Dec 16 2024

Identification as the enabler of ID-based surveillance and control

Edward Hasbrouck of the Identity Project was a guest today with Prof. David Farber (Keio Univ. Cyber Civilization Research Center) and Prof. Dan Gillmor (Arizona State Univ.) for the CCRC / IP-ASIA weekly online gathering on current issues, discussing the expansion of demands for ID, identification as a service provided by the government to commercial entities, the evolution of ID-based surveillance and control, and the human rights work of the Identity Project:

  • How do demands for ID enable ID-based surveillance and ID-based control of offline and online activities, including predictive “pre-crime” controls?
  • When are we required to identify ourselves ourselves or submit to automated identification?
  • How is this changing?
  • What can we do about it?
  • Invitation and Zoom link
  • Slides
Dec 09 2024

Public/private partnerships for financial surveillance

[Email from the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury to some of its banking industry partners forwarding list prepared by Mitsubishi United Financial Group (MUFG) of vendors at DMV (DC, Maryland, and Virginia) airports, train stations, and bus stops, to target reporting of purchases at these locations as “suspicious” .]

The House Committee on the Judiciary and its Select Subcommittee on the Weaponization of the Federal Government have released a ground-breaking report on their investigation of what they describe — accurately, we think — as “the coordination between Big Banks and Big Government” in financial surveillance.

The Judiciary Committee and Subcommittee’s latest report on financial surveillance as well as their earlier interim report on the same issue are part of their broader inquiry into the investigative tactics used in the aftermath of the storming of the US Capitol  on January 6, 2021.

Partisan criticism of the Weaponization Subcommittee may lead to some skepticism or dismissal of its report and recommendations. But that would be a mistake, regardless of what anyone thinks about the Weaponization Subcommittee in general. The report is thoroughly researched and its sources are well documented. It’s based on interviews with witnesses from goverment agencies and the banking industry and tens of thousands of documents provided in response to Congressional subpoenas.

The report on financial surveillance uses the post-January 6th investigation only as a case study. The practices it reports on could have been, and still could be, used against any of us, regardless of party or affiliation (if any). They shouldn’t be used against anyone, even the most stigmatized individuals and groups. What we allow to be done to our enemies, or anyone’s enemies, could be done to any of  us. The report deserves bipartisan public attention and calls for bipartisan action by Congress.

As we’ve noted in surveying what’s likely to lie ahead in demands for ID and ID-based surveillance and control of our real-world and virtual movements and activities, it’s all too easy and all too common for otherwise-principled civil libertarians to allow their distaste for particularly reviled individuals to blind them to the bad precedents being set by the investigative and prosecutorial tactics used against those stigmatized defendants.

We can’t afford to be sanguine about violations of anyone’s rights. The government’s response to the events of January 6, 2021, was a textbook example of the way that unsympathetic defendants are exploited to expand the norms of permissible and publicly-tolerated investigative and prosecutorial practices that can later used more widely.

After January 6th there were misguided calls to add everyone involved in the storming of the Capitol (and perhaps also anyone suspected of possibly having been involved) to the million-and-a-half names already on the US government’s no-fly list — by summary, secret, extrajudical administrative action. It’s unclear whether, or to what extent, that was done. That remains an open question, as does the larger question of how no-fly decisions are made. We hope that the  Weaponization Subcommittee and the Subcommittee on the Administrative State will look into these questions during the next session of Congress.

Suspects were targeted for prosecution after January 6th based on what may have been the most extensive use to date in any single investigation of geofence warrants for cellphone location data. Those general warrants were used not to obtain evidence pertaining to individuals who there was already probable cause to suppect of crimes, but to trawl through records of hundreds of millions of innocent cellphone users to find individuals to place under suspicion based on where their cellphones were logged by Google as having been on that day. Challenges to the Constitutionality of these general warrants for dragnet searchess were all — so far as we can tell — dismissed by the judges hearing these cases.

But that’s not all. The latest Judiciary Committee report shows how logs of routine, entirely legal, financial transactions were subjected to warrantless scrutiny and data mining by banks and financial services providers collaborating with government investigators, and used as the basis for placing individuals under suspicion.

