Nov 30 2023

Senate bill introduced to ban TSA use of facial recognition in airports

Six US Senators led by Sen. Jeff Merkley (D-OR) and Sen. John Kennedy (R-LA) have introduced a bill to prohibit the Transportation Security Administration (TSA) from using automated facial recognition at airports.

S.3361 the “Traveler Privacy Protection Act of 2023”, was introduced on November 29, 2023 by Sens. Merkley, Kennedy,  Edward Markey (D-MA), Roger Marshall (R-KS), Bernie Sanders (I-VT), and Elizabeth Warren (D-MA).

Introduction of this bill comes more than five years after these and other Senators started to raise questions about whether airline passengers can be, should be, or are already being required to submit to automated facial recognition at airports, despite questionable claims by the TSA that passengers can “opt out” of facial recognition.

We find it notable and praiseworthy that this bill (text of bill as introduced), isn’t an attempt to “regulate” TSA use of automated facial recognition or to bolt on controls on how this surveillance technology or facial images or other data (event logs, etc.) collected by such systems. Rather than imposing regulations, the bill would impose a categorical ban on TSA use of automated facial recognition at airports, at least for now. If this bill is enacted, the TSA would be allowed to use facial recognition technology in airports only if that use is explicitly authorized by new legislation enacted after the passage of the “Traveler Privacy Protection Act of 2023”.

The “Traveler Privacy Protection Act of 2023” would close a significant loophole in current and proposed laws. Other proposals for regulation of facial recognition are pending in Congress, but they exempt the TSA and/or fall short of a categorical ban on use of facial recognition. And Federal preemption of regulation of air travel has given the TSA  impunity from state and local attempts to restrict government use of facial recognition.

The “Traveler Privacy Protection Act of 2023” would do nothing about the use of automated facial recognition by US Customs and Border Protection (CBP) at international airports, but it would create a model for legislation that could also be applied to CBP.

Nov 13 2023

Advance Travel Authorization (ATA) and the “CBP One” app

 

As we’ve discussed before in this blog, and as other human rights advocates have noted, asylum requires traveling to a border. Since you can only apply for asylum after you arrive in a country of refuge, freedom to travel from a place where you are subject to persecution to a country of refuge is a prerequisite for asylum.

But as we have also noted, including in comments earlier this year to the U.N. Office of the High Commissioner for Human Rights concerning the rights of migrants, governments including the US government have steadily increased their efforts to undermine the right to asylum by preventing  asylum seekers from traveling to their borders.

The latest step in this direction is the Advance Travel Authorization (ATA) system operated by U.S. Customs and Border Protection (CBP). Under this program, asylum seekers can request permission through the CBP One mobile app to travel to the US. CBP is already operating this system under a temporary “emergency” authorization from the Office of Management and Budget (OMB), but is seeking OMB approval to make it permanent.

As we explain in comments we submitted today to CBP:

Because the US has no jurisdiction and CBP has no statutory authority over travel by non-US citizens within or between other countries or their departure from other countries, and because whether or not a non-US citizen has requested or been granted “permission” from CBP has no bearing on their right to leave any other country or to travel within or between other countries by common carrier or otherwise, this collection of information is of no practical utility for any lawful activity of CBP or any US agency.

Do asylum seekers need permission from the US government to leave other countries where they are being persecuted, or to travel to the US?

No, they do not, as we explain in our comments to CBP: Read More

Aug 02 2023

Challenges to mandatory facial recognition for air travel

[US Senator Jeff Merkley films the signage and what happens when he opts out of facial recognition at the TSA checkpoint at Reagan National Airport]

Attempts by airlines, airports, and government agencies to make facial recognition mandatory for air travel, while pretending that it is “optional” or based on “consent”, are being challenged in both the United States and the European Union.

In the US, the Transportation Security Administration continues to tell Congress and the public that it is “testing” facial recognition and that mug shots are optional for air travel.

But Senators continue to question whether, as the TSA claims, this is really a “field demonstration” or actually a phased rollout,  and whether, “Providing this information is voluntary.”

The latest in a series of increasingly skeptical letters to the TSA from groups of US Senators was sent in February of this year, asking questions including these:

  • How are travelers notified of their right to opt-out of facial recognition?
  • What are the effects on a traveler who chooses to opt-out of facial recognition?
  • Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?

If the TSA provided these Senators with any answers, they haven’t been made public. But it seems likely that any response from the TSA was unsatisfactory, since a month after this letter was sent, some of these same Senators and others, along with members of the House of Representatives, reintroduced a bill (S. 681 and H.R. 1404) first introduced in the previous session of Congress that would outlaw use of facial recognition by Federal agencies except with explicit statutory authorization which the TSA lacks.

