Papers, Please – Papers, Please!

Nov 23 2022

The airport of the future is the airport of today — and that’s not good.

[Facial recognition at each step in airline passenger processing. Slide from presentation by Heathrow Airport Holdings Ltd. to the International Civil Aviation Organization (ICAO) Traveler Identitification Program symposium, October 2018]

Today, the day before Thanksgiving, will probably be the busiest day for air travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.

If you are flying this week for the first time in three years, what will you see that has changed?

Unfortunately, many of the most significant changes made during the pandemic are deliberately invisible — which is part of what makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by design airport of the future that we’ve been worried and warning about for many years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic, airports have taken advantage of the opportunity to move ahead with expansion and renovation projects. While passenger traffic was reduced, and terminals and other airport facilities were operating well below capacity, disruptions due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports in the U.S. and around the world is that they are designed and built on the assumption that all passengers’ movements within the airport will be tracked at all times, and that all phases of “passenger processing” will be carried out automatically using facial recognition, as shown in this video from a technology vendor, Airport of the Future:

[Stills from 2019 vendor video, Airport of the Future.]

In the airport of the future, or in a growing number of present-day airports, there’s no need for a government agency or airline that wants to use facial recognition to install cameras or data links for that purpose. As in the new International Arrivals Facility at Sea-Tac Airport, which opened this year, the cameras and connectivity are built into the facility as “common-use” public-private infrastructure shared by airlines, government agencies, and the operator of the airport — whether that’s a public agency (as with almost all U.S. airports) or a private company (as with many foreign airports).

Oct 04 2022

ICAO expands travel tracking and control through RFID passports

The triennial general assembly of the International Civil Aviation Organization (ICAO) is underway in Montreal for its first session since the outbreak of COVID-19, with speakers at its opening plenary last week including US Secretary of Transportation Pete Buttigieg.

It’s been many years since the US delegation to an ICAO meeting has included a Cabinet member. Secretary Buttigieg’s presence brought greater public attention than usual to the ICAO general assembly and related side events. Unfortunately, news reports have focused on what Secretary Buttigieg said (mainly his comments about Taiwan) rather than on what ICAO is actually doing.

Despite its ostensibly limited role as a specialized international organization with a mandate to administer aviation treaties — a role which would make it logical for the US delegation to be headed by the Secretary of Transportation — police in the US and other ICAO members have coopted ICAO into functioning as a policy laundering venue for imposition of surveillance mandates on all travelers, whether or not they travel by air.

Rather than “faciliating” travel, ICAO’s Facilitation Programme is increasingly devoted to facilitating government control of travel. This includes a new ICAO standard, as discussed below, to enable global blackballing of travelers disfavored by any ICAO member country.

So far as we can tell, no representative of a data protection authority or a ministry primarily responsible for protection of human rights or civil liberties has been included in any country’s ICAO delegation or appointed to any ICAO technical working group.

But that hasn’t stopped ICAO from issuing mandates, under the purported authority of aviation treaties but directly contrary to human rights treaties, for the creation of a new surveillance and pre-crime profiling agency in every ICAO member, and for deployment and use of passports containing remotely-readable RFID chips.

ICAO’s lack of expertise in this non-aviation policy area makes it exceptionally vulnerable to capture — and indeed it has been entirely captured — by a malign convergence of interest between proponents of government surveillance and control of travel and a travel industry which has been given a free ride for its shared use of government surveillance infrastructure and information for its own business process automation.

Here’s the bad news about what’s happening at ICAO with RFID passports:

Sep 22 2022

Freedom to travel to get an abortion

[Arrows indicate populations of states where abortion is, or is likely to become, illegal, and directions and distances to the nearest states where abortion is legal. Note that some of the routes shown are more likely to be followed than others, since abortion is more or less heavily restricted in some states where it is shown on this map as legal. Diagram by Bloomberg News based on data from the Guttmacher Institute.]

Increasing variations between state laws related to abortion are prompting an increase in the already large numbers of women who travel across state lines to obtain abortions.