The FBI encouraged banking companies to “voluntarily” submit Suspicious Activity Reports (SARSs) to  the Financial Crimes Enforcement Network (FinCEN), the police division of the Department of the Treasury. These SARs were used to finger to FinCEN as “suspicious” anyone who had engaged in such mundane activities as taking money out of an ATM, buying a meal at an airport, or paying for a hotel or AirBNB anywhere in the DMV (DC, Maryland, and Virginia) area on January 6th or the days before or after:

To be clear: these transactions were, in and of themselves, entirely legal, and weren’t in and of themselves in any way suspicious. They didn’t create probable cause to believe that each such individual was likely to have committed any crime, and they wouldn’t have provided sufficient basis for the issuance of a search warrant. These SARs were used not to investigate people who were already suspected of crimes, but to identify new individuals to be extrajudically placed under suspicion and investigated without probable cause.

Once submitted to FinCEN, these SARs are available for individual search and retrieval by tens of thousands of government agents, without the need to apply for a warrant. SAR data is also exported in bulk by FinCen for import into other agencies’ data mining systems.

Read More

Dec 06 2024

Court stays deadline for IDs and mug shots of corporate principals

A Federal District Court in Texas has issued a nationwide injunction against enforcement of the Corporate Transparency Act (CTA) of 2021.

This injunction is only temorary, pending a decision by the court on the merits of a lawsuit challenging the Consittutionality of the law, which could take months or years. But until that ruling, the preliminary nationwide injunction stays the January 1, 2025, deadline for officers and owners of all types of corporations to obtain ID documents from government agencies and submit copies of those documents, including photos, to the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury.

Another US District Court in Alabama has already ruled that the Corporate Transparency Act is unconstitutional. But that ruling only applied to the plaintiffs in that case.

The Texas District Court’s detailed ruling on the motion for a preliminary nationwide injuction focuses primarily on issues of federalism. It doesn’t mention the issue of corporate officers or owners who don’t have any of the required ID documents, or the implications of requiring  mug shots as well as document numbers and other written information.

The government argued that the plaintiffs in the case against the CTA had not suffered sufficient damage to give them a cause of action, because the reporting burden would be “de minimus” (minmal). The Court rejected that argument, noting that, according to the regulations implmenting the CTA reporting requirement, ” FinCEN estimates that the total cost of filing BOI [Beneficial Owner Information] reports is approximately $22.7 billion in the first year and $5.6 billion in the years after.”

The Court noted with a footnote that, “FinCEN also estimates that it will take approximately twenty minutes to read a beneficial ownership report form and understand it, thirty minutes to collect information about a company’s beneficial owners, and twenty minutes to fill out and file the report, resulting in a seventy-minute endeavor. But the Court notes that as a practical matter, it takes far longer than seventy minutes simply to read the CTA and Reporting Rule alone.”

What we find espcially significant and encouraging in this ruling is that it recognizes explicly that requiring ID is a law enforcement and investigatory device — as FinCEN’s very name, the Financial “Crimes Enforcement” Network, makes clear:

In other words, the CTA is a law enforcement tool—not an instrument calibrated to protect commerce; an exercise of police power, rather than a regulation of an activity…. The CTA regulates reporting companies, simply because they are registered entities, and compels the disclosure of information for a law enforcement purpose.

The Court rightly rejected the government’s argument that mandatory reporting of identifying information (and photos, although that wasn’t mentioned) about all corporate principals is “useful” for law enforcement. Unconstitutional general warrants, dragnet surveillance, or suspiconless, warrantless, house-to-house searches would undoubtedly enable the government to find evidence of crimes, some of which would otherwise have gone undetected, in many homes. But the effectiveness of these police tactics, from the point of view of the police, does not make them Constitutional.

FinCEN hasn’t updated its website yet to mention the nationawide injunction. The Texas case and other legal challenges to the CTA remain pending, and the injunction is likely to be appealed. For now, however, you can ignore the CTA reporting requirements and the January 1, 2025, compliance deadline.

Dec 04 2024

CBP facial recognition is a service for the airline industry

After five years of foot-dragging in responding to our Freedom Of Information Act (FOIA) request, US Customs and Border Protection (CBP) has finally released the pitch it made to the Future Travel Experience airline industry conference in 2019 on why airlines and airport operators should “partner” with CBP on automated facial recognition of airline passengers.

