Dec 06 2024

Court stays deadline for IDs and mug shots of corporate principals

A Federal District Court in Texas has issued a nationwide injunction against enforcement of the Corporate Transparency Act (CTA) of 2021.

This injunction is only temorary, pending a decision by the court on the merits of a lawsuit challenging the Consittutionality of the law, which could take months or years. But until that ruling, the preliminary nationwide injunction stays the January 1, 2025, deadline for officers and owners of all types of corporations to obtain ID documents from government agencies and submit copies of those documents, including photos, to the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury.

Another US District Court in Alabama has already ruled that the Corporate Transparency Act is unconstitutional. But that ruling only applied to the plaintiffs in that case.

The Texas District Court’s detailed ruling on the motion for a preliminary nationwide injuction focuses primarily on issues of federalism. It doesn’t mention the issue of corporate officers or owners who don’t have any of the required ID documents, or the implications of requiring  mug shots as well as document numbers and other written information.

The government argued that the plaintiffs in the case against the CTA had not suffered sufficient damage to give them a cause of action, because the reporting burden would be “de minimus” (minmal). The Court rejected that argument, noting that, according to the regulations implmenting the CTA reporting requirement, ” FinCEN estimates that the total cost of filing BOI [Beneficial Owner Information] reports is approximately $22.7 billion in the first year and $5.6 billion in the years after.”

The Court noted with a footnote that, “FinCEN also estimates that it will take approximately twenty minutes to read a beneficial ownership report form and understand it, thirty minutes to collect information about a company’s beneficial owners, and twenty minutes to fill out and file the report, resulting in a seventy-minute endeavor. But the Court notes that as a practical matter, it takes far longer than seventy minutes simply to read the CTA and Reporting Rule alone.”

What we find espcially significant and encouraging in this ruling is that it recognizes explicly that requiring ID is a law enforcement and investigatory device — as FinCEN’s very name, the Financial “Crimes Enforcement” Network, makes clear:

In other words, the CTA is a law enforcement tool—not an instrument calibrated to protect commerce; an exercise of police power, rather than a regulation of an activity…. The CTA regulates reporting companies, simply because they are registered entities, and compels the disclosure of information for a law enforcement purpose.

The Court rightly rejected the government’s argument that mandatory reporting of identifying information (and photos, although that wasn’t mentioned) about all corporate principals is “useful” for law enforcement. Unconstitutional general warrants, dragnet surveillance, or suspiconless, warrantless, house-to-house searches would undoubtedly enable the government to find evidence of crimes, some of which would otherwise have gone undetected, in many homes. But the effectiveness of these police tactics, from the point of view of the police, does not make them Constitutional.

FinCEN hasn’t updated its website yet to mention the nationawide injunction. The Texas case and other legal challenges to the CTA remain pending, and the injunction is likely to be appealed. For now, however, you can ignore the CTA reporting requirements and the January 1, 2025, compliance deadline.

Dec 04 2024

CBP facial recognition is a service for the airline industry

After five years of foot-dragging in responding to our Freedom Of Information Act (FOIA) request, US Customs and Border Protection (CBP) has finally released the pitch it made to the Future Travel Experience airline industry conference in 2019 on why airlines and airport operators should “partner” with CBP on automated facial recognition of airline passengers.

CBP claims in its presentation that “THIS IS *NOT* A SURVEILLANCE PROGRAM”. Its vision, however, is for CBP’s Traveler Verification Service (TVS) facial recognition system to provide automated identification of travelers at every stage of their journeys.

Airlines and airport operators won’t need to operate their own facial recognition software or databases. CBP will do that for them, allowing them to use TVS (which “integrates into airport infrastructure”, CBP boasts) for any of their business process automation, traveler profiling, personalized pricing, etc. purposes. Airlines and airport operators won’t need to store mug shots, since CBP will re-identify travelers for them as often as they want.

And that’s not all. The TVS facial recognition service will also be made available to cruise lines, bus companies, etc., to automatically identify travelers using all modes of transportation:

CBP will use a traveler’s face as the primary way of identifying the traveler…. This will create the opportunity for CBP to transform air travel by enabling all parties in the travel system to match travelers to their data via biometrics, thus unlocking benefits that… enhances the entire traveler experience.

