Mar 21 2023

Airlines want even more people put on the no-fly list

Undeterred by the manifest unfairness of the US government’s current no-fly list, some airlines and their allies are apparently renewing a campaign they began last year to get Congress to create yet another extrajudicial procedure by which the Transportation Security Administration (TSA) could put even more people on the US no-fly list.

Seriously? Can anyone really think that the way to make the current bloated and bigoted no-fly list more fair is to add even more names to it? That what the TSA needs is more authority to impose arbitrary and judicially unreviewable sanctions on disfavored members of the traveling public? That the branch of the government best qualified to exercise the power to make decisions that restrict people’s rights and in some cases would cost them their livelihood, perhaps for life, is the TSA?

Once a no-fly list exists, it’s almost inevitable that some people will see it as a one-stop solution to every problem, and will push to expand it by adding new rules to the no-fly blacklisting algorithm. But this is exactly the wrong way to go. If a bill to protect air travelers is going to be reintroduced and considered in Congress, it should be the Freedom to Travel Act.

Read More

Mar 07 2023

Germany follows US lead in misuse of airline reservation data

[Florian Gutsche of the VVN-BdA: An embarrassment to Germany’s reputation? Or a credit to it? And does his black shirt prove that he’s dangerous?]

On Friday, February 24th, Florian Gutsche, a German citizen and the national chair of the German Association of People Persecuted by the Nazi Regime – Association of Anti-Fascists (VVN-BdA), was intercepted by German federal police at Berlin Brandenburg Airport, prevented from boarding a flight he had planned to take to Sofia, Bulgaria, and served with an order prohibiting him from leaving Germany for the duration of the weekend.

Formal parliamentary questions have already been submitted to the German government by a member of the Bundestag, asking by whom and on what basis the order prohibiting Herr Gutsche from leaving Germany was issued. These are important questions.

But we are also concerned about how this order was effectuated and what this says about the German government’s use of airline reservations to surveil, control, and restrict “resiefreiheit” — the right to freedom of movement. Read More

Feb 06 2023

CBP proposes to require even more information from international air travelers

US Customs and Border and Border Protection (CBP) has proposed new rules to expand its Advance Passenger Information System (APIS) to require all international airlines serving the US to provide additional information about all passengers, prior to flight departures.

CBP’s Notice of Proposed Rulemaking (NPRM), published last Thursday in the Federal Register, falsely claims that the proposed rules would not affect individuals, only airlines. But the mandate for airlines to provide additional information about each would-be passenger makes it a de facto requirement, as a condition of air travel, for travelers to provide this information to airlines and the government.

This would constitute a significant expansion of an ongoing unconstitutional surveillance and profiling program in which all international air travelers are required to respond to suspicionless, warrantless, interrogatories administered through airlines as intermediaries and outsourced government surveillance agents and interrogators.

APIS is not a passive surveillance scheme, however. It is part of a real-time system of  granular, per-passenger, per-flight government control of air travel:

After performing the security vetting, the CBP system transmits to the carrier an electronic message. This message is generally referred to as CBP’s response message. If the carrier is using an interactive transmission system, the response message provides certain instructions to the carrier. Specifically, it states whether each passenger is authorized to board, requires additional security screening, or is prohibited by TSA from boarding… Depending on the instructions received in the response message, the carrier may be required to take additional steps, including coordinating secondary security screening with TSA, before loading the baggage of or boarding the passenger at issue.

The Identity Project has objected to every step in the expansion of APIS since 2006, and we will be filing comments objecting to the latest NPRM. If you’d like to file your own objections, the deadline is April 3, 2023. We’ll post ours for others to use as a model.

