Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Sep 06 2013

Why did the NSA hack an airline reservation system (when CBP already has root access)?

The latest revelations about NSA attacks on encrypted electronic communications include this sentence buried in an article in yesterday’s New York Times (first noted today by the travel news website Skift):

But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.

It’s no surprise that the U.S. government was and is interested in monitoring airline reservations in real time as well as in mining historical airline reservation records.

But why did the NSA feel it was necessary to hack into airline and computerized reservation system (CRS) messaging, when the U.S. Customs and Border Protection division of DHS already had root access to reservations for flights worldwide stored in any of the four largest CRSs (including Amadeus, the only one not based in the USA), and was already extracting copies of all reservations that include flights to, from, via, or over the U.S. and compiling them into tits Automated Targeting System (ATS)?

  • Was the government interested in some airlines (who were these three?) that didn’t use one of the big four CRSs to host their reservations?
  • Was the government afraid that some airline or CRS (which one?) might pull the plug on CBP access, or restrict it to reservations for flights that actually touch the USA?
  • What was it about airline and CRS messaging that interested the NSA?  For what NSA purpose was the content of PNRs insufficient?

Whistleblowers, especially with airlines or CRSs or their contractors and suppliers, we need your help! If you know what was up with the NSA’s hacking of airline and CRS messaging, leave a comment or get in touch.

Sep 05 2013

How the TSA treats FOIA requesters it doesn’t like

The more we learn about the TSA’s handling of our Freedom Of Information Act (FOIA) requests, the uglier it gets. The latest chapter in the TSA’s vendetta against us is described in a FOIA appeal we filed this week.

The DHS, which of course includes the TSA, has long had a department-wide policy requiring special political approval — and often delay — of all FOIA requests from media, watchdog, or activist individuals or organizations, which we know included requests from The Identity Project.

In addition, we have now obtained less redacted versions of internal TSA and DHS email messages (which were officially released to us only with the most incriminating portions blacked out) showing that the TSA’s Chief Privacy Officer engaged in a campaign of character assassination intended to persuade TSA FOIA staff that individuals associated with The Identity Project are lunatics and liars and hold particular opinions and beliefs as a result of which we and our requests should be ignored or not taken seriously.

(Click image for larger version.)

In the libelous internal TSA email message reproduced above, TSA Privacy Officer Peter Pietra had this to say about Edward Hasbrouck, a consultant to The Identity Project who has filed many of our FOIA requests (and asked questions of Mr. Petra and filed other FOIA requests for records related to Mr. Petra’s work):

Ed is crazy as a loon, and as rude and belligerent at [sic] Bill says…. He misrepresents any interaction you have with him, so be wary (even where there is video that contradicts his version of events). He also thought 9/11 was a govt conspiracy because the FBI investigated it instead of the NTSB.

This message was distributed to TSA FOIA officers including those involved in processing our FOIA requests. And it was sent — the TSA itself later found — with the intention of influencing their decisions.

Even if Mr. Hasbrouck held these opinions and beliefs (which he doesn’t — the allegations about his opinions and beliefs are pure fabrications by TSA staff), who we are or what individuals associated with our organization think or believe is irrelevant to our entitlement to access government records pursuant to FOIA.

Attempting to induce FOIA staff to base FOIA processing or decisions on their opinions of the requesters’ beliefs is among the most serious forms of possible misconduct by officials responsible for compliance with FOIA.

If there’s anything worse, it’s withholding requested government records in order to cover up offical misconduct. But that’s exactly what happened when we requested the email message above.

The TSA’s Chief FOIA Officer and FOIA Public Liaison, Yvonne Coates, redacted the libelous portions of the message on the grounds that they were part of the decision-making process (even though she knows that making FOIA decision on the basis of who we are or what we believe is forbidden by FOIA) and that disclosure of these portions of the message “would injure the quality of future agency decisions by discouraging the open and frank policy discussions between subordinates and superiors”:

(Click image for larger version.)

The dismal track record of DHS and TSA noncompliance with FOIA began with the creation of these agencies during the Bush administration, and has continued during the Obama  administration.  Our FOIA requests (like those of other requesters) have routinely been delayed or lost. Responses have been incomplete, improperly and excessively redacted, and almost always months or years later than the deadlines in the law.

