Papers, Please!

The Identity Project

Category Archives: Papers, Please

Apr 08 2021

TSA posts video showing how you can fly without ID

For years Transportation Security Administration (TSA) and Department of Homeland Security (DHS) officials and their state government collaborators have been repeating the big lie that all airline passengers must have government-issued ID credentials. That lie has been included in TSA and DHS press releases, airport signage, and Tweets from the official DHS and TSA accounts.

This public relations lie has been disclaimed, over and over, in TSA and DHS court filings and sworn testimony. But now it has been contradicted on the TSA’s official Twitter feed.

Tonight the TSA Tweeted a video showing some of the ways you can fly without “acceptable” ID or without any ID at all.

If the TSA deems your ID “unacceptable”, you can still fly if you can show two or more pieces of suitable (according to the TSA’s ecret non-rules) although “unacceptable” ID.

The TSA video also shows that even if you have no ID at all, you can fly if your answers to questions relayed by phone by the TSA’s ID Verification Call Center match the information in the (secret) file of information that has been linked to you by the commercial data aggregator Accurint (originally part of the discredited “Total Information Awareness” program but now a division of Lexis-Nexis).

No ID at all, much less “acceptable” ID,  is actually required to fly. So changes in REAL-ID Act regulations or TSA/DHS orders to airlines as to what ID is “acceptable” are irrelevant to whether you have right to fly without ID. Nothing in the REAL-ID Act negates this right.

In the screengrab above (one minute in), the video) shows a traveler filling out a copy of TSA Form 415, “Certification of Identity”. The TSA has been using versions of this form illegally since at least 2008, without ever having obtained the approval from the Office of Management and Budget (OMB) required before any collection of information such as this by a Federal agency. The TSA has twice said it intends to seek approval from OMB for Form 415. But in the face of our objections, the TSA has yet to request, much less obtain, that approval. It’s unclear whether when the TSA will actually do so.

To avoid having to give public notice of its planned information collection or respond to our objections, the TSA tried to get Congress to enact a special airport exception from  the Paperwork Reduction Act (PRA). But Congress declined to do so.  It’s unclear whether and if so when the TSA will actually apply to OMB for the required approval, or what additional illegal actions it may try to take in the meantime.

All use of both Form 415 and the associated questioning of travelers continues to be in violation of the PRA. As we noted in 2008 when the TSA first started asking travelers to fill out the form later labeled Form 415, the PRA provides an absolute defense against any sanctions the TSA might try to impose for refusing to fill out this unapproved form or cooperate with the TSA’s “20 questions” game of ID verification security theater.

Travelers can and should say no. Fly without ID, and exercise your right to remain silent.

Feb 10 2021

ID demand was unconstitutional, but sheriffs get “qualified immunity”

[Dashcam video of George Wingate being wrongfully arrested by Stafford County, VA Deputy Sheriffs, April 2017]

In its 2004 decision in Hiibel v. Nevada, 2004, the U.S. Supreme Court upheld a demand for a pedestrian to identify himself to police only on the basis that (1) there was already a reasonable articulable basis for suspicion that he had committed some crime before the police demanded that he identify himself, and (2) the state law at issue, as interpreted by the Supreme Court,  required only verbal self-identification (“My name is John Smith”) and not the production of ID credentials or other evidence of his identity.

You might think that a precedent established by the Supreme Court would be “clearly established”. But that would often be wrong, at least in the topsy-turvy world “qualified immunity“.

Some Federal Court of Appeals have held that police who unconstitutionally demand ID can be held liable for violating the civil rights of their victims — as, of course, they should be.

In other cases, however, such as that of Philip Mocek, Courts of Appeal have let ID-demanding police off the hook. The judges theory in these cases has been that, although the police demands for ID were unconstitutional, that illegality wasn’t yet “clearly established. The police might, judges speculated, have had a good-faith, although mistaken, belief that they had a right to demand ID in the particular circumstances at issue.

