Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Sep 14 2020

10th Circuit: No qualified immunity for police who demand ID

A panel of the 10th Circuit US Court of Appeals has ruled, in the case of Mglej v. Gardner, that it is “clearly established law” that police in Utah may not require suspects (or anyone else they detain, except operators of motor vehicles) to show ID documents, and therefore that the Garfield County Sheriff who wrongly arrested Matthew T. Mglej for “refusing to identify himself” is not entitled to qualified immunity and can be held liable for damages.

In the summer of 2011, Mr. Mglej, then 21 years old, set out on his motorcycle from his family home in Portland, OR, to visit relatives in Dallas, TX. Mid-way on that road trip, his motorcycle developed problems, and he stopped in Boulder, UT (population around 200), to see if he could get his bike repaired and replace a tire that was threatening to blow.

Read More

Sep 01 2020

TSA tries out another (illegal) biometric “ID verification” system

Today the Transportation Security Administration (TSA) announced that it has launched a “pilot” at Washington National Airport (DCA) of yet another scheme for biometric identification and tracking of domestic air travelers.

[Screen capture from TSA video]

The new “touchless ID verification” stations at DCA include a webcam (at top center of photo above) a magnetic-stripe reader (lower left) for drivers licenses and other ID cards, and a photographic scanner for passports (lower right).

Travelers who volunteer to use the new system are directed to insert their drivers license, ID card, or passport into the appropriate reader, stand on a marked spot in front of the webcam, and remove their face mask, so that the image from the ID (or, more likely, from some back-end image database linked to the ID, although that hasn’t been disclosed) and the image from the webcam can be compared by some undisclosed algorithm.

[Traveler being directed by TSA staff to remove her face mask for digital mug shot.]

As we’ve noted previously, it appears to us that (1) the TSA has no general authority to require travelers to show their faces or remove face masks, and (2) in many jurisdictions, orders issued by state or local health authorities currently require all people in public places such as airports to wear masks.

The TSA describes this system as “touchless”. But while TSA staff don’t have to touch travelers’ IDs, each traveler has to touch the same ID card or passport scanner. Then, immediately after touching the scanner, they have to touch their face again to put their mask back on.

Read More

Aug 11 2020

TSA considers new system for flyers without ID

According to a solicitation to potential contractors published last week, the Transportation Security Administration (TSA) wants to outsource its current questioning of airline passengers without ID, and its decisions about which travelers without ID to allow to travel and which to prevent from flying, to a fee-based system operated through a cellphone app provided by a private contractor and based on (secret) commercial databases.

There’s some good news and some bad news in the TSA’s posting of this Request for Information.

First, the good news:

1. The TSA admits that people can and do fly without ID.

According to the TSA’s Request for Information:

Prior to the COVID-19 National Emergency, TSA encountered over 2.5 million passengers a day and, on average, 600 instances of passengers without acceptable ID. These individuals are able to verify their identity via telephone through our National Transportation Vetting Center (NTVC).

That’s almost three times the average daily number of airline travelers without ID disclosed in the most recent of the TSA’s belated and still-incomplete responses to our Freedom of Information Act (FOIA) requests for records of travelers without ID.

2. You will still be able to fly without ID, even after the TSA “implements” and “enforces” the REAL-ID Act.

In their most recent notice of postponement of their REAL-ID threats, the TSA and the Department of Homeland Security (DHS) have said that they plan to fully implement and enforce the REAL-ID Act, with respect to airline travel, beginning October 1, 2021.

The TSA and DHS have repeatedly claimed that after that date, all air travelers will “need” to show ID that the DHS deems compliant with the REAL-ID Act in order to fly. And the TSA has previously indicated — in 2016 and again in May of 2020 —  that it intended to modify its current ID verification procedures to (illegally) deny passage through TSA checkpoints to would-be travelers who don’t present REAL-ID Act compliant ID cards.

But the TSA is now soliciting information preparatory to soliciting bids for a contract to provide outsourced “identity verification” services for air travelers without ID.

The TSA wouldn’t be preparing to solicit bids for a system to deal with air travelers without ID if the TSA planned, in a little more than a year, to stop allowing those people to fly at all.

And the TSA says that the contractor’s ID verification system for flyers without ID must “be able to process thousands of transactions per hour per day [sic] distributed across the TSA enterprise of airports.”  Whether the TSA means “thousands per hour” or “thousands per day”, that’s several times more than the current number of travelers without acceptable ID.

