Freedom To Travel – Page 30

Nov 30 2013

DHS collects foreign visitors’ medical histories

This week Ellen Richardson, a Canadian citizen trying to fly from Toronto to New York to board a cruise ship bound for international destinations in the Caribbean, was denied permission to transit the U.S. by the DHS, on the basis of her history of clinical depression and her previous suicide attempts in Canada — none of which had involved the police or any criminal charges.

Canadian citizens normally don’t need visas for short-duration visits to the U.S. as tourists. But U.S. law, Title 8 USC Section 1182(A)(iii)(II), forbids entry to any non-U.S. citizen who is determined “to have had a physical or mental disorder and a history of behavior associated with the disorder, which behavior has posed a threat to the property, safety, or welfare of the alien or others and which behavior is likely to recur or to lead to other harmful behavior,” unless they obtain a waiver from one of the doctors specially appointed by the DHS to examine applicants for admission to the U.S.

DHS files about people who aren’t U.S. citizens or residents aren’t subject to the Privacy Act, and the DHS and the NSA claim the authority to collect and retain pretty much any information they can obtain about foreigners, including (at least implicitly) health information and medical records.

The questions being asked in Canada are how the DHS learned of Ms. Richardson’s medical history, whether any Canadian entities disclosed private information to U.S. government agencies, and whether any Canadian laws such as PIPEDA or the Canadian Privacy Act were violated.

There appear to have been at least four ways that the DHS could have learned of Ms. Richardson’s medical history:

Some Canadian entity might have knowingly disclosed information about Ms. Richardson to the DHS. This probably wouldn’t violate any U.S. law (foreigners have essentially no statutory privacy protection under U.S. law), but would almost certainly constitute a grave violation of PIPEDA and/or the Canadian Privacy Act by the responsible Canadian entity.
Some Canadian entity might have outsourced or disclosed information about Ms. Richardson to an entity in the U.S., which in turn disclosed it to the DHS. Once personal data is in the U.S., no U.S. law restricts its onward transfer to third parties including the DHS or other government agencies. Many Canadian companies (including, as we’ve previously documented, Air Canada) outsource storage and processing of personal information to companies in the U.S., or share information with U.S. business partners, affiliates, or the like. When the details are scrutinized, almost all such cross-border data transfers violate PIPEDA and/or the Canadian Privacy Act.
The NSA might have hacked some Canadian entity or intercepted intra-Canadian data transfers, and shared its findings with the DHS. Health and medical information hasn’t been specifically mentioned as a target of the NSA’s dragnet or its hacking of foreign databases, but can’t yet be ruled out.
The DHS might have searched for “publicly available” information about Ms. Richardson, and happened upon her history of suicide attempts. This seems the most likely explanation, but raises the further question of how often, how systematically, and how deeply DHS components conduct these sorts of Internet or other searches. Unfortunately, the investigations now being undertaken by Canadian privacy officials are unlikely to shed any light on this question.

We’d love to hear from any whistleblowers or leakers who can shed light on what happened to Ms. Richardson or, more generally, what sorts of Internet or “public-source” data about Canadian and other visitors to the U.S. the DHS is trolling and entering into its permanent files about individuals.

Nov 19 2013

Does the TSA have any “precogs”?

[The TSA uses appearance profiles to decide whether to search you and/or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from GAO report. Click image for larger version.)”]

We’ve likened the TSA’s attempts to predict which travelers are would-be terrorists on the basis of their identities and profiles to the “pre-crime” police in the fictional film, Minority Report, who use “pre-cogs” with supernatural powers to predict who will commit future crimes.

We’ve also pointed out that in reality, as distinct from Hollywood fantasy, there’s no such thing as a “precog”. The Constitution presumes that we are innocent until proved guilty, and requires probable cause (as determined by a judge, not a self-proclaimed or TSA-certified psychic) to believe that we have already committed a crime before we can lawfully be arrested.

Having said that, we’re pleased to see that members of Congress and government auditors are (finally) beginning to come to their senses — as the characters in “Minority Report” eventually did — and questioning whether the TSA really has any “pre-cogs” on its payroll, or what the TSA has gotten for its $900 million outlay on “Behavior Detection Officers” and “Screening Passengers by Observation Techniques” (SPOT).