CBP claims in its presentation that “THIS IS *NOT* A SURVEILLANCE PROGRAM”. Its vision, however, is for CBP’s Traveler Verification Service (TVS) facial recognition system to provide automated identification of travelers at every stage of their journeys.

Airlines and airport operators won’t need to operate their own facial recognition software or databases. CBP will do that for them, allowing them to use TVS (which “integrates into airport infrastructure”, CBP boasts) for any of their business process automation, traveler profiling, personalized pricing, etc. purposes. Airlines and airport operators won’t need to store mug shots, since CBP will re-identify travelers for them as often as they want.

And that’s not all. The TVS facial recognition service will also be made available to cruise lines, bus companies, etc., to automatically identify travelers using all modes of transportation:

CBP will use a traveler’s face as the primary way of identifying the traveler…. This will create the opportunity for CBP to transform air travel by enabling all parties in the travel system to match travelers to their data via biometrics, thus unlocking benefits that… enhances the entire traveler experience.

The CBP “Biometric Pathway” will utilize biometrics to streamline passenger processes throughout the air travel continuum, and will provide airport and airline entities with the opportunity to validate identities against DHS information systems using the data available. CBP will partner with airlines, airports, and TSA to build a device independent, vendor neutral back­end system called the Traveler Verification Service (TVS) that allows for private sector investment in front end infrastructure, such as self­service baggage drop off kiosks, facial recognition self­boarding gates, and other equipment; this service will ultimately enable a biometric­ based entry/exit system to provide significant benefits to air travel partners…. The TVS will also be able to support future biometric deployments in the land and sea environments and throughout the traveler continuum. Figure 4 shows the different environments and touchpoints that will interact with the TVS.

Let’s make a deal”, CBP says to airlines and airport operators. “You provide the camera infrastructure embedded in passenger terminals at airports, and we’ll provide the facial recognition service.” It’s a Faustian bargain in which travelers are the losers, but already by 2019 many airlines and airports had taken CBP up on its offer. In the five years since, many more airlines and airports have joined CBP as collaborators in traveler identification, surveillance, and tracking.

Read More

Nov 25 2024

Do you need ID to read the REAL-ID rules?

[“The welcoming, friendly and visually pleasing appearance” of the TSA’s headquarters at 6595 Springfield Center Drive, Springfield, VA.]

We spent most of a day last week outside the headquarters of the Transportation Security Administration (TSA), trying and failing to find out what the rules are for the TSA’s new digital-ID scheme.  What we did learn is that, by TSA policy and practice, you can’t read the REAL-ID rules, get to the TSA’s front door, or talk to any TSA staff unless you already have ID, bring it with you, and show it to the private guards outside the TSA’s gates.

The problems we have faced just trying to get access to the text of the TSA’s rules raise issuess about (recursive) incorporation by reference of third-party, nongovernmental text in regulations, secret law, and access to Federal services and rights by those without ID, as well as the underlying issues of REAL-ID, mobile driver’s licenses, and digital IDs.

In late October, as we’ve previously reported, the TSA issued a final rule establishing “standards” for smartphone-based digital IDs that would be deemed by the TSA to comply with the REAL-ID Act of 2005. These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.

The standards themselves — the meat of the TSA’s rule — weren’t published in the Federal Register or made public either when the rule was proposed or when it  was finalized. Instead, thousands of pages of documents from private third parties were incorporated by reference into the TSA’s rules, giving them the force of law, on the basis of false and fraudulent claims — the falsehood of which was easy for anyone who checked to verify — that they were “reasonably accessible” to affected individuals.

Secret laws are per se a violation of due process, and should be per se null and void. How can it be that “ignorance of the law is no excuse” if the government has kept you ignorant of the law, even when you try to find out what the law says?

You shouldn’t need ID to read the law, just as you shouldn’t need ID to travel by common carrier. But the TSA doesn’t seem to have read the Constitution.

Read More

Nov 05 2024

What will the future bring for ID demands?

There are elections today in  the USA. But we don’t need to know their outcome to predict many of the issues that the Identity Project and our supporters and allies will continue to face in the coming years. For what it’s worth, everything that was on our agenda for the first Obama Administration, following the 2008 elections, remains on our agenda today.

