Documentary filmmaker Laura Poitras, represented by the Electronic Frontier Foundation, has filed a lawsuit under the Freedom of Information Act (FOIA) against the Department of Homeland Security (DHS), the Department of Justice (DHS), and the Office of the Director of National Intelligence (ODNI, which includes the NSA). The winner of an Oscar and a Pulitzer Prize for her independent journalism, Poitras is seeking the release of records kept by the government about her travels, and about why she has been detained for hours at a time, searched, and interrogated at airports whenever she entered or left the US.

We welcome Ms. Poitras’ lawsuit, and we wish her and EFF all success. But we’ve been down this road before, and the results aren’t encouraging:

• In 2006, Ms. Julia Shearson, Executive Director of the Cleveland Chapter of the Council on American Islamic Relations (CAIR), filed suit pro se against the DHS under the Privacy Act, seeking disclosure of records about why she was detained at gunpoint at the US-Canada border and falsely labeled as a terrorist in government blacklists. Despite years of litigation, Ms. Shearson still hasn’t received any information about why or by whom she was blacklisted as a terrorist, or any confirmation that any of the blacklist entries about her have been corrected.
• In 2008, Ms. Sophie In ‘t Veld, a Member of the European Parliament from the Netherlands, also represented by EFF, sued the DHS under FOIA for records about her travel from the DHS “Automated Targeting System” (ATS). Although Ms. In ‘t Veld eventually received some excerpts from the DHS dossier about her travels, the pre-crime “risk assessment” scores assigned to her each time she traveled to or from the US were redacted and withheld, as was all information about the algorithms and the information used as the basis for those scores.
• In 2010, Mr. Edward Hasbrouck, an award-winning travel journalist and a consultant to the Identity Project, represented by our parent organization the First Amendment Project, sued the DHS under both the Privacy Act and FOIA, seeking disclosure of records about himself and his travels from ATS, including risk assessments and rules used for determining them, and information about ATS search and data-mining functionality. Like Ms. In ‘t Veld, Mr. Hasbrouck eventually received some excerpts from the ATS files about his travels, but with all information about risk assessments and risk assessment algorithms redacted and withheld.  While Mr. Hasbrouck’s requests were pending, DHS exempted ATS from all of the access and disclosure accounting requirements of the Privacy Act, and a US District Court judge upheld the retroactive application of those exemptions to unanswered requests that Mr. Hasbrouck had made three years previously.  The judge also upheld the withholding of all information about DHS data-mining capabilities for ATS travel records, without even looking at any of the requested records.
• In 2011, Mr. David House, a computer programmer associated with the Chelsea Manning (then Bradley Manning) Support Network, represented by the ACLU of Massachusetts, sued the DHS for wrongly searching and seizing Mr. House’s electronic devices and data at the airport when he returned to the US from a vacation abroad.  As part of a settlement of the lawsuit, the government eventually turned over some records from its files about Mr. House and about how the government used its travel surveillance capabilities to target him for his work to publicize Ms. Manning’s case and raise funds for her legal defense.  The records released to Mr. House give a partial picture of how the DHS uses manually-created flags (“lookouts”) to target travelers, but still doesn’t give any information about the algorithms or data inputs used for automated pre-crime profiling and “risk assessment” scores.
• In 2013, Messrs. C.J. Chivers and Mac William Bishop, two reporters for the New York Times represented by the Times’ in-house legal department, sued the DHS under both FOIA and the Privacy Act for records about why the two journalists were targeted for unusually intrusive searches and interrogations at airports while leaving and returning to the US on reporting assignments for the Times. The Times hasn’t (yet) reported on what, if any, records they have received in response to the lawsuit. We presume that means that the government has yet to disclose any significant new information about its targeting of journalists and their travels. [In response to the lawsuit, DHS did release redacted portions of its TECS and Automated Targeting System (ATS) files about the journalists, including PNR data. But the codes indicating profiling results and reasons for DHS actions as well as some entire pages of ATS records were redacted.]

We’ve been involved as plaintiffs, attorneys, or consultants to plaintiffs and their counsel in all but one of these cases, and we support continued litigation on these issues.

Harassment of journalists and political activists and interference with their right to travel are only part of a bigger picture. Government surveillance and control of travel is a threat to everyone’s rights.  It’s important for the government to disclose what it’s been doing, but it’s equally important to expunge the government’s travel metadata surveillance archives and end the government’s pre-crime profiling and permission-based controls on who it “allows” to travel by common carrier or public right-of-way.

