Freedom To Travel – Page 37

Apr 26 2012

No-fly case goes forward against Feds, while SFO pays through the nose for false arrest of traveler

We’ve noted previously that, as the DHS increasingly relies on state and local law enforcement officers and private contractors to carry out its extrajudicial “no-fly”, search, and surveillance orders, those individuals and their employers face a growing risk of liability for their actions against travelers.

Case in point: Ibrahim v. DHS et al.

We’ve reported previously on some of the earlier stages in this case, originally filed in 2005 by a Malaysian architect, then a doctoral candidate at Stanford University and today (having received her Ph.D. from Stanford in absentia) a professor and Dean of the Faculty of Design and Architecture at UPM in Malaysia. When she tried to check in at San Francisco International Airport (SFO) for a flight back to Malaysia to give a presentation about her Stanford research, she was arrested by SFO airport police (a branch of the San Francisco police force) on the direction of a private contractor who answered the phone at the TSA’s Transportation Security Operations Center (since renamed — we are not making this up — the “Freedom Center”). She was told she was on the “no-fly” list, but was allowed to fly home to Malaysia the next day, after which her US student visa was revoked.

Through her lawyers in the US, Ibrahim sued the various Federal agencies involved in no-fly decisions; their individual officials, employees, and contractors; and the San Francisco city and county, airport, police department, and individual police officers, for violations of her 1st and 5th Amendment rights.

The case has a had a tortured procedural history. After seven years, there has been no discovery, fact-finding, or rulings on any of the substantive issues. The case has, however, survived a series of District Court rulings and two appeals to the 9th Circuit Court of Appeals, first in 2008 on which, if any, Federal court (district or circuit, in San Francisco or DC) had jurisdiction to hear the case, and then in February 2012 on whether Dr. Ibrahim had standing, as a non-US citizen now residing (involuntarily) outside the US, to bring her Constitutional claims in US courts.

The latest ruling by the 9th Circuit in Ibrahim v. DHS, which allows the case against the government and its agents to go forward, is significant for its rejection of several of the Federal government’s key arguments against judicial review of no-fly decisions:

Apr 25 2012

European Parliament approves PNR agreement with the US. What’s next?

[MEPs picket outside the plenary chamber to ask their colleagues to say “No” to the PNR agreement with the US. (Photo by greensefa, some rights reserved under Creative Commons license, CC BY 2.0)”]

Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)

The vote is a setback for civil liberties and the the fundamental right to freedom of movement, in both the US and Europe.

But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.

Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.

Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.

By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.

The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US. The DHS made this explicit in testimony to Congress in October 2011:

To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.

But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.

Most of the the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.

Why is that?

Mar 01 2012

Google is now in the PNR hosting business

Today Google and Cape Air announced that Cape Air has migrated its reservations and Passenger Name Records (PNRs) to a new computerized reservation system (CRS) provided by Google’s ITA Software division.

ITA Software was working on a CRS even before it was acquired by Google last year, but had appeared to lack a launch customer to fund the project after its original partner, Air Canada, backed out. In his first public statement last November after the Google acquisition was completed, Google Vice President and former ITA Software CEO Jeremy Wertheimer anticipated today’s announcement and said that with Google’s new backing, his division was “burning the midnight oil” to complete the project.

Cape Air, Google’s CRS launch customer, is a very small US airline that mainly flies 9-seat piston-engined propeller planes to small resort islands. Most of what might look like “international” destinations on their route map are actually US colonies. But Cape Air does serve some British colonies in the Caribbean, including Anguilla and Tortola. All reservations for those flights, as well as any reservations for Cape Air’s domestic US and other flights made through travel agencies, tour operators, or “interline” airline partners in the European Union, are subject to EU data protection laws.

So as of today Google should have in place an airline reservation system, including PNR hosting functionality, which fully complies with EU laws including in particular UK data protection law and the EU Code of Conduct for Computerized Reservation Systems.

We’re doubtful that Google (or Cape Air) have complied with these requirements of EU law. Cape Air’s privacy policy says, “CapeAir does not fly routes within Europe, so this Privacy Policy is not adapted to European laws.” It appears to be true that Cape Air doesn’t fly within Europe, but it does operate flights to and from UK territories that are legally part of the EU. Cape Air also says, “By agreeing to Cape Air’s Privacy Policy, you consent to Cape Air applying its Privacy Policy in place of data protections under your country’s law.” It’s not clear whether such a waiver of rights is valid. The “Privacy Policy” link on ITAsoftware.com goes directly to Google’s new global privacy policy, which appears to say that Google may merge information from all Google services, presumably including Google’s new PNR-hosting service.

