Papers, Please!

The Identity Project

Author Archives: Edward Hasbrouck

Sep 28 2009

FBI wants records from travel data aggregators

Ryan Singel of Wired News has reported that documents (see the links to some of them at the end of the Wired story) provided in response to requests under the Freedom of Information Act show that the FBI’s National Security Branch “National Security Analysis Center” (NSAC) has obtained a variety of commercial travel records from hotel chains and franchisers, car rental companies, and the operator of the financial clearinghouse for most airline tickets (and some other travel services) issued or sold by travel agents in the USA.

The numbers of these records Wired reports that the FBI has already obtained are small compared to the numbers of customers these companies have, but Wired also reports that the FBI documents they obtained also show that the FBI is seeking, as part of a lengthy “wish list” of data types and sources, to get greater and perhaps routine and comprehensive access to these travel records.

Given the lax rules for inter-agency data sharing, and the FBI’s lead role in the inter-agency “Terrorist Screening Center” where no-fly decisions enforced by the TSA are made, it’s less important which specific federal agency has or is seeking this data than what information they are after, and from whom.

Read More

Sep 09 2009

More travel records, more exemptions from the Privacy Act

An anonymous traveler has posted the records of their international travel that were provided by the Customs and Border Protection (CBP) division of the Department of Homeland Security, in response to a request under the Privacy act using these forms updated from those used by the Identity Project in our original investigation of the CBP “Automated Targeting System” (ATS).  As noted by philosecurity.org, which published the latest example of the government’s travel data vacuum cleaner, as provided by one of the site’s readers,

The document reveals that the DHS is storing the reader’s:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

There are also the details of a reservation at a hotel the person didn’t end up staying at, but which they had a reservation for when the CBP pulled a snapshot of their PNR from the airline or CRS. Sadly, all this is typical of what’s in a PNR and what we found in our continuing investigation of CBP/DHS travel records.

Meanwhile, even as more travelers are finally getting portions of their travel records, the DHS published a new final rule on August 31, 2009 (74 Federal Register 45070-45072) exempting portions of those records from the Privacy Act. Read More

Aug 27 2009

Of course it’s not a national ID card

Whenever questions are raised about national ID schemes like REAL-ID or PASS-ID, their more public-relations savvy proponents are always quick to say, “But of course this isn’t a national ID card”.  The same goes for L-1 Identity Solutions, the prime drivers license, ID card, and ID and biometric database contractor, aggregator, and data miner for California and the majority of other states (and keynote presenter at ICAO’s upcoming Symposium on Machine Readable Travel Documents next month in Montreal).

So we were interested to see how L-1 describes its products to its customers in this full-page ad on the back cover of the latest issue of ICAO’s Machine Readable Travel Document Report:

But of course, this isn’t a national ID card.

Aug 24 2009

Travelers more worried about TSA than airline safety

Travelers are more concerned about TSA screening than airline safety, according to the results of the first poll conducted by the Consumer Travel Alliance.

“TSA screening” ranked sixth in the survey, with 44.1 percent of respondents saying it was of the highest priority among all possible travel issues (not limited to airlines). “Airline safety” was seventh, with 41.1 percent rating it among the “most important” consumer travel issues.

Congress, are you listening?

Aug 20 2009

“Clear” data temporarily enjoined from sale, but not yet safe

According to news reports today, Verified Identity Pass, Inc., (“VIP”) which operated the defunct Clear traveler registration scheme, has been temporarily enjoined by a Federal court from selling or transferring to any third party any data about its (former) customers.

That doesn’t mean that the personal data about “VIP” travelers — including fingerprints, iris scans, and data about their passage through “Clear” lanes at airports — is safe.  The injunction is only preliminary, and was issued in a case in which Clear customers have sued for refunds.  More importantly, VIP is not (yet) bankrupt and hasn’t yet been sold, although since the shutdown of the Clear service it has no revenue and no way to avoid bankruptcy except through a sale of all or part of its business or assets.