For women in many states, bans on abortion are making the right to interstate travel an essential prerequisite to the right to obtain an abortion.

Both anti-abortion vigilantes and state laws criminalizing actions related to abortion, including facilitating abortion-related travel, are prompting women seeking abortions as well as those who support abortion rights to think about how to protect abortion travelers and their supporters against identification, surveillance, stalking, harassment, or legal sanctions.

In this context, the right to anonymous travel has acquired new importance and urgency. If you’ve wondered, “Why would anyone want to travel anonymously?” now you know one of the reasons. But what’s needed is “right to travel” legislation, not just “privacy” legislation. Current Federal “privacy” bills would do little to protect abortion travelers.

What are the patterns of abortion-related travel? How could state authorities or private vigilantes identify or track the travels of these women — whether they drive or take buses, trains, planes, or automobiles? What, if anything, can women traveling across state lines to obtain abortions do to protect themselves against being identified, tracked, and potentially prosecuted or subjected to retaliation, harassment, or other sanctions? What could the Federal government do to protect these women’s right to travel, and to do so privately and safely?

As discussed in detail below, the possibilities for technical self-defense against threats to the right to travel are limited. Congress needs to act to include protection for the right to travel — regardless of the purpose for which you travel — in any abortion rights legislation.

Sep 19 2022

CBP aggregates and disseminates travel data from warrantless searches

A series of revelations in recent months have highlighted a pattern of misuse by US Customs and Border Protection (CBP) of data about travelers and their activities.

Information obtained without a warrant or probable cause under a under a variety of exceptions to the Fourth Amendment (including administrative searches and mug shots at airports, border searches, and “consent” to collection of location information by private third parties) has been aggregated, indexed, and made available for search and retrieval by other CBP staff, other law enforcement agencies, and foreign governments.

Use of the fruit of this surveillance of travelers hasn’t been limited to the government agency that first obtained it from travelers or commercial third parties, or to the purpose that purportedly allowed CBP to obtain it without warrant or probable cause. No access logs are maintained for some of these databases of travel surveillance data, so it’s impossible to audit how they have been used.

Here’s some of what CBP has been up to with its travel surveillance databases:

Sep 16 2022

Countdown to a crackdown on flying without ID

The Department of Homeland Security has added a Countdown to REAL ID Enforcement at airports to its website. But questions remain as to what this really means, despite our best efforts to find out.

What — if anything — will really change at Transportation Security Administration checkpoints when this countdown clock runs out on May 3, 2023?

Nothing in the law will change on that date. The REAL-ID Act of 2005 established criteria for which ID credentials can be “accepted” by Federal government agencies, in circumstances where individuals are required by Federal law or regulations to possess and/or show some evidence of their identity. But the consistent position of the DHS and TSA in litigation has been that no law or regulation requires air travelers to possess or show any ID. And the REAL-ID Act did not create any new requirement to have or show ID to fly.

Since the REAL-ID Act applies only to which IDs are accepted from those who choose to show ID to fly, it should have no effect, now or at at any date in the future, on those who don’t have, or choose not to show, ID to fly. They still have the right to fly without ID — as more than a hundred thousand people do every year — subject at most to a more intrusive administrative search of their person and baggage.

The “deadline” announced by the DHS and TSA might indicate plans for new regulations that would impose a requirement for air travelers to have or to show ID. But no such regulations have been proposed or included in DHS or TSA agendas of planned rulemaking.

Despite the lack of any apparent legal authority, however, it appears from the latest extrajudicial DHS and TSA rulemaking-by-press-release that these agencies plan to begin preventing anyone from flying without ID on or after May 3, 2023, on unknown grounds.

The following statement now appears on the DHS and TSA websites:

What happens if I show up without a valid driver’s license or state ID?

Starting May 3, 2023, every traveler will need to present a REAL ID-compliant license or an acceptable form of identification to fly within the U.S. Passengers who do not present an acceptable form of identification will not be permitted through the security checkpoint.

This would be a major change, with no legal basis, from current practice or any previously disclosed DHS or TSA plans.

