Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Oct 01 2009

Do you need government ID to observe Federal government meetings?

With the public paying more attention ot Federal financial policy, more people might be interested in watching government meetings like those of the Federal Reserve Board.

But what if you don’t have  government-issued identity credentials, or don’t chose to show them? Are you still entitles to observe your tax dollars at work?

We recently came across this 2002 opinion from Office of Legal Counsel of the Department of Justice, advising the the Federal Reserve Board that notwithstanding the open meeting requirements of the Government in the Sunshine Act, the Fed can prevent people from watching its meetings if they don’t give advance notice of their intent to attend, don’t have or won’t reveal their Social Security Number or various other information, or if they don’t have or won’t show a photo ID.

Footnote 4 of the 2002 opinion points out a 1977 DoJ letter that states, “[o]f course, any person may attend a meeting without indicating his identity and/or the person, if any, whom he represents and no requirement of prior notification of intent to observe a meeting may be required.” However, the OLC “disagrees with” that letter.

This took place, ,of course, at a time when the OLC was also advising Federal agencies on the legality of torture, “extraordinary rendition”, and so forth.  But we can find no record of any action by the Obama Administration to rescind or update this advice.

All of which begs the Catch-22 question of what happens to people who want to enter government buildings where ID is required for entry — such as passport offices located in Federal office buildings — in order to apply for the ID credentials they don’t yet have.

Oct 01 2009

Congress, investors won’t let “Trusted Traveler” die

As a hearing yesterday before the Subcommittee on Transportation of the House Homeland Security Committee, Republicans and Democrats joined in urging a re-start of the all-but-bankrupt “Registered Traveler” or “Trusted Traveler” scheme that shut down this June.  Subcommittee members even went to so far as to criticize the TSA for having planned — until members of Congress and a temporary injunction in a customer lawsuit for refunds prevailed on them to hold off — to delete the fingerprints, iris scans, and other personal data collected for use by the TSA and the Registered/Trusted Traveler vendors.  If you think this data should be purged from government files sooner rather than later, let your representative know what you think.

Amazingly, there are even private equity investors who showed up at the hearing to proclaim their readiness to buy some of the assets (including the personal data bank, of course, but not the liability for refunds to no-longer-trusted travelers who now want out) of the largest of the former registered-traveler operator, “Clear” Verified Identity Pass, and to try to bring it back to life.

But the would-be investors made clear that their business model would depend on government support.  The TSA has admitted that the Registered Traveler program has no security value, and stopped conducting, or charging for, background checks on applicants.  That leaves the program as nothing more than a way for members to pay extra to go through a dedicated line at the TSA checkpoint, which is possible only if the TSA allows these private companies to control access to the government checkpoint people have to pass through to travel by common carrier.  Sort of like a government-facilitated scheme to allow you to bribe your way to the front of the line.  Except that it’s more like extortion than bribery, since the point is not to receive government services but to avoid (in part) government restrictions and costs imposed on the exercise of rights.

The government has no business collaborating with this racket, or helping private businesses shake down members of the public who can’t afford the delays imposed by TSA security theater.  “Trusted Traveler” is dead, and the government should leave it in its grave.

Sep 28 2009

Now that Ted Kennedy’s dead, the TSA’s found somebody else in Congress to harass

Senator Edward M. Kennedy (D-MA) used to have constant trouble at airports because a name similar to his was on the TSA’s “no-fly” list.  Even as a senior Senator he couldn’t find out why, and couldn’t get the harassment stopped (which he eventually mentioned publicly during a Senate hearing) for more than three weeks.  For ordinary mortals, “redress” takes months or years, if it ever happens at all.

Now it’s Representative Jason Chaffetz (R-UT) — sponsor of the amendment passed overwhelmingly by the House in June, despite opposition from the leadership of both major parties, to restrict the TSA’s use of virtual strip search (“Whole Body Imaging”) machines at checkpoints in airports — who’s gotten on the TSA’s VIP list for special treatment.

