records of her airport detentions and searches

Documentary filmmaker Laura Poitras, represented by the Electronic Frontier Foundation, has filed a lawsuit under the Freedom of Information Act (FOIA) against the Department of Homeland Security (DHS), the Department of Justice (DOJ), and the Office of the Director of National Intelligence (ODNI, which includes the NSA). The winner of an Oscar and a Pulitzer Prize for her independent journalism, Poitras is seeking the release of records kept by the government about her travels, and about why she has been detained for hours at a time, searched, and interrogated at airports whenever she entered or left the US.

We welcome Ms. Poitras’ lawsuit, and we wish her and EFF all success. But we’ve been down this road before, and the results aren’t encouraging:

  • In 2006, Ms. Julia Shearson, Executive Director of the Cleveland Chapter of the Council on American Islamic Relations (CAIR), filed suit pro se against the DHS under the Privacy Act, seeking disclosure of records about why she was detained at gunpoint at the US-Canada border and falsely labeled as a terrorist in government blacklists. Despite years of litigation, Ms. Shearson still hasn’t received any information about why or by whom she was blacklisted as a terrorist, or any confirmation that any of the blacklist entries about her have been corrected.
  • In 2008, Ms. Sophie In ‘t Veld, a Member of the European Parliament from the Netherlands, also represented by EFF, sued the DHS under FOIA for records about her travel from the DHS “Automated Targeting System” (ATS). Although Ms. In ‘t Veld eventually received some excerpts from the DHS dossier about her travels, the pre-crime “risk assessment” scores assigned to her each time she traveled to or from the US were redacted and withheld, as was all information about the algorithms and the information used as the basis for those scores.
  • In 2010, Mr. Edward Hasbrouck, an award-winning travel journalist and a consultant to the Identity Project, represented by our parent organization the First Amendment Project, sued the DHS under both the Privacy Act and FOIA, seeking disclosure of records about himself and his travels from ATS, including risk assessments and rules used for determining them, and information about ATS search and data-mining functionality. Like Ms. In ‘t Veld, Mr. Hasbrouck eventually received some excerpts from the ATS files about his travels, but with all information about risk assessments and risk assessment algorithms redacted and withheld.  While Mr. Hasbrouck’s requests were pending, DHS exempted ATS from all of the access and disclosure accounting requirements of the Privacy Act, and a US District Court judge upheld the retroactive application of those exemptions to unanswered requests that Mr. Hasbrouck had made three years previously.  The judge also upheld the withholding of all information about DHS data-mining capabilities for ATS travel records, without even looking at any of the requested records.
  • In 2011, Mr. David House, a computer programmer associated with the Chelsea Manning (then Bradley Manning) Support Network, represented by the ACLU of Massachusetts, sued the DHS for wrongly searching and seizing Mr. House’s electronic devices and data at the airport when he returned to the US from a vacation abroad. As part of a settlement of the lawsuit, the government eventually turned over some records from its files about Mr. House and about how the government used its travel surveillance capabilities to target him for his work to publicize Ms. Manning’s case and raise funds for her legal defense. The records released to Mr. House give a partial picture of how the DHS uses manually-created flags (“lookouts”) to target travelers, but still don’t give any information about the algorithms or data inputs used for automated pre-crime profiling and “risk assessment” scores.
  • In 2013, Messrs. C.J. Chivers and Mac William Bishop, two reporters for the New York Times represented by the Times’ in-house legal department, sued the DHS under both FOIA and the Privacy Act for records about why the two journalists were targeted for unusually intrusive searches and interrogations at airports while leaving and returning to the US on reporting assignments for the Times. The Times hasn’t (yet) reported on what, if any, records they have received in response to the lawsuit. We presume that means that the government has yet to disclose any significant new information about its targeting of journalists and their travels. [In response to the lawsuit, DHS did release redacted portions of its TECS and Automated Targeting System (ATS) files about the journalists, including PNR data. But the codes indicating profiling results and reasons for DHS actions as well as some entire pages of ATS records were redacted.]

We’ve been involved as plaintiffs, attorneys, or consultants to plaintiffs and their counsel in all but one of these cases, and we support continued litigation on these issues.