The “Facial Recognition and Biometric Technology Moratorium Act of 2023” has yet to be considered by either the House or the Senate. But in the meantime, Senator Jeff Merkley (D-OR)has been opting out of facial recognition when he flies home to Portland, filming what happens at the TSA checkpoint, and posting the videos on YouTube.

TSA policies are expressed in “standard operating procedures” (SOPs) for checkpoint staff that the TSA refuses to make public. So except to the extent that the SOPs have been leaked or inadvertently released by the TSA itself, this sort of observation-based reverse engineering is the best available evidence of de facto TSA policies and procedures.

On his first tests of TSA signage and practices, Sen. Merkley found that there were no signs at the TSA checkpoint at Reagan National Airport telling travelers that mug shots were optional.   After he posted video of the lack of signage, some signs were added — but with notices about facial recognition buried in fine print and not next to the mug shot cameras.

TSA staff told Sen. Merkley that opting out of TSA mug shots would result in “significant delay” in his passage through the TSA checkpoint, and detained him (although seemingly only briefly), contrary to what the TSA claims is supposed to happen.

In his latest video posted this week, Sen. Merkley encourages air travelers to film the signage or lack of signage at TSA checkpoints and what happens when they opt out of facial recognition:

Know that you can refuse to use facial recognition technology at the airport and you should be easily accommodated by an agent checking your physical ID….

You ARE allowed to take photos and videos at a security checkpoint.

The Algorithmic Justice League is also collecting reports from travelers about facial recognition at TSA checkpoints, including signage and consent (or the lack thereof).

It’s a sad day when a member of the US Senate has to enlist the help of members of the public to find out whether a Federal agency is lying to Congress and the public about its practices.  But the TSA has earned our mistrust and that of Congress. We commend Sen. Merkley for his skepticism and for judging the agency by what it does and not what it says.

Meanwhile, in the European Union, a complaint has been brought against the airline Ryanair for requiring either facial images or earlier check-in from certain passengers.

While this complaint has been made under EU law, it’s significant as the first complaint against an airline anywhere in the world, so far as we know,  for requiring for requiring passengers to provide mug shots or imposing additional burdens on those who opt out.

As we’ve noted before, there’s a malign convergence of interest between airlines, airport operators (public or private), and law enforcement agencies in tracking and control of air travelers. In practice, it’s often impossible to tell whether cameras — including those used for automated facial recognition — are being operated by the airline, the airport, or the police, or are part of a common-use shared surveillance-as-a-service infrastructure. In such cases, there’s no meaningful distinction between a requirement for passenger mug shots imposed by a common carrier that shares photos with the government and a mug shot requirement imposed and carried out directly by a government agency.

The complaint against Ryanair under EU law also has implications for US travelers and US airlines. Most major US and international airlines operate flights, sell tickets, and/or collect personal information in the EU and are thus subject, in at least some of their operations, to EU data protection laws. If they can respect their European customers’ rights, they could — and should — afford their US customers those same rights.

Mar 15 2023

TSA confirms plans to mandate mug shots for domestic air travel

In an on-stage interview yesterday at South By Southwest by a reporter for the Dallas Morning News, the head of the US Transportation Security Administration made explicit that the TSA plans to make collection of biometric data  mandatory for airline travel:

According to a report in today’s edition of the newspaper by Alexandra Skores on the statements by TSA Administrator David Pekoske:

Biometric technology, such as facial recognition, is increasingly being used in TSA’s identity verification process….

He said passengers can also choose to opt out of certain screening processes if they are uncomfortable, for now. Eventually, biometrics won’t be optional, he said.

Mandatory mugshots for all airline passengers have been part of the TSA’s road map since at least 2018, despite objections such as those raised by the ACLU and the Identity Project.

TSA Privacy Impact Assessments have claimed that air travelers could, for now, opt out, of mug shots, but the TSA has never complied with the notice requirements in the federal Privacy Act and Paperwork Reduction Act (PRA).

So far as we can tell, there’s never been any PRA approval for collection of biometrics from domestic air travelers, or any PRA notice at a TSA checkpoint.

Since the TSA has never applied to the Office of Management and Budget (OMB) for approval of this information collection, as required by the PRA, we don’t know what legal basis it would claim for this collection of biometric information.

As at US Customs and Border Protection inspection stations and kiosks for international travelers, domestic travelers asked to submit to mug shots at TSA checkpoints  are protected not only by the US Constitution and international treaties but also by federal laws including the PRA. As with declining to show ID or provide other information, you have the right not to provide biometric information unless and until the TSA gets approval from OMB to collect this information, and provides notices that comply with the PRA.