The only plausible explanation for the expected many-fold increase in the number of travelers without acceptable ID is that the TSA’s implementation of the REAL-ACT will result in many more air travelers’ ID’s being deemed unacceptable, and that the outsourced system is the one the TSA plans to use for travelers without REAL-ID compliant ID.

The TSA is looking for a new system for dealing with travelers without ID only because it has been forced to abandon its original plan to prevent all such people from flying.

The most important takeaway from the TSA’s latest notice is that the TSA is (still) lying about what REAL-ID Act enforcement and implementation will mean. You will not need a compliant ID to fly. The procedures may change, but you will still be able to fly without ID.

This is a major victory for our legal objections and for the potential of popular resistance.

The TSA has implicitly acknowledged that — either because it lacks legal authority to prevent everyone without “acceptable” or REAL-ID Act compliant ID from flying, or because doing so would cause riots at airports or other forms of popular resistance, or both — it  won’t be able to stop travelers without ID or without compliant ID from flying.

The bad news is the nature of the TSA’s contemplated new procedures for flyers without ID (or without “acceptable” ID).

Currently, the TSA leaves the final decision on whether or not to allow airline passengers without ID to pass through TSA or contractor-operated checkpoints to the discretion of the Federal Security Director (FSD) or their designee on duty at the individual airport.

That decision can be based on what the FSD thinks of the traveler’s looks, the nature of any “unacceptable” ID they present, whether they are willing to complete and sign the illegal TSA Form 415, and their responses to questions relayed via the TSA’s Identity Verification Call Center (IVCC) from the TSA National Transportation Vetting Center (NTVC) based on information in records about the traveler held by the commercial data broker Accurint.

The new process apparently being considered by the TSA would outsource the questioning of travelers without ID or with unacceptable ID to a private for-profit contractor, with that questioning to be administered through a smartphone app. The questions would be based on some aggregation of government and commercial data, and the answers would be assessed according to some secret algorithm to generate a binary pass or fail result.

An identity thief (or ‘bot) with access to the commercial database used as the basis for “pass/fail” determinations would be better able to answer questions about the information in that database than would a real person who is unprepared for this questioning and who has no way to know (or to correct) what misinformation is contained in the database.

A traveler who shows up at a TSA checkpoint would, it appears, be told they have to install the mobile app, pay a fee through the app (which presumably would require a credit or debit card or bank account),  complete the in-app questioning, and show a “pass” result from the app to the TSA staff or contractors in order to “complete screening” and proceed through the checkpoint.

  • No cellphone? No fly. (We’ve seen this already in Hawaii.)
  • Your cellphone isn’t a smartphone? No fly.
  • Your smartphone has a different OS that can’t run the contractor’s app? No fly.
  • No charge in your cellphone battery? No fly.
  • No signal in the airport? No fly.
  • No credit or debit card? No fly.
  • Don’t know what misinformation is in data brokers’ records about you? No fly.
  • Your record fits a “fail” profile in the contractor’s secret algorithms? No fly.

Read More

Jun 30 2020

Freedom to travel across state lines

Oral arguments have been scheduled by two different Federal District Court judges for this Thursday, July 2, 2020, on motions for temporary restraining orders against enforcement of separate state health orders mandating 14-day quarantine of all people arriving in New York or Hawaii from out of state.

Corbett v. Cuomo will be argued at 2 p.m. EDT by telephone in New York; Carmichael v. Ige will be argued in person (and not available for remote auditing) at 11 a.m. HST in Hawaii.

The Hawaii quarantine order, as we’ve discussed previously, applies to anyone arriving from out of state. The New York order only applies to people who have visited certain states designated by New York authorities, but those states include almost half the US population. The blacklisted states include Georgia and Texas, so anyone who changes planes in Atlanta, Houston, or Dallas-Ft. Worth — all major airline hubs — en route to New York is affected, even if they are coming from some other, less-infected state.

As the complaint in the New York case notes, it’s unclear whether those involuntarily quarantined in New York will be held in jails, hospitals, or some other locations, but according to a public statements by New York Governor Cuomo cited in the complaint, they are to be detained at their own expense.

On its face, the New York order applies to anyone arriving in New York who has recently been in any of the blacklisted states, even if they don’t intend to stay in New York. This would include people changing planes in New York, or passing through on the short New York section of Interstate 95 or on the Northeast Corridor between New England and New Jersey, Pennsylvania, and points south and west. All routes between New England and the rest of the US pass through either New York or Canada. With the US-Canada border mostly closed, enforcement of the New York travel restrictions would render New England an isolted island accessible only by air.