The CBP “Biometric Pathway” will utilize biometrics to streamline passenger processes throughout the air travel continuum, and will provide airport and airline entities with the opportunity to validate identities against DHS information systems using the data available. CBP will partner with airlines, airports, and TSA to build a device independent, vendor neutral back­end system called the Traveler Verification Service (TVS) that allows for private sector investment in front end infrastructure, such as self­service baggage drop off kiosks, facial recognition self­boarding gates, and other equipment; this service will ultimately enable a biometric­ based entry/exit system to provide significant benefits to air travel partners…. The TVS will also be able to support future biometric deployments in the land and sea environments and throughout the traveler continuum. Figure 4 shows the different environments and touchpoints that will interact with the TVS.

Let’s make a deal”, CBP says to airlines and airport operators. “You provide the camera infrastructure embedded in passenger terminals at airports, and we’ll provide the facial recognition service.” It’s a Faustian bargain in which travelers are the losers, but already by 2019 many airlines and airports had taken CBP up on its offer. In the five years since, many more airlines and airports have joined CBP as collaborators in traveler identification, surveillance, and tracking.

Read More

Nov 25 2024

Do you need ID to read the REAL-ID rules?

[“The welcoming, friendly and visually pleasing appearance” of the TSA’s headquarters at 6595 Springfield Center Drive, Springfield, VA.]

We spent most of a day last week outside the headquarters of the Transportation Security Administration (TSA), trying and failing to find out what the rules are for the TSA’s new digital-ID scheme.  What we did learn is that, by TSA policy and practice, you can’t read the REAL-ID rules, get to the TSA’s front door, or talk to any TSA staff unless you already have ID, bring it with you, and show it to the private guards outside the TSA’s gates.

The problems we have faced just trying to get access to the text of the TSA’s rules raise issuess about (recursive) incorporation by reference of third-party, nongovernmental text in regulations, secret law, and access to Federal services and rights by those without ID, as well as the underlying issues of REAL-ID, mobile driver’s licenses, and digital IDs.

In late October, as we’ve previously reported, the TSA issued a final rule establishing “standards” for smartphone-based digital IDs that would be deemed by the TSA to comply with the REAL-ID Act of 2005. These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.

The standards themselves — the meat of the TSA’s rule — weren’t published in the Federal Register or made public either when the rule was proposed or when it  was finalized. Instead, thousands of pages of documents from private third parties were incorporated by reference into the TSA’s rules, giving them the force of law, on the basis of false and fraudulent claims — the falsehood of which was easy for anyone who checked to verify — that they were “reasonably accessible” to affected individuals.

Secret laws are per se a violation of due process, and should be per se null and void. How can it be that “ignorance of the law is no excuse” if the government has kept you ignorant of the law, even when you try to find out what the law says?

You shouldn’t need ID to read the law, just as you shouldn’t need ID to travel by common carrier. But the TSA doesn’t seem to have read the Constitution.

Read More

Nov 05 2024

What will the future bring for ID demands?

There are elections today in  the USA. But we don’t need to know their outcome to predict many of the issues that the Identity Project and our supporters and allies will continue to face in the coming years. For what it’s worth, everything that was on our agenda for the first Obama Administration, following the 2008 elections, remains on our agenda today.

At least since September, 11, 2001, throughout both Republican and Democratic administrations in the White House, demands for “Your papers, please!” have been supported by (1) a bipartisan consensus in Congress, (2) the lobbying power of an ever-growing homeland security-industrial complex, and (3) the malign convergence of interest between governments that want to identify us in order to track, profile, and control us for political purposes and corporations that want to identify us (or get the government to force us to identify ourselves) in order to track and profile us for commercial purposes.

Read More

Nov 04 2024

TSA launches smartphone-based digital ID scheme

Brushing off objections from the Identity Project and others, the US Transportation Security Administration (TSA) has issued regulations creating the framework for an all-purpose smartphone-based national digital ID and tracking system.

The TSA’s new rules are piggybacked on the REAL-ID Act of 2005, and are ostensibly standards for what states will have to do to issue digital versions of driver’s licenses or ID cards that the TSA and other Federal agencies will accept for Federal purposes, in circumstances where ID is required by other Federal laws. This doesn’t include airline travel, for which no ID is legally required, although the TSA keeps lying about this.

The TSA’s new rules provide that acceptable digital IDs can only be issued to individuals who already have physical driver’s licenses or state-issued ID cards. And individuals are still required by standard state laws to “have their Physical Credential on their person while operating a motor vehicle”, even if they also have a digital ID on their smartphone. So this regulatory scheme isn’t really about driver’s licenses at all. It’s about pressuring states to move from uploading information about all their residents to a national ID database to putting a digital tracking app with a state-issued identifier on each resident’s smartphone.

