Apr 30 2018

Is your drivers license or state ID in the national REAL-ID database?

One of the major goals of the REAL-ID Act of 2005 was to create, and to pressure state governments to participate in, a national database of drivers’ licenses and state-issued ID cards.

The REAL-ID Act requires that, “To meet the requirements of this section, a State shall … Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

In practice, the only available or affordable way for a state to comply with this part of the REAL-ID Act is to participate in the “State-to-State” (S2S) data sharing system operated by AAMVA and built by an AAMVA contractor, Clerus Solutions. AAMVA says that, “For those states … choosing to comply with REAL ID… the Department of Homeland Security has indicated that participation in S2S will be required for the state to be REAL ID compliant. This is because… the law and regulations governing REAL ID include requirements for state licensing agencies to connect their databases.”

Despite its name, which might be taken as implying that it is merely a messaging system, S2S relies on a centralized national database, “SPEXS”, which contains a record for each  drivers’ license  or ID card issued by any participating state or territory.

The DHS has been certifying states and territories as “compliant” with the REAL-ID Act, without regard for whether they have complied with this provision of the Federal law.

But that begs the question of how many states have uploaded information about how many of their residents to the national database in order to comply with the REAL-ID Act.

Are records of drivers’ licenses and ID cards issued by your state or territory already included in the national database? If not, when will they be?

Read More

Apr 02 2018

Can US citizens entering the country opt out of CBP mug shots?

US Customs and Border Protection (CBP) has published a new Privacy Impact Assessment (PIA) for its Automated Passport Control (APC) kiosks and Mobile Passport Control (MPC) apps.  Unlike most PIA’s, this one does not say why it was prepared, or what, if anything, about the programs it assesses has changed. But it appears to be a response — although an inadequate and possibly still a factually inaccurate one — to some of our complaints.

At many international airports and some cruise ports  in the US, travelers — including US citizens — have to submit their mug shots to CBP through either an APC kiosk or the MPC smartphone app before they are allowed to proceed to CBP officers for customs, immigration, and agricultural inspections.  This requirement is enforced by “line minders” manning the velvet ropes and directing pedestrian traffic inside “sterile” arrival areas. These line minders are employed by the airline, airport, and/or their contractors or sub-contractors, making it easy for CBP to deny any responsibility for their actions.

In January of this year, we were part of a meeting between civil liberties and human rights organizations and CBP officials on the subject of these  “biometric entry/exit” schemes.

The CBP officials we met with in January denied that anyone is required to use the APC kiosks, contrary to our experience and that of other participants in the meeting.

When we complained that CBP hasn’t complied with even the minimal notice requirements of the Privacy Act and the Paperwork Reduction Act (PRA) for this sort of data collection, CBP’s Privacy Officer responded, “I do not consider this program to be operating in violation of the Privacy Act, therefore, I have nothing to investigate.”

But although CBP didn’t conduct an “investigation”, it does appear to have conducted a new “assessment” and published a new set of claims about what it is doing.

What does CBP now say about its mug shots of arriving travelers? And is it true?

We call B.S.

Read More

Mar 13 2018

Is the DHS using this Unisys pre-crime software?

A press release last week from Unisys gives a disturbing glimpse into the extent to which border guards — possibly including US Customs and Border Protection (CBP) and other components of the US Department of Homeland Security — are making decisions on the basis of automated “pre-crime” predictions of future bad actions or bad intentions.

Unisys describes its “LineSight” (TM)  product as,

[N]ew software that uses advanced data analytics and machine learning to … enable border agents to make … on-the-spot decisions about whether to trigger closer inspection of travelers … before admitting them into a country…. The solution [sic] uses advanced targeting algorithms to continuously ingest and analyze high volumes of data from multiple sources and to flag potential threats in near real time. For travelers crossing borders, LineSight assesses risk from the initial intent to travel and refines that risk assessment as more information becomes available – beginning with a traveler’s visa application to travel, reservation, ticket purchase, seat selection, check-in and arrival.

Think about what this means: This is not a tool for investigation of illegal conduct or prosecution of people who have committed crimes. It presumes that government agencies will be sufficiently deeply embedded in travel industry infrastructure and have the surveillance capability to know as soon as you form an “initial intent to travel”. It’s being marketed to government agencies as a “pre-crime” system alleged to have “pre-cognitive” ability to predict intentions and future actions, and to generate its own algorithms for doing so:

“Many legacy border security solutions identify potentially risky travelers and cargo based on previously known threats – which is kind of like driving a car and only using your rear view mirror,” said Mark Forman, global head of Unisys Public Sector….

LineSight does not depend solely on pre-defined pattern matching rules; it also includes predictive analytics and machine learning that allow the system to learn from experience and automatically generate new rules and algorithms to continuously improve assessment accuracy over time.

Decisions about which travelers should be subjected to more intrusive searches should be be made on the basis of probable cause to believe that  crimes have been committed, not on the basis of fantasies of “pre-cognitive” pre-crime prediction.