Current mandatory APIS data fields include name, date of birth, gender, nationality, passport or travel document number, and flight details (airline, flight number, and departure and arrival airports, dates, and times). In addition to the information that CBP has been requiring since 2006, the new NPRM proposes that airlines operating flights to or from the US be required to collect and transmit to CBP additional information including:

  • Street address in the US (currently required of aliens but not of US citizens)
  • Telephone number and “alternate” telephone number (presumably the second phone number is required in order to help the government build social network maps and  guilt-by-association links of First Amendment protected associations between individuals)
  • Email address

What if a US citizen has no fixed address, or no address in the US — or doesn’t want to tell the US government? What if they don’t yet know at which hotel or with which friend or relative  they will be staying — or don’t want their host permanently linked with them in the government’s surveillance and suspicion-generating files?

Are two telephone numbers and an email address required as a condition of air travel?

The proposed rules are silent, but they imply that any airline that transports such a passenger would be subject to sanctions:

CBP cannot require that a passenger be denied boarding. However, if an air carrier boards a passenger who is then denied entry to the United States, the air carrier may have to pay a penalty and bear the costs of transporting that passenger out of the United States.

On arrival in the US, the US government has the duty to allow a US citizen to enter the country unless there is genuine doubt as to their US citizenship. They are not required to provide any information not related to, and needed to determine, their US citizenship.

If a CBP inspector at a border crossing or airport asks a US citizen their address in the US, phone number(s), or email address, they have the right to stand mute or to refuse to answer. CBP can search them, but cannot make them answer questions or deny them entry for standing mute.

If CBP would have no Constitutional authority to require a traveler to answer these questions after they arrive in the US, on what possible grounds would it claim authority to require answers to those same questions before a traveler even boards a flight to the US?

The NPRM does not mention the Bill of Rights or any limits on the authority of the government or a common carrier to demand personal information or answers to interrogatories as a condition of carriage.  We believe that there is no such authority. The proposed rules would violate the First, Fourth, and Fifth Amendments, the Privacy Act, and US obligations as a party to the International Covenant on Civil and Political Rights.

Since the creation  of the Department of Homeland Security (DHS) after September 11, 2001, the DHS has imposed more than a billion dollars in unfunded mandates to the airline industry  to collect additional information about all airline passengers, transmit that information to DHS components (CBP for international flights and the TSA for domestic flights), and receive and process instructions from the DHS before issuing any boarding pass.

The proposed new rules would send the airline IT industry back to the drawing board to modify all of its software, user interfaces, APIs, and business-process layers to collect and transmit additional data fields  about each passenger to CBP prior to departure of each international flight to or from the US.

CBP says that some airlines are already “voluntarily” providing personal information about passengers to CBP beyond what has been required by the current APIS regulations.

Why would airlines be willing to collaborate with the DHS in these schemes?

The proposed rules would leave airlines free to retain, use, share, sell, or otherwise monetize the additional personal information which travelers would be required to provide. This would amount to a huge informational windfall for airlines, and this is the quid pro quo to airlines for collecting this additional data for the government. To put it another way, the proposed rules would constitute a government-compelled taking and transfer to airlines of the value of travelers’ personal information.

Airlines don’t collect this data systemically now, and have not yet developed any standards for normalizing, storing, or exchanging it. This would be a massive unfunded mandate for modifications to airline industry IT systems, at every level from interline messaging protocols to user interfaces, and in training staff. But most of these costs would be one-time costs, and in the long term would be offset by the informational windfall to airlines.

Airlines are already experts in monetizing passenger data, making billions of dollars a year by selling advertising targeted to members of their frequent flyer programs. Compelled provision of additional contact information would enable airlines to expand these customer data monetization and ad targeting programs to all air travelers, including infrequent flyers who aren’t members of these programs.

Many foreign airlines are parastatal entities, so this rule would effectively require many asylum seekers to divulge info to the foreign governments from which they are trying to flee, prior to departure from those countries, placing themselves and their associates (linked to them by e.g. shared contact info)  at even greater peril.

Travelers and airlines should just say no. Travelers should decline to answer questions unrelated to their admissibility to the US, and airlines should transport them anyway and challenge any attempt to impose sanctions on them for refusing to spy on their passengers by interrogating them and collecting surveillance data for the government.