At the same time, in accordance with the Advance Passenger Information System (APIS) and PNR regulations of US Customs and Border Protection (CBP, a division of the DHS), that also means that Google has connected its system to CBP’s Automated Targeting System (ATS). Whether Google has given CBP logins to “pull” data whenever CBP likes (as the other CRSs have done), or whether Google “pushes” PNR data to CBP, remains unknown until some Cape Air passenger requests their PNR data under EU law.

In accordance with the US Secure Flight rules, the Google CRS for Cape Air must also have a bi-directional connection to the US Transportation Security Administration to send passenger data to the TSA and receive permission-to-board (“cleared”) fly/no-fly messages in response.

This is, so far as we can tell, an unprecedented level of direct connection between Google’s databases and any government agency. Has Google complied with EU law? Probably not, but we can’t tell. We invite Google to allow independent verification of how it handles PNR data, and whether its CRS system and its connections to the US government comply with EU rules.

[It’s also important to note that the privacy and data protection practices of CRSs, including Google’s “ITA Software” division, are outside the jurisdiction of the Federal Trade Commission and subject to policing only by the do-nothing Department of Transportation.]

There are also interesting questions about what profiling and data mining capabilities are built into Google’s CRS system. “Legacy” CRSs store PNRs in flat files in which PNRs for different trips by the same traveler can be difficult to link. But a report on the new Google CRS in the online trade journal Tnooz says it “enables … call center agents ‘to see customers’ history,’ including past trips and upcoming flights, ‘right in front of them’.” Greater designed-in profiling and data mining capabilities are selling points of Google’s CRS compared to its “legacy” competitors.

EU oversight and enforcement bodies should have demanded answers as well. Last May the European Parliament approved a resolution calling on the European Commission to carry out, “an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” In November, shortly after Google’s announcment that they were moving forward with their CRS project, a Member of the European Parliament submitted written follow-up questions to the Commission as to whether the EC has conducted such an analysis, as well as whether the EC has “considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?”

As we’ve noted, the “response” to these questions by Commission Cecilia Malmström said nothing about Google or other new CRS providers, contradicted the statements that have been made by European airlines, and largely ignored the issues raised by the European Parliament.

Cape Air is a small first step into the CRS industry by Google, but it won’t be the last. Everyone concerned with how PNR data is stored and processed, including data protection authorities in countries that (unlike the US) have such entities, should carefully scrutinize and demand satisfactory, verifiable answers as to what this means about Google’s relationship to US government agencies and the need for oversight and enforcement of privacy data protection rules applicable to all CRS companies.

Feb 06 2012

Yet another US citizen denied their right of return

In the latest variation on what has become a depressingly-familiar theme, US citizen Jamal Tarhuni was denied boarding on a flight home to the USA last month, apparently because while he was abroad the US government put him on the list of those people it has secretly ordered airlines not to transport.

Mr. Tarhuni had been working in Libya for a nonprofit relief agency. He is now trapped in Tunisia, separated from his home and family in the USA, as he discusses in this Skype video interview.

My Tarhuni’s de facto banishment from the USA is especially disturbing in light of reports that before being naturalized as a US citizen he was granted asylum in the USA in the ’70s. While conditions may have changed, a grant of asylum means that Mr. Tarhuni has already established, to the satisfaction of US authorities, that he had a well-founded fear of persecution if he were forced to return to the country of his original citizenship. That makes it, we think, especially critical that the US allow him to return home before his permission to remain in Tunisia expires and he risks being deported to some other country of non-refuge.

It’s one more case for the UN Human Rights Committee to ask questions about when it conducts its next review of US (non)compliance with the International Covenant on Civil and Political Rights: “Everyone has the right to leave any country, including his own, and to return to his country.”