We’ll have more to say in our next article about some of the ways this might be used for surveillance and control of individuals’ activities in the physical and online realms.

The TSA dismissed out of hand our suggestion that an individual could be provided with a digitally-signed file (signed by a government agency) containing the same information as is contained on a physical license or ID card. Such a  file could be carried on any sort of device and presented over any sort of connection. Instead, the TSA’s new rules require that a digital ID must be “provisioned” through an app on a smartphone. The smartphone must be “bound” to an individual (how is this possible?) and must have bluetooth-low energy (BTE) radio connectivity enabled so that the app containing the digital ID can be remotely interrogated by the government (perhaps without the user’s knowledge).

How will this work? What else will these apps do? In what situations, and for what purposes, will these apps and digital IDs be required? We don’t really know.

Read More

Sep 06 2024

Planned new European travel restrictions follow US precedents and pressure

Citizens of the USA and some other most-favored nations have long been able to travel to many European countries for tourism or business without visas or prearrangements and with minimal border formalities, as long as they didn’t stay too long or seek local residence or employment.

This is scheduled to change with the imposition of new controls on foreigners — including US citizens — visiting Europe starting in November 2024. This is to be followed by a further ratcheting up of control and surveillance of  foreign travelers to Europe scheduled for some time in 2025.

Some US citizens are likely to be shocked and humiliated — as any traveler anywhere in the world should be, regardless of their citizenship — to be subjected to fingerprinting and mug shots and additional questionning on arrival in Europe and, starting next year, a de facto visa by another name that they will have to apply and pay for and have approved before they can board a flight (or international ferry or train) to any European destination.

European citizens can and should object to the imposition by their governments of these new restrictions on foreigners, including foreign tourists and business visitors and foreign citizens who reside in Europe. Europe could, and should, set a better example of respect for freedom of movement as a human right that shouldn’t depend on citizenship.

But US citizens who object to these new European measures should direct their objections and, more importantly, their agitation for changes in travel rules to the US government.

These impending new European travel control and surveillance measures are modeled on systems developed in, already in use in, and actively promoted to European and other governments around the world by the US government.

By its precedents and international pressure, the US government is making travel more difficult for everyone, including US citizens, everywhere in the world including in Europe.

Read More

May 06 2024

Facial recognition and “identity verification”

A new effort is being made by some Senators to restrict the use of facial recognition by the Transportation Security Administration (TSA), airlines, and airports in the US.

But the proposed cure may be worse than the disease. The latest version of the proposed legislation, while undoubtedly well intentioned, includes a provision that would, for the first time, provide a basis in Federal law for “identity verification” of airline passengers.

The problem with facial recognition is that it’s a tool for identifying people. Legalizing (unjustified and previously unlawful) demands for travelers to identify ourselves in other ways is not a solution to the problems of either facial recognition or ID demands.

S. 3361, the “Travel Privacy Protection Act of 2023”, was introduced in the Senate in November 2023, and remains pending. But standalone bills like this have very little chance of being considered, especially in the current Congress.

With Congress acting on only a few bills that are considered essential to keep the  government operating, other legislation is likely to be acted on only if it can be attached to one of these “must-pass” bills. So some of the sponsors of S. 3361 have incorporated provisions to restrict the use of facial recognition, plus new provisions for alternative means of “identity verification” of travelers, into an amendment to the pending  bill to authorize continued operations of the Federal Aviation Administration (FAA).

We assume that the new “identity verification” provisions in the proposed amendment to the FAA reauthorization bill were added to the previous version of the legislation to address objections from the TSA, the airline industry, and airport operators, all of whom have invested heavily in shared infrastructure for facial recognition at airports on the assumption that it has already been agreed to as a government and industry standard.

The proposed amendment to the FAA reauthorization bill would explicitly authorize the use of facial recognition at US airports, provided that the TSA “provides each protected individual, at the request of the protected individual, with the option to choose between identity verification with or without facial recognition or facial matching software.”

This would be a major change, since no provision of current law authorizes the TSA to operate, or to require travelers to submit to, any sort of ID verification.

Congress should not be intimidated by the threat of facial recognition into authorizing the TSA, airlines, or airport operators to  require travelers to identify ourselves.

A choice between submitting to facial recognition so that we can be identified, and showing documents so that we can be identified, is not a choice we should have to make.

