Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Apr 23 2015

Amtrak formats for passenger ID data dumps to governments

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

Apr 22 2015

DHS expands mining of travel data while reducing logging and controls

The US Department of Homeland Security has announced plans to expand its data mining and “sharing”of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.

Read More

Apr 20 2015

Does an airline have the “right” to refuse service to anyone?

This week cyber-security and threat modeling expert Chris Roberts of One World Labs was detained and interrogated for four hours and had his laptop and other electronic devices seized without warrant by the FBI, and later was denied boarding by United Airlines for a flight on which he had a valid ticket, for posting this Tweet questioning the security of IP-based networks on aircraft that commingle in-flight entertainment (IFE) data with data from navigation flight control sensors and avionics systems such as Engine Indication and Crew Alerting System (EICAS) data.

The incident raises important questions about the legality of Mr. Roberts’ detention, the search and seizure of his electronic devices, and the decision by United Airlines to refuse to transport him.

Read More

Apr 17 2015

Bill C-51 would match Canadian no-fly scheme to the US — and go further

This week is Stop C-51 Week, marked by events throughout Canada and elsewhere in opposition to Bill C-51, currently under consideration by the Parliament of Canada, “An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts.”

We’ve joined a who’s who of civil liberties and human rights organizations, activists, and experts from Canada and around the world who have co-signed a letter to Prime Minister Stephen Harper opposing Bill C-51.

It’s only a slight oversimplification to say that Bill C-51 is Canada’s version of the USA Patriot Act, 13 years later but on steroids.  It appears to violate the Canadian Charter of Rights and Freedoms and Canadian obligations pursuant to several human rights treaties including the International Covenant on Civil and Political Rights (ICCPR).  But if enacted, and if not voided on constitutional grounds by Canadian courts, it would purport to authorize a wide range of government spying, “pre-crime” policing (profiling), and preemptive interference with the exercise of fundamental rights.

Read More

Apr 16 2015

Feds change no-fly procedures to evade judicial review

In updates filed with Federal courts in at least two pending challenges to US government “no-fly” orders, lawyers for the government have revealed plans for changes to the internal procedures administrative agencies use in deciding who they “allow” to fly — and who they don’t.

While these changes look like cosmetic but inadequate improvements, they actually include an obscure but much more significant change designed to make it harder for people on the no-fly list to get the factual basis (if any) for the decision to put them on the list reviewed by a judge.

By shifting official responsibility for administrative no-fly decisions from the FBI to the TSA, the government hopes to bring those decisions fully within the scope of a special Federal jurisdictional law, 49 U.S.C. § 46110, which is designed to preclude any effective judicial review of TSA decisions — but which doesn’t apply to decisions (nominally) made by the FBI or other agencies outside the DHS.

This law allows TSA administrative orders to be reviewed only by Courts of Appeal (which have no ability to conduct trials or fact-finding), on the basis of the “administrative record” supplied to the Court of Appeals by the TSA itself.  The Court of Appeals is forbidden to second-guess the TSA’s fact-finding, even if it was made through a secret and one-sided internal process: “Findings of fact by the Secretary, Under Secretary, or Administrator, if supported by substantial evidence, are conclusive.”  As long as there is substantial evidence in the record constructed by the TSA to justify its actions, the Court of Appeals is forbidden to consider the weight of contrary evidence, even if it is also in the record.  And the TSA is free to decide that evidence submitted by anyone on the no-fly list is, for that very reason, not credible.

No-fly cases have been considered by District Courts, and one of them has gone to trial, only because the FBI (as the agency nominally responsible for the inter-agency Terrorist Screening Center) has been declared by both TSA and FBI to be the agency officially responsible for no-fly decisions.  When FBI decisions are challenged by people who claim their rights have been violated, those decisions are reviewed in the normal manner by District Courts that can conduct trials, hear testimony, receive evidence, and make their own findings of fact — without being required to rely exclusively on self-serving submissions by the FBI itself.

Read More

Apr 09 2015

Why did the TSA prevent these people from flying?