At a hearing last week before the Subcommittee on Transportation Security of the House Committee on Homeland Security, Rep. Mark Sanford asked John Pistole, the former FBI agent who is now Administrator of the TSA, whether travelers should “have to go through a screening process based on somebody’s interpretation of what might be in your brain.” Rep. Sanford pointed that a wide variety of factors — including the TSA’s own actions — might lead to stress, fear, and the “behaviors” that the TSA has defined in a (secret) point-scoring system as indicia of terrorist intentions.

In response, Pistole admitted that, “There’s no perfect science, there’s no perfect art of this.”

“Imperfect” isn’t the right word for the SPOT program. In fact, there’s no scientific basis for it at all, according to a report and testimony at the same hearing by the Government Accountability Office.

In addition to a detailed debunking of the lack of scientific evidence to support the TSA’s claims to paranormal ability, the GAO report gives more information than has previously been made public concerning what the TSA’s “behavior detection officers” (BDOs) actually do.

The TSA’s goal is mind reading. TSA “Behavior Detection Officers” (BDOs) are supposely trained to deduce mental states from external appearances and visible behaviors:

According to TSA’s strategic plan and other program guidance for the BDA [Behavior Detection and Analysis] program released in December 2012, the goal of the agency’s behavior detection activities, including the SPOT program, is to identify high-risk passengers based on behavioral indicators that indicate “mal-intent.”

But can BDOs read our minds? Presumably, the measure of their success in doing so would be how many (if any) of the travelers they flag as “mal-intentioned” are eventually found guilty of aviation-related terrorist offenses. Does that ever happen? The GAO couldn’t tell, because the TSA doesn’t keep records of that:

TSA was unable to provide documentation to support the number of referrals that were forwarded to law enforcement for further investigation for potential ties to terrorism. Further, according to FAMS [Federal Air Marshalls Service] officials, when referrals in TISS [Transportation Information Sharing System] are forwarded to other law enforcement officials for further investigation, the FAMS officials do not necessarily identify why the referral is being forwarded. That is, it would not be possible to identify referrals that were forwarded because of concerns associated with terrorism versus referrals that were forwarded because of other concerns, such as drug smuggling. [emphasis added]

Like most TSA personnel, and despite the job title of “officer”, BDOs and TSOs are not law enforcement officers. As the diagram above makes clear, they can and do impose “administrative” sanctions including more intrusive searches of travelers and our luggage, interrogation of travelers, and denial of the right to travel. The TSA also claims the right to impose administrative fines for insufficient, or insufficiently groveling, “cooperation” with their search, interrogation, or anything else it decides is part of “screening”. But beyond that, unless they want to take the risk of liability for making a citizens arrest, TSA employees and contractors depend on local law enforcement officers (LEOs) to provide their muscle.

What happens when the TSA refers travelers picked out by its BDO “pre-cogs” to local police?

99.4 percent of the passengers that were selected for referral screening — that is further questioning and inspection by a BDO — were not arrested. The percentage of passengers referred to LEOs that were arrested was about 4 percent; the other 96 percent of passengers referred to LEOs were not arrested. The SPOT database identifies 6 reasons for arrest, including (1) fraudulent documents, (2) illegal alien, (3) other, (4) outstanding warrants, (5) suspected drugs, and (6) undeclared currency…. According to the validation study, the majority of the arrested passengers were arrested because of possession of a controlled substance. [emphasis added]

“Terrorist” offenses aren’t even a sufficiently large proportion of TSA checkpoint arrests to warrant their own category in the database. If there were any at all, they are merely a subset of the “miscellaneous” category.

Rather than predicting terrorist intent, the TSA is using the “behavior detection” program as a pretext for warrantless searches for general law enforcement purposes, primarily for enforcement of drug laws. That’s exactly the sort of pretextual use of a special-purpose administrative checkpoint detention and search as a general-purpose law enforcement dragnet which, as numerous courts have recognized, is prohibited by the Fourth Amendment.