Harassment of journalists and political activists and interference with their right to travel are only part of a bigger picture. Government surveillance and control of travel is a threat to everyone’s rights.  It’s important for the government to disclose what it’s been doing, but it’s equally important to expunge the government’s travel metadata surveillance archives and end the government’s pre-crime profiling and permission-based controls on who it “allows” to travel by common carrier or public right-of-way.

Jul 06 2015

Expert critique of European travel surveillance and profiling plans

Independent legal experts commissioned by the Council of Europe (COE) to assess proposals for surveillance and profiling of air travellers throughout the European Union have returned a detailed and perceptive critique of the proposed EU directive on government access to, and use of, Passenger Name Record (PNR) data from airline reservations.

Before the revelations by Edward Snowden and other whistleblowers about dragnet surveillance of telephone and Internet communications, few people appreciated the nature of the threat to freedom posed by government acquisition and use of PNR data for dragnet travel surveillance.

The expert report to the Council of Europe marks a breakthrough in the “post-Snowden” understanding of the nature and significance of government demands for PNR data. The report reframes the PNR debate from being an issue of privacy and data protection to being part of a larger debate about suspicionless surveillance and pre-crime profiling. The report also focuses the attention of European citizens, travellers, and policy-makers on the decisions made (in whole or in part) on the basis of PNR data: decisions to subject travellers to search, interrogation, or the total denial of transportation (“no-fly” orders).

The report specifically cites the Kafkaesque case of Dr. Rahinah Ibrahim as an example of the way that decisions made on such a basis tend to evade judicial review or effective redress.

The PNR directive under consideration by the European Union would require each EU member to establish a Passenger Analysis Unit (PAU), if it doesn’t already have one. These PAUs would function as new national surveillance and pre-crime policing agencies. Each PAU would be required to obtain PNR data for all air travellers on flights subject to its jurisdiction, “analyze” this data (i.e. carry out algorithmic pre-crime profiling of air travellers using PNR data as one of its inputs) and share the raw PNR data with its counterparts throughout the EU.

The United Kingdom already has such a Passenger Analysis Unit. It’s not clear which, if any, other EU members already have such units, although staff of the US Department of Homeland Security, based in Germany and elsewhere in Europe, already perform similar functions as “advisors” making “recommendations” to their European counterparts regarding the treatment of European travellers, based on US profiling of PNRs and other travel history and surveillance data.

The COE expert report on Passenger Name Records, Data Mining & Data Protection was commissioned by the COE Directorate General Human Rights and Rule of Law, and prepared by Douwe Korff (Emeritus Professor of International Law at London Metropolitan University, Associate at the Oxford Martin School of the University of Oxford, and currently Visiting Fellow at Yale University in the USA) and Marie Georges (independent expert formerly on the staff of the French national data protection authority, CNIL). The report was presented and discussed at a meeting last week of the “Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD)”.

According to the introduction to the report:

Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly ‘identified’] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned — and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted….

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

The report develops in detail these key points about government access to and use of PNR data, both as a suspicionless dragnet surveillance system and as part of predictive pre-crime policing (outside of normal mechanisms for penal sanctions or for review and redress for police action).

In addition, the report endorses and highlights a point we have been making for many years: because most PNR data for flights worldwide is hosted by, and communicated through, reservation databases accessible from the USA and worldwide without purpose or geographic access limitations or access logs, the USA and other governments can already obtain and use this data, entirely bypassing putative controls on access to PNRs directly from airlines.

The report specifically directs the attention of European officials to testimony by Edward Hasbrouck of the Identity Project at a European Parliament hearing in 2010 (hearing agenda and witness list, slides, video):

“Europe” must also examine the highly credible claims by Edward Hasbrouck … that the USA has been systematically violating previous agreements, and is still systematically by-passing European data protection law, by accessing the CRSs used in global airline reservation systems hosted in the USA to obtain full PNR data on most flights, including most European flights (including even entirely intra-European ones), outside of any international agreements….

[W]e believe that the supposed safeguards against such further — dangerous — uses of the data are weak and effectively meaningless, both in their own terms and because, as Edward Hasbrouck has shown, the USA can in any case obtain access to essentially all (full) PNRs, through the Computerized Reservation Systems used by all the main airlines, as described next.