It’s wrong to delegate judicial decisions to administrative agencies, wrong to further delegate those decisions to software ‘bots, and wrong to set those robots loose to make up their own rules to govern whch individuals are subjected to searches or other sanctions.

Read More

Feb 16 2018

Will “continuous vetting” include new demands for travel information?

Congress is currently considering multiple “immigration” bills containing provisions for “continuous screening” or “continuous vetting” of foreign residents, visitors, and would-be visitors to the US. As we have noted previously, “continuous screening” and “continuous vetting” are euphemisms for “continuous surveillance and control”.

These so-called “immigration” bills would not be limited to foreigners. Many of them would include US citizens exercising our right to leave our country, and to return, in pre-crime travel surveillance and control schemes.

One question that has been raised about some of these proposals is (1) whether they would require airlines to provide the DHS with additional information about  air travelers, or require information about potential passengers to be provided further in advance of scheduled flights, and (2) if so, whether this would violate the US “agreement” with the European Union regarding US government use of PNR data obtained from airlines.

Here’s some background, and some analysis, of what “continuous vetting” might mean for US government use of data from airlines, and for the US agreement with the EU:

Read More

Jan 30 2018

Government and industry collaborate in travel surveillance

Senior officials of US Customs and Border Protection (CBP) came to San Francisco last week to meet with representatives of the Identity Project and other civil liberties and human rights organizations regarding CBP “biometric entry/exit” schemes. These CBP programs, some of which are already in operation, involve taking digital mug shots of international travelers — including US citizens — as they enter and leave the US. The meeting in San Francisco was a follow-up to one in Washington, DC, in August 2017.

Debra Danisek, CBP Privacy Officer, and John Wagner, Deputy Executive Assistant Commissioner in charge of the CBP “Office of Field Operations”, were accompanied to the meeting by CBP national, regional, and SF Bay Area local CBP policy and operations staff.

We welcomed the opportunity to point out to the CBP officials in charge of these programs that — especially as they apply to US citizens — they violate multiple Federal laws,  involve unconstitutional warrantless, suspicionless dragnet surveillance of how we exercise our right to assemble  as protected by the First Amendment, and should be abandoned.

It was an infuriating meeting, however. Rather than offering explanations for many of the CBP’s practices, the CBP officials across the table flatly denied much of what is happening at airports throughout the US, even in the face of first-person testimony to the contrary from many of the civil liberties advocates in attendance.

Since they wouldn’t admit that some of the most abusive CBP practices — the ones we thought the meeting had been called to discuss — are actually happening, the CBP officials wouldn’t talk about what, if any, legal basis these practices might have. Meanwhile, these unlawful practices by CBP and other DHS components continue and  expand.

Here are some of the counter-factual claims made by CBP in our meeting, and some of the issues left unaddressed: Read More

Sep 24 2017

Muslim Ban 3.0 blaimed on ICAO passport standards and “ID management”

Invoking memes that we’ve seen and warned about before under both Democratic and Republican administrations, President Trump has attributed the latest version 3.0 of his “Muslim ban”announced today (proclamation, FAQ, explainer) with the need to comply with ICAO and INTERPOL standards for passport issuance, “identity management”, and data sharing about travelers — as though US immigration and asylum policy should be determined by an international technical body for aviation operations, as though such a body has the authority to override US treaty obligations to freedom of movement and “open skies“, and as though predictive pre-crime profiling based on “biographic and biometric data” can be substituted for judicial fact-finding as a basis for denial of the right to travel.

We hope that seeing the “Muslim Ban 3.0” blamed on ICAO standards will lead human rights advocates to pay more attention to ICAO’s standard-setting role and opaque decision-making process in non-aviation matters such as passports, identity management, and data sharing.

Read More

Sep 11 2017

California DMV proposes to “comply” with the REAL-ID Act

On September 1, 2017, the California Department of Motor Vehicles quietly published a notice of proposed regulations that would purportedly allow the California DMV to issue drivers licenses and state ID cards that would be “compliant” with the Federal REAL-ID Act of 2005:

For many years, the California DMV has appeared intent on eventual “compliance” with the REAL-ID Act, regardless of whether that compliance was authorized by the legislature. The current DMV rulemaking proposal to bring California into “compliance” with the REAL-ID Act by administrative fiat is the latest and most significant step along that path, and a disturbing effort to bypass legislative debate.

We encourage all Californians who are concerned about freedom of movement, Federal commandeering of state agencies to function as agents for enforcing Federal restrictions on individual rights, and lack of transparency, oversight and accountability for biometric and ID databases to submit comments opposing the proposed regulations and, if you can make it to Sacramento, to testify at the hearing on October 16th.

Read More

Aug 01 2017

Biometric entry/exit tracking of US citizens

We were invited to a briefing session today at U.S. Customs and Border Protection (CBP) headquarters: “an information sharing session and open dialog …  with external privacy stakeholders” to discuss “recent enhancements to CBP’s biometric exit initiatives” and “CBP’s implementation plans for a biometric exit system“.