Aug 22 2022

“Sobriety checks” of motorists as pretext for ID checks

In a disturbing decision, a 3-judge panel of the the 9th Circuit Court of Appeals has upheld the arrest of a driver who who refused to show ID on demand of police at what was purportedly a “sobriety” checkpoint for motorists in Vallejo, California.

All charges against the driver, David P. Demarest, were dismissed before Mr. Demarest filed his Federal lawsuit against the police. The 9th Circuit opinion didn’t address whether any conviction would have withstood Constitutional scrutiny. But the 9th Circuit dismissed Mr. Demarest’s complaint against the police and the city of Vallejo for violating his civil rights by demanding that he show ID at a “sobriety” checkpoint without a warrant or probable cause to believe that he had committed any crime, and arresting him when he declined to show ID.

The tortured reasoning of the decision, Demarest v. City of Vallejo, No. 20-15872, decided August 16, 2022, hinges on the dubious and self-serving claim by the police that their “intent” wasn’t to use the “sobriety” checkpoint for general law enforcement purposes, that ID checks are an objectively permissible purpose for a checkpoint as long the subjective intent of the police wasn’t to operate a general law enforcement dragnet (as in fact it almost certainly was), and that the ID checks only minimally delayed most motorists beyond the delay that would have been occasioned by sobriety checks.

The decision notes that drivers were required only to show “facially valid” drivers licenses, which were not checked for outstanding wants or warrants.But that is treated only as evidence of whether or not the checkpoint was intended for general law enforcement purposes, and not as necessary dispositive of whether the ID demand was Constitutional:

The non-law-enforcement nature of the license checks in this case is especially clear, the City [of Vallejo] concededly did not use the license checks to conduct on-the-spot warrant checks. Cf. United States v. Bernacet, 724 F.3d 269, 271, 273–74 (2d Cir. 2013) (addressing a license checkpoint in which officers ran licenses through multiple databases, including a “criminal history database”). The mere request to produce a facially valid license is a relatively modest additional intrusion on the liberty of a motorist who has already been properly stopped at a checkpoint.

In the case cited in this portion of the 9th Circuit opinion, U.S. v. Bernacet, the 2nd Circuit upheld criminal history and warrant checks of drivers, using a system that queries multiple databases including the FBI’s error-ridden NCIC, at a warrantless, suspicionless motor vehicle checkpoint.

The effect of this decision is to invite police to demand ID at “sobriety” checkpoints.

For what it’s worth, the decision in Demarest v. Vallejo does not mention, and by its logic seems to leave intact, the 2019 decision of another 9th Circuit panel that passengers in motor vehicles, as distinct from drivers, cannot be required to show ID at checkpoints without individualized probable cause to believe that they have committed a crime.

[Update: “Demarest’s lawyer David M. Helbraun told the Vallejo Sun that he thought the court made a bad decision ‘because the city admitted it was not using the checkpoint to catch unlicensed drivers.’ Helbraun further said that then-Lt. Michael Nichelini said ‘under oath that the reason they were asking to see drivers licenses was to impress on drivers the authority of the police. That’s not a permissible purpose under the Fourth Amendment, and we are considering our options to appeal further,’ he added.” A “further appeal” would likely mean a petition for rehearing en banc by the 9th Circuit.]

May 20 2022

New reports on DHS surveillance and profiling

Two new reports from university think-tanks call attention to surveillance and profiling — including surveillance of, and action against, domestic and international travelers — by the Department of Homeland Security and its components.

A Course Correction for Homeland Security, a report by the Brennan Center for Justice at New York University, cites to some of our work and some examples of cases we have been involved with in its analysis of DHS data collection (surveillance), and “risk assessments” (algorithmic profiling and control), especially as they relate to travelers.

American Dragnet: Data-Driven Deportation in the 21st Century, a report by the Center on Privacy and Technology at Georgetown University Law School, focuses on DHS’s Immigration and Customs Enforcement (ICE) division, especially ICE access to facial images and other information obtained from drivers licenses and commercial data brokers.

A common theme of both reports is that DHS surveillance is more pervasive, more intrusive, and less visible than is generally recognized.