The latest example of this strained excuse for police impunity comes from the Fourth Circuit Court of Appeals in its recent decision in Wingate v. Fulford.

George Wingate was accosted by Stafford County, VA, Deputy Sheriffs while standing by his car, which he had pulled off the road to try to diagnose the cause of an engine warning light. Nothing about the circumstances gave the sheriffs reason to suspect Mr. Wingate of any crime, the court found. But the sheriffs nonetheless wanted to know who he was.

As captured on this dashcam video, Mr. Wingate knew and properly asserted his rights. The conversation between Mr. Wingate and Deputy Sheriff Scott Fulford went like this:

Fulford: Well, in Stafford County —
Wingate: Have I committed a crime?
Fulford: — it’s required.
Wingate: Have I committed a crime?
Fulford: No. I didn’t say you did.
Wingate: All right then.
Fulford: You’re still required to —
Wingate: Am I free to go?
Fulford: — identify yourself.
Wingate: Am I free to go?
Fulford: Not right now, no.
Wingate: Am I being detained?
Fulford: You’re not detained.
Wingate: Am I free to go?
Fulford: No.
Wingate: Am I being detained? If I’m not being detained, then I’m free to go.
Fulford: You’re not free to go until you identify yourself to me.

All this was, the Court of Appeals found, unconstitutional. And “You’re not being detained, but you’re not free to go” sound a lot more like a pretext for logging the identity and movements of a Black man than good faith. But the Court of Appeals let Fulford and his partner, Deputy Sheriff Dimas Pinzon, off scott-free on the basis of qualified immunity.

Congress needs to end this nonsense by repealing qualified immunity.

Dec 02 2020

Speaking Spanish is a not a lawful basis for being made to show ID

US Customs and Border Protection (CBP) has agreed to pay a “monetary sum” to two native-born US citizens and Montana residents  who were made to show ID and detained for about 40 minutes (including continuing detention even after they showed their Montana drivers licenses) solely because a CBP agent overhead them speaking Spanish to each other.

The amount of the settlement has not been made public.

The ACLU of Montana represented the two Latinx residents of Havre, MT, in their lawsuit, which initially sought a declaratory judgement “that race, accent, and language cannot create suspicion to justify seizure and/or detention” (which ought to go without saying) in addition to money damages.

The facts alleged in the complaint are supported by cellphone video of a CBP agent’s admission that the detention and ID demand were based solely on the language spoken by the agents’ Latinx victims. On discovery, CBP turned over additional self-incriminating video of statements made by CBP agents in interviews with internal CBP investigators, as well as grossly racist text messages exchanged by the CBP agents. Havre is a border town with two crossing points to Canada, where French is a national language, but the Havre-based CBP agents freely admitted that they wouldn’t treat speaking French as suspicious.

After the lawsuit got local and national publicity, the two plaintiffs and their families were harassed and driven out of town. “At his high school, a teacher asked Mimi’s son whether he had brought his ID to class,” one of the victims says. “Our clients bore the brunt of local backlash as a result of coming forward. They both ultimately left Havre for fear of their families’ safety,” according to the executive director of the ACLU of Montana.

Nov 25 2020

Airlines call for new app-based air travel controls

During  its online annual general meeting this week, the International Air Transport Association (IATA) rolled out a  new proposal for an app-based system of control over air travel that IATA is proposing for use by its member international airlines and by governments.

The scheme is being promoted as a response to the COVID-10 pandemic, but would institutionalize structures and practices with the potential for continuing and wider abuse.

IATA is calling its scheme the IATA Travel Pass. As described in these slides,  it would require would-be air travelers to enter both personally identifying information (most likely passport or other ID-card details) and records of tests and/or vaccinations into an IATA  smartphone app.  The data would  be processed by the algorithms of a “rules engine” to detemine whether to issue an “OK to travel” permission message. The output of this algorithmic decision would be available for use by both airlines and governments.