According to reports in the Salt Lake Tribune and Deseret News, frequent-flyer freshman Congressman Chaffetz — who has refused to move to Washington, sleeps on a cot in a back room of his Congressional office during the week, and flies home to Utah to be with his family every weekend — got into trouble at SLC last week after he (1) refused to “consent” to a virtual strip search (“Chaffetz had told the House, “You don’t have to look at my wife and 8-year-old daughter naked to secure an airplane.” He says he didn’t want the TSA looking at him naked either. He told the Deseret News the TSA has not lived up to promises to post signs about what the whole-body imaging machine does”) and then (2) tried to read the name on a TSA agent’s badge (which the agent only showed him after Chaffetz identified himself as a member of Congress, although the TSA agents said they already knew who he was).

Of course, Chaffetz was then “randomly” selected for extra groping (“secondary screening”).  But we’re sure that had nothing to do with his political opinions or attempts to hold the TSA accountable to the laws he helps make.

Sep 28 2009

FBI wants records from travel data aggregators

Ryan Singel of Wired News has reported that documents (see the links to some of them at the end of the Wired story) provided in response to requests under the Freedom of Information Act show that the FBI’s National Security Branch “National Security Analysis Center” (NSAC) has obtained a variety of commercial travel records from hotel chains and franchisers, car rental companies, and the operator of the financial clearinghouse for most airline tickets (and some other travel services) issued or sold by travel agents in the USA.

The numbers of these records Wired reports that the FBI has already obtained are small compared to the numbers of customers these companies have, but Wired also reports that the FBI documents they obtained also show that the FBI is seeking, as part of a lengthy “wish list” of data types and sources, to get greater and perhaps routine and comprehensive access to these travel records.

Given the lax rules for inter-agency data sharing, and the FBI’s lead role in the inter-agency “Terrorist Screening Center” where no-fly decisions enforced by the TSA are made, it’s less important which specific federal agency has or is seeking this data than what information they are after, and from whom.

Read More

Sep 09 2009

More travel records, more exemptions from the Privacy Act

An anonymous traveler has posted the records of their international travel that were provided by the Customs and Border Protection (CBP) division of the Department of Homeland Security, in response to a request under the Privacy act using these forms updated from those used by the Identity Project in our original investigation of the CBP “Automated Targeting System” (ATS).  As noted by philosecurity.org, which published the latest example of the government’s travel data vacuum cleaner, as provided by one of the site’s readers,

The document reveals that the DHS is storing the reader’s:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

There are also the details of a reservation at a hotel the person didn’t end up staying at, but which they had a reservation for when the CBP pulled a snapshot of their PNR from the airline or CRS. Sadly, all this is typical of what’s in a PNR and what we found in our continuing investigation of CBP/DHS travel records.

Meanwhile, even as more travelers are finally getting portions of their travel records, the DHS published a new final rule on August 31, 2009 (74 Federal Register 45070-45072) exempting portions of those records from the Privacy Act. Read More

Aug 27 2009

Of course it’s not a national ID card

Whenever questions are raised about national ID schemes like REAL-ID or PASS-ID, their more public-relations savvy proponents are always quick to say, “But of course this isn’t a national ID card”.  The same goes for L-1 Identity Solutions, the prime drivers license, ID card, and ID and biometric database contractor, aggregator, and data miner for California and the majority of other states (and keynote presenter at ICAO’s upcoming Symposium on Machine Readable Travel Documents next month in Montreal).

So we were interested to see how L-1 describes its products to its customers in this full-page ad on the back cover of the latest issue of ICAO’s Machine Readable Travel Document Report:

But of course, this isn’t a national ID card.

Aug 24 2009

Travelers more worried about TSA than airline safety

Travelers are more concerned about TSA screening than airline safety, according to the results of the first poll conducted by the Consumer Travel Alliance.

“TSA screening” ranked sixth in the survey, with 44.1 percent of respondents saying it was of the highest priority among all possible travel issues (not limited to airlines). “Airline safety” was seventh, with 41.1 percent rating it among the “most important” consumer travel issues.