Airline reservations and demands for ID from travelers are used not merely to check for currently blacklisted would-be travelers, but are retained and used to build travel histories and social networks maps that are then used by suspicion-generating guilt-by-association algorithms to expand the web of surveillance, profiling, and extrajudicial blacklisting.

ICE represents itself as an agency with jurisdiction only over non-US citizens, but in fact runs photos and drivers license and location data about a large fraction of the entire population of US citizens through its profiling and enforcement algorithms. DHS lurks (usually invisibly) in the background, “ingesting” or obtaining access to personal information, when individuals pose for drivers license photos, make airline reservations, or interact with businesses that “share” data directly or indirectly with DHS.

What is to be done about this sorry state of affairs?

Both of these reports suggest that some reforms could be made by policy, at the direction of the President, the Secretary of Homeland Security, or the heads of DHS components.

However, given the thoroughly bipartisan continuity of support by both Democratic and Republican administrations for the continual expansion of DHS surveillance, especially of travelers and foreigners and most especially of border crossers, since its creation 20 years ago, we have little hope for reform from within DHS or at the behest of the White House.

Exposure of abuses is good, but more is needed than a change of administration policy.

While we welcome any additional attention paid to the problems with the DHS, we think they call for court action to uphold the Constitutional and treaty rights of travelers and other individuals, and Congressional action to effectuate those rights and to facilitate judicial review and redress for government actions that violate those rights.

The DHS, as these reports reveal, is an ever-growing dragnet surveillance agency, operating outside the rule of law. What are we going to do to alter or to abolish it?

Mar 17 2022

Alaska may end its compliance with the REAL-ID Act

A bill introduced in the current session of the Alaska state legislature, HB 389, would end the issuance by the state of Alaska of driver’s licenses that comply with the Federal REAL-ID Act of 2005.

In addition, HB 389 would give Alaska residents “the option of having the applicant’s driver’s license photograph captured with a camera that produces a photograph in a format or with a resolution that renders the image quality insufficient for facial recognition.” The bill would require that the state Department of Administration and its Division of Motor Vehicles “shall destroy or render unusable for facial recognition purposes any photograph captured as a result of an application for a driver’s license ,” and prohibit “bulk sharing of facial images captured a result of an application for a driver’s license.”

HB 389 was introduced by Rep. David Eastman (R-Mat-Su) and is co-sponsored by Rep. Ronald Gilham (R-Kenai/Soldotna). We look forward to its consideration in the state legislature in Juneau, and to the opportunity to testify on this issue, as we did when the Alaska Legislature first debated whether to comply with the REAL-ID Act in 2006, 2007, and 2008, and again in 2017 when it reconsidered its initial choice not to comply.

HB 389 reflects longstanding sentiment in Alaska against compliance with Federal mandates for ID credentials and sharing of personal information with “outside” entities.

Even the highest official of the Transportation Security Administration in Alaska, the Federal Security Director for the state, has pointed out to his superiors in Washington that many Alaskans live off the road system and don’t need or have drivers licenses. They may be more likely to fly, and to need to fly, than to need to drive. They don’t want to have to show government-issued papers, which they might not have, in order to do so.

In 2008, Alaska enacted a law that prohibited spending any state funds on implementation of the REAL-ID Act.

Nine years later, though, the Alaska DMV defied the law by uploading information about every Alaskan with a driver’s license or state ID to the SPEXS national ID database that was created as a way for states to comply with the REAL-ID Act.

That action by the DMV to move Alaska toward REAL-ID compliance was taken “without permission from the legislature,” as Rep. Chris Tuck, Majority Leader in the Alaska House of Representatives, noted in an op-ed published in newspapers throughout the state after the batch upload of Alaskan driver’s license data to SPECS became public. The batch upload took place just as the legislature was scheduled to again consider REAL-ID compliance, and appears to have been an executive and administrative effort to preempt legislative debate.