Independent legal experts commissioned by the Council of Europe (COE) to assess proposals for surveillance and profiling of air travellers throughout the European Union have returned a detailed and perceptive critique of the proposed EU directive on government access to, and use of, Passenger Name Record (PNR) data from airline reservations.

Before the revelations by Edward Snowden and other whistleblowers about dragnet surveillance of telephone and Internet communications, few people appreciated the nature of the threat to freedom posed by government acquisition and use of PNR data for dragnet travel surveillance.

The expert report to the Council of Europe marks a breakthrough in the “post-Snowden” understanding of the nature and significance of government demands for PNR data. The report reframes the PNR debate from being an issue of privacy and data protection to being part of a larger debate about suspicionless surveillance and pre-crime profiling. The report also focuses the attention of European citizens, travellers, and policy-makers on the decisions made (in whole or in part) on the basis of PNR data: decisions to subject travellers to search, interrogation, or the total denial of transportation (“no-fly” orders).

The report specifically cites the Kafkaesque case of Dr. Rahinah Ibrahim as an example of the way that decisions made on such a basis tend to evade judicial review or effective redress.

The PNR directive under consideration by the European Union would require each EU member to establish a Passenger Analysis Unit (PAU), if it doesn’t already have one. These PAUs would function as new national surveillance and pre-crime policing agencies. Each PAU would be required to obtain PNR data for all air travellers on flights subject to its jurisdiction, “analyze” this data (i.e. carry out algorithmic pre-crime profiling of air travellers using PNR data as one of its inputs) and share the raw PNR data with its counterparts throughout the EU.

The United Kingdom already has such a Passenger Analysis Unit. It’s not clear which, if any, other EU members already have such units, although staff of the US Department of Homeland Security, based in Germany and elsewhere in Europe, already perform similar functions as “advisors” making “recommendations” to their European counterparts regarding the treatment of European travellers, based on US profiling of PNRs and other travel history and surveillance data.

The COE expert report on Passenger Name Records, Data Mining & Data Protection was commissioned by the COE Directorate General Human Rights and Rule of Law, and prepared by Douwe Korff (Emeritus Professor of International Law at London Metropolitan University, Associate at the Oxford Martin School of the University of Oxford, and currently Visiting Fellow at Yale University in the USA) and Marie Georges (independent expert formerly on the staff of the French national data protection authority, CNIL). The report was presented and discussed at a meeting last week of the “Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD)”.

According to the introduction to the report:

Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly ‘identified’] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned — and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted….

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

The report develops these key points about government access to and use of PNR data as a suspicionless dragnet surveillance system and as part of predictive pre-crime policing (outside of normal mechanisms for penal sanctions or for review and redress for police action) in detail.

In addition, the report endorses and highlights the point we have been making for many years that because most PNR data for flights worldwide is hosted by, and communicated through, reservation databases accessible from the USA and worldwide without purpose or geographic access limitations or access logs, the USA and other governments can already obtain and use this data, entirely bypassing putative controls on access to PNRs directly from airlines.

The report specifically directs the attention of European officials to testimony by Edward Hasbrouck of the Identity Project at a European Parliament hearing in 2010 (hearing agenda and witness list, slides, video):

“Europe” must also examine the highly credible claims by Edward Hasbrouck … that the USA has been systematically violating previous agreements, and is still systematically by-passing European data protection law, by accessing the CRSs used in global airline reservation systems hosted in the USA to obtain full PNR data on most flights, including most European flights (including even entirely intra-European ones), outside of any international agreements….

[W]e believe that the supposed safeguards against such further — dangerous — uses of the data are weak and effectively meaningless, both in their own terms and because, as Edward Hasbrouck has shown, the USA can in any case obtain access to essentially all (full) PNRs, through the Computerized Reservation Systems used by all the main airlines, as described next.

Read More →

If the file about you the DHS has compiled from airline reservations, license-plate readers, and other travel surveillance data sources is deemed “suspicious”, does that constitute probable cause for a search of your home and business or seizure of your possessions?

That question has arisen in  the case of Albuquerque antique gun collector and dealer Bob Adams, argued in May 2015 and currently awaiting a decision by the 10th Circuit Court of Appeals in Denver.

On January 23, 2013, Mr. Adams’ home and business was raided by a SWAT team including DHS and other Federal and state agencies.  Various of his possessions, including his collection and inventory of firearms, were seized, damaged, and/or destroyed in the raid. On November 4, 2013, after Mr. Adams had filed suit to recover his property, he was indicted for various technical violations of Federal laws relating to firearms imports and dealer licensing and reporting.