The intent of the IATA proposal is to create an infrastructure for sharing of data and travel permission decisions, at any point before or after the journey, with both airlines and governments, on the basis of an open-ended ruleset:

Of course IATA’s new proposal has all the defects of any smartphone-based travel surveillance or control regime that we discussed back in April when Hawaii tried out such a scheme. IATA is silent on what is to happen to  a traveler who doesn’t have a smartphone, charged-up and operable, with them when they try to travel.

And what about travelers without passport? No passport is currently required, even for international flights, within some free-movement zones such as within Mercosur, ECOWAS, or the European Union, or between the UK and Ireland.

But that’s not the worst aspect of the IATA proposal. Unlike Hawaii’s app-based location reporting system, the IATA app would go beyond surveillance to incorporate an algorithmic decision-making system for prior restraint of the right to travel.  Very disturbingly, there’s no mention in the IATA proposal of who would control the algorithmic ruleset, leaving it wide open to mission  creep and abuse by governments worldwide.  There’s no apparent way to restrict the nature of the rules or the purposes — blacklisting? discrimination? profiling? retaliation? — for which they could be used. Deployment of a general-purpose algorithmic travel control app for use worldwide would invite abuse.

Read More

Nov 10 2020

What does REAL-ID Act “enforcement” really mean?

For the last fifteen years, as both Republican and Democratic administrations have come and gone, the US Department of Homeland Security (DHS) has been using the threat of “enforcement” of the REAL-ID Act of 2005 to extort state legislators, governors, and driver licensing agencies into complying with the REAL-ID Act of 2005 and uploading their residents’ drivers license and state-issued ID card data to the national REAL-ID database, “SPEXS”.

The threat has been that the DHS and/or its components (such as the Transportation Security Agency) will harass or turn away residents of noncompliant states when they try to pass through TSA or other Federal checkpoints or enter Federal facilities.

Not wanting to provoke riots or protests at airports, the DHS has repeatedly postponed its arbitrarily self-imposed “deadlines” for REAL-ID enforcement at TSA checkpoints, most recently until October 1, 2021.  And the TSA, despite repeated trial balloons suggesting what new rules it might try to adopt to require ID to fly, has not yet tried to finalize such a  rule. So we don’t really know what, if anything, REAL-ID Act enforcement at airports might mean.

However, the REAL-ID Act has supposedly been being enforced for access to some other Federal facilities for more than five years, starting on October 15, 2015.

We’ve been trying for almost that long to find out what that “enforcement” has really meant, so that we and the public can assess the meaning and impact of the DHS threats.

How many people have been turned away for lack of acceptable or compliant ID, or ID issued by a “compliant” state, when they tried to enter Federal facilities? At what types of facilities has this happened? And for what purposes were these people seeking entry?

Read More

Nov 06 2020

Canada copies US “Secure Flight” air travel controls

While we were watching US election returns, our neighbors to the north were adopting new travel regulations that incorporate some of the worst aspects of the US system of surveillance and control of air travel, and in some respects go even further in the wrong direction.

Canadian authorities don’t generally want to be seen as imitating the US or capitulating to US pressure. There was no mention in the official analysis of the latest amendments to the Canadian regulations of the US models on which they are based. But according to the press release this week from Public Safety Canada, the latest version of the Canadian Secure Air Travel Regulations  which came into force this week for domestic flights within Canada as well as international flights to or from Canada include the following elements, each of which appears to be based on the US Secure Flight system:

  1. All air travelers will be required to show government-issued photo ID. The Canadian ID requirement to fly is now explicit, unlike the de facto ID requirement that the US Department of Homeland Security is attempting to impose and already wrongly enforcing, in some cases, without statutory or regulatory authority. The Canadian rules appear to reflect the authority to deny passage to air travelers without ID that the DHS has sought, but has not yet been granted, in the US.
  2. Fly/no-fly decision-making will be transferred from airlines (making binary fly/no-fly decisions on the basis of a no-fly list provided by the government) to a government agency. After receiving information about each passenger from the airline, Public Safety Canada will transmit a permission messages to the airline with respect to each would-be passenger on each flight,  with a default of “not permitted to board” if no message is received by the airline from the government. Exactly this change was made in the US through the Secure Flight regulations promulgated in 2008. This change serves two purposes for the government: (A) it provides a basis for building positive real-time government control over boarding pass issuance into airline IT infrastructure, converting every airline check-in kiosk or boarding-pass app into a virtual government checkpoint that can be used to control movement on any basis and for any reason that the government later chooses, and (B) it enables the switch from blacklist-based no-fly decision-making to more complex and opaque real-time algorithmic pre-crime profiling  based on a  larger number of factors.
  3. Air travelers in Canada will be required to provide the airline  with their full name, gender, and date of birth, as listed on government-issued ID, and airlines will be required to enter this data in each reservation and transmit it to the government 72 hours before the flight or as soon as the reservation is made, whichever comes first. All of this is exactly as has bene required for flights within the US since the coming into force of the DHS Secure Flight regulations. This additional information about each passenger enables the government to match passengers’ identities, in advance, to other commercial and government databases, and thus to incorporate a much wider range of surveillance and data mining into its profiling algorithms.
  4. Travelers will be able to apply to the government for a “Canadian Travel Number” which, if issued, they can enter in their reservations to distinguish themselves as whitelisted people from blacklisted people with similar names and/or other similar personal data.  This Canadian Travel Number is obviously modeled on the “redress number” incorporated in the US Secure Flight system. The goal of this “whitelist number” is to reduce the complaints and political embarrassment of the recurring incidents of innocent people with similar names, including  children, being mistakenly identified as blacklisted people, and denied boarding on Canadian flights. The problem, of course, is that this does nothing to help the innocent people who are correctly identified as having been blacklisted by the government, but who were wrongly blacklisted in the first place.

As our Canadian friends at the  International Civil Liberities Monitoring Group put it in a statement this week:

These regulations do not address the central, foundational problems that plague Canada’s No Fly List system and will continue to result in the undermining of individuals’ rights as they travel….

The Canadian government had a solution from the beginning, and they still do: abolish the No Fly List. If someone is a threat to airline travel or to those in the region they are traveling to, charge them under the criminal code and take them to court where they can defend themselves, in public.

It’s time to be done with secret security lists once and for all.

Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Sep 14 2020

10th Circuit: No qualified immunity for police who demand ID

A panel of the 10th Circuit US Court of Appeals has ruled, in the case of Mglej v. Gardner, that it is “clearly established law” that police in Utah may not require suspects (or anyone else they detain, except operators of motor vehicles) to show ID documents, and therefore that the Garfield County Sheriff who wrongly arrested Matthew T. Mglej for “refusing to identify himself” is not entitled to qualified immunity and can be held liable for damages.

In the summer of 2011, Mr. Mglej, then 21 years old, set out on his motorcycle from his family home in Portland, OR, to visit relatives in Dallas, TX. Mid-way on that road trip, his motorcycle developed problems, and he stopped in Boulder, UT (population around 200), to see if he could get his bike repaired and replace a tire that was threatening to blow.

Read More

Sep 01 2020

TSA tries out another (illegal) biometric “ID verification” system

Today the Transportation Security Administration (TSA) announced that it has launched a “pilot” at Washington National Airport (DCA) of yet another scheme for biometric identification and tracking of domestic air travelers.

[Screen capture from TSA video]

The new “touchless ID verification” stations at DCA include a webcam (at top center of photo above) a magnetic-stripe reader (lower left) for drivers licenses and other ID cards, and a photographic scanner for passports (lower right).

Travelers who volunteer to use the new system are directed to insert their drivers license, ID card, or passport into the appropriate reader, stand on a marked spot in front of the webcam, and remove their face mask, so that the image from the ID (or, more likely, from some back-end image database linked to the ID, although that hasn’t been disclosed) and the image from the webcam can be compared by some undisclosed algorithm.