In addition to the 14-day quarantine, New York state has also begun demanding that each interstate traveler arriving by air (regardless of their state of residence or whether they have visited any of the blacklisted states) complete and sign a written declaration (Exhibit B to the complaint) about themselves, their business affairs, and their travels.

The Hawaii and New York quarantines and the New York questionnaire for interstate air travelers are all backed with threats of arrest and fines for noncompliance.

The New York quarantine order and travel declaration are being challenged by Jonathan Corbett, who has his primary residence and business interests in Brooklyn, New York, but is also a member of the California bar who practices law in California. Before his admission to the bar, Mr. Corbett had brought multiple pro se lawsuits challenging restrictions on air travel and searches of travelers, including the TSA’s use of “virtual strip-search” imaging machines.

Significantly, in light of the written declaration that the state of New York is now ordering arriving air travelers to fill out and sign, Mr. Corbett has also previously challenged administrative interrogations of air travelers (who aren’t suspected of any crime) by, or at the behest of, the TSA. That case was dismissed without the court reaching the Constitutionality of administrative interrogation of travelers. So far as we know, Corbett v. Cuomo is the first time this issue has arisen in a COVID-19 quarantine case.

There’s extensive case law on administrative searches, but very little on administrative interrogations. Mr. Corbett argues, and we concur, that he has an absolute right to stand mute in response to interrogatories by state authorities at state borders or airports.

In the current circumstances, it’s tempting to give health authorities a free pass for whatever they do, “because pandemic”. But that would be a mistake. We’ve already seen what happened when authorities were given free rein to impose new restrictions on travelers after September 11, 2001, “because terrorism”. Many of those measures had no rational relationship to the prevention of terrorism, were implemented without regard for Constitutional rights, and have become permanent, or effectively so.

How long will the current health emergency last? And will Federal, state, and local government agencies return to their prior practices at airports and borders if and when the emergency is declared to have ended, or will restrictions imposed during the pandemic become the permanent “new normal”?

If our Constitution is to have meaning, and if there is a sufficient justification for restrictions on travel, it should be possible to defend those restrictions on the basis of the Constitution. It should not be necessary to argue for suspending the Constitution.

Read More

Jun 23 2020

TSA wants more authority for ID demands, “vetting”, and data use

The Transportation Security Administration (TSA) wants more power to require ID from travelers (“credentialing”), control who is and who is not allowed to exercise their right to travel (“vetting”), and use and share information about travelers with more third parties and for more purposes (“expanded data use”).

These TSA priorities for the next two years are included in a 2020 update released today to the 2018 implementation road map for the TSA and White House long-term strategic plans for travel surveillance and control.

TSA Administrator David Pekoske’s oddly-named “Intent 2.0” strategy update also prioritizes “biometric vetting and [identity] verification”, a “near-contactless experience” at TSA checkpoints, and “vetting as a service”.

The “near-contactless experience” would be achieved, it appears, not through reduced hands-on groping or fewer demands for ID, but through increased use of remote sensing such as facial recognition.

“Vetting as a service” refers to allowing airlines, airport operators, and perhaps other government agencies and/or commercial third parties to use the TSA’s databases of profiles, risk scores, travel histories, free-text comments in reservations by travel industry workers, unverified aggregated derogatory data form other sources, and biometric and other identifiers for their own purposes. This not only expands the potential adverse impact of arbitrary secret algorithmic profiling based on secret databases, but gives airlines a financial incentive to carry out facial-recognition surveillance on the TSA’s behalf in order to get a free ride to use the TSA’s identification/vetting service for business process automation, personalization (including personalized pricing), or other purposes.

None of the TSA’s strategy documents say how the TSA hopes to acquire “expanded vetting and credentialing authorities” or “expanded approvals for data use”. Will the TSA seek to have these included in new laws? Or will to try to grant itself wider authority through  rulemaking or press releases, as it has often done in the past?

At least now we know, if we didn’t already, what to watch out for from the TSA in the months and years ahead.

Jun 02 2020

“Immunity passports”, opportunism, and COVID-19

Today the Appropriations Committee of the California Assembly held another hearing on A.B. 2004, a bill that would add to state law a provision that:

An issuer, including an issuer that is a public entity, of COVID-19 test results or other medical test results may use verifiable credentials, as defined by the World Wide Web Consortium (W3C) for the purpose of providing test results to individuals.

What does this mean? Why does it matter? Is it part of a larger pattern?

Read More

May 19 2020

TSA tries again to impose an ID requirement to fly

Air travel in the US has been reduced by more than 90%, measured by the numbers of people passing through checkpoints at airports operated by the Transportation Security Administration (TSA) and its contractors.