[Update: Jamal Tarhuni is not alone. MSNBC reports that another US citizen, Mustafa Elogbi, is also trapped in Libya after being denied passage on a connecting flight from London to the US, and returned to Libya, where his flights has originated (not the country of his citizenship, the USA) after being detained and interrogated in London. “Elogbi and Tarhuni have booked new tickets and are scheduled to board a flight back to the United States on Feb. 13, arriving in Portland on Feb. 14. Their Portland attorney Tom Nelson is traveling to the region so he can accompany them on the flight. The two men do not know whether they are included on the U.S. government’s secret no-fly list. As per government security policy, the FBI will not confirm or deny it. … Thus they do not know if they will be prevented from boarding in Tunis, or in Paris or Amsterdam, where they change planes.”]

Feb 06 2012

State Dept. finalizes passport fee increases, continues to ignore human rights complaints

On February 2, 2012, the State Department published a final rule in the Federal Register setting fees for issuance and renewal of U.S. passports and related consular services.

Contrary to some press reports, this rule didn’t actually increase the current fees. It merely “finalizes” the fee increases that have already been in effect for the last 18 months since the publication of an interim final rule (don’t you love that bureaucratic doublespeak?) in June, 2010.

What’s noteworthy about the “final rule” is that while it purports to include an updated analysis of the public comments on the fee increases, it continues to ignore our complaints that these fees, and the process by which they were adopted, violate both U.S. treaty obligations related to freedom of movement as a human right, and Federal law that requires an assessment of their economic impact on freelancers and other self-employed individuals.

We filed our complaint in the State Department’s designated docket, but also submitted it directly to the Secretary of State with a request that it be forwarded to the State Department’s designated “single point of contact” responsible for insuring that complaints of human rights treaty violations are responded to.

Our complaint of human rights treaty violations isn’t mentioned in the State Department’s analyses of public comments, and we’ve received no acknowledge or response from the Secretary’s office or anyone else at the Department. Our FOIA request and appeal for records of who the Secretary of State has designated as responsible for responding to such complaints, and what (if anything) they have done with ours, has been pending without even a partial response since July 2011.

Jan 27 2012

Retroactive Privacy Act exemptions could cost a US citizen his life

In his ruling this week in Hasbrouck v. CBP, Judge Seeborg of the US. District Court for the Northern District of California suggested that US citizens have no “rights” that would be prejudiced by applying newly-issued Privacy Act exemption rules to previously-made requests for government records.

But a parallel case currently before the U.S. District Court in DC shows how retroactive application of Privacy Act exemptions can be a potentially life-or-death issue.

Sharif Mobley is a native-born U.S. citizen who was living in Yemen with his wife (also a US citizen) and their two infant children when he was shot and seized by agents of the Yemeni government in January 2010, and taken to a Yemeni hospital in police custody. He’s been in a Yemeni prison ever since, and needs US government records to defend himself against capital charges.

Jan 24 2012

First rulings in our lawsuit over DHS travel records

U.S. District Court Judge Richard Seeborg has issued his first rulings in Hasbrouck v. CBP, our lawsuit seeking information from and about DHS records of the travels of individual US citizens.

Judge Seeborg granted some of the government’s motions for summary judgment and some of ours, ordered US Customs and Border Protection (CBP) to conduct further searches and disclose any non-exempt responsive records they find, and ordered the parties to confer on the remaining unresolved issues.

We’re still studying the order, which we received notice of late yesterday. But here are some key aspects of the ruling — including some issues of first impression for any Federal court — and some issues it raises:

Jan 12 2012

What’s it like to be labeled an “armed and dangerous terrorist”?

We’ve writ ten before about the case of Julia Shearson, a US citizen who was detained in handcuffs at gunpoint, and separated from her four-year-old daughter, when she tried to re-enter the US by land after a weekend holiday in Canada.

The DHS has admitted that they had improperly flagged her as a “suspected terrorist” on the terrorist watch list and in the (illegal) travel records system that later came to be known as the Automated Targeting System, but to this day — despite her ongoing Privacy act and FOIA lawsuit — Ms. Shearson doesn’t know why.

We urge anyone who wants to know what it’s like to be caught up in the post-9/11 dragnet to listen to this talk given by Ms. Shearson at an event last month in San Francisco, and this video also shown at that event.

Jan 12 2012

US report on human rights ignores complaints

On December 30th, 2011, the US government filed its latest report (and appendices; also here in PDF format) to the United Nations Human Rights Committee (UNHRC) concerning US implementation of, and compliance with, the International Covenant on Civil and Political Rights (ICCPR).

