Mar 08 2010

Military spymaster to be nominated for head of the TSA

Testing the waters yesterday, White House sources leaked to Reuters and the Associated Press that President Obama plans to nominate retired Army Major General Robert A. Harding to be the Administrator of the TSA.

Harding’s 30-year career as an army officer was spent moving up through the military “intelligence” ranks, culminating as “DoD’s senior HUMINT [human intelligence] officer.”  In other words, he was the U.S. military’s most senior spymaster. Following his retirement out the military-industrial revolving door (through which he would return if confirmed to head the TSA), he double-dipped by founding a military consulting and contracting company which he sold last year to private equity investors. “Harding Security Associates provides identity intelligence and other security services to the federal government, including doing work for the Department of Defense’s biometric-identification analysis and forensics.”

Many of the TSA’s practical problems and abuses of civil liberties have involved schemes like CAPPS-II (later Secure Flight) that were dreamed up by the NSA and other military intelligence agencies and “experts” unaccustomed to operating within the civilian, domestic U.S. legal regime and ignorant of transportation industry technical infrastructure and business practices. Harding’s autobiography gives no indication that he has any experience whatsoever with civilian or domestic civil liberties, with legal constraints on “intelligence gathering” (spying and surveillance) on civilians or U.S. persons or within the U.S., or with the transportation industry.

If Harding is nominated to head the TSA, his military background and lack of any track record on civilian civil liberties makes it especially critical for Senators to question him closely (we have some suggestions to start that questioning) about his views on the fundamental civil liberties and human rights issues facing the TSA, before any confirmation vote, and to resist any calls for an abbreviated or rushed review of his suitability for the position.

Feb 27 2010

U.S. raising fees for travel credentials and permissions

Under a series of new laws and regulatory proposals, almost everyone traveling internationally to or from the USA — US passport holders, visa-free foreign visitors, and foreigners with visas — would have to pay more in government fees for the required credentials and/or permissions.

This week the U.S. Senate passed the “Travel Promotion Act”, a bill designed to encourage foreigners to visit the USA … by making it more expensive for them to do so.

The money would go for advertising, presumably to try to persuade foreigners that the USA is worth the price and the hassle. This ignores the fact that people around the world already want to visit the USA, and don’t need to be told that. What’s standing in the way of more foreigners spending their money in the USA are the xenophobic rules and procedures that make it so difficult and expensive to get permission to travel to the USA — not lack of desire to take the family on a vacation to Disney World or Las Vegas, or a shopping junket to New York or Miami.

The Travel Promotion Act, previously passed by the House and thus now headed to the White House to be signed into law, will add a US$10 fee (good for an unlimited number of visits in a 2-year period from the date it is paid) to the price of obtaining “pre-approval” to travel to the USA through the “Electronic System for Travel Authorization” (ESTA) .

ESTA pre-approval doesn’t guarantee that you will be admitted to the USA, but is required as a de facto exit visa before the USA considers you authorized to depart from your home country for the USA. No, the USA has no authority to impose an exit permit requirement on departure from other countries, as the Identity Project argued in comments to the DHS when the scheme was proposed, but the legality of the ESTA was never brought up in Congressional debate on the Travel Promotion Act.

ESTA pre-approval is required for all those “intending” to enter the USA without a visa under the “Visa Waiver Program” (VWP). Outside of the VWP, which is limited to a short list of mostly-wealthy most-favored nations, most of them populated mostly by white-skinned people, everyone else except US and Canadian citizens and US permanent residents (green-card holders) needs a visa even to change planes in the USA, which costs a minimum of about US$200 depending on the type of visa.

Those fees for US visas would increase substantially under a pending regulatory proposal from the State Department, which would also increase the fees for issuance or renewal of US passports.

The proposed rule published in the Federal Register earlier this month would increase the total price of a new or renewal US passport from US$100 to US$135. Part of that is an increase in the “Security Surcharge” for each passport to US$40, which presumably reflects the additional cost of including a remotely-readable uniquely-numbered RFID chip in each passport.