Documents newly released to us by the TSA strongly suggest that the TSA has been lying about whether people are “allowed” by the TSA to fly without showing ID, and that decisions about whether to allow travelers to fly without ID are being made arbitrarily, on the basis of irrelevant and unreliable commercial data and/or at the “discretion” of individual field-level TSA staff.  The TSA documents also show that, at least for the limited sample of data initially released, the “false-positive” rate of watch-list matches is 100%.

The TSA has for many years been contradicting itself, both in word and in deed, as to whether travelers are required show government-issued (or any other) ID credentials in order to fly, or whether it is possible to fly without ID.

TSA signs at airports say that passengers are “required” to show ID. But the TSA has repeatedly told courts at all levels — from in camera (secret) submissions to the 9th Circuit Court of Appeals in Gilmore v. Gonzales in 2006 to public testimony of the TSA’s witness in the (unsuccessful) state court frame-up of Phil Mocek in Albuquerque in 2011 — that these and other official TSA notices to passengers are false, that ID is not required to fly, and that the TSA does have (secret) “procedures” that allow people to fly without having or showing ID.

The TSA’s actions are equally bipolar.  People who say they have lost their ID cards or had them stolen are “allowed” to fly every day.  But people who the TSA deems (for secret or not-so-secret reasons, or completely arbitrarily) to  be”suspicious” or “uncooperative” are routinely subjected to retaliation and summary sanctions including denial of  their right to travel.  Mr. Mocek, for example, was both prevented from boarding the flight for which he had a valid ticket, and falsely arrested by local police at the behest of TSA staff, when he tried to fly without ID and to document the process that the TSA claimed would have allowed him to do so.

What’s the real story? From our close reading of the available evidence, it appears that:

  1. There are no publicly-disclosed “rules” (and probably not even any unambiguous secret rules) defining what is or is not permitted or required of travelers at TSA checkpoints, or what conditions the TSA imposes on the exercise of the right to travel by air.
  2. The TSA claims to have the legal authority, and in practice exercises actual power, to determine who to allow to fly, and who not to allow to fly, in an entirely secret, standardless, and arbitrary manner, at its sole discretion, which discretion is often delegated to front-line TSA staff.

How does this work in practice? We are just beginning to find out.

Read More

Apr 08 2015

Where can you complain if your human rights are violated?

As we’ve been pointing out for years, the right to travel is not just a right under the First Amendment to the US Constitution (“the right of the people… peaceably to assemble”) but a human right guaranteed by an international treaty ratified by the US (“the right to freedom of movement”).

But what good is a “human right” guaranteed by international treaty if there is no independent entity to which you can complain, and which has the authority to enforce your rights?

At a minimum, what’s needed is the ability of people whose human rights have been violated by the US government to seek redress through US courts, and the ability of those courts to order the government to comply with its treaty obligations.

Given the US government’s current interpretation of many human rights treaties as not being “self-effectuating”, that would require legislation by Congress to effectuate those treaties by creating a cause of action for treaty violations and give US courts jurisdiction to hear such complaints.

That’s exactly what the UN Human Rights Committee concluded a year ago, following its periodic review of US implementation of the International Covenant on Civil and Political Rights (ICCPR):

The State party [i.e. the US] should … Taking into account its declaration that provisions of the Covenant are non-self-executing, ensure that effective remedies are available for violations of the Covenant, including those that do not, at the same time, constitute violations of U.S. domestic law, and undertake a review of such areas with a view to proposing to the Congress implementing legislation to fill any legislative gaps.

In the year since this recommendation from the UNHRC, neither the Administration nor any member of Congress has proposed such effectuating legislation for the ICCPR or any other human rights treaty.

So in the meantime, where can you turn if your human rights are violated by the US government?

Read More

Apr 07 2015

DHS continues and expands use of commercial vehicle tracking databases

Barely more than a year after publicly cancelling a request for bids on the construction of a national database of vehicle location data compiled from commercial and government-operated license-plate reader (LPR) cameras, the DHS has quietly revealed that it is once again seeking to buy access to commercially-aggregated LPR data, and that some DHS component field offices are already doing so.

Cameras combined with optical character recognition software allow for automated logging of the license-plate number (and of course the associated time, date, plate, and direction of travel) of every passing vehicle. “Some LPR systems also capture within the image the environment surrounding a vehicle, which may include drivers and passengers,” the DHS acknowledges in its latest Privacy Impact Assessment for DHS use of commercial LPR data.