Read More

Aug 30 2013

International travel by air is a Constitutional right

In a preliminary ruling in a lawsuit brought by the ACLU three years ago on behalf of a group of people who have been prevented by the U.S. government from traveling by air, a Federal judge in Oregon has found (1) that international air travel is a Constitutional right, and (2) that a categorical ban by the government on the exercise of that right can only be issued in accordance with due process.

Those shouldn’t be surprising findings. But given that the U.S. government has never sought to follow normal legal procedures by asking a court to issue a no-fly injunction against an individual, and that none of the goverment’s extrajudicial administrative no-fly orders has ever been reviewed on its merits by any court, the latest ruling by District Judge Judge Anna Brown in the case of Latif et al. v. Holder is an important step toward bringing DHS controls on travel within the rule of law.

The ruling is the latest in a series of decisions which have finally begun to uphold the right of travelers to due process and juducial review of the restrictins on their movements. The decison in the Oregon no-fly case echoes similar findings in the past year by the 4th Circuit Court of Appeals in the case of Gulet Mohamed and by the 9th Circuit and the District Court for the Northern District of California in the case of Rahinah Ibrahim.

Read More

Aug 22 2013

California considers “enhancing” drivers licenses with radio tracking beacons

California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.

Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.

The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints.

Independent academic studies of actual ID cards issued by other states, using the same standards proposed for use in California, have found that they can sometimes be read from more than 50 yards away.

S.B. 397 has already been approved by the California Senate, and is now under consideration in the Assembly. Because it has been amended by the Assembly, it will need to be reconsidered by the Senate (to decide whether to accept the Assembly amendments) if and when it is approved by the Assembly.

To date, S.B. 397 has been largely unopposed in the California legislature, and it is likely to be approved unless legislators start hearing a groundswell of opposition from their constituents.

What excuse is being offered for this scheme? And what’s its real purpose?

Read More

Aug 19 2013

White House approves new “long forms” for some passport applicants

After a year-long “review”, the White House on August 12, 2013, approved the State Department’s proposed new “long form” questionnaires for some (unspecified) subset of applicants for US passports:

Form DS-5513, “Supplemental Questionnaire to Determine Entitlement for a U.S. Passport”:

Form DS-5520, “Supplemental Questionnaire to Determine Identity for a U.S. Passport”:

In approving these forms, the Office of Management and Budget (OMB) ignored overwhelmingly public outrage at these questionnaires, which ask such questions as:

  • List all your parent(s) residences one year before your birth.
  • Parent(s) place of employment at the time of your birth (Dates of employment, Name of employer, Address of employer).
  • Did your mother receive medical care while pregnant with you and/or up to one year after your birth? (Name of hospital or other facility, Address, Name of Doctor, Approximate dates of appointments).
  • Please provide the names (as well as address and phone number, if available) of persons present at your birth such as medical personnel, family members, etc.
  • Please list any schools, day care centers, or developmental programs you attended from birth to age 18 in or outside of the United States.
  • Please list all of your permanent residences inside and outside of the United States starting with your birth until age 18.

The proposed forms were slightly (but not significantly) revised by the State Department during the review by OMB. But there are still no publicly-disclosed guidelines for which passport applicants would be sent one or both of these “long forms”.  We requested this information from the State Department more than two years ago under the Freedom of Information Act (FOIA), but the State Department has not yet responded to our request. (This is, we’ve been told, typical of the State Department’s failure to comply with FOIA deadlines.)  The most reasonable inference is that the new forms are designed to be impossible to complete, so as to provide a pretext to deny you a passport if the State Department doesn’t like your looks (or your opinions, or whatever).

The State Department has also ignored our formal complaint that these conditions for passport issuance violate U.S. obligations as a party to the International Covenant on Civil and Political Rights, and our FOIA request for any records of what (if anything) was done with that complaint.

OMB declined our written request to meet with them to discuss our objections to the proposed forms. OMB policy is to meet with groups interested in its reviews of proposed regulations, but it doesn’t apply that policy to its reviews of proposed “information collections”.

In the course of the review by OMB, the State Department admitted that, as we had already reported, it has already been using these forms illegally. According to the latest State Department submission to OMB:

The DS-5520 has been created to correct a procedure that may have been inconsistent with the Paperwork Reduction Act (PRA)….   Field offices have, in the past, sent the applicant a letter containing a questionnaire asking for the supplemental information.  The Department has become aware of this procedure and is now seeking OMB approval to rectify the oversight….

The DS-5520 is a new collection based on the previously internal Information Request Letter (IRL) titled, “Supplemental Identification List”.  To estimate the number of respondents per year, therefore, the Department ran a report using our Management Information System (MIS) to determine the number of these IRLs filed in 2011 by every passport agency and acceptance facility.  The results revealed that in 2011, 54,723 letters were filed along with the DS-11.

Until the forms were approved (as they now have been) by OMB, the Paperwork Reduction Act (PRA) prohibited the State Department from denying anyone a passport or imposing any other penalties for failure or refusal to fill out these forms.

Now that these forms have been approved, objections to the denial of a passport on the basis of failure to complete these forms (or to do so to the satisfaction of the State Department) will have to be based on other grounds than the PRA.  These objections may be more fundamental, but may also be more difficult to establish in administrative or judicial proceedings.

If you are a US citizen but are denied a US passport because you are unable or unwilling to answer these questions, or you are prevented from entering or leaving the USA because you don’t have a passport, we’d like to hear from you.

Jun 18 2013

Our comments on the TSA’s virtual strip-search machines

Today the Identity Project filed our comments on the TSA’s proposed rules to require travelers to submit to “screening” using virtual strip-search machines (“Advanced Imaging Technology” in TSA-speak.

You have until next Monday, June 24, 2013 to submit your own comments.

Here’s the introductory summary of our comments:

Regulations of the Transportation Security Administration (TSA) at 49 CFR § 1540.107 currently require would-be air travelers to “submit to screening”, but neither define nor limit the meaning of “submit” or “screening”. Under this NPRM, the TSA proposes to add a new paragraph (d) to § 1540.107, which would authorize the TSA to include “screening technology used to detect concealed anomalies without requiring physical contact with the individual being screened” as part of the “screening” to which would-be passengers must “submit” (those terms remaining otherwise undefined and unlimited).

The proposed rule would require travelers to submit to virtual strip-searches and/or manual groping of their genitals, as a condition of the exercise of their right to travel by air by common carrier.

The Identity Project objects to the proposed rule on the following grounds:

1. The TSA fails to recognize that travel by air by common carrier is a right, not a privilege to be granted or denied by the government or subjected to arbitrary or unjustified conditions. As a condition on the exercise of a right, a requirement to submit to searches or other aspects of “screening” is subject to strict scrutiny. The burden is on the TSA to show that the current and proposed requirements will actually be effective for a permissible purpose within the jurisdiction of the TSA, and that they are the least restrictive alternative that will serve that purpose. The TSA has not attempted to asses the proposed rule according to this standard, and has not met this burden.

2. The TSA errs in claiming that, “Individuals … are not included in the definition of a small entity” in the Regulatory Flexibility Act (RFA). Nothing in the statutory definition of “small entities” excludes individuals, and in fact many individual travelers affected by the proposed rule are “small entities” as that term is used in the RFA. The TSA must publish and allow comment on a new RFA analysis that takes into consideration the impact of the proposed rule on individuals in their capacity as “small entities”. If the TSA fails to do so, OMB must disapprove the proposed rule, pursuant to the RFA.

3. In the absence of any definitions of “submit” or “screening”, the current and proposed rules are unconstitutionally vague and overbroad. Travelers subject to the rules can’t tell what is prohibited or what is required as a condition of travel by air by common carrier, or which actions at TSA checkpoints are and aren’t subject to TSA civil penalties. The rules reach a significant amount of protected conduct by denying the right to travel to a significant number of individuals who pose no threat to aviation.

The proposed rule should be withdrawn, and the practices it would purport to authorize should be suspended. If the proposed rule is not withdrawn by the TSA, it should be rejected by the Office of Management and Budget (OMB) for failure to include the analysis required by the RFA. The TSA should open a notice-and-comment rulemaking to define “submit” and “screening”, as those terms are used in 49 USC § 44901, 49 CFR § 1540.107, and 49 CFR § 1540.109, with sufficient specificity to enable prospective travelers to know what actions are required and what actions are proscribed.

You can see all 5,000+ comments submitted to the TSA here.

Jun 15 2013

4th Circuit Court of Appeals upholds right to judicial review of no-fly order

In an important victory for judicial review of no-fly orders, the 4th Circuit Court of Appeals has rejected the government’s motion to dismiss the case brought by Gulet Mohamed, overturned the transfer of the case from the District (trial) Court to the Court of Appeals, and sent the case back to the District Court for consideration of the merits of Mr. Mohamed’s complaint.

Gulet Mohamed is truly the poster child for what’s wrong with secret administrative no-fly decision-making. A native-born U.S. citizen of Somali-American ancestry, Mr. Mohamed was placed on  the U.S. “no-fly” list as a teenager, while visiting relatives in Kuwait, as a way to pressure him to become an FBI informer as the only way to get “permission” from the U.S. government to return home to the USA.

When his visa expired, Mr. Mohamed was imprisoned for violation of Kuwaiti immigration law, then tortured by his Kuwaiti captors — at the behest, he plausibly alleges, of the U.S. government.

Kuwait eventually tried to deport Mr. Mohamed back to the U.S., but the U.S. government refused to let him on a flight home, and he was taken back to his cell.

Finally Mr. Mohamed smuggled out a message to his family, and they obtained a lawyer for him in the U.S. He was allowed to return home the day before the U.S. government had been ordered to show cause justifying the denial of Mr. Mohamed’s right of return — after which the government tried to get his case dismissed as moot.

But Mr. Mohamed remains on the no-fly list, so far as he knows (although for unknown reasons). He has continued to pursue his lawsuit against those responsible for his detention and torture and the denial of his right to travel.

As in other cases, the U.S. government has sought to avoid judicial review of the basis for no-fly orders.

The U.S. government has argued that trial courts cannot hear these cases, and that courts of appeals are limited to a review of the TSA’s “administrative record”.  But the TSA doesn’t decide what names to place on the no-fly list. The FBI-controlled Terrorist Screening Center (TSC) makes those decisions, based on “nominations” from itself and various other agencies. A review of the TSA’s “administrative record” would be limited to confirming that the TSA received a no-fly listing from the FBI (as part of the secret Terrorist Screening Database, TSDB), and prevented the person named in that listing from boarding a flight. Nothing in the TSA’s records identified the basis for the TSC’s no-fly designation.

In an unpublished order issued May 28, 2013,  the 4th Circuit Court of Appeals became the second Court of Appeals (following the 9th Circuit’s rulings in the case of Rahinah Ibrahim) to reject the government’s theory. The 4th Circuit ruled that there  was neither sufficient provision for administrative review by the TSA of the no-fly order against Mr. Mohamed, nor a clear indication that Congress intended to preclude District Court trials in cases like this.

The next step, we expect, will be for the government to invoke the “state secrets” doctrine to try to get the case dismissed. But as in Dr. Ibrahim’s case, the fact of Mr. Mohamed having been denied the right to travel and to return to the U.S. can be established without the need to introduce any evidence obtained from the U.S. government.

We look forward to someday seeing a trial on the merits of a U.S. government no-fly order.

Jun 14 2013

How many people fly without ID? How many are denied the right to fly?

Buried in the TSA’s response last month to our FOIA request for information about its ID verification forms a and procedures was a fragmentary report on how many people try to fly without ID, and what happens to them.

An e-mail message discussing the changes made in 2008 to the TSA’s (secret) procedures for flying without ID — the last time TSA Form 415 for air travelers without ID was revised — included a TSA Operation Center (TSOC) “ID Verification Report” for the 15-hour period from 5 p.m. on June 21, 2008, to 8 a.m. on June 22.

On what was described as a “quiet” night, 74 people (nationwide, apparently) tried to fly without ID and were subjected to the TSA “ID verification” procedures between 5 p.m. and 5 a.m., and an additional 45 between 5 and 8 a.m. the next morning, for a total of 119. This didn’t include what is presumably the busiest shift, from 8 a.m. to 5 p.m., but what still suggest that tens of thousands of people try to fly without ID each year.