And the Department of Homeland Security (DHS) has postponed its threat to start unlawfully refusing passage to travelers without ID credentials compliant with the REAL-ID Act of 2005 for another year, from October 1, 2020, to October 1, 2021.

So relatively little attention is being paid right now to air travel or TSA requirements — making it the ideal time for the TSA to try to sneak a new ID requirement for air travel (to take effect in 2021) into place without arousing public protest.

Today, in collaboration with nine other organizations concerned with freedom of travel, identification, privacy, human rights, and civil liberties, we filed comments with the TSA in opposition to what is ostensibly a “Notice of intent to request approval from the Office of Mangement and Budget” for a new form, TSA Form 415.

Our comments were joined by the Identity Project, Freedom To Travel USA, Fiat Fiendum, Inc., National Center For Transgender Equality (NCTE), Restore The Fourth, Inc., Patient Privacy Rights, Defending Rights And Dissent, The Constitutional Alliance, Privacy Times, and Just Futures Law.

According to our comments, the TSA is attempting to “use the innocuous-seeming device of a request for approval of an information collection to introduce a fundamental and profoundly controversial change in substantive TSA requirements and the rights of travelers”: Read More

May 04 2020

Dare County tries to evade court review of its entry controls

Local government controls on travel to the Outer Banks (barrier-beach islands) of North Carolina remain in place, but local officials are making changes to try to head off a court decision on the Constitutionality of their emergency orders restricting free movement.

A month ago, as we reported earlier,  Dare County, North Carolina, set up checkpoints on all three roads leading into or out of the county. Police began denying passage along these public rights-of-way on the basis of  criteria including whether travelers have government-issued ID (even if they are passengers rather than drivers, or traveling on foot or by bicycle,  for which no drivers’ license is needed); what address is shown on their ID (if any —  U.S. passports, for example, show no address); which direction they are traveling; and whether they have been sponsored for an “entry permit” by an entity with a business license issued in Dare County.

County officials represented their emergency orders imposing these restrictions on travel  as health measures in response to the COVID-19 pandemic. But none of the criteria for who is allowed to pass through the checkpoints, or in which direction, have anything to do with whether travelers were believed, suspected, or likely to be infected with the novel coronavirus.

The emergency orders gave no indication of what, if any, procedures were available for administrative or judicial review of decisions to deny passage in or out of the county. But non-resident owners of homes in Dare County quickly brought suit in Federal court against the prohibition on traveling to their own seasonal, rental, or second homes.

Since then, the case has been referred for mediation, and the parties (non-resident property owners and the Dare County government) have requested and been granted a delay on the basis that they are in negotiations towards a possible settlement.

Today Dare County is beginning to allow passage across the bridges and into the county by non-resident owners of real property in Dare County, if and only if they have both an “entry permit” issued by the county and matching government-issued ID.

Read More

Apr 29 2020

No cellphone? Not at address on your ID? Hawaii threatens arrests.

“Aloha!” Passengers arriving at Honolulu International Airport on April 28th are interrogated and their cellphones are tested. Photo provided by the Hawaii Department of Transportation.

We’ve been puzzling over this press release issued April 24th by the Department of Transportation of the State of Hawaii, entitled, “Improved verification process implemented for airline passenger,” which begins as follows:

The Hawaii Department of Transportation (HDOT) has implemented improved measures to verify incoming passenger information before they leave the airport to help ensure people are abiding by the traveler quarantine order. The enhanced process is underway at the Daniel K. Inouye International Airport (HNL) and will begin statewide in the coming days.

We’ve read through the emergency proclamations by the Governor of Hawaii, and can’t find anything in the quarantine orders purporting to give authority to state officials to “verify passenger information.”

The press release threatens that anyone who arrives without  a working cellphone, charged, with service and coverage in the arrival area at the airport, will be arrested:

An airport representative will collect the two forms and begin verifying their information. First, they will call their mobile phone number to confirm it rings right in front of them. If it does not ring, the person may have listed inaccurate information and is asked to verify the number. If the person refuses to provide a phone number that can be answered on the spot, law enforcement is contacted and they are subject to citation and arrest.

We have no idea what the purported basis would be for arresting someone who isn’t carrying a cellphone, whose phone doesn’t have service in Hawaii (especially likely if they are arriving from another country), or whose cellphone battery has run down from watching  videos or playing games in airplane mode during a trans-oceanic flight.

But that’s not all:

Read More