The State Department is accepting public comments through 10 March 2010 through the Regulations.gov Web site or by e-mail to fees@state.gov. (You must include the docket number, “RIN 1400-AC58” in the subject line of your e-mail message.) This would be a good chance to tell the Obama Administration that they wouldn’t need the proposed passport fee increase if they reconsidered and rescinded the requirement for RFID chips in passports.

Frequent international travelers with US passports will also get socked. Adding pages to a passport that has filled up with visa and entry and exit stamps, previously free, will now cost US$82. Ouch! That’s particularly unfair to those who requested a passport with extra pages, but didn’t get one, since the passport application form still doesn’t include any place to indicate that you want a thicker passport book (48 or 96 pages instead of the standard 24). If you are submitting comments to the State Department, please include a request that they put check-boxes on the application form to indicate a request for a 48 or 96-page passport.

Interestingly, despite the other ostensibly cost-based fee increases the State Department admits that they are deliberately keeping the cost of a passport card, which has a much longer-range RFID chip than a standard passport book, dramatically below cost, in effect giving travelers a large financial incentive to carry a credential with a longer-range tracking beacon.

And lest Canadians feel left out (they are essentially the only nationality that doesn’t need either a US passport, a US visa, or ESTA pre-approval to travel to the USA, and thus escapes these US fee increases), this week Canada’s Transport Minister announced increases in security fees that will be added to all air tickets for departures from Canadian airports, both domestic and international. Why the higher fees? To pay for more virtual strip-search machines (“body scanners”).

Enjoy your trip, and come back and visit us again soon!

[Comments filed by the Identity Project, Consumer Travel Alliance, Center for Financial Privacy and Human Rights, and John Gilmore, which you can use as a template for your own comments; also available in Open Office .odt and MS-Office .doc formats.]

Feb 25 2010

DHS accomplices face legal liability

The most recently filed lawsuit to result from detention of a would-be traveler at a TSA checkpoint highlights an interesting pattern:

While Federal departments themselves, and their agents in their official capacities, have thus far largely escaped legal liability for interference with travelers’ rights, multiple lawsuits against individuals who have enforced secret DHS directives — including DHS officers in their individual capacities as well as city, state, and tribal police acting as their accomplices and/or at their behest — are moving forward.  Yet at the same time, the DHS continues to use local law enforcement officers to carry out its secret orders, and has in some cases revealed policies directing DHS agents to take a literal “hands-off” attitude themselves, even while calling in local police to enforce what are at root (illegal) Federal orders.

Here’s a round-up of some pending cases across the country, leading up to the latest, with apologies for the sometimes tortured procedural histories which tend to characterize such cases and obscure the real issues: Read More

Feb 23 2010

DHS using ICAO again for policy laundering

News reports about recent diplomatic initiatives by the US Department of Homeland Security suggest that the DHS may once again be using the International Civil Aviation Organization (ICAO) as a vehicle for policy laundering.

In the past, ICAO has been the focus of attention for its role in the imposition of RFID passports and the associated systems of automated monitoring and control of international travel.

Now, the DHS appears to be trying to use ICAO as the vehicle through which to impose its ideas of passenger searching (virtual strip-search machines) and passenger surveillance (pre-flight government access to PNR data and its use in conjunction with identity-linked travel histories and personal profiles for control of who is allowed to fly)  as global norms.