Feb 04 2023

A blacklist is not a basis for search or seizure

A lawsuit filed last week in Federal court in Oklahoma City by the Council on American-Islamic Relations on behalf of Oklahoma native Saadiq Long challenges unconstitutional searches and seizures (sometimes at gunpoint) and interference with freedom of movement on city streets and highways on the unlawful basis of a combination of warrantless dragnet surveillance and arbitrary extrajudicial blacklists.

According to Mr. Long’s application for a temporary restraining order and preliminary injunction to protect his rights and his life while the case proceeds:

In the span of only two months, Saadiq Long has been repeatedly pulled over, arrested twice, held at gunpoint, and had his car searched by Oklahoma City Police Department officers. It is not because Saadiq is a criminal or suspected of being one. Mr. Long is an American citizen and Air Force veteran who has never been indicted, tried, or convicted of any kind of violent crime.

There is a different reason behind these obvious Fourth Amendment violations. That reason involves the intersection of two different dystopian webs: the vast network of cameras and computers maintained by the Oklahoma City Police Department and a secret, racist list of Muslims that the FBI makes available to Chief Wade Gourley and his officers.

That secret FBI list—variously called the federal terror watchlist, the Terrorism Screening Database (TSDB), and most recently the Terrorist Screening Dataset (TSDS)—is a list of more than a million names, almost all of them Muslim and Arab. The FBI adds whatever names it likes, without meaningful review and in accordance with secret processes and standards, for a stunning array of flimsy reasons. Government suspicion of ongoing criminal activity is not a prerequisite to being listed.

The FBI distributes its list, via the National Crime Information Center (NCIC) Database, to the Oklahoma City Police Department. That is all that the FBI distributes: a list of names. The FBI keeps its reasons and evidence about the placement to itself. Because of this, the Department knows that the FBI put Saadiq Long on a watchlist but the Department has no idea why.

Mr. Long’s mistreatment by the US government — the government of the country where he was born and of which he was and still is a citizen — began when, while serving in the US Air Force from 1987-1998 and living in Turkey, he converted to Islam and applied for discharge from the Air Force as a conscientious objector on the basis of his new beliefs.

The Air Force denied his application for conscientious objector status, gave him an “other than honorable” discharge — and, unbeknownst to Mr. Long at the time, had him put on the US government’s No-Fly List as a “known or suspected terrorist”.

After leaving the Air Force, Mr. Long moved with his family first to Egypt and later to Qatar, where he found work as a teacher of English. He discovered that he was blacklisted by the US government almost a decade later when he tried to come back to the US to visit his terminally ill mother in Oklahoma City.

Read More

Jan 20 2023

The #NoFly list is a #MuslimBan list

[CommuteAir routes operated as “United Express”]

In news first reported by Mikael Thalen and David Covucci of of the Daily Dot, Swiss hacker maia arson crimew has found versions of the Transportation Security Administration’s “No-Fly” and “Selectee” lists dating from 2019 on insecure Amazon Web Services cloud servers used by the airline CommuteAir for software development and staging.

CommuteAir is little known in its own name, but operates as a subcontractor to United Airlines for flights by regional jets between United hubs and secondary airports marketed under the “United Express” brand with United Airlines flight numbers.

In a statement to the Daily Dot, CommuteAir confirmed that, “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth.”

This isn’t the first time that information about the TSA’s “watchlists” (blacklists) and related procedures has been leaked or left exposed on the Internet. In 2009, the TSA posted an unredacted copy of its Standard Operating Procedures for “screening” of airline passengers on a Federal government website for contractors. In 2014, the Terrorist Screening Center’s Watchlisting Guidance, which describes the methodology and purported basis for entering names on the No-Fly, Selectee, and other blacklists, was obtained and published by The Intercept.

The lists found by maia and shared with journalists and researchers confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.