Any actual interdiction of would-be terrorists is so infrequent and insignificant (or of so little relevance to the true purposes and criteria for success of the program) as not to be worth bothering to track.

Both the GAO (Congressional auditors) and the DHS’s own Office of Inspector General (OIG), in separate audits and investigations, found evidence that these warrentless searches and other sanctions were being imposed on the basis of “appearance profiles”, including profiles of ethnic and racial appearance:

With regard to information provided related to profiling, DHS stated that DHS’s OIG completed an investigation at the request of TSA into allegations that surfaced at Boston Logan Airport [“These accusations included written complaints from BDOs who claimed other BDOs were selecting passengers for referral screening based on their ethnic or racial appearance.”] and concluded that these allegations could not be substantiated. However, while the OIG’s July 2013 report of investigation on behavior detection officers in Boston concluded that “there was no indication that BDOs racially profiled passengers in order to meet production quotas,” the OIG’s report also stated that there was evidence of “appearance profiling.”

In other words, the DHS’s own investigators found that the TSA was basing its decisions (searches, interrogations, no-fly orders, referrals to police, etc.) on the basis of racial and ethnic appearance profiles — it just wasn’t using racial and ethnic profiling to meet specific quotas. All profiling by BDOs is, of course, “appearance profiling”, since all that BDOs are able to observe is external appearance. Is the absence of explicit racial or ethnic quotas supposed to make such profiling OK?

GAO auditors also received first-hand complaints of profiling from BDOs at every airport they visited:

During our visits to four airports, we asked a random sample of 25 BDOs at the airports to what extent they had seen BDOs in their airport referring passengers based on race, national origin, or appearance rather than behaviors…. Of the 25 randomly selected BDOs we interviewed, 20 said they had not witnessed profiling, and 5 BDOs (including at least 1 from each of the four airports we visited) said that profiling was occurring at their airports, according to their personal observations. Also, 7 additional BDOs contacted us over the course of our review to express concern about the profiling of passengers that they had witnessed.

If there is any small silver lining in the GAO’s latest report, it’s that despite complete disregard for the Fourth Amendment, the TSA has at least begun to pay lip service to the Fifth Amendment rights of travelers to remain silent when questioned by TSA employees or contractors:

In August 2012, the Secretary of Homeland Security issued a memorandum directing TSA to take a number of actions… These actions include a revision of the SPOT standard operating procedures to, among other things, clarify that passengers who are unwilling or uncomfortable with participating in an interactive discussion and responding to questions will not be pressured by BDOs to do so. [emphasis added]

Oct 22 2013

TSA’s lying “response” to today’s story in the New York Times

We’re quoted on the front page of today’s New York Times in a story by Susan Stellin, “Security Check Now Starts Long Before You Fly”:

The Transportation Security Administration is expanding its screening of passengers before they arrive at the airport by searching a wide array of government and private databases that can include records like car registrations and employment information….

“I think the best way to look at it is as a pre-crime assessment every time you fly,” said Edward Hasbrouck, a consultant to the Identity Project, one of the groups that oppose the prescreening initiatives. “The default will be the highest, most intrusive level of search, and anything less will be conditioned on providing some additional information in some fashion.”

“TSA proposes arbitrarily individualized surveillance-based searches”
Comments filed with the DHS by the Identity Project in response to the latest proposals for the TSA’s “Pre-Check” (Pre-Crime) databases

The TSA refused to say anything to the Times on the record, but published a blog post today (with the misleading title “Expediting Screening for the Traveling Public”) responding to the Times’ story with a succession of lies and prevarications.

We call “bullshit” on the TSA:

“We are not using “private databases.”” This is an out-and-out lie, as “Blogger Bob” and the TSA surely know. All TSA pre-secreening systems relie primarily on information from private commercial databases of airline reservations (PNRs). Since there is no requirement for a U.S. citizen to notify the government directly before taking a trip by common carrier, “pre-screening” would be impossible without access to, and reliance on, these private commercial databases. The US government has gone to great effort, through the APIS, PNR, and Secure Flight regulations and through lobbying for changes to Canadian privacy law and exceptions to European privacy law, to implement requirements for DHS access to this data. If these databases are no longer “private”, that is only because the TSA and other DHS components have compelled airlines and reservation hosting companies to make this data available to government agencies.
“TSA does not monitor a passenger’s length of stay in any location.” The TSA doesn’t always retain the travel itinerary information it compels airlines to provide for domestic travel, but it claims the right to do so for anyone deemed (arbitrarily or according to secret criteria) to be “suspicious” or to “match” an entry on any of the government’s (arbitrary, secret) “watchlists”. And for international travel, CBP (another DHS component agency) does retain complete PNR data, including travel itineraries, and comprehensive border crossing and entry/exit logs, for all travelers, in its Automated Targeting System (ATS) — and claims the right to “share” all this data with the TSA. (And that doesn’t even begin to consider the NSA’s apparently independent hacking of airlines and reservation systems and potential sharing of PNR and other travel data with DHS.)
“We are not using car registrations.” Again, it’s CBP rather than the TSA that is logging license plates and vehicle movements (using cameras near borders and optical character recognition software), linking them to individual ATS records, and using them to generate “risk” scores and watchlist messages — which are then passed on to the TSA. TSA is using this data, just (slightly) indirectly. According to the latest System Of Records Notice for ATS, published in the Federal Register in 2012, “ATS maintains the official record for … the combination of license plate, Department of Motor Vehicle (DMV) registration data and biographical data associated with a border crossing”.
“[W]e rely on the same security information passengers have been required to submit at time of booking for many years…. [T]he info we rely on is the same info that passengers have provided for years when they book their flight.” Actually, we didn’t used to have to provide our ID number, date of birth, or gender in order to make an airline (or Amtrak train, or Greyhound bus) reservation. It used to be possible to hold airline reservations in “dummy” names, or with no names at all. The TSA relies on information that has only been required since the creation of the TSA. And in the past, we “provided” that information, if at all, only to airlines and travel companies. Prior to the creation of the TSA, we never had to provide any information to the government to book a flight. (Unless we were traveling in a foreign country where a foreign government agency like the Stasi required us to show our ID cards or permission papers to book a flight.)
“Anyone who has never traveled outside the United States would not have a passport number on file and would therefore not be subject to the rules that the agency uses to determine risk.” Nonsense. Many people have our passport numbers on file with the TSA because we’ve used our passports as ID for domestic flights. Many people have no government-issued ID except a passport. Despite the State Department’s moves to make it more difficult to get a passport, the REAL-ID law sometimes makes it even more difficult to get a drivers license or other state-issued ID than to get a passport.
“We are not expanding the type of information we use.” If that were true, why would the TSA have published formal notices in the Federal Register of new systems of records and new uses for existing systems of records? They don’t publish these legal notices just for fun. Either (a) the TSA has already been illegally collecting and/or using this data without proper notice, in violation of the Privacy Act (as DHS did for years with the Automated Targeting System), (b) the TSA is doing what is says in the notices it is doing, and collecting and using new information in new ways, or (c) the TSA plans to do so in the future, and wants to be able to say, if someone later complains, “But we gave you fair notice that this was what we were going to do. If you wanted to object, you should have done so back in 2013 when we published that notice.”
“[W]e are not using any new data to determine low risk passengers.” Applicants for the TSA’s Pre-Check program — i.e. people who want to be relieved of suspicion-by-default and the associated more intrusive search each time they travel — are being required to provide information that the TSA has never before requested, including fingerprints, other biometric information, and authorization for checks of criminal, financial, and other government and commercial records. If the TSA isn’t using any of this new data, why is it compiling it? More than likely, this new data is being or will soon be used — and retained for possible additional future uses for an unknown range of purposes.

[TSA Pre-Crime graphic from Leaksource]

Oct 10 2013

TSA proposes arbitrarily individualized surveillance-based searches

In the latest version of TSA’s endless series of “trusted traveler” (or “less mistrusted traveler”) schemes, the agency is currently proposing to impose more intrusive searches on any traveler who doesn’t “voluntarily” enroll in the TSA Pre-Check program and authorize the TSA to create a new permanent file with everything from your fingerprints to any “other information provided by … government agencies or other entities”.