The ICCPR is one of the most important human rights treaties to which the US is a party. By the terms of the ICCPR, each party to the treaty, including the US, is required to report to the UNHCR, every five years, on its implementation of, and compliance with, its obligations under the treaty. Following each such self-report by a national government, the UNHCR has the opportunity to pose questions both in writing and during a face-to-face hearing concerning the report and other issues of treaty compliance by that government. The UNHCR also meets with, and receives “shadow” reports (such as these regarding the previous US report) from, non-governmental organizations with concerns about the government’s self-reporting or other treaty compliance issues concerning that country.

Since the US doesn’t recognize the jurisdiction of most other international human rights tribunals, the UNHCR is one of the only independent bodies empowered to cross-examine the US government and demand answers to questions about its actions and its compliance with international law.

The fourth US report concerning the ICCPR filed in December 2011 was due a year earlier, in 2010. The UNHCR will schedule its review and response to the US report for one of its future sessions in Geneva or New York, perhaps in late 2012 or sometime in 2013.

What’s most notable about the latest US report is how much goes unmentioned, even with respect to topics raised in the previous US report. There’s no substantial discussion, for example, of the comprehensive system of control and surveillance of travelers that has been set up by the DHS, or of whether it complies with the standards established by the UNHCR for government actions which restrict the right to freedom of movement guaranteed by Article 12 of the ICCPR. We’ll be raising that issue in detail, of course, in our shadow report to the UNHCR, as we have in our previous complaints to the DHS and the Department of State. Read More →

Jan 03 2012

The EU-US PNR Agreement — A Legal Analysis of Its Failures

[The following complete article (27 pages) or a summary of the key points (3 pages) can be downloaded in PDF format. Additional analyses and critiques of the proposed EU-US PNR agreement have been published by, among others, the Identity Project, the Electronic Frontier Foundation, and a coalition of US and EU NGOs.]

FROM THE DESK OF BARRY STEINHARDT

Chair, Friends of Privacy USA
Bsteinhardt@friendsofprivacy.us
December 26, 2011

Introduction

The proposed agreement regarding Passenger Name Records (PNR) between the United States and the European Union is riddled with faulty assertions and assumptions about US law and the actual operations of the US Government.

These faulty assertions and assumptions go to the heart of the agreement and undercut the claims of protections for European travelers.

As an American lawyer with substantial experience on the PNR and related issues, I want to set the record straight for the European officials who must act on the proposed agreement.

This memo highlights the most serious of those faulty claims and assumptions.

In summary:

The Agreement does not apply to the agency – the Terrorist Screening Center – which actually decides which travelers will be subject to the No Fly rules.
The US Laws cited in the agreement as offering protections to European travelers actually provide very little benefit or are completely irrelevant to the international transfer of PNR data;
Europeans cannot, as the agreement suggests, obtain independent and adequate relief from unlawful actions by the US Executive Branch (USG) by appealing those decisions under the Administrative Procedure Act (the APA).There are virtually insurmountable substantive and procedural hurdles to the use of the APA in “appealing” decisions of the Department of Homeland Security (DHS).Of greatest importance, most of the relevant actions taken pursuant to the agreement will not qualify as a “Final Order” that can be appealed under the APA;
Beyond that the APA is of little use to travelers who want to challenge the centrally important actions taken by the Terrorist Screening Center (TSC) of the Department of Justice (DOJ).The Agreement is focused on the TSA’s screening of air passengers. It gives short shrift to and offers very little protection from the Automated Targeting System (ATS) operated by Customs and Border Protection (CBP) which is a wholly separate branch of DHS.It is CBP – not the TSA – that use the ATS to decide how Europeans will be treated when they enter exit the US;
There are substantial uncertainties about which, if any, court would be empowered to hear an “appeal” and which agencies would need to be sued. Complex jurisdictional rules regarding APA appeals and transportation security issues throw air passengers into a procedural thicket from which they may never escape;
The DHS Chief Privacy Officer has neither the independence nor the authority claimed in the Agreement. Nor does the CPO of the Justice Department whose jurisdiction includes the TSC, and;
The Agreement does not cover the USG’s uses of private commercial data e.g. data obtained from the Computer Reservation Services (CRS) and the USG has wide power under the Patriot Act and related law to obtain data them.

Papers, Please!

The Identity Project