Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Feb 06 2012

Yet another US citizen denied their right of return

In the latest variation on what has become a depressingly-familiar theme, US citizen Jamal Tarhuni was denied boarding on a flight home to the USA last month, apparently because while he was abroad the US government put him on the list of those people it has secretly ordered airlines not to transport.

Mr. Tarhuni had been working in Libya for a nonprofit relief agency.  He is now trapped in Tunisia, separated from his home and family in the USA, as he discusses in this Skype video interview.

My Tarhuni’s de facto banishment from the USA is especially disturbing in light of reports that before being naturalized as a US citizen he was granted asylum in the USA in the ’70s. While conditions may  have changed, a grant of asylum means that Mr. Tarhuni has already established, to the satisfaction of US authorities, that he had a well-founded fear of persecution if he were forced to return to the country of his original citizenship. That makes it, we think, especially critical that the US allow him to return home before his permission to remain in Tunisia expires and he risks being deported to some other country of non-refuge.

It’s one more case for the UN Human Rights Committee to ask questions about when it conducts its next review of US (non)compliance with the International Covenant on Civil and Political Rights: “Everyone has the right to leave any country, including his own, and to return to his country.”

[Update: Jamal Tarhuni is not alone. MSNBC reports that another US citizen, Mustafa Elogbi, is also trapped in Libya after being denied passage on a connecting flight from London to the US, and returned to Libya, where his flights has originated (not the country of his citizenship, the USA) after being detained and interrogated in London.  “Elogbi and Tarhuni have booked new tickets and are scheduled to board a flight back to the United States on Feb. 13, arriving in Portland on Feb. 14. Their Portland attorney Tom Nelson is traveling to the region so he can accompany them on the flight. The two men do not know whether they are included on the U.S. government’s secret no-fly list. As per government security policy, the FBI will not confirm or deny it. … Thus they do not know if they will be prevented from boarding in Tunis, or in Paris or Amsterdam, where they change planes.”]

Feb 06 2012

KLM wants you to make the DHS your friend on Facebook

Getting the jump on airline “social seating” startups like SeatID.com, KLM launched a new Meet & Seat service last Friday that allows passengers on certain flights (including some to and from the USA) to make portions of their Facebook and /or LinkedIn profiles available for viewing by fellow passengers — who, presumably, might want to use that profile data to determine whether to sit (or avoid sitting) near a friend, enemy, target of identity theft, someone on whom they want to eavesdrop, someone they are stalking, or someone matching other criteria.

There’s no mention in the terms and conditions for the “Meet & Seat” service of what data is actually imported into KLM’s systems, or where it is stored.

We asked KLM’s US-based publicists about this on Friday when we got the launch announcement. They first referred us to this webpage (which doesn’t mention privacy or data protection or answer our questions), then bounced our query to the p.r. department at their corporate headquarters in Amsterdam. They didn’t respond to our e-mail messages or answer their phone today.

Specifically, we asked KLM:

Does a passenger provide their password to KLM to retrieve info from their Facebook or LinkedIn profile, or authorize KLM to do so as a Facebook app? What’s actually stored by KLM (Facebook user ID? password? authorization code for the app? data retrieved from Facebook), and where (e.g. in the PNR or departure control system)?

The problem is that any data stored in the PNR for a flight to or from the USA is sent to the DHS and included in the passenger’s permanent secret dossier in the DHS Automated Targeting System, for use whenever they travel to or from the USA in the future and for many other purposes. When would-be visitors have already been denied entry to the US based on jokes posted on Twitter, is that what you want to “opt in” to?

PNRs for all KLM flights — not just those to or from the USA — can be retrieved by offices in the USA of KLM, its codeshare partners, and the computerized reservation systems that host those PNRs.

US laws would allow the DHS, FBI, and/or other Federal agencies to require those US offices to retrieve this data, hand it over to the US government, and keep the fact that they had done so secret. KLM has previously claimed, in response to requests for records of whether this has happened, that netiher KLm nor its primary PNR hosting provider Amadeus keep any logs of access to this data, and that it has no agreements with its agents and codeshare partners requiring them to keep such records or to provide them KLM.

If KLM is storing Facebook or LinkedIn data in its departure control system, it won’t automatically be pushed to the DHS, but it will still be retrievable by the US offices of KLM, its codeshare partners, and its ground handling agents — and hence by the DHS and FBI.

It’s theoretically possible that none of this data is stored in PNRs or the DCS, but only in a separate database not accessible from the US.  Unlikely, we suspect, but possible. If so, KLM should say so, and make that an explicit contractual commitment.

Otherwise, anyone who uses “Meet & Seat” may find that whatever information you “share” with fellow passengers is also shared with the DHS, and your ATS file is permanently linked to your Facebook ID even if you later opt out of the KLM social seating service.

If anyone uses KLM’s “Meet & Seat” and subsequently requests their records from KLM under Dutch data protection law, please let us know (in the comments or privately) what you find out. We’ll be happy to help you try to decipher any response from KLM or its agents or contractors.

[Update: Three days after we published this story, KLM responded to our questions that KLM’s “Meet & Seat” is “authorised as a Facebook or LinkedIn app…. No passwords are stored [in the PNR or the Departure Control System], but the basic data that is imported from the Facebook or LinkedIn profile (name, picture, school, company etc.) will be stored by KLM in a separate, secure database. If the passenger wants to update these details, he has to provide his LinkedIn or Facebook details again. The profile details will be deleted automatically 2 days after the last flight in your reservation has been flown. Nothing is stored in the PNR or DCS.”  We’re seeking further clarification as to where this “separate, secure” database is stored, to whom and from where it is accessible, and what privacy and data protection rules and policies it is subject to. And we remain interested in hearing from anyone who has obtained a copy of their KLM “Meet & Seat” records in response to a request under Dutch or other data protection law.]

[Further update from KLM: “Part of our security is not to tell everybody where we store private information.” That appears to violate EU and Dutch data protection rules requiring disclosure of  (1) by whom personal data is processed and (2) to what other countries it is transferred. We’ve asked KLM about this, but haven’t heard back yet.]

Feb 06 2012

State Dept. finalizes passport fee increases, continues to ignore human rights complaints

On February 2, 2012, the State Department published a final rule in the Federal Register setting fees for issuance and renewal of U.S. passports and related consular services.

Contrary to some press reports, this rule didn’t actually increase the current fees. It merely “finalizes” the fee increases that have already been in effect for the last 18 months since the publication of an interim final rule (don’t you love that bureaucratic doublespeak?) in June, 2010.

What’s noteworthy about the “final rule” is that while it purports to include an updated analysis of the public comments on the fee increases, it continues to ignore our complaints that these fees, and the process by which they were adopted, violate both U.S. treaty obligations related to freedom of movement as a human right, and Federal law that requires an assessment of their economic impact on freelancers and other self-employed individuals.

We filed our complaint in the State Department’s designated docket, but also submitted it directly to the Secretary of State with a request that it be forwarded to the State Department’s designated “single point of contact” responsible for insuring that complaints of human rights treaty violations are responded to.

Our complaint of human rights treaty violations isn’t mentioned in the State Department’s analyses of public comments, and we’ve received no acknowledge or response from the Secretary’s office or anyone else at the Department.  Our FOIA request and appeal for records of who the Secretary of State has designated as responsible for responding to such complaints, and what (if anything) they have done with ours, has been pending without even a partial response since July 2011.

Jan 27 2012

Retroactive Privacy Act exemptions could cost a US citizen his life

In his ruling this week in Hasbrouck v. CBP, Judge Seeborg of the US. District Court for the Northern District of California suggested that US citizens have no “rights” that would be prejudiced by applying newly-issued Privacy Act exemption rules to previously-made requests for government records.

But a parallel case currently before the U.S. District Court in DC shows how retroactive application of Privacy Act exemptions can be a potentially life-or-death issue.

Sharif Mobley is a native-born U.S. citizen who was living in Yemen with his wife (also a US citizen) and their two infant children when he was shot and seized by agents of the Yemeni government in January 2010, and taken to a Yemeni hospital in police custody.  He’s been in a Yemeni prison ever since, and needs US government records to defend himself against capital charges.

Read More

Jan 24 2012

First rulings in our lawsuit over DHS travel records

U.S. District Court Judge Richard Seeborg has issued his first rulings in Hasbrouck v. CBP, our lawsuit seeking information from and about DHS records of the travels of individual US citizens.

Judge Seeborg granted some of the government’s motions for summary judgment and some of ours, ordered US Customs and Border Protection (CBP) to conduct further searches and disclose any non-exempt responsive records they find, and ordered the parties to confer on the remaining unresolved issues.

We’re still studying the order, which we received notice of late yesterday. But here are some key aspects of the ruling — including some issues of first impression for any Federal court — and some issues it raises:

Read More

Jan 12 2012

What’s it like to be labeled an “armed and dangerous terrorist”?

We’ve written before about the case of Julia Shearson, a US citizen who was detained in handcuffs at gunpoint, and separated from her four-year-old daughter, when she tried to re-enter the US by land after a weekend holiday in Canada.

The DHS has admitted that they had improperly flagged her as a “suspected terrorist” on the terrorist watch list and in the (illegal) travel records system that later came to be known as the Automated Targeting System, but to this day — despite her ongoing Privacy act and FOIA lawsuit — Ms. Shearson doesn’t know why.

We urge anyone who wants to know what it’s like to be caught up in the post-9/11 dragnet to listen to this talk given by Ms. Shearson at an event last month in San Francisco, and this video also shown at that event.

Jan 12 2012

US report on human rights ignores complaints

On December 30th, 2011, the US government filed its latest report (and appendices; also here in PDF format) to the United Nations Human Rights Committee (UNHRC) concerning US implementation of, and compliance with, the International Covenant on Civil and Political Rights (ICCPR).

The ICCPR is one of the most important human rights treaties to which the US is a party. By the terms of the ICCPR, each party to the treaty, including the US, is required to report to the UNHCR, every five years, on its implementation of, and compliance with, its obligations under the treaty.  Following each such self-report by a national government, the UNHCR has the opportunity to pose questions both in writing and during a face-to-face hearing concerning the report and other issues of treaty compliance by that government. The UNHCR also meets with, and receives “shadow” reports (such as these regarding the previous US report) from, non-governmental organizations with concerns about the government’s self-reporting or other treaty compliance issues concerning that country.

Since the US doesn’t recognize the jurisdiction of most other international human rights tribunals, the UNHCR is one of the only independent bodies empowered to cross-examine the US government and demand answers to questions about its actions and its compliance with international law.

The fourth US report concerning the ICCPR filed in December 2011 was due a year earlier, in 2010. The UNHCR will schedule its review and response to the US report for one of its future sessions in Geneva or New York, perhaps in late 2012 or sometime in 2013.

What’s most notable about the latest US report is how much goes unmentioned, even with respect to topics raised in the previous US report. There’s no substantial discussion, for example, of the comprehensive system of control and surveillance of travelers that has been set up by the DHS, or of whether it complies with the standards established by the UNHCR for government actions which restrict the right to freedom of movement guaranteed by Article 12 of the ICCPR. We’ll be raising that issue in detail, of course, in our shadow report to the UNHCR, as we have in our previous complaints to the DHS and the Department of State. Read More

Jan 03 2012

The EU-US PNR Agreement — A Legal Analysis of Its Failures

[The following complete article (27 pages) or a summary of the key points (3 pages) can be downloaded in PDF format. Additional analyses and critiques of the proposed EU-US PNR agreement have been published by, among others, the Identity Project, the Electronic Frontier Foundation, and a coalition of US and EU NGOs.]

FROM THE DESK OF BARRY STEINHARDT

Chair, Friends of Privacy USA
Bsteinhardt@friendsofprivacy.us
December 26, 2011

Introduction

The proposed agreement regarding Passenger Name Records (PNR) between the United States and the European Union is riddled with faulty assertions and assumptions about US law and the actual operations of the US Government.

These faulty assertions and assumptions go to the heart of the agreement and undercut the claims of protections for European travelers.

As an American lawyer with substantial experience on the PNR and related issues, I want to set the record straight for the European officials who must act on the proposed agreement.

This memo highlights the most serious of those faulty claims and assumptions.

In summary:

  1. The Agreement does not apply to the agency – the Terrorist Screening Center – which actually decides which travelers will be subject to the No Fly rules.
  2. The US Laws cited in the agreement as offering protections to European travelers actually provide very little benefit or are completely irrelevant to the international transfer of PNR data;
  3. Europeans cannot, as the agreement suggests, obtain independent and adequate relief from unlawful actions by the US Executive Branch (USG) by appealing those decisions under the Administrative Procedure Act (the APA).There are virtually insurmountable substantive and procedural hurdles to the use of the APA in “appealing” decisions of the Department of Homeland Security (DHS).Of greatest importance, most of the relevant actions taken pursuant to the agreement will not qualify as a “Final Order” that can be appealed under the APA;
  4. Beyond that the APA is of little use to travelers who want to challenge the centrally important actions taken by the Terrorist Screening Center (TSC) of the Department of Justice (DOJ).The Agreement is focused on the TSA’s screening of air passengers. It gives short shrift to and offers very little protection from the Automated Targeting System (ATS) operated by Customs and Border Protection (CBP) which is a wholly separate branch of DHS.It is CBP – not the TSA – that use the ATS to decide how Europeans will be treated when they enter exit the US;
  5. There are substantial uncertainties about which, if any, court would be empowered to hear an “appeal” and which agencies would need to be sued. Complex jurisdictional rules regarding APA appeals and transportation security issues throw air passengers into a procedural thicket from which they may never escape;
  6. The DHS Chief Privacy Officer has neither the independence nor the authority claimed in the Agreement. Nor does the CPO of the Justice Department whose jurisdiction includes the TSC, and;
  7. The Agreement does not cover the USG’s uses of private commercial data e.g. data obtained from the Computer Reservation Services (CRS) and the USG has wide power under the Patriot Act and related law to obtain data them.

Read More

Dec 07 2011

Civil liberties principles for border policy

In anticipation of the announcement today of new, secretly-negotiated plans for a “North American Security Perimeter” agreement between the US and Canada, Privacy International, the American Civil Liberties Union, the Canadian Civil Liberties Association, and a coalition of other Canadian organizations have released a joint statement of the core civil liberties and human rights principles that ought to apply to any such agreement.

We strongly endorse this statement, and commend it to the attention not just of Canadian and US politicians, activists, and public citizens but also to people in Europe and elsewhere concerned with US efforts to internationalize and globalize the Homeland Security state and “War on Terror”. (It’s clear, for example, that the proposed European Union-US agreement on DHS access to PNR data, and current procedures for “no-fly” decisions related to flights to and from the EU, would not meet these criteria.)

In contrast to previous commentary on the surveillance and control of cross-border travel as solely a “privacy” issue, the core legal principles in the PI/ACLU/CCLA statement include both the substantive right to freedom of movement as protected by the International Covenant on Civil and Political Rights (ICCPR, Article 12) and the U.S. Constitution, and the procedural right to due process not just in how travel data is handled (“data protection”) but with respect to any decision impinging on the right to travel or imposing other ill effects.

Those interested in civil liberties and privacy protection in the particular context of USA-Canada cross-border travel should also see the Canadian Privacy Commissioner’s audit report on Privacy and Aviation Security: An Examination of the Canadian Air Transport Security Authority (November 7, 2011) and statement regarding Fundamental Privacy Rights within a Shared Vision for Perimeter Security and Economic Competitiveness (July 7, 2011).

Dec 05 2011

Open letter to Members of the European Parliament on EU-US PNR agreement

The Identity Project joins 20 other nonprofit, nongovernmental organizations from Europe and the USA in a joint letter being sent today to Members of the European Parliament (MEPs) to inform them about the real facts of the proposed EU-US agreement on U.S. DHS access to PNR (travel reservation) data from the EU, and to ask that MEPs reject the proposed and highly controversial agreement.

Press release: Concerned NGOs send letter to inform Members of the European Parliament about the EU-USA Agreement on Passenger Name Records.

German version of press release: VIBE!AT und NoPNR.org senden offenen Brief an EU Parlamentarier um sie über das Fluggastdatenabkommen mit den USA zu informieren.

Text of letter (letter in PDF format):

Information on the upcoming vote on the EU-USA PNR Agreement

Dear MEP,

Soon you will be deciding on the EU-US agreement on passenger name records (PNR).

Since there is confusing information on this agreement, there are a few things we would like to clarify.

Please consider the following issues for your decision on the EU-US PNR Agreement:

Read More