These files would be exempted from the normal requirements of the Privacy Act that records used as the basis for decisions about individuals’ exercise of our rights be made available to us and be limited to information that is sufficiently accurate, complete, and relevant to form a legitimate basis for such decisions.

The proposal is contained in a package of three regulatory filings (one new and one revised “System of Records Notice” and a “Notice of Proposed Rulemaking” proposing Privacy Act exemptions) published last month in the Federal Register. All three have to be read in combination to appreciate their full implications.

The deadline for public comments on two of these proposals is today, and for the third is tomorrow. We filed consolidated comments today objecting to all three of these proposals:

Read in combination, this new and revised SORN and these proposed regulations describe a system in which an essentially unlimited range of personal information collected from an essentially unlimited range of sources, and known to include inaccurate and irrelevant information, would be (or perhaps already is being) compiled into the “TSA Pre-Check Application Program” system of records.

These records would be used – either according to criteria which are illegally being kept secret, or in an entirely arbitrary manner at the “discretion” of the TSA – to determine who is and who is not deemed “eligible” to exercise the right to travel without being subject to unreasonable searches.

The results of that decision-making would be incorporated into the “Secure Flight” system of records, and used as part of the basis (also either pursuant to secret rules or entirely arbitrarily) for deciding to issue or withhold the issuance of individualized “boarding pass printing results”, including instructions to TSA staff and contractors as to the degree of intrusiveness of the search to which each would-be traveler is to be subjected as a condition of exercising our right to travel.

Maintenance and use of these systems of records in the manner contemplated by these SORNs and the proposed exemptions would violate the 1st, 4th, and 5th Amendments to the U.S. Constitution, the presumption of innocence, due process, the Freedom Of Information Act (FOIA), the Privacy Act, and Article 12 (Freedom of Movement) of the International Covenant on Civil and Political Rights (ICCPR.

These records should be expunged, and the proposed regulations should be withdrawn….

We also point out that the TSA is only pretending to give the required consideration to public comments:

According to the “TSA Pre-Check Application Program” SORN published on September 10, 2013, “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act because it may contain records or information related to law enforcement or national security purposes.”

This claim was, and is, false. As of the date of the SORN, no such exemption had even been proposed: the NPRM proposing such an exemption, and requesting public comments (such as this one) concerning that proposed exemption for consideration by the DHS, was not published until a day later, on September 11, 2013. Even now, the Secretary has promulgated no final rule for such an exemption. Nor could he or she promulgate any such final rule, consistent with the Administrative Procedure Act, unless and until the current period for public comment on the proposed exemption rule has concluded and the comments submitted (including these comments) have been considered by the DHS.

The false claim that “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act”, when in fact the Secretary has not done so, appears to be intended to mislead individuals about what rights we have, and to dissuade us from attempting to exercise our rights. In addition, by stating the outcome of the current exemption rulemaking as a fait accompli, it constitutes prima facie evidence of bad faith in the consideration of public comments. It is not enough for an agency to accept submissions of comments from the public to the circular file, after making a decision. An agency must give genuine consideration to public comments before deciding whether to finalize, modify, or withdraw a proposed rule.

You can read our complete comments here. You can submit comments at Regulations gov (here, here , and here) but your comments won’t be processed or visible online until after the DHS Privacy Office re-opens.

[TSA Pre-Crime graphic from Leaksource]

Oct 10 2013

US government thinks human rights are not essential

Representatives of the US government were scheduled to appear next week for public, in-person questioning in Geneva by the UN Human Rights Committee, as part of the UNHRC’s periodic treaty-mandated review of US implementation of the International Convention on Civil and Political Rights (ICCPR).

Each party to the ICCPR, including the US, is required by Article 40 of the treaty to report to the UNHRC, “whenever the Committee so requests”, on “the measures they have adopted which give effect to the rights recognized herein and on the progress made in the enjoyment of those rights.”

We were looking forward to next week’s session, at which the UNHRC was scheduled to consider issues we had raised in our submissions to the UNHRC, including US violations of Article 12 (Freedom of Movement) of the ICCPR and US failure to consider, respond to, log, or report on complaints of human rights treaty violations.