The terms of service and privacy policy for the Clear program contained an explicit provision authorizing the sale or transfer of customer data to another company providing a similar service, as part of a sale of the entire line of business. And if VIP goes bankrupt, the bankruptcy court would still be required to auction the personal data to the highest bidder, unless in the meantime Congress enacts new privacy protection for personal data in bankruptcy cases.

Aug 16 2009

Secure Flight: Frequently Asked Questions

There’s been a lot of confusing (and often confused) reporting recently about the TSA’s so-called “Secure Flight” scheme for surveillance and control of passengers on domestic U.S. airline flights, based on data mining of airline reservations and lifetime travel histories.

If you’re looking for answers, you might start with our FAQ about “Secure Flight”.

Much of the confusion comes from the fact that the TSA’s orders to the airlines to implement “Secure Flight”, setting out which airlines are required to do what, and when, are all contained in secret “Security Directives”.  So we have only the TSA’s press releases — which they have previously told us would “creat[e] public confusion” were the public actually to rely on them, and which have often proven to be lies anyway — as clues to what is really being required.

We do know, however, the essence of what the “Secure Flight” regulations actually require: the shift to a permssion-based system of control of domestic air travelers (similar to the shift already being made for international air travelers under the APIS regulations, and for land border crossings under the WHTI rules), with a default of, “No”.

In addition to the questions in our original our FAQ, recent news reports raise some additional questions worth answering:

  • Was the “Secure Flight” scheme “[b]orn out of recommendations from the 9/11 Commission” (NPR)? No. “Secure Flight” is the latest name for a program originally called “CAPPS-II”, which was conceived almost immediately after 9/11 and well before the 9/11 Commission was even appointed.  More importantly, “Secure Flight” is directly contrary to the recommendation of the 9/11 Commission that, “The burden of proof for retaining a particular governmental power should be on the executive, to explain (a) that the power actually materially enhances security and (b) that there is adequate supervision of the executive’s use of the powers to ensure protection of civil liberties. If the power is granted, there must be adequate guidelines and oversight to properly confine its use…. [There should be a board within the executive branch to oversee adherence to the guidelines we recommend and the commitment the government makes to defend our civil liberties.”
  • Is “Secure Flight” a legal “requirement” (TSA press release)? No. Not only is “Secure Flight” (a) in violation of international treaties to which the U.S. is a party (Article 12 of the ICCPR provides in part that, “Everyone lawfully within the territory of a State shall, within that territory, have the right to liberty of movement”) and (b) the First Amendment to the U.S. Constitution (“Congress shall make no law … abridging … the right of the people peaceably to assemble”), but (c) the TSA has been expressly forbidden by Federal law from implementing “Secure Flight” “on other than a test basis” unless and until the GAO has certified that 10 specific criteria have been met.  The GAO has moved the goalposts set by Congress to certify that most of those criteria have, under clearly distorted interpretations, been met — but not yet all of them.  The assignment to each would-be passenger of a score of “cleared”, “inhibited”, or “not cleared” appears to violate the provision of the same law that, “None of the funds provided in this or any previous appropriations Act may be utilized to develop or test algorithms assigning risk to passengers whose names are not on government watch lists.”  And “Secure Flight” also potentially violates restrictions on data mining. [Update: It appears that the TSA is interpreting the GAO’s statements as constituting the necessary certification, even though the GAO said that “Additional Actions Are Needed”.  According to Business Travel News, “‘There’s nothing more to be tested, and no more approvals we need,’ said program director Paul Leyh…. ‘All it is now is to start the implementation process.'”]
  • Can the TSA or the airline prevent you flying or impose other sanctions as a penalty for non-compliance with “Secure Flight” requirements such as providing my date of birth, gender, etc? No. [Not unless they can successfully claim that the GAO has made the necessary certification, and that “cleared”, “inhibited”, or “not cleared” is not a “risk score”.] The same law that prohibits the TSA from “deployment or implementation, on other than a test basis” of “Secure Flight” also provides that, “During the testing phase … no information gathered from passengers, foreign or domestic air carriers, or reservation systems may be used to screen aviation passengers, or delay or deny boarding to such passengers, except in instances where passenger names are matched to a government watch list.”
Aug 12 2009