Regardless of how we are identified, we know how our identity will be used by the TSA and its commercial and governmental partners in the US and around the world.

The TSA will check our identity against the million and a half mostly Muslim names on the TSA’s no-fly blacklist, use our identity as one of the inputs to the algorithmic black box they use to decide whether to send the airline a Boarding Press Printing Result (BPPR) that “permits” the airline to issue a boarding pass for each of our flights, and use it to link its record of our flight to the permanent file it keeps about each of us. None of this is lawful or serves any legitimate purpose. Congress should put a stop to all of this.

The TSA offers the misleading reassurance that unless we are determined to pose a threat, it won’t retain facial images and other information about our travel. But since the threat-assessment algorithms and outcomes are secret, there’s no way to know whether information about us and any particular flight we take has been retained.

Compelled warrantless, suspicionless ID requirements violate the Fourth and Fifth Amendments to the US Constitution and international treaties protecting the right to freedom of movement both internationally and within the US.

If Congress wants to rein in the TSA and its use of facial recognition, Congress can and should explicitly prohibit the TSA from requiring travelers to identify ourselves, regardless of whether that identity verification is conducted by inspection of ID documents, facial recognition, or other means. Unless our right to travel has been restricted by court order, who we are is irrelevant to our right to travel by common carrier.

Nov 30 2023

Senate bill introduced to ban TSA use of facial recognition in airports

Six US Senators led by Sen. Jeff Merkley (D-OR) and Sen. John Kennedy (R-LA) have introduced a bill to prohibit the Transportation Security Administration (TSA) from using automated facial recognition at airports.

S.3361 the “Traveler Privacy Protection Act of 2023”, was introduced on November 29, 2023 by Sens. Merkley, Kennedy,  Edward Markey (D-MA), Roger Marshall (R-KS), Bernie Sanders (I-VT), and Elizabeth Warren (D-MA).

Introduction of this bill comes more than five years after these and other Senators started to raise questions about whether airline passengers can be, should be, or are already being required to submit to automated facial recognition at airports, despite questionable claims by the TSA that passengers can “opt out” of facial recognition.

We find it notable and praiseworthy that this bill (text of bill as introduced), isn’t an attempt to “regulate” TSA use of automated facial recognition or to bolt on controls on how this surveillance technology or facial images or other data (event logs, etc.) collected by such systems. Rather than imposing regulations, the bill would impose a categorical ban on TSA use of automated facial recognition at airports, at least for now. If this bill is enacted, the TSA would be allowed to use facial recognition technology in airports only if that use is explicitly authorized by new legislation enacted after the passage of the “Traveler Privacy Protection Act of 2023”.

The “Traveler Privacy Protection Act of 2023” would close a significant loophole in current and proposed laws. Other proposals for regulation of facial recognition are pending in Congress, but they exempt the TSA and/or fall short of a categorical ban on use of facial recognition. And Federal preemption of regulation of air travel has given the TSA  impunity from state and local attempts to restrict government use of facial recognition.

The “Traveler Privacy Protection Act of 2023” would do nothing about the use of automated facial recognition by US Customs and Border Protection (CBP) at international airports, but it would create a model for legislation that could also be applied to CBP.

Nov 13 2023

Advance Travel Authorization (ATA) and the “CBP One” app

 

As we’ve discussed before in this blog, and as other human rights advocates have noted, asylum requires traveling to a border. Since you can only apply for asylum after you arrive in a country of refuge, freedom to travel from a place where you are subject to persecution to a country of refuge is a prerequisite for asylum.

But as we have also noted, including in comments earlier this year to the U.N. Office of the High Commissioner for Human Rights concerning the rights of migrants, governments including the US government have steadily increased their efforts to undermine the right to asylum by preventing  asylum seekers from traveling to their borders.

The latest step in this direction is the Advance Travel Authorization (ATA) system operated by U.S. Customs and Border Protection (CBP). Under this program, asylum seekers can request permission through the CBP One mobile app to travel to the US. CBP is already operating this system under a temporary “emergency” authorization from the Office of Management and Budget (OMB), but is seeking OMB approval to make it permanent.

As we explain in comments we submitted today to CBP:

Because the US has no jurisdiction and CBP has no statutory authority over travel by non-US citizens within or between other countries or their departure from other countries, and because whether or not a non-US citizen has requested or been granted “permission” from CBP has no bearing on their right to leave any other country or to travel within or between other countries by common carrier or otherwise, this collection of information is of no practical utility for any lawful activity of CBP or any US agency.