Today, however, the US requested and received a postponement until March 2014 of its appearance before the UNHRC, “due to the ongoing government shutdown.”

But the US government is not, of course, shut down.

Agencies, departments, and contractors deemed “essential”, including police, prisons, surveillance agencies, and travel “screeners” (searchers and interrogators), remain on the job. These “essential” operations include, of course, many of those engaged in human rights violations.

The real meaning of the US request for postponement of the review of its human rights record by the UNHRC is that the US does not consider compliance with international human rights treaties to be “essential”.

The government continues to violate our human rights during the “shutdown”. What have been shut down are any mechanisms for accountability, oversight, or enforcement of human rights treaty obligations.

This is nothing new or surprising, but it is nonetheless appalling. Human rights are essential. Compliance with treaties is as essential as compliance with any other provision of the US Constitution.

Unfortunately, this is typical of the way that decisions have been made as to which government functions are “essential”.

For example, the TSA and DHS offices responsible for responding to Freedom Of Information Act (FOIA) requests have been closed for the duration, even though FOIA mandates, and provide statutory deadlines for, responses to these requests. Meanwhile, TSA and DHS press offices, who perform no statutorily mandated function, remain open. Propaganda has been prioritized over both the substance of transparency and compliance with the law in making decisions about which offices will be kept open.

The postponement of the UNHRC’s review of US compliance with the ICCPR will give the Department of State more time to respond to our complaint of violations of the ICCPR by the State Department, and our FOIA request for State Department records related to complaints of human rights violations. That request and complaint have been pending for more than two years. Shortly before all FOIA offices were shut down, however, we were told by the State Department that it doesn’t expect to complete its response to our FOIA request until 2015. That’s too late, conveniently, for it to be considered by the UNHRC in its review of the US human rights recrod, even at a postponed 2014 session.

Sep 29 2013

How the NSA obtains and uses airline reservations

A front-page report in today’s New York Times based on documents leaked by NSA whistleblower Edward Snowden confirms that the NSA, like the DHS, uses airline reservation data as part of its profiling and social network analysis of US citizens and foreigners. Today’s report also raises new questions, and suggests some answers, as to how the NSA obtains and uses this airline data.

The Times’ report today on NSA social network analysis mentions that:

The [NSA] can augment the communications data with material from public, commercial and other sources, including … passenger manifests…, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners….

[T]he N.S.A. correlates 164 “relationship types” to build social networks and what the agency calls “community of interest” profiles, using queries like “travelsWith“.

In their most basic form, passenger manifests list each passenger individually and do not indicate which passengers were traveling together. At a minimum, either “Advance Passenger Information” (API) data, some other source of “enhanced” passenger manifest data, or complete Passenger Name Records (PNRs) would be needed to identify which passengers on a given flight had reservations in the same PNR (a single PNR can contain the reservations for an entire party or group traveling together) and thus who “travelsWith” whom.

We’ve long known that the DHS collects API and PNR data about US citizens and foreigners alike, compiles this data in its Automated Targeting System and Secure Flight databases, and mines this data both to target individuals (including journalists and activists) and for social network analysis (correlating e.g. telephone numbers and airline reservations) to identify and target new suspects on the basis of their association with current suspects (i.e. as a suspicion-generating or guilt-by-association system).

A typical PNR like the one shown above (from a DHS Automated Targeting System dossier; click the thumbnail for a larger image) includes a timestamped IP address (line 5 of the “remarks” in the example above), email address, home address, credit card number, mobile phone number, etc., so it can readily be correlated with Internet, communications, and financial records.

The NSA would presumably have been interested in flights worldwide, including flights within parts of the world far from the USA, while the DHS claims to collect PNR data only for flights to, from, within, or via the US. But we know that the DHS can, and sometimes does, collect PNR data about flights elsewhere.

As we reported in 2007, and as was mentioned in a front-page story in the Washington Post based on our research, ATS records released by DHS in response to our requests (you can request your own ATS file using the forms here) confirmed that the DHS already had “root” access to the computerized reservation systems (CRSs), so that the DHS could retrieve any PNR in those CRSs, even if it didn’t include any US flights.