Rumors of a new administrator for the TSA

One reason there’s been no change in TSA “policy” under the Obama administration — if you can call it “policy” when there are no rules and the people in charge think their decisions aren’t subject to judicial review —  is that President Obama hasn’t yet appointed an Assistant Secretary of Homeland Security for Transportation Security (a/k/a “TSA Administrator”).  So the TSA is still being run by temprary caretaker holdovers, who are forging ahead with the deployment of several schemes promulgated last year by the previous administration, such as Secure Flight, which would transform domestic air travel into a permission-based surveillance and control system with a default of “No”, and the international APIS and WHTI rules for international travel.

Now there are beginning to be rumors of who Obama may appoint.  We haven’t yet seen any discussion of what (if any) policies the rumored nominee might favor, but perhaps it’s time to remind Senators of the questions for such nominees that we put forward last year, after the elections, as part of our Proposed Agenda on the Right to Travel (PDF) for the Obama Administration and Congress:

Questions for nominees for the DHS and TSA:

“As the nominee for Secretary of Homeland Security or Administrator of the Transportation Security Administration, …

  1. Do you believe that individuals should have a right to travel in the USA? Why or why not?
  2. What substantive (e.g probable cause) and procedural (e.g. due process and judicial review) standards do you believe should apply to actions by or directed by your agency, or other government agencies, that would restrict that right?
  3. Should individuals in the USA be required to have or display government ID in order to travel by common carrier or on public rights-of-way by plane? By train? By bus? By ship or ferry? By private car? On foot? Why or why not?
  4. Should individuals in the USA be required to obtain government permission in order to travel by common carrier or on public rights-of-way by plane? By train? By bus? By ship or ferry? By private car? On foot? Why or why not?
  5. Should US citizens be required to have a passport and/or obtain government permission in order to leave the USA? Why or why not?
  6. Should US citizens be required to have a passport and/or obtain government permission in order to return to the USA from abroad? Why or why not?
  7. Should the government maintain records of the travel or movement of people who are not suspected of a crime or subject to a court order authorizing surveillance and logging of their movements? Why or why not?
  8. Should the government mandate the collection or maintenance by travel companies of records of the travel or movement of people who are not suspected of a crime or subject to a court order authorizing surveillance and logging of their movements? Why or why not?
  9. Should travel companies or other third parties to whom individuals are required by the government to provide personal information be free to use, sell, or “share” that information, or should it be protected by laws? Why or why not?
  10. What do you think should be done with existing government files of travel records about innocent people?

The Senate should also ask whether a TSA nominee is willing to commit the agency to the rule of law, by promising to enforce only those sanctions against travelers prescribed by publicly-promulgated rules, and by ensuring that all TSA snactions against travelers (including , of ocurse, “no-fly” orders), are subject to judicial review.

If you agree that these are the key issues for the TSA, let your Senators and the members of the Committee on Homeland Security know that you want these questions asked and answered before any new head of the TSA is confirmed.

Jul 17 2009

PASS ID or REAL-ID? Tweedle-dum or Tweedle-dee?

The Senate Homeland Secuirty Committee hearing this Wednesday on “Reevaluating the REAL ID Act” was a sham, in which the only”opponents” or “critics” of the current REAL-ID law allowed to testify were those who prefer the PASS-ID bill to substitute an alternate national ID card mandate.  Critics of any national ID need not apply to be heard as part of this debate between Tweedle-dee and Tweedle-dum.

Eevn the few positive features of  the PASS-ID bill came under attack.  Senator Collins of Maine wanted to know whether the bill would allow the sort of airport “security” measures that are used in Israel (notorious for ethnic profiling), and specifically whether the PASS-ID provision that, ““no person shall be denied boarding a commercial aircraft solely on the basis of failure to present a driver’s license or identification card issued pursuant to this subtitle,” would still allow denail of boarding, regardless of ID, solely on the basis of “behavioural profiling”.  And the National Retail Association wants to make sure that the PASS-ID prohibition on non-governmental scanning or use of machine-readable (bar-code, mag stripe, or RFID) data on government-issued ID cards would still allow stores to skim this data in order to profile patterns of “suspicious” merchandise returns.  Would anyone object, they want to know, to an exception to this provision that would allow scanning and tracking of machine-readable ID data to detect or prevent “fraud or other illegal activity”?

