Oct 01 2018

Yes, the DHS wants mug shots of all air travelers

A new report by the DHS Office of Inspector General (OIG) gives perhaps the most detailed official picture to date of the US government’s plans for ed biometric identification, tracking, and control of international air travelers through automated facial recognition.

Contrary to specious claims in DHS propaganda that the current rollout of mug-shot machines at departure gates at airports across the country is “only a test,” the DHS OIG reports that US Customs and Border Protection (CBP) plans to expand the mug shot and automated facial image recognition program from 6 million air travelers in 2018 to 60 million in 2019, 120 million in 2020, and 129 million — 100% of international airline departures from the US — by 2021.

But that’s not all. “Over time, the program plans to … incrementally deploy biometric capabilities across all modes of travel — air, sea, and land — by fiscal year 2025,” according to the OIG report.

The scope of these plans should make clear that the only thing being “tested” is whether travelers will submit to this program, not whether it is justified or what interests it serves.

The OIG report mentions that US citizens have been “allowed” to opt out of the airport mug shot “pilot program “, but doesn’t say whether they were told they had a right to do so:

CBP allowed U.S. citizens to decline participation in the pilot. In such cases, CBP officers would permit the travelers to bypass the camera and would instead check the individuals’ passports to verify U.S. citizenship. When a U.S. citizen opted to participate in the pilot but did not successfully match with a gallery photo, the CBP officer would examine the individual’s passport but did not collect fingerprints. We observed biometric screening at four airports — a total of 12 flights — during our audit and witnessed only 16 passengers who declined to participate.

[Note the absence of any apparent notice that US citizens can “opt-out”.]

In preparing their report, OIG staff “met with a number of external stakeholders, including the Airlines for America trade association, Delta Airlines, JetBlue Airlines, and British Airways.” Notably, however, OIG made no attempt to consult consumer, civil liberties, or human rights organizations or to consider their objections to mandatory mug shots.

The only objections noted in the OIG report came from airlines and airport operators. But it would be a mistake to interpret this as “resistance” from the airline industry to biometric surveillance of airline passengers through automated facial recognition.

The OIG report makes clear that the only thing being disputed by airlines and airports is who will pay for equipment and staff, not whether these systems will be deployed: Read More

Sep 24 2018

Will the government get mug shots of all air travelers?

The dispute over government-mandated biometric identification of travelers through automated facial recognition continues to sharpen.

ID document requirements for air travel have been imposed on a de facto basis by DHS administrative fiat without ever having been approved by Congress or authorized by law.

In a similar way, requirements for US citizens to submit to mug shots — either by components of the Department of Homeland Security or by airlines, airport operators, or contractors who share photos with DHS — are being imposed on a growing scale without any Congressional debate or statutory  basis.

Last week the World Privacy Forum submitted a petition for rulemaking asking the DHS to “provide formal notice and solicit public comments pursuant to the Administrative Procedure Act” before proceeding with further “trials” of biometric identification of travelers: Read More

Sep 18 2018

Globalization and policy laundering of travel control

An interview with the head of US Customs and Border Protection (CBP) published this month by the U.S. Military Academy as part of a “View From The Foxhole” series provides an unusually revealing, and disturbing, picture of the expansion and globalization of surveillance and control of travelers. It also highlights the ways that policy is being “laundered” through the rationale of “compliance with international standards” to avoid any domestic political debate in the US or other collaborating countries.

CBP Commissioner Kevin K. McAleenan begins his overview of the role of the CBP by referring to “people who are… seeking that permission to travel to the United States”.

But US citizens don’t need “permission” from CBP or any other government agency to travel to the US. McAleenan’s comment makes clear the extent to which the US government has arrogated to itself, and now takes for granted, the illegitimate authority to condition the exercise of the right to freedom of movement on government permission.

CBP Commissioner McAleenan doubles down by asserting that “we have the responsibility to interview and inspect all travelers and make decisions on whether they present a risk.”

But that’s not true either. CBP’s authority to inspect travelers is limited to determining whether there is probable cause to charge them with violations of the law. We have a system of criminal law, not a pre-crime system of “risk-based” predictive denial of rights.