The “smoking gun” confirming DHS root access to CRSs was this PNR for someone who traveled from San Francisco to Berlin (TXL) on United Airlines and a United/Lufthansa codeshare flight, stayed in Berlin for six days, continued from Berlin to London (LHR), stayed in London for another six days, and then returned to SFO on United:

The portion of the journey from Berlin to London via Prague was on Czech Airlines (OK), an airline which does not (and did not then) fly to, from, or via any point in the US. Additional details in the PNR showed that a separate ticket was issued for the OK flights, which did not connect to flights to or from the US. A CRS user with a United Airlines user ID and privileges would not have been able to see these flights. Only a user with an ID from the travel agency that made these reservations, or a user with “root” privileges (such as a user with an ID from the CRS company), would have been able to see all of the data that the DHS was able to see and import into ATS.

So could the NSA have obtained its copies of PNR and/or API data from DHS, or by using the root-user credentials that CRS companies had provided to the DHS? Maybe. Since neither DHS nor the CRSs keep logs of who accesses their respective copies of PNR data, there’s no way to know for sure except through leaks or the testimony of whistleblowers.

But we suspect that the NSA has some way to obtain PNR and/or API data independent of the DHS.

Sep 17 2013

How airline reservations are used to target illegal searches

One of the most detailed pictures to date of how the US government uses airline reservations to target illegal searches is provided by documents released recently by the US government as part of an agreement to settle a lawsuit brought by David House, an activist with the Pvt. Manning Support Network.

Mr. House was detained and searched and had his electronic devices confiscated and copied by DHS personnel at O’Hare Airport as he was re-entering the US after a vacation in Mexico in 2010.

The government learned of Mr. House’s travel plans through their systems for real-time monitoring and mining of airline reservations:

The ACLU analysis of the documents released to Mr. House, and reports by the New York Times and the Associated Press, focus on the DHS seizure and copying of the data from Mr. House’s electronic devices. An article in Mother Jones highlights the technical ineptness of the government’s attempts to analyze the data seized from Mr. House. (It took DHS “experts” more than a month, for example, to realize that a portion of the data dump from Mr. House’s netbook was a Linux partition.)

But as discussed below, more is revealed by these documents about DHS access to, and use of, airline reservations.

The documents released to Mr. House may also help explain how David Miranda, the domestic partner of journalist Glenn Greenwald, was detained and searched last month while changing planes at Heathrow Airport in London.

And in that context, they may also suggest an explanation for why Mr. Miranda was detained and searched in the UK, and Mr. House in the US, but Mr. Greenwald himself has not been detained or similarly searched when he travels to the US.

Aug 30 2013

International travel by air is a Constitutional right

In a preliminary ruling in a lawsuit brought by the ACLU three years ago on behalf of a group of people who have been prevented by the U.S. government from traveling by air, a Federal judge in Oregon has found (1) that international air travel is a Constitutional right, and (2) that a categorical ban by the government on the exercise of that right can only be issued in accordance with due process.

Those shouldn’t be surprising findings. But given that the U.S. government has never sought to follow normal legal procedures by asking a court to issue a no-fly injunction against an individual, and that none of the goverment’s extrajudicial administrative no-fly orders has ever been reviewed on its merits by any court, the latest ruling by District Judge Judge Anna Brown in the case of Latif et al. v. Holder is an important step toward bringing DHS controls on travel within the rule of law.

The ruling is the latest in a series of decisions which have finally begun to uphold the right of travelers to due process and juducial review of the restrictins on their movements. The decison in the Oregon no-fly case echoes similar findings in the past year by the 4th Circuit Court of Appeals in the case of Gulet Mohamed and by the 9th Circuit and the District Court for the Northern District of California in the case of Rahinah Ibrahim.

Aug 22 2013

California considers “enhancing” drivers licenses with radio tracking beacons

California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.

Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.

The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints.

Independent academic studies of actual ID cards issued by other states, using the same standards proposed for use in California, have found that they can sometimes be read from more than 50 yards away.

S.B. 397 has already been approved by the California Senate, and is now under consideration in the Assembly. Because it has been amended by the Assembly, it will need to be reconsidered by the Senate (to decide whether to accept the Assembly amendments) if and when it is approved by the Assembly.