Yes, we would object to such an open-ended exception.  More importantly, we object to any mandatory national ID.  So do tens of millions of Americans, regardless of whether Congress does’t want our views to be part of the debate.

Jul 17 2009

Secure Flight to use same data mining tools as CAPPS-II

The TSA has been anxious to convince us that the renamed Secure Flight scheme for airline passenger profiling, surveillance, and control is fundamentally different and (despite the great new name) less Orwellian than its prdecessor, the thoroughly discredited CAPPS-II (“Computer-Assisted Passenger Pre-Screening System, version 2”).

The TSA also wants us to believe that Secure Flight “does not use commercial data” (actually, it relies primarily on commercial data in airline reservations or Passenger Name Records) or data mining.

Now we learn from the boasts of one of the TSA’s contractors that “Secure Flight” will rely on the same fuzzy matching and data mining software that was used in the first trials of CAPPS-II in 2002 — which were unsuccessful, and which used illegally obtained PNRs for real travelers on real flights.

And despite the TSA’s claims that it isn’t a data-mining system, the contractor, Infoglide Software, describes the software being incorporated into “Secure Flight” as a tool for “mining today’s evergrowing sources of data”.  Oops!  perhaps the TSA forgot to tell them the party line about how to describe their products, or their marketing department didn’t get the message.

Nothing has really changed in CAPPS-3, a/k/a “Secure Flight”.  Depite all the minor tweaks from CAPPS-II, it still doesn’t meet the standards required by international human rights treates, the Constitution, or Federal statutes. Nothing has changed, including the need to stop it now — before another billion dollars or more is spent over the next year or two on implementing this system of surveillance and control of our movements.

Jul 14 2009

D.C. Circuit court enjoins checkpoints on public streets

Striking down both a permission-based system of controls of movement (under which motorists on public streets in the District of Columbia were required to explain the purposes of their intended movements to the satisfaction of police before being permitted to pass police checkpoints, with the burden of justification placed on the would-be travellers), and the use of “security”, generalized crime prevention or deterrence, and general law enforcement as justifications for the use of checkpoints as de facto general warrants to stop, detain, interrogate, and compel responses to questions by travellers on public rights of way, the Court of Appeals for the D.C. Circuit has overturned the denial by the D.C. District Court of a permanent injunction against the Metropolitan Police scheme of so-called Neighborhood Safety Zones.

In Mills v. District of Columbia (No. 08-7127, decided July 10, 2009), the D.C. Circuit Court explicitly addressed, and reaffirmed, both the right to movement on public ways (“It cannot be gainsaid that citizens have a right to drive upon the public streets of the District of Columbia or any other city absent a constitutionally sound reason for limiting their access”) and the unconstitutionality of checkpoint stops, searches, or seizures “whose primary purpose was to detect evidence of ordinary criminal wrongdoing…. Because the primary purpose of the … checkpoint program is ultimately indistinguishable from the general interest in crime control, the checkpoints violate the Fourth Amendment” (quoting City of Indianapolis v. Edmond, 531 U.S. 32).

It’s also notable that the Court ruled as it did despite explicitly noting that the checkpoints at issue applied only to travellers by motor vehicle, and not to pedestrians.  (It’s unclear from the appellate opinion how bicyclists and other travellers by non-motoirized vehicle were treated.)  The undisputed fact that there existed an alternative, unrestricted mode of travel — by foot — was not a factor in the decision.

We’ll leave it as an exercise for the reader, and the TSA, to consider how the logic of this decision — and the Supreme Court precedent in Indianapolis v. Edmond on which it relies — would apply to TSA checkpoints at airports.

Our friends at Checkpoint USA have more details in their Roadblock Revelations blog.