Read More

Aug 28 2018

CBP expands partnership with airlines on facial recognition

This month US Customs and Border Protection (CBP) posted the latest in a series of Privacy Impact Assessments (PIAs) for its Traveler Verification Service (TVS) program.

The  latest PIA gives notice (although not in the form required by Federal law) that CBP and its airline and airport  partners are carrying out a second expanded phase of “demonstrations” of TVS, an identity-as-a-service scheme designed to use automated recognition of images from a shared CBP/airline/airport database of facial photos for purposes including surveillance and control (for CBP) and business process automation and price personalization (for airlines and airports).

CBP (1) describes TVS as a “biometric exit” program, (2) describes the current use of TVS as merely a “demonstration”, (3) continues to claim that airlines and airports “have no interest in keeping or retaining” facial images any longer , or using them for any other purposes, than is required by CBP for “security”, and (4) says that U.S citizens aren’t required to submit to mug shots.

These claims are intended to lull the public into not protesting: “This is only a test, using photos for limited purposes. The photos will be deleted once you get on the plane, and not used for nay commercial or other purpose.” And so forth.

All that might be somewhat reassuring, if any of it were true. But  none of it is:

Read More

Jul 23 2018

Airlines, airports, and cruise lines “partner” with DHS

This month some cruise lines are joining airlines and airports in taking mug shots of travelers and passing them on to US Customs and Border Protection (CB P). CBP uses these facial images (“biometrics”) for border and travel control and general law enforcement (policing and surveillance) purposes, and shares them with other Department of Homeland Security components and other domestic and foreign entities.

Read More

Jun 08 2018

“Governance” of the REAL-ID database

Attendance at the most recent face-to-face (F2F) meeting of the AAMVA S2S Governance Committee, Milwaukee, WI, March 22, 2018

We’ve been trying for years to find out who is really in charge of the national ID database being created to enable states that choose to do so to comply with the  Federal REAL-ID Act of 2005.

The national ID records system includes the SPEXS database and the S2S data network and system of central-site applications. S2S, including SPEXS, is operated by AAMVA (a non-governmental non-profit organization whose members are the directors of state driver licensing agencies) and Clerus Solutions (a for-profit  private contractor most of whose executives are revolving-door former staff of AAMVA).

But who is setting policy? Who decides what information from state drivers’ license and ID records is included in the central “pointer” database? Who decides what other entities are able to retrieve, mine, or otherwise obtain or use these records?

Are state governments really in control of their residents’ data once it is uploaded to the central site (outsourced to Microsoft as a cloud hosting provider)? Or is Is the US Department of Homeland Security, AAMVA, or Clerus Solutions in the driver’s seat?

Documents we’ve recently received in response to a request to the state of Alaska under that state’s public records law don’t answer many of our questions, but shed more light on on this little-known, aggregated, privately-held database of personally identifying information obtained from state records that already contains data about roughly 50 million US citizens and residents.

We also received explicit confirmation from the minutes of a June 2017 meeting (p. 64 of this PDF file) that AAMVA staff and state driver licensing officials expect that participation in S2S and SPEXS will be added to the criteria used by the DHS to determine whether to certify or re-certify states as “compliant” with the REAL-ID Act: The latest batch of records we received (see related records released to us earlier here) is a disordered jumble bundled into a single PDF file. Below are some of the other noteworthy details, with references to page numbers in this PDF file:

Read More

May 24 2018

DHS aggregating commercial biometric data and position logs

The DHS is proposing to expand its biometric identification and surveillance programs, and its collaboration with commercial entities in biometric-based surveillance, with the creation of a new database of “External Biometric Records” (EBR). EBR would include (1) biometric identifiers (such as facial photos, iris scans, fingerprints, DNA profiles, etc.) and (2) logs of the location, date, and time where each image or biometric sample is created.   EBR records would be aggregated from commercial sources, and available for use by all DHS components and sharing  with other Federal, state, local, and foreign entities.

The DHS is also proposing to exempt EBR from most of the requirements of the Privacy Act, including the right of individuals to find out what information about them is in the database and to what other government agencies or third parties it has been disclosed.

Today we filed comments, together with four other national civil liberties and human rights organizations — Government Information Watch, the Cyber Privacy Project (CPP), Restore the Fourth, Inc., and the National Immigration Law Center (NILC) — objecting to the DHS proposals as unconstitutional and contrary to Federal law.