Although we weren’t able  to make it to Washington for today’s meeting, we have many questions about CBP’s ongoing (and illegal, as discussed below)  photographing of the faces of US citizens entering the US, and the agency’s plans to expand the current (also illegal) trials of exit photography to include most or all US citizens leaving the country.

We look forward to another chance to quiz CBP officials about these programs and their (lack of) legal basis. More importantly, we hope that members of Congress and the public will ask hard questions about these programs if regulations or legislation are proposed that would purport to authorize them.

We share the general concerns raised by others about the use of biometric information such as facial photos (mug shots) for suspicionless dragnet surveillance of any travelers. The right to leave any country is explicitly guaranteed by international treaty (Article 12 of the ICCPR) as a human right independent of citizenship.

But we find it especially objectionable — and likely to be illegal — that CBP is extending these surveillance schemes to US citizens. Here are some of the issues: Read More

Jul 16 2017

CBP is taking mug shots of US citizens who leave the country

US Customs and Border Protection (CBP) has expanded its photography of the faces of all non-US citizens entering or leaving the US (under the “US-VISIT” program) to add mug shots of US citizens leaving the country, starting with all passengers on a daily flight on United Airlines from Washington Dulles Airport (IAD) to Dubai, U.A.E. (DXB).

This exit photo scheme is part of a larger program of biometric traveler tracking for which CBP and DHS recently opened an entire new database management and airport procedures simulation facility.

US citizens have the legal right not to submit to this mass surveillance and travel control scheme. But as with your right to fly without ID, CBP notices at airports won’t tell you that. You need to know your rights and be prepared to assert them.

Read More

Aug 10 2016

DEA recruits airline & travel industry staff to inform on travelers

Brad Heath reports in USA Today that the Drug Enforcement Administration (DEA) has been recruiting airline and other travel industry staff to inform on travelers. The DEA has been using these tips from industry insider informers with access to travel reservations as the basis for searches, seizures, and “civil forfeiture” proceedings to confiscate cash from travelers on the basis of allegations that it was somehow associated with illegal drugs:

USA TODAY identified 87 cases in recent years in which the Justice Department went to federal court to seize cash from travelers after agents said they had been tipped off to a suspicious itinerary. Those cases likely represent only a small fraction of the instances in which agents have stopped travelers or seized cash based on their travel patterns, because few such encounters ever make it to court.

Those cases nonetheless offer evidence of the program’s sweep. Filings show agents were able to profile passengers on Amtrak and nearly every major U.S. airline, often without the companies’ consent. “We won’t release that information without a subpoena,” American Airlines spokesman Ross Feinstein said.

In almost none of these cases has the DEA actually brought any criminal charges against the travelers whose cash has been confiscated:

A DEA group assigned to Los Angeles’ airports made more than 1,600 cash seizures over the past decade, totaling more than $52 million, according to records the Justice Department uses to track asset seizures. Only one of the Los Angeles seizure records included an indication that it was related to a criminal indictment…. Of the 87 cases USA TODAY identified in which the DEA seized cash after flagging a suspicious itinerary, only two resulted in the alleged courier being charged with a crime. One involved a woman who was already a target of a federal money-laundering investigation; another alleged courier was arrested a month later on an apparently unrelated drug charge.

According to USA Today, “The DEA would not comment on how it obtains records of Americans’ domestic travel, or on what scale.” USA Today wasn’t able to identify any of the travel industry informers who have been tipping off the DEA about customers they thought might be carrying cash. But DEA spokesman Russ Baer said DEA agents “receive information from employees at ‘airlines, bus terminals, car rental agencies, … or other businesses.'”

Because airlines and computerized reservation systems don’t keep any access logs, it’s impossible for anyone to tell, after the fact, which travel industry personnel looked at a reservation and might have been DEA informers (or any other sort of attacker or threat: identity thief, stalker, industrial spy, etc.).

Some of the examples reported in USA Today relate to DEA access to Amtrak reservations. In court filings quoted in the USA Today story, DEA agents described their review of reservations for domestic Amtrak travel within the US as “routine”. From one of Amtrak’s responses to our FOIA requests, we know that Amtrak has a special “police GUI” for police to use in mining and reviewing data from Amtrak’s “Arrow” reservation system. We’ve asked Amtrak for all records pertaining to access to reservations by law enforcement agencies. After more than a year and a half, Amtrak is still continuing to process responsive records, as discussed in our previous articles about Amtrak. But Amtrak hasn’t yet disclosed anything to us about DEA access to Arrow or other Amtrak data.

The story in USA Today notes that the DEA isn’t supposed to have access to the information about travelers on domestic flights that airlines are required to transmit to the TSA before they can get permission to issue boarding passes. The TSA has defended the Secure Flight passenger surveillance and control scheme as an administrative search for the limited purpose of aviation safety. But we’ve heard rumors that the TSA is under pressure from other law enforcement agencies to open up the Secure Flight database of domestic air travel itineraries for general law enforcement uses. Those uses would likely include both arrest warrants and lookouts derived from NCIC, and profiling for forfeiture targeting by the DEA.