The data in the files found by maia is limited to first and last name and date of birth and a sequence number for each listing, but there are headers for several other fields that are blank in most of the records: place of birth, citizenship, passport or ID number, “MISC”, and a blank field labeled “CLEARED” which may have been used to indicate those entries that were intended to be to be whitelisted rather than blacklisted.

The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming  names. More than 10% of the entries on the No-Fly list (174,202 of 1,566,062)  contain “MUHAMMAD” in either the first or last name fields. “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” maia told the Daily Dot.

[Some of the listings for Osama Bin Laden — already long dead — on the 2019 No-Fly List]

The “NOFLY.csv” file found by maia contains 1,556,062 entries. The “SELECTEE.csv” file contains 251,169. The youngest of those on this version of the No-Fly List, as of 2019, were three four-year-olds. The oldest were twenty-five centenarians.

Read More

Dec 06 2022

TSA argues for impunity for checkpoint staff who rape travelers

[Jonathan Corbett argues on behalf of Michele Leuthauser]

Two years ago, at least a dozen women on a Qatar Airways flight to Sydney were ordered off the plane at Doha Airport in Qatar and subjected to forced vaginal examinations.

Australia made diplomatic protests, as both the airline and the airport are controlled by the government of Qatar. The Qatari government issued a public apology and said that, “Those responsible for these violations and illegal actions have been referred to the Public Prosecution Office.” Last month, just before the start of the World Cup soccer tournament in Qatar, some of the women filed a lawsuit in an Australian court  against the airport operator and the airline.

If you think that this couldn’t happen in the USA, or that the victims would fare better with government authorities and in the courts in the USA than in Qatar, think again.

Today a panel of judges of the 9th Circuit Court of Appeals heard oral argument in San Francisco in a lawsuit (Michele Leuthauser v. USA) brought by a woman who complained that a Transportation Security Administration staff person pushed their finger into her vagina — i.e., raped her — in 2019 after they ordered her into a back room at the airport in Las Vegas for a “pat-down” after she went through a whole-body imaging  machine.

It’s bad enough to require that, if anything “anomalous” is spotted on the images taken by  the “virtual strip-search” machine, you have to go through a hands-on strip search. It’s another thing to turn that into a body cavity search involving groping and penetration.

Local police who were standing by refused to take a complaint from Ms. Leuthauser. Traumatized and unable to face TSA checkpoints again, she lost her job, which required frequent air travel. Eventually, after her claim against the US government for damages was administratively denied, she sued the TSA employees and the US government for damages.

Unlike the government of Qatar, however, the US government hasn’t apologized, said that what happened was illegal (or would be illegal if the complaint is proven to be true), or referred the TSA checkpoint staff for investigation and possible prosecution.

The TSA hasn’t even tried to dispute the truth and factual accuracy of the complaint.

Instead, the TSA has argued that, even if all of the allegations in Ms. Leuthauser’s complaint are true, the TSA and its employees have absolute impunity. Regardless of what “torts”, even rape, TSA checkpoint staff commit against travelers, the government claims that Federal courts have no jurisdiction to hear lawsuits or consider claims against them.

One might think that “sovereign immunity” would be a doctrine invoked by, say, the Qatari monarchy to dismiss lawsuits against the Emir. But in this case, it’s being invoked by the US government to exempt the TSA and an accused TSA rapist from any legal accountability.

Read More

Dec 05 2022

DHS resets the clock on its threat to stop flyers without ID

 

Soccer fans have been noticing unusually large amounts of stoppage time added on to extend the final whistle in many of this year’s World Cup matches. But FIFA and World Cup referees have nothing on the US Department of Homeland Security when it comes to extending the end of the game of REAL-ID chicken that the DHS has been playing with air travelers.

Just a few months after adding a countdown clock to its website to add artistic verisimilitude to its threat to start “enforcing” a nonexistent law prohibiting flying without ID, the DHS has set that clock back by two more years.