At least since September, 11, 2001, throughout both Republican and Democratic administrations in the White House, demands for “Your papers, please!” have been supported by (1) a bipartisan consensus in Congress, (2) the lobbying power of an ever-growing homeland security-industrial complex, and (3) the malign convergence of interest between governments that want to identify us in order to track, profile, and control us for political purposes and corporations that want to identify us (or get the government to force us to identify ourselves) in order to track and profile us for commercial purposes.

Read More

Nov 04 2024

TSA launches smartphone-based digital ID scheme

Brushing off objections from the Identity Project and others, the US Transportation Security Administration (TSA) has issued regulations creating the framework for an all-purpose smartphone-based national digital ID and tracking system.

The TSA’s new rules are piggybacked on the REAL-ID Act of 2005, and are ostensibly standards for what states will have to do to issue digital versions of driver’s licenses or ID cards that the TSA and other Federal agencies will accept for Federal purposes, in circumstances where ID is required by other Federal laws. This doesn’t include airline travel, for which no ID is legally required, although the TSA keeps lying about this.

The TSA’s new rules provide that acceptable digital IDs can only be issued to individuals who already have physical driver’s licenses or state-issued ID cards. And individuals are still required by standard state laws to “have their Physical Credential on their person while operating a motor vehicle”, even if they also have a digital ID on their smartphone. So this regulatory scheme isn’t really about driver’s licenses at all. It’s about pressuring states to move from uploading information about all their residents to a national ID database to putting a digital tracking app with a state-issued identifier on each resident’s smartphone.

We’ll have more to say in our next article about some of the ways this might be used for surveillance and control of individuals’ activities in the physical and online realms.

The TSA dismissed out of hand our suggestion that an individual could be provided with a digitally-signed file (signed by a government agency) containing the same information as is contained on a physical license or ID card. Such a  file could be carried on any sort of device and presented over any sort of connection. Instead, the TSA’s new rules require that a digital ID must be “provisioned” through an app on a smartphone. The smartphone must be “bound” to an individual (how is this possible?) and must have bluetooth-low energy (BTE) radio connectivity enabled so that the app containing the digital ID can be remotely interrogated by the government (perhaps without the user’s knowledge).

How will this work? What else will these apps do? In what situations, and for what purposes, will these apps and digital IDs be required? We don’t really know.

Read More

Oct 14 2024

Comments on TSA proposal for decentralized nonstandard ID requirements

Today the Identity Project joined almost 8,000 individuals who have filed comments with the Transportation Security Administration opposing the TSA’s latest bizarre proposal for  decentralized, nonstandard, selective enforcement of the REAL-ID Act of 2005.

The introduction to our comments summarizes our objections as follows:

By this NPRM [Notice of Proposed Rulemaking], the Transportation Security Administration (TSA) proposes to grant to itself and to delegate to other agencies… authority to establish rules (“phased enforcement plans”) governing who is, and who is not, under what conditions, allowed to access Federal facilities or exercise Federally-recognized rights including the right to travel by air by common carrier. These rules could be adopted by the TSA and other agencies without notice, public comment, publication in the Federal Register, or codification in the Code of Federal Regulations (CFR). Instead of standards for the acceptance of IDs, the TSA is proposing to delegate authority to itself and other agencies for decentralized and nonstandard acceptance or rejection of noncompliant IDs. Congress has given the TSA no such authority.

This NPRM is premised on erroneous explicit and implicit legal and factual findings, including claims that some or all states and territories have complied with the requirements of the REAL-ID Act of 2005 and that airline passengers are required to have, carry, and/or show ID. These findings are arbitrary, capricious, contrary to law, and not entitled to deference.

Compliance with the REAL-ID Act requires a state to electronically share information concerning all driver’s licenses and state-issued IDs with all other states, but not all states do so.

Because no state complies with this provision of the REAL-ID Act, or could do so unless and until all states do so, no state-issued driver’s licenses or ID cards comply with the REAL-ID Act. No state is currently able to issue licenses or IDs that comply with the REAL-ID Act….

The proposed rules exceed the authority of the TSA. They would violate the Administrative Procedure Act (APA) and rights including the “public right of transit” by air.