The only apparent difference between the proposal supposedly nixed in February 2014 and the plans revealed in the March 2015 PIA is that the DHS’s own LPR vehicle, driver, and passenger tracking data won’t be completely merged with LPR data from commercial sources and aggregators — at least not by the DHS itself.  The PIA describes a scheme in which the DHS will pay for query-based access to commercially-aggregated LPR data and the ability to set flags that will generate real-time alerts to the DHS whenever license-plate numbers of interest are observed.

Read More

Mar 31 2015

You can’t tell the travelers without a scorecard

The TSA uses appearance profiles to decide whether to search you and/or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from GAO report.)[Point scores assigned by TSA “Behavior Detection Officers” are used  to decide whether to search you or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from 2013 GAO report. Click image for larger version.]

The Intercept has published the scorecard used by TSA “Behavior Detection” precogs to assign points to travelers, as part of the TSA’s “SPOT” pre-crime scheme for deciding which travelers to subject more intrusive search and/or interrogation or “refer” to local police:

Whether you call SPOT and the TSA’s other pre-crime profiling programs “junk science”, “culturally biased”, or simply “unconstitutional”, it’s clear that the TSA can’t tell the terrorist travelers with or without a scorecard.

The SPOT scorecard includes pairs of, “Damned if you do, damned if you don’t,” point categories. “Avoids eye contact with security personnel or LEO [Law Enforcement Officer]”? +1 point. On the other hand, “Cold penetrating stare” or “Widely open staring eyes”? +2 points.

Disturbingly, some of the largest point values are assigned for the exercise of First Amendment rights to express opinions, ask questions, and observe what is in plain sight: “Asks the BDO [Behavior Detection Officer] security-related questions”? +3 points. “Shows arrogance and verbally expresses contempt for the screening process”? +2 points. “Scans area, appearing to look for security personnel or LEO”? +2 points.

In what appears to be flagrant discrimination against people with disabilities, anyone attempting to communicate in sign language is severely penalized: “Exhibiting hand gestures to others”? +3 points.

Part of the scorecard is broken down into “Stress”, “Fear”, and “Deception” categories. Stress and fear would seem to be natural responses to being profiled, judged, interrogated, and groped by government agents in cop-like uniforms who claim discretionary and deliberately unpredictable power to stop us from exercising our rights.  What traveler anywhere in the world doesn’t tense up when they are stopped at a checkpoint, and breathe a sigh of relief when they have made it through?

Points are also assigned for attributes having nothing to do with these factors, and which cannot lawfully be construed as constituting a reasonable basis for suspicion sufficient to justify search or detention.

Are you one of a party of, “Males traveling together who are NOT part of a family”? +1 point. Take that, pairs of traveling salesmen, and pairs of Mormon Elders on a mission! Do you appear to be a “Member of a family”?  -2 points. What’s a “family”? And how can the TSA tell?

Possession of duct tape “which the passenger has no apparent reason to possess”? +1 point. Isn’t the reason to carry duct tape that you never know for what purpose you will need it?

Cash is considered presumptively and for outbound international travelers conclusively suspicious. Possession of, “Large sum of monies leaving U.S.”, or “Large sum of monies with no apparent reason to possess”? Automatically notify a law enforcement officer.

Some of the scoring categories appear to be purely cultural or fashion bigotry: “Face pale from recent shaving of beard”? +1 point.  Others show age and/or gender bias: “Facial flushing while undergoing screening”? +1 point. So much for any woman who happens to have a hot flash at a checkpoint. “Apparent married couple with both spouses over 55 years old”? -2 points.

The Intercept quotes two unnamed former TSA “Behavior Detection Officer” managers. One says the scorecard is, “designed in such a way that virtually every passenger will exhibit multiple ‘behaviors’ that can … justify BDO interaction with a passenger. A license to harass.” Another describes the SPOT porgram as, “Bullshit. Complete bullshit.”  We couldn’t have said it better.

Mar 23 2015

Smile for the camera, citizen!

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment.  A few countries. starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.

Read More