In 2021, the TSA tried to get Congress to exempt some of its activities from the PRA. But Congress turned it down, making clear that Congress intends the PRA to apply to the TSA.

For now, it remains the law (44 U.S.C. § 3512) that:

(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this subchapter if—

(1) the collection of information does not display a valid control number assigned by the Director [of the Office of Management and Budget] in accordance with this subchapter; or

(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.

(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.

Unless and until this changes, no matter what the TSA says, you do have the right to opt of facial imaging at TSA checkpoints.

Nov 23 2022

The airport of the future is the airport of today — and that’s not good.

(video; slides)

[Facial recognition at each step in airline passenger processing. Slide from presentation by Heathrow Airport Holdings Ltd. to the International Civil Aviation Organization (ICAO) Traveler Identitification Program symposium, October 2018]

Today, the day before Thanksgiving, will probably be the busiest day for air travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.

If you are flying this week for the first time in three years, what will you see that has changed?

Unfortunately, many of the most significant changes made during the pandemic are deliberately invisible — which is part of what makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by design airport of the future that we’ve been worried and warning about for many years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic, airports have taken advantage of the opportunity to move ahead with expansion and renovation projects. While passenger traffic was reduced, and terminals and other airport facilities were operating well below capacity, disruptions due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports in the U.S. and around the world is that they are designed and built on the assumption that all passengers’ movements within the airport will be tracked at all times, and that all phases of “passenger processing” will be carried out automatically using facial recognition, as shown in this video from a technology vendor, Airport of the Future:

[Stills from 2019 vendor video, Airport of the Future.]

In the airport of the future, or in a growing number of present-day airports, there’s no need for a government agency or airline that wants to use facial recognition to install cameras or data links for that purpose. As in the new International Arrivals Facility at Sea-Tac Airport, which opened this year, the cameras and connectivity are built into the facility as “common-use”  public-private infrastructure shared by airlines, government agencies, and the operator of the airport — whether that’s a public agency (as with almost all U.S. airports) or a private company (as with many foreign airports).

Read More

Sep 22 2022

Freedom to travel to get an abortion

[Arrows indicate populations of states where abortion is, or is likely to become, illegal, and directions and distances to the nearest states where abortion is legal. Note that some of the routes shown are more likely to be followed than others, since abortion is more or less heavily restricted in some states where it is shown on this map as legal. Diagram by Bloomberg News based on data from the Guttmacher Institute.]

Increasing variations between state laws related to abortion are prompting an increase in the already large numbers of women who travel across state lines to obtain abortions.

For women in many states, bans on abortion are making the right to interstate travel an essential prerequisite to the right to obtain an abortion.

Both anti-abortion vigilantes and state laws criminalizing actions related to abortion, including facilitating abortion-related travel, are prompting women seeking abortions as well as those who support abortion rights to think about how to protect abortion travelers and their supporters against identification, surveillance, stalking, harassment, or legal sanctions.

In this context, the right to anonymous travel has acquired new importance and urgency. If you’ve wondered, “Why would anyone want to travel anonymously?” now you know one of the reasons.  But what’s needed is “right to travel” legislation, not just “privacy” legislation. Current Federal “privacy” bills would do little to protect abortion travelers.

What are the patterns of abortion-related travel? How could state authorities or private vigilantes identify or track the travels of these women — whether they drive or take buses, trains, planes, or automobiles? What, if anything, can women traveling across state lines to obtain abortions do to protect themselves against being identified, tracked, and potentially prosecuted or subjected to retaliation, harassment, or other sanctions?  What could the Federal government do to protect these women’s right to travel, and to do so privately and safely?

As discussed in detail below, the possibilities for technical self-defense against threats to the right to travel are limited. Congress needs to act to include protection for the right to travel — regardless of the purpose for which you  travel — in any abortion rights legislation.

Read More

Sep 19 2022

CBP aggregates and disseminates travel data from warrantless searches

A series of revelations in recent months have highlighted a pattern of misuse by US Customs and Border Protection (CBP) of data about travelers and their activities.

Information obtained without a warrant or probable cause under a under a variety of exceptions to the Fourth Amendment (including administrative searches and mug shots at airports, border searches, and “consent” to collection of location information by private third parties) has been aggregated, indexed, and made available for search and retrieval by other CBP staff, other law enforcement agencies, and foreign governments.