Secretary of Homeland Security Napolitano, accompanied by Asst. Secretary for Policy David Heyman (successor to former NSA and DHS attorney Stewart Baker), has been barnstorming the globe in pursuit of this agenda over the last month.  She met with ICAO officials and their airline industry partners at IATA in Geneva, attended a regional European ministerial meeting on aviation security in Spain which issued a joint statement agreeing to “Promote international co-ordination … through ICAO”, followed by a regional ICAO meeting in Mexico for the Americas and the Caribbean (attended by ICAO’s Secretary General) which declared participating goverments’ commitment to “systematically collaborate within ICAO… with a view to convene both international expert and intergovernmental meetings to agree upon actions in the following fields:”

  • Broaden existing cooperation mechanisms among our countries and with other parties to the Chicago Convention, and the civil aviation industry, for information exchange …
  • Share best practices in a range of areas related to civil aviation, such as … screening and inspection techniques, airport security, behavioral detection, passenger targeting analysis…
  • Utilize modern technologies to detect prohibited materials and to prevent the carriage of such materials on board aircraft.
  • Transmit in a timely manner passengers’ information prior to takeoff to effectively support screening … as well as develop and improve compatible systems for the collection and use of advance passenger information (API) and passenger name record (PNR) information.

In a detailed video news release, Napolitano herself described this as “an unprecedented international initiative” centered on “a series of regional meetings around the globe facilitated by ICAO”:

There were four broad areas for discussion: Information sharing, passenger vetting, technology, and international standards…. Look for announcement in each of these four areas in the weeks ahead.

The agenda and the forum could not be more clear: Unless defenders of civil liberties and human rights mobilize effective opposition, the goal of the US and the DHS is for ICAO to put forward “international standards”, effectuated by national laws on “compliance with standards”, which will mandate virtual strip-search machines (“modern technology”), worldwide government access to PNR data, and government “vetting” (identity-based and permission-based control) of international air travelers.  That is perfectly in line with the 10-year plan of ICAO’s working group on Machine-Readable Travel Documents (MRTD), “MRTD Vision 2020,” as laid out in the latest ICAO MRTD Report.

ICAO is a UN-affiliated intergovernmental organizing most of whose decisions are made in invitation-only working groups. The interests of citizens are supposed to be represented in ICAO decision-making by their national governments, but national delegations to ICAO are invariably drawn from security, surveillance, law enforcement, and aviation regulatory agencies, and have never included representatives of data protection, civil liberties, or human rights authorities.

In effect, ICAO’s decisions reflect the desires of the world’s police.  By enacting national laws requiring “compliance” with ICAO “standards”, national governments can effectively outsource national law-making to those police, while justifying repressive measures (which their own representatives have proposed and championed at ICAO) as being the reult of an extenral, international mandate for which they aren’t responsible. Policy laundering.

ICAO’s importance to the DHS (and its counterparts in Europe and elsewhere) is heightened by the likelihood that, in the wake of the precedent set by its rejection of the SWIFT agreement on financial transaction data sharing with the US government, the European Parliament will reject the similar PNR agreement for travel transaction data sharing with the US government. The DHS had been pressuring the Europarl to fast-track approval of the PNR agreement. With the writing on the wall that the PNR agreement is headed for defeat in the Europarl, the DHS is already making it clear that ICAO standards are their back-door “Plan B” for how to impose a global PNR and identity-based travel sureveillance and control regime.  They are losing in Brussels, so they are trying to shift to more “Big Brother friendly” ICAO forums in Geneva and Montreal.

ICAO draws on invited technical experts from the aviation industry, but unfortunately their interests in surveillance for commercial purposes coincide with those of the police in the same surveillance for political purposes. Airlines and other travel companies are happy to help governments monitor travelers, as long as they get get paid for collecting the data and are allowed to use it themselves too. We’ve heard them tell ICAO so in so many words.

ICAO’s dual secretariats in Montreal and Geneva, and its process in which most decisions have effectively been made before they are presented to rubber-stamp plenaries, makes effective civil society participation difficult without long-term commitment and international cooperation.  A useful model is provided by environmental activists, who have formed a single-issue international NGO coalition for the sole purpose of obtaining accreditation and observer status with ICAO. Despite previous joint appeals to ICAO by an ad hoc international civil liberties coalition, human rights groups haven’t yet formalized their coalition or sought observer status with ICAO, and have had no presence at ICAO meetings or working groups.

If you are interested in working with the Identity Project to get our voices heard at ICAO, please get in touch — before its too late.