Read More

May 14 2018

Senators say US citizens shouldn’t have to submit to airport mug shots

Senators Mike Lee (R-UT) and Ed Markey (D-MA) have sent another joint letter to Secretary of Homeland Security Kirstjen Nielson renewing their objections to requiring US citizens to submit to mug shots (“facial recognition”) as part of a DHS “biometric exit” program for identifying and tracking international travelers departing from US airports and seaports.

The letter sent last Friday is a follow-up to an earlier letter six months ago, in which the Senators told the DHS that such a requirement for US citizens is “facially unauthorized”:

Most crucially, while Congress has repeatedly voted to authorize biometric entry-exit scanning of foreign nationals, it has never authorized biometric exit screening for U.S. citizens. In fact, Congress has pointedly neglected to authorize DHS to use the program on U.S. citizens for any purpose. Additionally, while airport infrastructure may not be conducive to separate boarding procedures for U.S. citizens and non-citizens, convenience should not be placed above congressionally mandated requirements. We are concerned that the use of the program on U.S. citizens remains facially unauthorized.

Read More

Apr 30 2018

Is your drivers license or state ID in the national REAL-ID database?

One of the major goals of the REAL-ID Act of 2005 was to create, and to pressure state governments to participate in, a national database of drivers’ licenses and state-issued ID cards.

The REAL-ID Act requires that, “To meet the requirements of this section, a State shall … Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

In practice, the only available or affordable way for a state to comply with this part of the REAL-ID Act is to participate in the “State-to-State” (S2S) data sharing system operated by AAMVA and built by an AAMVA contractor, Clerus Solutions. AAMVA says that, “For those states … choosing to comply with REAL ID… the Department of Homeland Security has indicated that participation in S2S will be required for the state to be REAL ID compliant. This is because… the law and regulations governing REAL ID include requirements for state licensing agencies to connect their databases.”

Despite its name, which might be taken as implying that it is merely a messaging system, S2S relies on a centralized national database, “SPEXS”, which contains a record for each  drivers’ license  or ID card issued by any participating state or territory.

The DHS has been certifying states and territories as “compliant” with the REAL-ID Act, without regard for whether they have complied with this provision of the Federal law.

But that begs the question of how many states have uploaded information about how many of their residents to the national database in order to comply with the REAL-ID Act.

Are records of drivers’ licenses and ID cards issued by your state or territory already included in the national database? If not, when will they be?

Read More

Apr 02 2018

Can US citizens entering the country opt out of CBP mug shots?

US Customs and Border Protection (CBP) has published a new Privacy Impact Assessment (PIA) for its Automated Passport Control (APC) kiosks and Mobile Passport Control (MPC) apps.  Unlike most PIA’s, this one does not say why it was prepared, or what, if anything, about the programs it assesses has changed. But it appears to be a response — although an inadequate and possibly still a factually inaccurate one — to some of our complaints.

At many international airports and some cruise ports  in the US, travelers — including US citizens — have to submit their mug shots to CBP through either an APC kiosk or the MPC smartphone app before they are allowed to proceed to CBP officers for customs, immigration, and agricultural inspections.  This requirement is enforced by “line minders” manning the velvet ropes and directing pedestrian traffic inside “sterile” arrival areas. These line minders are employed by the airline, airport, and/or their contractors or sub-contractors, making it easy for CBP to deny any responsibility for their actions.

In January of this year, we were part of a meeting between civil liberties and human rights organizations and CBP officials on the subject of these  “biometric entry/exit” schemes.

The CBP officials we met with in January denied that anyone is required to use the APC kiosks, contrary to our experience and that of other participants in the meeting.

When we complained that CBP hasn’t complied with even the minimal notice requirements of the Privacy Act and the Paperwork Reduction Act (PRA) for this sort of data collection, CBP’s Privacy Officer responded, “I do not consider this program to be operating in violation of the Privacy Act, therefore, I have nothing to investigate.”

But although CBP didn’t conduct an “investigation”, it does appear to have conducted a new “assessment” and published a new set of claims about what it is doing.

What does CBP now say about its mug shots of arriving travelers? And is it true?

We call B.S.

Read More