Both the search warrant and the indictment were based, in part, on allegations by Federal law enforcement officers regarding the records of Mr. Adams’ international travel history in the DHS Automated Targeting System (ATS). In an affidavit supporting the application to a Federal magistrate for the search of Mr. Adams’ home and business, “Special Agent” Frank Ortiz of the New Mexico Attorney General’s Office claimed that ATS records showed that Mr. Adams had repeatedly flown to Canada without having return flight reservations to the US, and had subsequently re-entered the US as a passenger in a private car.  This, agent Ortiz opined (based on his purported “expertise” in interpreting such data) was evidence of a pattern of suspicious behaviour characteristic of Mr. Adams’ alleged modus operandi for unlawful firearms imports.

(There’s a long but generally undisclosed history of airlines “voluntarily” giving police access, without warrants, to PNR data, and of police using it as the basis for interrogations and searches.)

The Federal judge to which the criminal case against Mr. Adams was assigned first upheld the search warrant but then, on reconsideration, ordered all the evidence obtained from the search suppressed, on the basis of other materially false statements, made in apparent bad faith, in Agent Ortiz’s affidavit. The government, which would have no case against Mr. Adams without that evidence, has appealed that ruling to the 10th Circuit Court of Appeals.

The ruling by the District Court, the arguments to the Court of Appeals, and most of the publicity about the case have focused on questions related to firearms.  But what concerns us are the issues related to ATS and its use as a surveillance and suspicion-generating system.

First, ATS data is neither accurate nor complete, and should not be relied on. For example, even experts may be unable to tell, from a particular PNR, whether or not it corresponds to actual travel or issuance of a ticket. (Mr. Adams says some of the DHS records of flights he allegedly took to Canada don’t correspond to flights he actually took, which is an inevitable consequence of the DHS orders to airlines to transmit copies to DHS of all reservations for such flights, including reservations that were unticketed and/or cancelled.) And license plate readers and the associated optical character recognition systems are, of course, subject to an unknown but substantial percentage of errors. (Mr. Adams says he has never traveled in some of the private vehicles in which ATS records that he crossed the US-Canada border.) Most importantly, the DHS has itself exempted ATS from the requirements of the Privacy Act for accuracy and completeness, on the basis of a claim that it is necessary to include inaccurate and incomplete data. Having done so, the government should be “estopped” from suggesting that any court or jury rely on this data.

Second, if the purpose of the ATS dragnet of warantless, suspicionless travel surveillance is to develop or support suspicions of criminal activity, that is a general law-enforcement purpose that goes far beyond the scope of permissible administrative searches or seizures of personal information incident to air travel or for purposes of aviation security.

Third, the evidence presented to the court in support of the application for a search warrant, to the grand jury in support of the indictment, and to Mr. Adams as part of pre-trial discovery, appears to have included only excerpts from TECS records (entry/exit logs which are one of the components of ATS), but not the complete TECS records, and none of the Passenger Name Record (PNR) data also included in ATS.  Full TECS records would include indications of the source of the data, and PNRs might well have made clear whether airline reservations had actually been ticketed and used, or had been cancelled as Mr. Adams claims.

It seems likely that the complete contents of the ATS records about Mr. Adams’ travel, including full TECS records and all PNR data, constituted potentially exculpatory evidence known to, and in the possession of, the government, which it was required to disclose to the defense pursuant to the decision of the Supreme Court in Brady v. Maryland.

More generally, it would seem that a complete ATS file for any involved individual, including complete TECS and PNR data, would constitute potentially exculpatory evidence in virtually any prosecution in which international travel might be relevant: smuggling, facilitating unlawful immigration, etc. It would be almost impossible for the government to know in which cases such data might support an alibi, support or undermine the credibility of a witness, or support or refute some other testimony or claim. If the government doesn’t proactively produce this material (as it is required to do), defense attorneys should object to this as a violation of the Brady doctrine, and/or specifically include it in routine discovery motions.  (We are available to assist defense counsel in interpreting such disclosures, and/or in explaining to courts how they could be exculpatory.)

Having carried out this extensive (although unreliable) surveillance of travelers, DHS appears to be using it selectively, introducing only those excerpts, in those cases, which it thinks it can spin as suspicious — and not mentioning other portions of these files that might refute these or other government allegations.  We wonder how many other criminal prosecutions this has tainted.

The US Department of Homeland Security has announced plans to expand its data mining and “sharing”of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.

Read More →