Congress, are you listening?

Aug 20 2009

“Clear” data temporarily enjoined from sale, but not yet safe

According to news reports today, Verified Identity Pass, Inc., (“VIP”) which operated the defunct Clear traveler registration scheme, has been temporarily enjoined by a Federal court from selling or transferring to any third party any data about its (former) customers.

That doesn’t mean that the personal data about “VIP” travelers — including fingerprints, iris scans, and data about their passage through “Clear” lanes at airports — is safe.  The injunction is only preliminary, and was issued in a case in which Clear customers have sued for refunds.  More importantly, VIP is not (yet) bankrupt and hasn’t yet been sold, although since the shutdown of the Clear service it has no revenue and no way to avoid bankruptcy except through a sale of all or part of its business or assets.

The terms of service and privacy policy for the Clear program contained an explicit provision authorizing the sale or transfer of customer data to another company providing a similar service, as part of a sale of the entire line of business. And if VIP goes bankrupt, the bankruptcy court would still be required to auction the personal data to the highest bidder, unless in the meantime Congress enacts new privacy protection for personal data in bankruptcy cases.

Aug 16 2009

Secure Flight: Frequently Asked Questions

There’s been a lot of confusing (and often confused) reporting recently about the TSA’s so-called “Secure Flight” scheme for surveillance and control of passengers on domestic U.S. airline flights, based on data mining of airline reservations and lifetime travel histories.

If you’re looking for answers, you might start with our FAQ about “Secure Flight”.

Much of the confusion comes from the fact that the TSA’s orders to the airlines to implement “Secure Flight”, setting out which airlines are required to do what, and when, are all contained in secret “Security Directives”.  So we have only the TSA’s press releases — which they have previously told us would “creat[e] public confusion” were the public actually to rely on them, and which have often proven to be lies anyway — as clues to what is really being required.

We do know, however, the essence of what the “Secure Flight” regulations actually require: the shift to a permssion-based system of control of domestic air travelers (similar to the shift already being made for international air travelers under the APIS regulations, and for land border crossings under the WHTI rules), with a default of, “No”.

In addition to the questions in our original our FAQ, recent news reports raise some additional questions worth answering:

  • Was the “Secure Flight” scheme “[b]orn out of recommendations from the 9/11 Commission” (NPR)? No. “Secure Flight” is the latest name for a program originally called “CAPPS-II”, which was conceived almost immediately after 9/11 and well before the 9/11 Commission was even appointed.  More importantly, “Secure Flight” is directly contrary to the recommendation of the 9/11 Commission that, “The burden of proof for retaining a particular governmental power should be on the executive, to explain (a) that the power actually materially enhances security and (b) that there is adequate supervision of the executive’s use of the powers to ensure protection of civil liberties. If the power is granted, there must be adequate guidelines and oversight to properly confine its use…. [There should be a board within the executive branch to oversee adherence to the guidelines we recommend and the commitment the government makes to defend our civil liberties.”
  • Is “Secure Flight” a legal “requirement” (TSA press release)? No. Not only is “Secure Flight” (a) in violation of international treaties to which the U.S. is a party (Article 12 of the ICCPR provides in part that, “Everyone lawfully within the territory of a State shall, within that territory, have the right to liberty of movement”) and (b) the First Amendment to the U.S. Constitution (“Congress shall make no law … abridging … the right of the people peaceably to assemble”), but (c) the TSA has been expressly forbidden by Federal law from implementing “Secure Flight” “on other than a test basis” unless and until the GAO has certified that 10 specific criteria have been met.  The GAO has moved the goalposts set by Congress to certify that most of those criteria have, under clearly distorted interpretations, been met — but not yet all of them.  The assignment to each would-be passenger of a score of “cleared”, “inhibited”, or “not cleared” appears to violate the provision of the same law that, “None of the funds provided in this or any previous appropriations Act may be utilized to develop or test algorithms assigning risk to passengers whose names are not on government watch lists.”  And “Secure Flight” also potentially violates restrictions on data mining. [Update: It appears that the TSA is interpreting the GAO’s statements as constituting the necessary certification, even though the GAO said that “Additional Actions Are Needed”.  According to Business Travel News, “‘There’s nothing more to be tested, and no more approvals we need,’ said program director Paul Leyh…. ‘All it is now is to start the implementation process.'”]
  • Can the TSA or the airline prevent you flying or impose other sanctions as a penalty for non-compliance with “Secure Flight” requirements such as providing my date of birth, gender, etc? No. [Not unless they can successfully claim that the GAO has made the necessary certification, and that “cleared”, “inhibited”, or “not cleared” is not a “risk score”.] The same law that prohibits the TSA from “deployment or implementation, on other than a test basis” of “Secure Flight” also provides that, “During the testing phase … no information gathered from passengers, foreign or domestic air carriers, or reservation systems may be used to screen aviation passengers, or delay or deny boarding to such passengers, except in instances where passenger names are matched to a government watch list.”
Aug 12 2009