The change announced today — only the most recent in a seemingly endless series of postponed empty REAL-ID threats — again postpones, but does not withdraw, the DHS threat to start preventing people without ID from traveling by airline within the US.

The DHS says it plans to promulgate another set of amendments to its regulations implementing the REAL-ID Act of 2005, postponing “enforcement” of the REAL-ID Act at airports until May 7, 2025. Conveniently for current Federal officials, that punts the problem of how to respond to the inevitable resistance to an attempted ban on flying without ID into the next Presidential administration.

Today’s press release from the DHS says, in part:

Under the new regulations, beginning May 7, 2025, every traveler 18 years of age or older will need a REAL ID-compliant driver’s license or identification card, state-issued enhanced driver’s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.

We  doubt, however, that the revised regulations will contain any such provision. None of the previous versions of the REAL-ID regulations contained any provision requiring air travelers to identify themselves, and any such regulatory provision would exceed the implementing authority granted to the DHS by the REAL-ID statute.

The REAL-ID Act restricts what ID credentials a Federal agency can accept, in circumstances where ID is required by some other Federal law or regulation. But neither the REAL-ID Act nor any other current or proposed Federal law or regulation requires travelers to show any ID to pass through Transportation Security Administration checkpoints or board domestic flights within the US — as the TSA itself has argued whenever ID to fly has become an issue in court.

It should go without saying that one doesn’t have to take a “flying test” to obtain a drivers license. A drivers license is not a permit to fly, and possession (or not) of a valid drivers license is entirely unrelated to entitlement to travel by common carrier. The REAL-ID Act has done nothing to make flying safer, any more than preventing people without ID from flying would make flying safer. The only real impact of the REAL-ID Act  has been the creation of an (outsourced, privately held, opaque and uncontrolled) national ID database  (SPEXS) aggregated from state and territorial driver’s license records.

By the time the two more years of added “stoppage time” runs out on the DHS threat clock, twenty years will have passed since the REAL-ID Act was rushed through Congress in post-9/11 panic, without debate and with hardly time for legislators to read the bill.

Time is running out on the REAL-ID Act. It’s time for Congress to admit that the REAL-ID Act was wrong from the start, has enabled the creation of a de facto national ID database  overwhelmingly opposed by the American public, and should be repealed.

Sep 22 2022

Freedom to travel to get an abortion

[Arrows indicate populations of states where abortion is, or is likely to become, illegal, and directions and distances to the nearest states where abortion is legal. Note that some of the routes shown are more likely to be followed than others, since abortion is more or less heavily restricted in some states where it is shown on this map as legal. Diagram by Bloomberg News based on data from the Guttmacher Institute.]

Increasing variations between state laws related to abortion are prompting an increase in the already large numbers of women who travel across state lines to obtain abortions.

For women in many states, bans on abortion are making the right to interstate travel an essential prerequisite to the right to obtain an abortion.

Both anti-abortion vigilantes and state laws criminalizing actions related to abortion, including facilitating abortion-related travel, are prompting women seeking abortions as well as those who support abortion rights to think about how to protect abortion travelers and their supporters against identification, surveillance, stalking, harassment, or legal sanctions.

In this context, the right to anonymous travel has acquired new importance and urgency. If you’ve wondered, “Why would anyone want to travel anonymously?” now you know one of the reasons.  But what’s needed is “right to travel” legislation, not just “privacy” legislation. Current Federal “privacy” bills would do little to protect abortion travelers.

What are the patterns of abortion-related travel? How could state authorities or private vigilantes identify or track the travels of these women — whether they drive or take buses, trains, planes, or automobiles? What, if anything, can women traveling across state lines to obtain abortions do to protect themselves against being identified, tracked, and potentially prosecuted or subjected to retaliation, harassment, or other sanctions?  What could the Federal government do to protect these women’s right to travel, and to do so privately and safely?