Do asylum seekers need permission from the US government to leave other countries where they are being persecuted, or to travel to the US?

No, they do not, as we explain in our comments to CBP: Read More

Aug 02 2023

Challenges to mandatory facial recognition for air travel

[US Senator Jeff Merkley films the signage and what happens when he opts out of facial recognition at the TSA checkpoint at Reagan National Airport]

Attempts by airlines, airports, and government agencies to make facial recognition mandatory for air travel, while pretending that it is “optional” or based on “consent”, are being challenged in both the United States and the European Union.

In the US, the Transportation Security Administration continues to tell Congress and the public that it is “testing” facial recognition and that mug shots are optional for air travel.

But Senators continue to question whether, as the TSA claims, this is really a “field demonstration” or actually a phased rollout,  and whether, “Providing this information is voluntary.”

The latest in a series of increasingly skeptical letters to the TSA from groups of US Senators was sent in February of this year, asking questions including these:

  • How are travelers notified of their right to opt-out of facial recognition?
  • What are the effects on a traveler who chooses to opt-out of facial recognition?
  • Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?

If the TSA provided these Senators with any answers, they haven’t been made public. But it seems likely that any response from the TSA was unsatisfactory, since a month after this letter was sent, some of these same Senators and others, along with members of the House of Representatives, reintroduced a bill (S. 681 and H.R. 1404) first introduced in the previous session of Congress that would outlaw use of facial recognition by Federal agencies except with explicit statutory authorization which the TSA lacks.

The “Facial Recognition and Biometric Technology Moratorium Act of 2023” has yet to be considered by either the House or the Senate. But in the meantime, Senator Jeff Merkley (D-OR)has been opting out of facial recognition when he flies home to Portland, filming what happens at the TSA checkpoint, and posting the videos on YouTube.

TSA policies are expressed in “standard operating procedures” (SOPs) for checkpoint staff that the TSA refuses to make public. So except to the extent that the SOPs have been leaked or inadvertently released by the TSA itself, this sort of observation-based reverse engineering is the best available evidence of de facto TSA policies and procedures.

On his first tests of TSA signage and practices, Sen. Merkley found that there were no signs at the TSA checkpoint at Reagan National Airport telling travelers that mug shots were optional.   After he posted video of the lack of signage, some signs were added — but with notices about facial recognition buried in fine print and not next to the mug shot cameras.

TSA staff told Sen. Merkley that opting out of TSA mug shots would result in “significant delay” in his passage through the TSA checkpoint, and detained him (although seemingly only briefly), contrary to what the TSA claims is supposed to happen.

In his latest video posted this week, Sen. Merkley encourages air travelers to film the signage or lack of signage at TSA checkpoints and what happens when they opt out of facial recognition:

Know that you can refuse to use facial recognition technology at the airport and you should be easily accommodated by an agent checking your physical ID….

You ARE allowed to take photos and videos at a security checkpoint.

The Algorithmic Justice League is also collecting reports from travelers about facial recognition at TSA checkpoints, including signage and consent (or the lack thereof).

It’s a sad day when a member of the US Senate has to enlist the help of members of the public to find out whether a Federal agency is lying to Congress and the public about its practices.  But the TSA has earned our mistrust and that of Congress. We commend Sen. Merkley for his skepticism and for judging the agency by what it does and not what it says.

Meanwhile, in the European Union, a complaint has been brought against the airline Ryanair for requiring either facial images or earlier check-in from certain passengers.

While this complaint has been made under EU law, it’s significant as the first complaint against an airline anywhere in the world, so far as we know,  for requiring for requiring passengers to provide mug shots or imposing additional burdens on those who opt out.

As we’ve noted before, there’s a malign convergence of interest between airlines, airport operators (public or private), and law enforcement agencies in tracking and control of air travelers. In practice, it’s often impossible to tell whether cameras — including those used for automated facial recognition — are being operated by the airline, the airport, or the police, or are part of a common-use shared surveillance-as-a-service infrastructure. In such cases, there’s no meaningful distinction between a requirement for passenger mug shots imposed by a common carrier that shares photos with the government and a mug shot requirement imposed and carried out directly by a government agency.

The complaint against Ryanair under EU law also has implications for US travelers and US airlines. Most major US and international airlines operate flights, sell tickets, and/or collect personal information in the EU and are thus subject, in at least some of their operations, to EU data protection laws. If they can respect their European customers’ rights, they could — and should — afford their US customers those same rights.