Feb 19 2010

Travelport becomes first CRS to claim it complies with EU privacy law

This week Travelport — the holding company that owns two of the big four Computerized Reservation Systems (CRSs) or Global Distribution Systems (GDSs) — announced that it has “certified” that it complies with “Safe Harbor” privacy and data protection principles for companies that want to be eligible to receive transfers to the US of personal data collected in the EU or Switzerland.

As travel industry technology news site Tnooz reports, quoting Identity Project consultant Edward Hasbrouck:

Travelport’s headline on its press release about the issue, “Travelport is First GDS Provider to be Safe Harbor Certified,’ may be true, but can easily be misconstrued because Safe Harbor is a self-certification process.

Privacy expert Edward Hasbrouck, who has written extensively about the issue, notes that what Travelport’s Safe Harbor designation “means is that Travelport has made a formal claim … that Travelport complies with certain Safe Harbor principles. That claim has not been vetted, audited or verified by anyone.”…

“None of the GDS companies comply with EU data protection law, or have made any effort even to pay lip service to it until now,” Hasbrouck says. … Read More

Feb 19 2010

TSA, DHS unresponsive to human rights complaints

After two months, we’ve gotten an initial round of non-responses from the DHS and TSA to our complaint that their procedures for subjecting holders of certain passports to more intrusive search and/or interrogation as a condition of domestic common-carrier air travel violate published TSA civil rights policies, Federal laws, Constitutional rights, and rights guaranteed by international human rights treaties.

The Director of the TSA’s Office of Civil Rights and Liberties refers vaguely and inaccurately to “our letter expressing concerns about recent press reports” (in fact, our letter said nothing about any press reports), but makes no mention of our complaint that specific TSA practices and procedures are illegal, or what if anything any TSA or DHS compliance, oversight, or enforcement office intends to do about it.

The closest they come to engaging with the basis of our complaint is a sentence only a lawyer could love: “Please note that a passport-issuing country is not coextensive with a person’s national origin.”  It remains to be seen what they think is better evidence of national origin than a passport.  Will they issue yet another new travel credential by which someone with a Pakistani passport can establish, for example, that their nation of “origin” is India, and thus that they are not “from” a “country of interest”?  Or vice versa? What are they thinking?

They also completely ignore our mention of international treaties, which are likely to become a growing issue not just for the DHS and TSA but for their counterparts imposing similar restrictions on freedom of movement in other countries, such as mandatory submission to virtual strip searches.

We’ve sent the TSA and DHS a follow-up letter reminding them that we still expect, and are entitled to, a response.

Meanwhile, the DHS has announced similar procedures for more intrusive search and perhaps interrogation of travelers “coming from” a larger list of “countries of interest”.    It’s unclear — since of course the procedures aren’t enforceable rules and are being kept secret, whether “coming from” means having flown directly from, having visited earlier on the same trip, having visited within a specified time period (the life of the current passport?), having ever in one’s life visited, or carrying a passport issued by any of these countries.  These new procedures have prompted a more recent joint complaint similar to ours from a broad coalition of civil rights organizations, as well as separate complaints from some of these groups.

Feb 12 2010

Exporting anti-democracy

As the Winter Olympics open in Vancouver, a Canadian coalition led by the International Civil Liberties Monitoring Group has released a timely Report of the Information Clearinghouse on Border Controls and Infringements to Travellers’ Rights on the human rights issues faced by travellers to, from, and within Canada, based on two years of research and reports submitted to their ongoing monitoring project.

It’s an extremely valuable work of research and reporting, worth reading on its own right and for the comparisons with border controls and infringements to travelers’ rights in the USA.

One thing that stands out clearly in the report is the extent to which these infringements of Canadian travelers’ rights — even those traveling entirely within Canada, or between Canada and countries other than the USA — result from cross-border pressure by the US government, the enforcement by Canadian authorities and airlines of directives from the USA, and the adoption by the Canadian government and travel companies of systems modeled on those of the USA.