Officials from the Alaska DMV and the U.S Department of Homeland Security claimed that REAL-ID “compliant” ID would soon be required in order to travel by air, but were unable to provide any basis for this false claim. At one of the legislative committee meeting in 2008, Rep. Tuck himself testified to his colleagues about how he had flown between Juneau and Anchorage with no ID at all when he accidentally left his wallet in his office.

The Identity Project provided extensive testimony and FAQ’s fact-checking the claims being made by the DHS and the Alaska DMV in support of REAL-ID Act compliance.

A week after we provided Alaska legislators with written testimony about the right to fly without ID, Rep. Jonathan Kreiss-Tomkins, Chair of the State Affairs Committee, passed on a very similar set of questions to TSA officials in Alaska and in Washington, DC. More than a decade after the fact, when the TSA finally responded to one of our FOIA requests, we received copies of TSA internal e-mail messages discussing how to respond to Rep. Kreiss-Tomkins’ questions — but no indication of what, if any, answer was ever provided.

At the end of the 2017 legislative session, however, Alaska legislators reversed their 2008 decision, and authorized the DMV to begin issuing driver’s licenses and ID cards that “comply” with the REAL-ID Act.

From discussion at the public committee meetings we attended, it seemed clear that legislators didn’t like the REAL-ID Act or want Alaska to comply. They didn’t like it that the Alaska DMV had taken matters into its own hands by sending information about all Alaskan drivers and ID card-holders to a private database that’s stored outside Alaska and outside the jurisdiction of any government transparency or oversight laws. But legislators felt powerless to stand up to threats — even illegal threats — from Federal officials.

We welcome the opportunity provided by HB 389 for the Alaska legislature to reconsider its 2017 capitulation to Federal extortion, and reassert Alaskans’ freedom to travel without ID.

Mar 15 2022

How many people fly without REAL-ID?

[Slide from internal TSA presentation, Identity Verification Staffing Support Overview, March 2017, released in response to FOIA request by the Identity Project.]

As of 2016, almost 2,000 people a day were allowed through TSA checkpoints at US airports either without showing any ID at all, or with other forms of ID that the TSA or its contractors initially considered “unacceptable”.

According to an internal TSA presentation, there were 149,068 calls (an average of 407 per day) for “ID Verification” to the TSA’s ID Verification Call Center (IVCC) in 2016.

The previous year, 2015, there were 112,016 such calls (an average of 306 per day).

Each of these calls presumably corresponds to a person seeking to fly without ID, or with ID that was initially deemed unacceptable by checkpoint staff.

These are just the people who were required to go through the TSA’s “ID verification” questioning for people with no ID. The TSA estimates — based on a smaller sample of incident reports for a 13-day period in February 2016 — that an additional 1575 people per day are allowed to fly with “other forms of” ID that are initially deemed unacceptable, for a total of just under 2,000 people per day who fly with no ID or unacceptable ID.

These numbers are from records recently released by the Transportation Security Administration in response to one of our Freedom Of Information Act requests.

This is a substantial increase from the most recent figures previously released by the TSA.

Sep 22 2021

A vaccine mandate hides an ID mandate

As we have long feared, and as has already happened in other countries, COVID-19 vaccination requirements are being used to impose unrelated ID requirements.

There’s a difference between “unvaccinated” and “undocumented” — a difference that’s gotten lost in some recent regulations and orders imposing “vaccination mandates”.

Case in point: the San Francisco Department of Public Health.

An order from the SFDPH purports to require people entering indoor businesses or other indoor venues including anywhere food or beverages are served, gyms, and other “large indoor events” to show “proof” of having been fully vaccinated against COVID-19.

But proof of vaccination is not what the order actually mandates. Its only real mandate is a an ID mandate, and in practice its effects would be felt primarily by undocumented people (including vaccinated but undocumented people) who don’t have or don’t choose to show ID, not by unvaccinated people.

Regardless of whether you’ve been vaccinated or whether you think other people should be vaccinated, the ID mandate hidden in this order, like similar ID mandates lurking in other “vaccination” regulations and directives, is a step backward for civil liberties. It is vulnerable to, and deserving of, Constitutional challenge.

Here’s what the SFDPH order would actually require: