Dec 17 2012

Should sex offenders have to wear a “scarlet letter” on the Internet?

In the novel The Scarlet Letter, Hester Prynne was required to wear a prominent badge on her clothes, for life, to identify her publicly with the crime she had been convicted of: violating the sexual mores decreed as law by the fundamentalist religious and political leaders of the Massachusetts Bay Colony.

Today a Federal court heard arguments on whether Californians convicted of certain sex-related crimes can similarly be prohibited for life from speaking or acting anonymously on the Internet, and required to declare to the local police, within 24 hours, each of their Internet service providers or “Internet identifiers” (email addresses, user names, etc.).

California’s Proposition 35, enacted by popular vote in October 2012 (can the majority vote to revoke the rights of a disfavored minority?), adds the following provisions (among others) to state law:

Every person described in subdivision (c), for the rest of his or her life while residing in California, or while attending school or working in California, shall be required to register with the chief of police of the city in which he or she is residing, or the sheriff of the county if he or she is residing in an unincorporated area or city that has no police department,… within five working days of coming into, or changing his or her residence within, any city, county, or city and county, or campus in which he or she temporarily resides, and shall be required to register thereafter in accordance with the Act.

(c)  The following persons shall be required to register: Any person who, since July 1, 1944, has been or is hereafter convicted [of specified offenses].

(a) Beginning on his or her first birthday following registration or change of address, the person shall be required to register annually, within five working days of his or her birthday, to update his or her registration…

(b)  If any person who is required to register pursuant to the Act adds or changes his or her account with an Internet service provider or adds or changes an Internet identifier, the person shall send written notice of the addition or change to the law enforcement agency or agencies with which he or she is currently registered within 24 hours….. The registration shall consist of all of the following:…

(4)  A list of any and all Internet identifiers established or used by the person.

(5)  A list of any and all Internet service providers used by the person….

For purposes of this chapter, the following terms apply:

(a) “Internet service provider” means a business, organization, or other entity providing a computer and communications facility directly to consumers through which a person may obtain access to the Internet….

(b)  “Internet identifier” means an electronic mail address, user name, screen name, or similar identifier used for the purpose of Internet forum discussions, Internet chat room discussions, instant messaging, social networking, or similar Internet communication.

The day after the election, the Electronic Frontier Foundation (EFF) and the ACLU of Northern California filed a class-action challenging the new law as unconstitutionally vague (nobody can tell with certainty which “identifiers” or “services” have to be disclosed to the police, or might result in criminal prosecution if they aren’t disclosed) and unconstitutionally “overbroad” (no matter how it is interpreted, its plain language would restrict rights protected by the First Amendment).

Judge Thelton Henderson of the U.S. District Court for the Northern District of California immediately approved a temporary restraining order preventing the law from being implemented.

Today in San Francisco, Judge Henderson heard almost three hours of argument by lawyers from EFF, the ACLU, the California Attorney General’s office (the defendant in the lawsuit), and the sponsors of Proposition 35 (Chris Kelly, who funded the “Yes on Prop. 35” campaign, was present in court) on whether the court should issue a “Preliminary Injunction” continuing the prohibition on enforcement of the law until the federal court’s final decision in the case, which could take months or years.

While the meaning of “Internet identifier” is vague, all parties to the case (and the would-be intervenors) agreed in response to Judge Henderson’s questions about a list of examples — user IDs for banking websites, BestBuy.com, Amazon.com, World of Warcraft, etc. — that a user ID used to read the New York Times online would need to be registered with the government, if the user ever posted any comments about news stories. And the proponents of the law stressed that the purpose of the registration requirement is not to warn the public about registered users of Internet services, but to facilitate police surveillance and investigation of potential future crimes, including “covert” (sting) operations.

As Michael Risher of the ACLU pointed out, “There’s no historical precedent for stripping people of 1st Amendment rights [after the completion of their sentence] on the basis of their having previously been convicted of a crime.”  But this law, if upheld, would set an important precedent of its own.

The registration requirement and the prohibition on using an unregistered user ID or alias don’t depend on any relationship between the Internet and the crime of which someone was convicted. Nor does anything in the proponents’ arguments for this provision of the law depend on the specific nature of the crimes.  If this provision of the law is upheld as applied to people convicted of crimes related to sex, anyone convicted of any crime, ever, could be subjected to a categorical lifetime ban on anonymous online speech.

As Hanni Fakhoury of EFF has pointed out, a similar thing has already happened with DNA testing: First required in California for people convicted of murder and rape, it has since been gradually extended to people convicted of other specified violent crimes, then to people convicted of all felonies, then to anyone arrested for any felony (including possession of any amount of marijuana with “intent to sell”).

Judge Henderson promised a ruling on the motion for a preliminary injunction “as soon as possible”. In the meantime, the temporary injunction against enforcement of the ISP and Internet ID registration rules remains in effect.

Dec 05 2012

The DHS FOIA Office “is not in service”

We’ve been waiting for years for responses to some of our FOIA requests to the TSA and DHS, including a request for records of what happened to our earlier FOIA requests that were subjected to a special program  of political review and reporting to the White House, a request for records that were previously improperly withheld under a claimed FOIA “exemption” which the Supreme Court eventually ruled didn’t exist, and a request for any records of the TSA having sought or obtained OMB approval for its Certification of Identity form.

Unfortunately, the de facto policy of the Department of Homeland Security is not just to ignore any FOIA requester who isn’t already suing it, but to make it impossible even to communicate with it or obtain proof of having made requests.

As we’ve noted before, the DHS uses a contractor who often fails either to deliver their mail or return the return receipts, making it impossible to prove they have received requests. Recipients have told us that the mail is often so browned and burnt by the contractor’s high-intensity x-ray screening that mail that is eventually delivered to DHS, after a delay of a week or so, is often illegible.

Despite huge expansion, changes, reorganizations, and relocations of DHS offices, the DHS FOIA Regulations and what is required by law to be the definitive list of DHS FOIA contacts haven’t been updated since 2003, despite our repeated protests. Today, many of those addresses lead only to the dead-letter office.

Many DHS and component offices don’t disclose their physical locations. Even if you can find where their offices are, the doors are barred to those without appointments and government-issued photo ID.

And it’s getting worse. Now the main phone number for the DHS FOIA Requester Service Center (and, if you want to complain about their unresponsiveness, the DHS FOIA “Public Liaison” as well) has been disconnected or taken out of service. Not that it was usually answered by a human being, or that voicemail messages were usually returned, but turning off the phones entirely (or using only some other undisclosed phone numbers at their undisclosed location) is really a new low.

If you go to the Where to Make a FOIA Request page on FOIA.gov, and choose “Department of Homeland Security” and then either “Headquarters and Privacy Office” or “I don’t know which office”, you are directed to call (703) 235-0790. Call that number, and you get the recorded message, “Sorry. The number you have reached is not in service.”

We knew the DHS FOIA Office was “not in service”, or at least not serving us. But we didn’t realize that they had gotten the phone company to put a recording on their line telling that to anyone who tries to call.

[Update: The TSA and DHS claim that the “FOIA.gov” website is maintained by the Department of Justice and beyond the control of the DHS. But the same wrong number appears on DHS.gov at http://www.dhs.gov/check-status-your-foia-request as the number to call to find out the status of a FOIA request, along with a self-referential hyperlink for FOIA status information that links back to the same page.]

Dec 02 2012

TSA updates its “notice” of Secure Flight records

The TSA published a revised System of Records Notice in the Federal Register on November 19th, updating its disclosures of what information about our “travel histories” it collects, retains, and uses through its Secure Flight program for airline passenger surveillance and control.

The new notice is both better and worse than it might appear at first glance. The new “Secure Flight” SORN describes some disturbing TSA practices that were not explicitly disclosed in the previous “Secure Flight” SORN published in 2008.

In particular, the new SORN discloses that if you are turned down or predetermined to be ineligible for the TSA’s “Pre-Check” or other “Registered Traveler” (a/k/a “Possibly Slightly Less Mistrusted Traveler”) programs, you can be placed on a new watchlist, as a result of which logs of your air travel will be retained by the TSA for 99 years. That’s especially problematic because applicants for the Pre-Check program aren’t told that being turned down could leave them worse off than if they had never applied, and subject to lifetime TSA air travel monitoring and itinerary logging.

Bad as this is, however, it isn’t really a change in what data TSA claims the right to collect, or how long it claims the right to retain and use it. These practices were already covered under “catch-all” clauses of the prior SORN, which are retained in the revised SORN, and that actually purport to authorize a much wider range of even worse practices.

Specifically, the “Secure Flight” SORN already disclosed that “Secure Flight” records might contain:

Records obtained from the TSC [Terrorist Screening Center] of known or suspected terrorists in the TSDB [Terrorist Screening Database] and records regarding individuals identified on classified and unclassified governmental watch lists

There’s no definition or limitation on the sources or purposes of these additional “watch lists”. But it’s clear from the description quoted above that these are watch lists other than those of suspected terrorists: lists of people who are to be watched, and whose air travel itineraries are to be logged for life, for (secret, unrestricted) reasons other than that they are suspected of terrorism.

Nov 29 2012

No place at Department of “Justice” for complaints of human rights violations

It’s been almost fourteen years since President Clinton, in an Executive Order that remains in force, directed each Cabinet-level executive department to designate a single contact officer responsible for ensuring that all complaints to that department of violations of human rights treaties are investigated and responded to.

That Presidential order, however, has never been carried out, and remains widely ignored.

In the latest example, the Department of Justice has responded (belatedly, as usual) to our request under the Freedom of Information Act, saying that they can find no record that any Attorney General has ever designated anyone responsible for carrying out this Executive Order or responding to complaints of human rights violations; no policies or instructions for dealing with such complaints; and no records of such complaints, what issues they have raised, or what has been done with them.

Given that the Department of Justice might have been expected to be responsible for investigating various sorts of human rights violations that would also constitute crimes, this failure by the DOJ to do anything about human rights complaints has serious implications for the entirety of the US government.

We got the same answer earlier from the Department of Transportation, which is supposed to be responsible for ensuring that passenger common carriers act as, well, common carriers, and respect the “public right of freedom of transit” guaranteed by federal law as well as international treaties.

Only the DHS has told us they actually designated someone responsible for responding to human rights complaints. But it took the DHS almost five years to actually respond to our complaints, and when they did, they improperly suggested that US law could override international treaties.

We’re still trying to get an answer from the Department of State about its handling of human rights complaints. And we’ll be bringing these issues to the attention of the UN Human Rights Committee next year, when it reviews US compliance with the International Covenant on Civil and Political Rights.

Nov 20 2012

TSA spreads FUD on “Opt Out and Film” week

This week is national Opt Out and Film Week. Across the country, travelers will be documenting the TSA’s practices of groping the genitals of anyone who wants to exercise their right to travel without “voluntarily” submitting to an x-ray or RF virtual strip search.

The TSA even acknowledges Opt Out and Film Week in its official blog, where Blogger Bob sez:

We’re also aware of the Opt Out and Film week, where some are planning on opting out of the body scanner and then filming their experience. TSA respects passengers rights to exercise freedom of speech as well as the rights of fellow travelers trying to get to their destination safely and without unnecessary delay. While the TSA does not prohibit photographs at screening locations, local laws, state statutes, or local ordinances may.

That looks to us like an attempt to sow Fear, Uncertainty, and Doubt (FUD) on clear-cut Constitutional rights.

While the TSA has a history of improperly calling local cops on photographers (for which we are currently suing both the TSA staff and the police who acted on their bogus complaints), it’s not true that  “local laws, state statutes, or local ordinances may” restrict the exercise of First Amendment rights.

As we say in our cheat sheet, What you need to know about your rights at the airport:

You have the 1st Amendment right to film, photograph, and record what happens in public areas of airports, including your interactions with TSA and screeners.  Photography and recording in airports and at TSA checkpoints violates no Federal law or TSA regulation. Any state or local laws that purport to prohibit this are likely to be unconstitutional. You have the right, for your own protection, to document what happens to you and what is done to you.

Nov 17 2012

Air Canada lies about government access to reservations

Airlines should have been defending their customers against government demands for information. Instead, they have chosen to collaborate with governments not just in surveillance and violation of the rights of their customers, but in the cover-up of those practices and the attempt to keep travelers from realizing their extent.

We got a letter from Air Canada yesterday informing us that, “Your personal information was not disclosed to a government agency with respect to the flights mentioned in your Request…”

If we didn’t know better, this would be reassuring. But it’s not true.

As it happens, we had gotten another letter earlier this week from the Canadian Border Services Administration (CBSA), containing portions of its records of Passenger Name Record (PNR) and Advance Passenger Information (API) data about our flights on Air Canada, which CBSA had obtained from computerized reservation systems and Air Canada’s Departure Control System (DCS):

[Excerpt from Air Canada API and PNR data from the CBSA “Air Targeting” system]

The information in the CBSA Air Targeting files includes both PNR and API data for Air Canada flights, despite the claim that, “Air Canada is not in a position to provide you with APIs records and logs for the flights listed in your Request since no such APIs records were created.”

And earlier this year, in the last batch of information disclosed by US Customs and Border Protection in response to our Privacy Act and FOIA lawsuit for records from the CBP Automated Targeting System, we received copies of two PNRs that CBP had obtained from different reservation systems for those same Air Canada flights:

[Excerpt from Air Canada PNR from the USCBP Automated Targeting System]

[Excerpt from Air Canada & Swiss International PNR from the USCBP Automated Targeting System]


Nov 16 2012

The facts on the ground in Arizona

“Don’t trust, and don’t verify”, would seem to be the motto of authorities in Arizona when it comes to demands for documents and “proof” of citizenship and status — if your skin is brown.

Arizona’s SB1070 requires police, in certain circumstances, to “attempt” to determine your immigration status. But that obligation on the police does not create any obligation on individuals. In its initial decision on SB1070, the Supreme Court made clear that this provision of the law cannot Constitutionally be used as the basis to detain people without some other lawful basis.

Actions on the ground in Arizona, however, suggest that in practice the burden of proof is being placed on (brown-skinned) Arizonans to prove that they are “not illegal”, on pain of prolonged detention on the basis of mere suspicion (and regardless of the weight of the actual evidence).

The Phoenix New Times has been following the case of Briseira Torres.  She was born (at her mother’s home, which the Department of State seems to find inherently suspicious) in Arizona, and her birth was registered (albeit late, as is common for home births) with the Arizona Office of Vital Records.

One doesn’t have to be registered with the government to be born, or to be a US citizen. But that didn’t stand in the way of Arizona and US authorities.  When Torres went to the Federal Building to apply for a passport for her daughter, after submitting a copy of her own birth certificate as evidence of her daughter’s US citizenship by birth, the State Department employees at the passport office called in Arizona state law enforcement officers to help interrogate Ms. Torres.

Eventually, on the theory that the original registration of Ms. Torres’ home birth had been falsified, the Feds turned her over to state authorities, who had her indicted (withholding from the grand jury the state’s official record of her valid birth certificate, and falsely claiming to the grand jury that her birth registration had been “cancelled”)  for fraud.  She was jailed for 4 1/2 months, during which time she was separated from her child and lost her home and car because she couldn’t make the payments on them, before she got a lawyer and the state withdrew the charges.

Now, to try to retroactively justify their deprivation of Ms. Torres’ rights, state officials have initiated a newly-created administrative process to revoke the registration of her birth.

In other words, the state of Arizona wants to “un-birth” Ms. Torres — at age 31.

We’re glad Ms. Torres has a lawyer, and we hope she collects substantial damages from both Arizona state and county officials and the State Department “special agent” who initially detained her, called in the state cops, and eventually turned her over to their custody.

This incident began with Ms. Torres being called in to answer questions about her passport application for her daughter. The role of the Passport Office and other State Department employees shows exactly why we are so concerned about the State Department’s proposed new questionnaire for passport applicants.

Government “un-birthing” of citizens isn’t the only strange thing going on in Arizona, unfortunately.

At the DeConcini border crossing between the central business districts of Nogales, Arizona, and Nogales, Sonora, US Customs and Border Protection is requiring some “trusted travelers” to submit to interrogation by allegedly lie-detecting robots developed (with DHS grant money, we presume) by the National Center for Border Security and Immigration at the University of Arizona.

If the robot thinks you are lying, “a more thorough interview would follow”, according to news reports.

But Ms. Torres’ example shows that if a human Fed in Arizona thinks you are lying about your papers, they will detain you and turn you over to the state of Arizona to be locked up without bail for months, without bothering even to look at your actual papers (not that you have to have any “papers” in the first place to be born or have rights).

In that light, we hope courts will look skeptically at the legality of prolonging the detention of a border crosser based on the statement of a semi-anthropomorphic animated robot that, “I think you are lying.”

Nov 13 2012

How Australia profiles travelers: A look inside the “black box”

At a “Big Data” conference in Sydney earlier this month, the head of Australia’s traveler tracking and profiling office (his actual title — we are not making this up — is “Director Intent Management & Analytics”) gave an unusually revealing presentation (PDF) [also here] about the nature of the government’s travel data warehouse and how it is used to predict the “intent” of travelers to and from Australia.

Klaus Felsche of the Australian Department of Immigration and Citizenship (DIAC) didn’t mince words, referring explicitly to “data mining”, “risk scoring”, and “profiling” systems and algorithms, although lamenting that DIAC doesn’t (yet) have access to social media profiles or some data from other Australian  government agencies.

The US government has rarely used the words “scoring”, “profiling”, or “data mining” with respect to its warehousing and use of Passenger Name Records (PNRs) and other travel data. Most of the architecture, as well as all of the rules and algorithms, have been withheld from public disclosure, even when we have requested this information under the Privacy Act, FOIA, and/or through foreign governments and airlines that have allowed PNR data subject to their jurisdiction to be fed into these data warehouses and data-mining systems.

The “threat analysis” component of US travel control systems like Secure Flight has remained an unexplained “black box” whose operations are part of the magical secret sauce that justifies the government in enforcing  whatever its oracle decrees.  In this diagram — the most detailed yet provided by the TSA — it’s the red box at right center.

So we are grateful to Mr. Felsche of the Australian DIAC for providing a clearer picture of what data governments are archiving about us and our travels, and how they are using it.  Just remember, as you study his presentation, that:

  1. “Targeting” — the one euphemism that still permeates Mr. Felsche’s presentation — means search, seizure, interrogation, and prohibition of travel. In other words, deprivation of fundamental rights, to a greater or lesser degree depending on whether it means mere delay and intrusion or whether it means being confined by a no-fly order to the island of Australia for the remainder of one’s natural life.
  2. Australia is a relatively small country in population and (as his presentation makes clear) computing resources available to this component of the government.  Presumably, what’s being done with travel data by DIAC is only a subset of what is being done by the DHS, and perhaps in the European Union.

Nov 06 2012

DHS Scrooge says U.S. citizen can’t come home for the holidays to see his ailing mother

In the latest episode in the increasingly bizarre but all too real saga of standardless secret administrative no-fly orders from the DHS to airlines, prohibiting the transportation back to their home country of US citizens,  Oklahoma native Saadiq Long is being prevented from returning home to the US to spend the holiday season with his terminally ill mother.

Long is a US citizen and a veteran of the US Air Force, never charged with any crime in the US or any other country, who has been living and working as an English teacher in Qatar for the last several years.  He’s also a convert to Islam, which shouldn’t be relevant but probably is.

When he learned of his mother’s illness back home in Oklahoma, he made reservations and bought tickets from KLM for flights from Qatar to the US for what might be a last visit with his mother.

Less than 24 hours before his scheduled departure from Qatar in May, KLM told Mr. Long that the airline (and all others serving the US) had been forbidden from allowing him to board any flight to the US.

Mr. Long has been trying ever since to find out why the government of his country has forbidden all airlines from transporting him, or to find a way to get those orders rescinded. But to date, the DHS has maintained its position that it will neither confirm nor deny whether it has issued any no-fly orders with respect to any specific person, much less the basis (if any) for such orders.

KLM explicitly informed Mr. Long that it had received a no-fly order from the DHS. So in theory, KLM would be required by Dutch data protection law to disclose that order to Mr. Long on request. That wouldn’t tell Mr. Long why he had been banned from returning to his country (the DHS probably didn’t share the reasons for its order with the airline), but would prevent the DHS from claiming in court that whether Mr. Long has been prohibited from flying is a state secret.

Given KLM’s poor track record when individuals have requested KLM’s records of its communications with governments, and the Dutch data protection authority’s poor track record of enforcing the law, it’s hard to predict whether KLM would comply with a request from Mr. Long for all orders or communications pertaining to him between KLM and the US government.

Mr. Long is being assisted by the Council on American-Islamic Relations (CAIR), which has led the struggle for judicial review of no-fly orders. CAIR staff attorney Gadeir Abbas, the leading advocate for US citizens exiled by no-fly orders, told Glenn Greenwald that, “Every few weeks I hear of another Muslim citizen who cannot return to the country of which he is a citizen.”

[Update: Mr. Long was again denied boarding by KLM in Qatar on November 8, 2012.]

Nov 01 2012

TSA wants airlines to “share” frequent flyer records

The DHS already has root access to airlines’ computerized reservation systems to “pull” passenger name records (PNRs), even for flights that don’t touch the US.

Airlines serving or even merely overflying the US are required to “push” Advance Passenger Information to CBP before each international flight, and Secure Flight Passenger Data to the TSA before each domestic flight, and receive individualized permission from DHS before issuing each boarding pass.

But that’s not enough for the TSA.  In a Bloomberg news story that appears to have been planted by the TSA as a trial balloon, the TSA suggests aggregating frequent flyer and identity data, across airlines, for storage by a private contractor and use by the TSA:

PreCheck’s structure makes it difficult to clear passengers on more than one airline, said Douglas Hofsass, the TSA’s assistant administrator for the office of risk-based security….

Some airlines are reluctant to share customer information with competitors, Hofsass said. They’ve indicated they’re willing to work with TSA, he said….

“Technically, we don’t have the ability right now, based on the way the eligibility requirements are transmitted to the individual carrier, the way those individuals opt in and the way those records come into us, to validate those individuals,” Hofsass said.

“We don’t have the ability to cascade that to other carriers when those individuals make reservations,” he said. “It doesn’t mean we don’t have an idea as to how we might solve that.”

The agency needs to turn to a private-industry partner who can … create a database of PreCheck fliers, said U.S. Representative Mike Rogers, who oversees the agency through his Transportation Security subcommittee.

“PreCheck” is the latest incarnation of the TSA’s “registered traveler” (“more surveilled and maybe less-mistrusted traveler”) program, currently open only to those members of airline frequent flyer programs invited to apply based on some secret scoring, according to TSA algorithms, of their frequent flyer profiles.

Frequent flyer data is already included in PNR data pushed to CBP for all international flights, but isn’t included in Secure Flight Passenger Data provided by airlines to TSA for domestic flights.  So if you aren’t known to have traveled abroad, or if you use a passport for international travel and some other ID (or no ID) for domestic flights so your domestic and international travel histories are harder to match, the TSA might not yet have a comprehensive dossier of everything you’ve done that’s linked to your frequent flyer account(s).

To the TSA, any incompleteness in the coverage of its travel panopticon is obviously a security (read: surveillance) loophole that needs to be closed.

Under US law, frequent flyer records are the property of airlines, not travelers, and the airlines are free to “share” them with each other, governments, or other third parties without customer notice or consent.

So there’s no legal barrier to the creation of such a master database of frequent traveler records.

However, if the government maintained a copy of the database, it would be subject to the requirements of the Privacy Act.  So outsourcing hosting of the database to a private aggregator (most likely one of the existing computerized reservation systems or other travel data aggregators and intermediaries) would be the architecture that maximizes the government’s easy access to the data while minimizing legal accountability.