To date, S.B. 397 has been largely unopposed in the California legislature, and it is likely to be approved unless legislators start hearing a groundswell of opposition from their constituents.

What excuse is being offered for this scheme? And what’s its real purpose?

Aug 19 2013

White House approves new “long forms” for some passport applicants

After a year-long “review”, the White House on August 12, 2013, approved the State Department’s proposed new “long form” questionnaires for some (unspecified) subset of applicants for US passports:

Form DS-5513, “Supplemental Questionnaire to Determine Entitlement for a U.S. Passport”:

Form DS-5513 as approved (OMB Control Number 1405-0216)
Supporting Documents for Form DS-5513 (click on “all” at top of page for more details)

Form DS-5520, “Supplemental Questionnaire to Determine Identity for a U.S. Passport”:

Form DS-5520 as approved (OMB Control No: 1405-0215)
Supporting Documents for Form DS-5520 (click on “all” at top of page for more details)

In approving these forms, the Office of Management and Budget (OMB) ignored overwhelmingly public outrage at these questionnaires, which ask such questions as:

List all your parent(s) residences one year before your birth.
Parent(s) place of employment at the time of your birth (Dates of employment, Name of employer, Address of employer).
Did your mother receive medical care while pregnant with you and/or up to one year after your birth? (Name of hospital or other facility, Address, Name of Doctor, Approximate dates of appointments).
Please provide the names (as well as address and phone number, if available) of persons present at your birth such as medical personnel, family members, etc.
Please list any schools, day care centers, or developmental programs you attended from birth to age 18 in or outside of the United States.
Please list all of your permanent residences inside and outside of the United States starting with your birth until age 18.

The proposed forms were slightly (but not significantly) revised by the State Department during the review by OMB. But there are still no publicly-disclosed guidelines for which passport applicants would be sent one or both of these “long forms”. We requested this information from the State Department more than two years ago under the Freedom of Information Act (FOIA), but the State Department has not yet responded to our request. (This is, we’ve been told, typical of the State Department’s failure to comply with FOIA deadlines.) The most reasonable inference is that the new forms are designed to be impossible to complete, so as to provide a pretext to deny you a passport if the State Department doesn’t like your looks (or your opinions, or whatever).

The State Department has also ignored our formal complaint that these conditions for passport issuance violate U.S. obligations as a party to the International Covenant on Civil and Political Rights, and our FOIA request for any records of what (if anything) was done with that complaint.

OMB declined our written request to meet with them to discuss our objections to the proposed forms. OMB policy is to meet with groups interested in its reviews of proposed regulations, but it doesn’t apply that policy to its reviews of proposed “information collections”.

In the course of the review by OMB, the State Department admitted that, as we had already reported, it has already been using these forms illegally. According to the latest State Department submission to OMB:

The DS-5520 has been created to correct a procedure that may have been inconsistent with the Paperwork Reduction Act (PRA)…. Field offices have, in the past, sent the applicant a letter containing a questionnaire asking for the supplemental information. The Department has become aware of this procedure and is now seeking OMB approval to rectify the oversight….

The DS-5520 is a new collection based on the previously internal Information Request Letter (IRL) titled, “Supplemental Identification List”. To estimate the number of respondents per year, therefore, the Department ran a report using our Management Information System (MIS) to determine the number of these IRLs filed in 2011 by every passport agency and acceptance facility. The results revealed that in 2011, 54,723 letters were filed along with the DS-11.

Until the forms were approved (as they now have been) by OMB, the Paperwork Reduction Act (PRA) prohibited the State Department from denying anyone a passport or imposing any other penalties for failure or refusal to fill out these forms.

Now that these forms have been approved, objections to the denial of a passport on the basis of failure to complete these forms (or to do so to the satisfaction of the State Department) will have to be based on other grounds than the PRA. These objections may be more fundamental, but may also be more difficult to establish in administrative or judicial proceedings.

If you are a US citizen but are denied a US passport because you are unable or unwilling to answer these questions, or you are prevented from entering or leaving the USA because you don’t have a passport, we’d like to hear from you.

Papers, Please!

The Identity Project