There’s an important lesson in the cases studies in the report and on the project website for Canadians and citizens of other countries: This is where your civil liberties end up when you allow the dicta of “homeland security” for the USA to override your own national principles and international commitments to human rights.

Let us all learn from this example not to make the new travel surveillance and control norms of the USA the new norms of the world.

Feb 11 2010

European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data

Today the European Parliament voted 378 to 196 to reject an “agreement” negotiated between the Council of the European Union and the US Department of Homeland Security which would have created a new extrajudicial basis for the DHS to obtain records of bank transfers and payments made via the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Understanding today’s EP vote and its significance requires first an explanation of the EU decision-making process for US readers, and then an explanation of some of the parallels between SWIFT and US-based Computerized Reservation Systems (CRSs):

Read More

Feb 08 2010

DHS exempts dossiers used for “targeting” from the Privacy Act

In a final rule published last week at 75 Federal Register 5487-5481, the Customs and Border Protection (CBP) division of the Department of Homeland Security has exempted most of the data used by the illegal “Automated Targeting System – Passenger” (ATS-P) from the various requirements of the Privacy Act that information used to make decisions about individuals must be accessible to them on request, accurate, relevant, collected directly from the data subjects whenever possible, and so forth.

The proposal to exempt ATS records from the Privacy Act has been pending for more than two years. In the final rule, the Obama administration adopts, with no changes whatsoever, all of the exemptions proposed by the DHS under the previous administration.  The analysis accompanying the final rule acknowledges, but dismisses more or less out of hand, our comments from two years ago objecting to the proposed exemptions as illegal.  (These followed two sets of comments we filed in 2006, when the ATS itself was first disclosed, objecting to the entire system as illegal.)

On the same day last week, the DHS published a separate final rule similarly exempting from the Privacy Act portions of the “Border Crossing Information” (BCI) system, a log of each person’s entries to and exits from the U.S. which was first disclosed as a part of ATS before being declared a separate system of records. The final BCI exemption rule similarly adopted all of the proposals the previous administration has proposed in 2008, and dismissed our objections to its illegality out of hand.

You can still request your own ATS and other travel records from the DHS.  Even if the newly-promulgated exemptions are upheld, they leave you entitled to substantial portions of your ATS dossier.  We are continuing to pursue our own pending Privacy Act requests and appeals, some of which are themselves more than two years old and all of which were made before the new exemptions were finalized and thus are not subject to the “exemptions”.

The Privacy Act gives agencies the authority to exempt certain types of information, by rulemaking, from certain of the requirements of the Privacy Act.  The rules published last week are, however, the first time that the DHS has attempted to  exercise this authority with request to ATS records.

In the meantime, the CBP has simply ignored the Privacy Act and its lack of exemptions entirely: Every response we have seen to a request pursuant to the Privacy Act for PNR or other ATS data has been processed by the CBP under the Freedom of Information Act (FOIA) instead of the Privacy Act.  Information exempt from disclosure under FOIA has been withheld or redacted, citing specific FOIA exemptions, even when that same information was required by the Privacy Act to be disclosed. This has been in flagrant violation of the Privacy Act, which has different disclosure requirements and exemptions which only partially overlap with those of FOIA. So far as we know, however, CBP and DHS have never responded to a Privacy Act appeal of these wihtholdings and redactions at all — some of our Privacy Act appeals are more than two years old — and while there have been several lawsuits under FOIA concerning ATS data, there have been none yet under the Privacy Act.

Our primary objection is to the very existence of a system under which the government requires common carriers to identify each would-be traveler and get the government’s permission (“clearance”) before they can travel.  Such a scheme is made far worse, however, when those “fly/no-fly” or “cleared/inhibited/not cleared” decisions are made not only in secret by unknown bureaucrats, not judges, and on the basis of secret files about each citizen.

The new exemptions, applicable to future requests for ATS records, are sweeping.  But we are particularly disturbed that the exemption rules purport to authorize the DHS to collect and use an entirely undefined and open-ended category of commercial data obtained from airlines as part of their Passenger Name Records (PNR), and withhold that commercial data, on grounds of “business confidentiality”, from the would-be travelers against whom it is used.