Pursuant to the APA, neither the TSA nor any other agency has the authority to issue rules through the procedures contemplated by the proposed rules. And the REAL-ID Act does not authorize the TSA to delegate the promulgation of implementing regulations to other agencies or departments. Neither the TSA nor any other agency has the authority to issue regulations rescinding the statutory and Constitutional right to travel by air…

The proposed rules must be withdrawn in their entirety.

Read More

Sep 16 2024

TSA again backs down from its REAL-ID threats

The Transportation Security Administration (TSA) has again backed down from its decades-old threats to start requiring all airline passengers to show ID that the TSA deems to be compliant with the REAL-ID Act of 2005. But the new rules proposed by the TSA would create new problems that won’t go away until Congress repeals the REAL-ID Act.

In a notice published in the Federal Register on September 12th , the TSA has proposed another two-year postponement of the most recent  of the “deadlines” the agency has imposed on itself for REAL-ID enforcement.  But that postponement would be combined  with interim rules for the next two years that ignore the law and invite arbitrariness in how travelers are treated.

The TSA notes that “frustrated travelers at the checkpoint may also increase security risks” if the TSA stopped allowing travelers to fly without REAL-ID. But the TSA doesn’t mention its current procedures for flying without any ID or its position in litigation that no law or regulation requires airline passengers to show any ID. Instead, The TSA claims without explanation that without this postponment, “individuals without  REAL ID-compliant DL/ID or acceptable alternative would be unable to board federally regulated aircraft.”

Comments from the public on the proposed rule are due by October 15, 2024. Dozens of comments have already been submitted, almost all of them opposing requiring REAL-ID to fly.

We’ll be submitting comments opposing the proposed rules and reminding the TSA that (1) no state is yet in compliance with the REAL-ID Act, which would require sharing of driver and ID databases with all other states, and (2) neither the REAL-ID Act nor any other Federal law requires air travelers to have, to carry, or to show any ID.

Unless the law is changed to try to impose an unconstitutional ID requirement as a condition on the right to travel by common carrier, the TSA must continue to recognize the right to fly without ID. Any distinction by the TSA or other Federal agencies between state-issued ID, when no state complies with the REAL-ID Act or could do so until all states participate in the national REAL-ID database (SPEXS), would be arbitrary and unlawful.

Read More

Aug 27 2024

100,000 passport applicants have gotten the long form

More than 100,000 US citizens — almost ten times as many as the State Department had projected — have been required to complete one or both of two impossible “long form” supplements to their applications for US passports, according to records we received this month in response to a Freedom Of Information Act (FOIA) request we filed in 2011.

[Numbers of passport applicants sent each of the two version of the long form passport application each year since 2014, as reported to us this month by the State Department in response to our 2011 FOIA request.]

Back in 2011, the State Department proposed an outrageous long form to be sent to some subset of applicants for US passports. The form includes a bizarre list of questions which most applicants would be unable to answer.

Do you know, or do you have any way to find out, the dates, addresses, and names of doctors for each of your mother’s pre-natal medical appointments, or the names, addresses, and phone numbers of everyone who was in the room when you were born?

Sending someone the supplemental long form is a pretext for denying their application for a passport. As we said in our comments to the State Department:

The proposed form reminds us unpleasantly of the invidious historic “Jim Crow” use of a literacy or civics test of arbitrary difficulty, required as a condition of registering to vote and administered in a standardless manner. By making the test impossible to pass, voter registrars could use it as an arbitrary and discriminatory – but facially neutral – excuse to prevent any applicant to whom they chose to give a sufficiently difficult test from registering to vote, on the ostensible basis of their having “failed” the test.

In a similar way, choosing to require an applicant for a passport to complete the proposed Form DS-5513, which few if any applicants could complete, would amount to a de facto decision to deny that applicant a passport. And that decision would be standardless, arbitrary, and illegal.

After we publicized this proposal, thousands of people submitted comments to the State Department calling for the proposed form to be withdrawn.

Although the State Department had falsely claimed in its application for approval that this was a “new” form, commenters reported that they had already (illegally) been required to fill out a version of this form, even though it had not been approved.

As soon as we learned this, we filed a Freedom of Information Act (FOIA) request in April 2011 to find out how long the long form had been in use illegally without approval, how many people had been told to fill out the long form, and what if any criteria had been established for when to require a passport applicant to fill out the long form.

Read More