It appears that most of these people were allowed to fly without ID. Of the total of 119, only 8 were reported as “denials” (presumably meaning that they were identified, but deemed on the basis of that identification to be subject to no-fly orders), while 23 were reported a “not verified”. It’s unclear if those “not verified” were denied travel,  or were allowed to travel despite not being “verified”.

Now that we know that records are being kept of how many people try to fly without ID, and of what happens to them, we’ve filed a follow-up FOIA request for all “TSOC ID Verification Reports” as well as any records of how incidents and outcomes are categorized for reporting purposes.

May 29 2013

TSA never got OMB approval for “Certification of ID” (Form 415)

In June 2008, the TSA began requiring would-be travelers who didn’t show government-issued ID credentials to fill out and sign — under penalty of perjury — a new “Certification of Identity” form, and answer questions based on the records about them retrieved by a TSA contractor from some commercial data-aggregation company.

Since then, we’ve made a series of FOIA requests to try to obtain the current form, the rules (if any) for its use, and whether the TSA had gotten this collection of information approved by the Office of Management and Budget (OMB), as required by the Paperwork Reduction Act (PRA).

We’ve recently received a response to one of our FOIA requests, filed more than two years ago, which includes the latest version of TSA Form 415 and makes clear that the TSA has never obtained the requisite OMB approval.

In the absence of OMB approval and a valid OMB control number on TSA Form 415, travelers who decline to respond to these questions or fill  out or sign this form cannot be subjected to any government sanctions, including TSA “civil penalties”.

There are several noteworthy features of the latest documents released by the TSA in response to our FOIA request, particularly TSA Form 415 itself and this email thread regarding how the form is used and whether it requires OMB approval.

First, the e-mail correspondence with the FOIA Office to identify records responsive to our request appears to have been completed within a few weeks. Then the TSA sat on the response for more than two years, presumably while waiting for approval from the DHS FOIA “front office”. From responses to our previous requests, we know that the FOIA “front office” has ordered the TSA not to respond to our requests without this approval, even if responses are complete and otherwise ready to go out.

Second, if the TSA’s latest FOIA response to our request for the “most recent version” is to be believed, the version of the “Certification of Identity” currently in use is this TSA Form 415 dated August 2008.

Third, the TSA never even applied for OMB approval for TSA Form 415 or its unnumbered predecessor “Certification of Identity” form, because the office responsible for obtaining OMB approval was led to believe that the form was to be completed by TSA staff, not by travelers (a manifestly implausible claim, since all versions of the form have included a space labeled for the signature of the would-be traveler).

Fourth, the TSA completely misunderstood the statutory criteria for determining when OMB approval is required. Who fills out the form, or whether there even is a paper form (or information is collected by verbal questioning), is completely irrelevant to the definition in the Paperwork Reduction Act of a “collection of information” for which OMB approval is required:

[T]he term “collection of information” … means the obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public, of facts or opinions by or for an agency, regardless of form or format, calling for … answers to identical questions posed to, or identical reporting or recordkeeping requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the United States….

The consequence is that you aren’t required to complete TSA Form 415 (since it doesn’t have an OMB control number),  you aren’t required to answer any TSA questions (if the same questions are asked of ten or more people), and you can’t be penalized for declining to fill out the form or answer such questions.

May 28 2013

TSA “Glomar” response to request for Terrorist Screening Database records

An individual who used our forms to ask the DHS for its records about their travel  has received response of a sort that we haven’t previously seen to a request of this sort: a “Glomar” response that the DHS will neither confirm nor deny that there are any records about the requester in the DHS mirror copy of the FBI’s “Terrorist Screening Database” (TSDB).

It has long been the policy of the FBI, which is nominally “responsible” for the TSDB, neither to confirm nor deny the existence of TSDB records about any individual.

In 2011, DHS published a notice that it planned to make its own mirror copy, for which it would be responsible, of the FBI’s database. At the same time, the DHS exempted the DHS copy of the TSDB from the Privacy Act.

This is the first DHS response we have seen to a request for records from the DHS copy of the TSDB. It’s no real surprise, but it’s different from the typical DHS responses to requests for records about individuals, which include ignoring requests, producing obviously incomplete responses with no explanation of the missing records, and producing pages and pages of completely blacked-out records.

So the TSA won’t say if you are listed in its copy of the Terrorist Screening Database, but will use it against you if you are.