Rumors of a new administrator for the TSA

One reason there’s been no change in TSA “policy” under the Obama administration — if you can call it “policy” when there are no rules and the people in charge think their decisions aren’t subject to judicial review —  is that President Obama hasn’t yet appointed an Assistant Secretary of Homeland Security for Transportation Security (a/k/a “TSA Administrator”).  So the TSA is still being run by temprary caretaker holdovers, who are forging ahead with the deployment of several schemes promulgated last year by the previous administration, such as Secure Flight, which would transform domestic air travel into a permission-based surveillance and control system with a default of “No”, and the international APIS and WHTI rules for international travel.

Now there are beginning to be rumors of who Obama may appoint.  We haven’t yet seen any discussion of what (if any) policies the rumored nominee might favor, but perhaps it’s time to remind Senators of the questions for such nominees that we put forward last year, after the elections, as part of our Proposed Agenda on the Right to Travel (PDF) for the Obama Administration and Congress:

Questions for nominees for the DHS and TSA:

“As the nominee for Secretary of Homeland Security or Administrator of the Transportation Security Administration, …

  1. Do you believe that individuals should have a right to travel in the USA? Why or why not?
  2. What substantive (e.g probable cause) and procedural (e.g. due process and judicial review) standards do you believe should apply to actions by or directed by your agency, or other government agencies, that would restrict that right?
  3. Should individuals in the USA be required to have or display government ID in order to travel by common carrier or on public rights-of-way by plane? By train? By bus? By ship or ferry? By private car? On foot? Why or why not?
  4. Should individuals in the USA be required to obtain government permission in order to travel by common carrier or on public rights-of-way by plane? By train? By bus? By ship or ferry? By private car? On foot? Why or why not?
  5. Should US citizens be required to have a passport and/or obtain government permission in order to leave the USA? Why or why not?
  6. Should US citizens be required to have a passport and/or obtain government permission in order to return to the USA from abroad? Why or why not?
  7. Should the government maintain records of the travel or movement of people who are not suspected of a crime or subject to a court order authorizing surveillance and logging of their movements? Why or why not?
  8. Should the government mandate the collection or maintenance by travel companies of records of the travel or movement of people who are not suspected of a crime or subject to a court order authorizing surveillance and logging of their movements? Why or why not?
  9. Should travel companies or other third parties to whom individuals are required by the government to provide personal information be free to use, sell, or “share” that information, or should it be protected by laws? Why or why not?
  10. What do you think should be done with existing government files of travel records about innocent people?

The Senate should also ask whether a TSA nominee is willing to commit the agency to the rule of law, by promising to enforce only those sanctions against travelers prescribed by publicly-promulgated rules, and by ensuring that all TSA snactions against travelers (including , of ocurse, “no-fly” orders), are subject to judicial review.

If you agree that these are the key issues for the TSA, let your Senators and the members of the Committee on Homeland Security know that you want these questions asked and answered before any new head of the TSA is confirmed.