As discussed in detail below, the possibilities for technical self-defense against threats to the right to travel are limited. Congress needs to act to include protection for the right to travel — regardless of the purpose for which you  travel — in any abortion rights legislation.

Read More

Jun 21 2022

European Court ruling on air travel surveillance

The highest court of the European Union ruled today that an EU mandate for dragnet surveillance of travelers through government access to airline reservations might be permissible under EU law — but only under conditions that governments of EU member countries, and the US government, may be unable or unwilling to meet.

In 2016, the EU enacted a directive requiring each EU member state to enact a law requiring airlines to hand over copies of passenger name records (PNRs) to the government, and establish a new surveillance agency to profile travelers based on this PNR data.  This EU PNR Directive was modeled on US law and on the extrajudicial practices — never tested against the provisions of international human rights treaties, which generally can’t be invoked in US courts — of the US Department of Homeland Security.

The Belgian “Ligue des droits humains” (LDH) filed a lawsuit in the Belgian Constitutional Court challenging the law enacted in Belgium to implement the EU PNR Directive as contrary to multiple provisions of Belgian and EU law.

Before deciding the questions of Belgian law, the Belgian court requested a preliminary ruling from the Court of Justice of the European Union (CJEU), the highest EU court, as to whether the EU PNR Directive is consistent with fundamental EU human rights law.

In today’s ruling (press release and summary in English, full text of judgment in French, provisional translation of judgment in English), the CJEU finds that the EU PNR Directive is not, on its face, invalid — but only if it is implemented and applied in accordance with a long list of conditions specified by the CJEU in its decision.

Governments of EU member states may be unable or unwilling to comply with all of those conditions.

The decision by the CJEU addresses the implications and validity of the EU PNR Directive both as a mandate for suspicionless dragnet surveillance and as a mandate for control of travel, in which PNR data is used as the basis for profiling and other actions.

Of the many conditions set by the CJEU, we find this one on secret law, secret evidence, and judicial review among the most significant. According to the court’s press release:

[T]he Court also stresses that the competent authorities must ensure that the person concerned can  understand the operation of the predetermined assessment criteria and programs applying those criteria, so that it is possible for that person to decide with full knowledge of the relevant facts whether or not to exercise his or her right to judicial redress. Similarly, in the context of such an action, the court responsible for reviewing the legality of the decision adopted by the competent authorities as well as, except in the case of threats to State security, the persons concerned themselves must have had an opportunity to examine both all the grounds and the evidence on the basis of which the decision was taken, including the predetermined assessment criteria and the operation of the programs applying those criteria.

In cases where EU governments act on “recommendations” from the US government to restrict travel to, from, or within the EU, the EU authorities nominally responsible for these actions may not know what evidence (if any) or algorithms for the basis for US recommendations. And the US may not be willing to share that information with EU governments, especially if EU law might require EU governments to disclose that information to European judges, much less to individuals who are “targeted” on the basis of US recommendations.

The court case now returns to the Belgian courts, but it  seems likely that changes to the laws implementing the EU PNR Directive in Belgium and most if not all other EU member states will be required to conform these laws to the conditions laid down today by the CJEU. Another round of litigation in EU member states and perhaps again in the CJEU is likely to be needed to determine whether amended laws have met those tests. Stay tuned!

Jun 06 2022

Another legal “victory” but still no justice for tortured traveler

For more than a decade (see our articles from 2012 and 2018), we’ve been monitoring the saga of Yonas Fikre, a US citizen who was placed on the US government’s “No-Fly List” and blacklisted by his government as a “suspected terrorist” while he was overseas on business.

Last week, after nine years and counting in the courts, Mr. Fikre “won” a second successive favorable decision on pre-trial appeals to the 9th Circuit US Court of Appeals, but his quest for justice remains unfulfilled. The history of this case to date is a case study in the lack of accountability or judicial review for no-fly decisions and decision-makers.

Read More