Use of the fruit of this surveillance of travelers hasn’t been limited to the government agency that first obtained it from travelers or commercial third parties, or to the purpose that purportedly allowed CBP to obtain it without warrant or probable cause. No access logs are maintained for some of these databases of travel surveillance data, so it’s impossible to audit how they have been used.

Here’s some of what CBP has been up to with its travel surveillance databases:

Read More

May 20 2022

New reports on DHS surveillance and profiling

Two new reports from university think-tanks call attention to surveillance and profiling — including surveillance of, and action against, domestic and international travelers — by the Department of Homeland Security and its components.

A Course Correction for Homeland Security, a report by the Brennan Center for Justice at New York University, cites to some of our work and some examples of cases we have been involved with in its analysis of DHS data collection (surveillance), and “risk assessments” (algorithmic profiling and control), especially as they relate to travelers.

American Dragnet: Data-Driven Deportation in the 21st Century, a report by the Center on Privacy and Technology at Georgetown University Law School, focuses on DHS’s Immigration and Customs Enforcement (ICE) division, especially ICE access to facial images and other information obtained from drivers licenses and commercial data brokers.

A common theme of both reports is that DHS surveillance is more pervasive, more intrusive, and less visible than is generally recognized.

Airline reservations and demands for ID from travelers are used not merely to check for currently blacklisted would-be travelers, but are retained and used to build travel histories and social networks maps that are then used by suspicion-generating guilt-by-association algorithms to expand the web of surveillance, profiling, and extrajudicial blacklisting.

ICE represents itself as an agency with jurisdiction only over non-US citizens, but in fact runs photos and drivers license and location data about a large fraction of the entire population of US citizens through its profiling and enforcement algorithms. DHS lurks (usually invisibly) in the background, “ingesting” or obtaining access to personal information, when individuals pose for drivers license photos, make airline reservations, or interact with businesses that “share” data directly or indirectly with DHS.

What is to be done about this sorry state of affairs?

Both of these reports suggest that some reforms could be made by policy, at the direction of the President, the Secretary of Homeland Security, or the heads of DHS components.

However, given the thoroughly bipartisan continuity of support by both Democratic and Republican administrations for the continual expansion of DHS surveillance, especially of travelers and foreigners and most especially of border crossers, since its creation 20 years ago, we have little hope for reform from within DHS or at the behest of the White House.

Exposure of abuses is good, but more is needed than a change of administration policy.

While we welcome any additional attention paid to the problems with the DHS, we think they call for court action to uphold the Constitutional and treaty rights of travelers and other individuals, and Congressional action to effectuate those rights and to facilitate judicial review and redress for government actions that violate those rights.

The DHS, as these reports reveal, is an ever-growing dragnet surveillance agency, operating outside the rule of law. What are we going to do to alter or to abolish it?

Apr 12 2022

Facial recognition signage at new Sea-Tac terminal flunks legal test

For several years the Identity Project has been engaging with the Port of Seattle over its expansion of automated facial recognition to track travelers at Sea-Tac Airport.

Today we made yet another (virtual) visit to the Port of Seattle Commission to give the following comments (PDF) on the latest test of the new International Arrivals facility at Sea-Tac, scheduled to open  next week:

Comments of the Identity Project to the Port of Seattle Commission
for the Commission meeting of April 12, 2022, re: signage for travelers about the collection of facial images at the International Arrivals Facility at Sea-Tac Airport

Members of the Port of Seattle Commission:

The Identity Project (PapersPlease.org) is a nonprofit civil liberties and human rights organization with expertise in identity-based surveillance and control of travelers.

We are submitting these comments to call to your attention the failure of both the Port of Seattle and US Customs and Border Protection (CBP) to provide notice to travelers of CBP’s collection of facial images (“biometrics”) at the new International Arrivals Facility (IAF) at Sea-Tac International Airport, as required both by Federal law and by the policies on use of biometrics adopted by the Port Commission.

Read More

Jan 30 2022

ID-Me-Not

The IRS is reportedly reconsidering its previously-announced plan to require taxpayers to share facial images and other personal data with an unregulated private company, ID.me, in order to file tax returns online or access information about their filings, payments, and returns through the IRS website.

The hesitation by the IRS comes after ID.me was caught lying about whether it uses “one to many” facial recognition to try to identify facial images against large databases of selfies or other mug shots. ID.me had falsely claimed that it only uses “1 to 1” matching to “verify” that a selfie matches previously stored images of a specific person. But the company has now admitted that’s incorrect. ID.me actually  compares selfies submitted by taxpayers (or by hackers or identity thieves, who could easily copy a facial image from a targeted victim’s or their friend’s social media posts) to its own “internal” database of images of tens of millions of people aggregated from unknown sources.

Read More