That exemption for commercial data in PNRs creates a limitless loophole through which the DHS could secretly make use, in passenger profiling and “targeting” decisions, of commercial data of any sort.  As long as it is channeled to the DHS through inclusion in PNRs (which as commercial records are themselves subject to no U.S. privacy or disclosure requirements at all), the DHS could base passenger “targeting” decisions on derogatory free-text remarks by customer service representatives, commercial blacklists, credit scores, or records or ratings by data aggregators.  But those are not legal grounds to prevent travel by common carrier.

Feb 04 2010

“No scan, no fly.” What can a would-be traveler do?

With some British airports introducing “No scan, No fly” policies, we’ve been seeing renewed questions about what you can do if a government agency or agent, airline, or private third party won’t let you into or through an airport or onto a flight on a common carrier.

A would-be traveler holding a valid ticket and complying with the conditions of the airline’s published tariff, but denied passage by the airline, could bring a civil lawsuit for breach of contract, and possibly seek enforcement action against the airline for failing to comply with its obligation (under the terms of its tariff, operating license, applicable national laws, and the treaties pursuant to which it is authorized to operate international flights) to operate as a “common carrier” and transport all would-be passengers complying with its tariff.

Government action to deny passage to such a person for refusal to “consent’ to a virtual strip-search would violate Article 12 of the International Covenant on Civil and Political Rights, which as interpreted (pursuant to the treaty itself) by the U.N. Human Rights Committee, allows only such administrative rules that burden free movement as can be shown to be “necessary” for national security (i.e. actually effective, and more effective than any less restrictive alternative). The fact that a rule is intended to protect national security is, quite properly and explicitly, not sufficient, since most such rules restrictive of human rights (old South African passbook laws, etc.) have been justified on grounds of national security and counter-terrorism.

The UK and the USA have both signed and ratified the ICCPR, the US with explicit reservations that it is not “self effectuating”. That make it difficult to raise in a US court unless and until Congress passes a law creating a Federal civil cause of action, with a right of private action, against violators of the ICCPR. (This should be high on the agenda of any US administration desirous of showing that the US holds itself accountable to international human rights law). We don’t know whether there is any history of cases brought under the ICCPR in UK courts. If any is familiar with UK case law or precedent for invocation of the ICCPR, please tell us about it in a comment.

In addition, Optional Protocol #1 to the ICCPR creates a private right for any individual to bring a complaint to the U.N. Human Rights Committee against any state that is a party to the Optional Protocol.

Unfortunately, neither the USA nor the UK are among those that has ratified Optional Protocol #1 to the ICCPR. Thirty-five nations have ratified that protocol, however, and anyone denied passage by agencies or agents or state action of any of those governments (including inter alia Mexico, Australia, New Zealand, and most European Union members other than the UK) could bring such a complaint to the U.N. That remedy would seem to be available for denial of passage on the basis of any rule that doesn’t meet the test of necessity, including not just mandatory submission to body scanners but also extra-judicial no-fly orders or inability to present government-issued credentials.

[Update: the U.K. Department of Transport Interim Code of Practice for the Acceptable Use of Advanced Imaging Technology (Body Scanners) in an Aviation Security Environment contains an explicit, “No Scan, No Fly” provision:  “All passengers selected for screening by a body scanner must be scanned. If a passenger declines to be scanned that passenger must be refused access to the Restricted Zone, with the result that the passenger will not be able to fly. Information should be adequate, clear and provided ideally before ticket purchase.”  Since some people have already purchased tickets for travel as much as a year in the future, that would require at least a year’s delay, after notice begins to be provided by every one of the hundreds of thousands of travel agencies around the world.  More importantly, the new “Code of Practice for Body Scanners” appears to violate U.K. obligations under the ICCPR as well as potentially those respecting “common carriers” under international aviation treaties.]