[Traveler being directed by TSA staff to remove her face mask for digital mug shot.]

As we’ve noted previously, it appears to us that (1) the TSA has no general authority to require travelers to show their faces or remove face masks, and (2) in many jurisdictions, orders issued by state or local health authorities currently require all people in public places such as airports to wear masks.

The TSA describes this system as “touchless”. But while TSA staff don’t have to touch travelers’ IDs, each traveler has to touch the same ID card or passport scanner. Then, immediately after touching the scanner, they have to touch their face again to put their mask back on.

Read More

Aug 11 2020

TSA considers new system for flyers without ID

According to a solicitation to potential contractors published last week, the Transportation Security Administration (TSA) wants to outsource its current questioning of airline passengers without ID, and its decisions about which travelers without ID to allow to travel and which to prevent from flying, to a fee-based system operated through a cellphone app provided by a private contractor and based on (secret) commercial databases.

There’s some good news and some bad news in the TSA’s posting of this Request for Information.

First, the good news:

1. The TSA admits that people can and do fly without ID.

According to the TSA’s Request for Information:

Prior to the COVID-19 National Emergency, TSA encountered over 2.5 million passengers a day and, on average, 600 instances of passengers without acceptable ID. These individuals are able to verify their identity via telephone through our National Transportation Vetting Center (NTVC).

That’s almost three times the average daily number of airline travelers without ID disclosed in the most recent of the TSA’s belated and still-incomplete responses to our Freedom of Information Act (FOIA) requests for records of travelers without ID.

2. You will still be able to fly without ID, even after the TSA “implements” and “enforces” the REAL-ID Act.

In their most recent notice of postponement of their REAL-ID threats, the TSA and the Department of Homeland Security (DHS) have said that they plan to fully implement and enforce the REAL-ID Act, with respect to airline travel, beginning October 1, 2021.

The TSA and DHS have repeatedly claimed that after that date, all air travelers will “need” to show ID that the DHS deems compliant with the REAL-ID Act in order to fly. And the TSA has previously indicated — in 2016 and again in May of 2020 —  that it intended to modify its current ID verification procedures to (illegally) deny passage through TSA checkpoints to would-be travelers who don’t present REAL-ID Act compliant ID cards.

But the TSA is now soliciting information preparatory to soliciting bids for a contract to provide outsourced “identity verification” services for air travelers without ID.

The TSA wouldn’t be preparing to solicit bids for a system to deal with air travelers without ID if the TSA planned, in a little more than a year, to stop allowing those people to fly at all.

And the TSA says that the contractor’s ID verification system for flyers without ID must “be able to process thousands of transactions per hour per day [sic] distributed across the TSA enterprise of airports.”  Whether the TSA means “thousands per hour” or “thousands per day”, that’s several times more than the current number of travelers without acceptable ID.

The only plausible explanation for the expected many-fold increase in the number of travelers without acceptable ID is that the TSA’s implementation of the REAL-ACT will result in many more air travelers’ ID’s being deemed unacceptable, and that the outsourced system is the one the TSA plans to use for travelers without REAL-ID compliant ID.

The TSA is looking for a new system for dealing with travelers without ID only because it has been forced to abandon its original plan to prevent all such people from flying.

The most important takeaway from the TSA’s latest notice is that the TSA is (still) lying about what REAL-ID Act enforcement and implementation will mean. You will not need a compliant ID to fly. The procedures may change, but you will still be able to fly without ID.

This is a major victory for our legal objections and for the potential of popular resistance.

The TSA has implicitly acknowledged that — either because it lacks legal authority to prevent everyone without “acceptable” or REAL-ID Act compliant ID from flying, or because doing so would cause riots at airports or other forms of popular resistance, or both — it  won’t be able to stop travelers without ID or without compliant ID from flying.

The bad news is the nature of the TSA’s contemplated new procedures for flyers without ID (or without “acceptable” ID).

Currently, the TSA leaves the final decision on whether or not to allow airline passengers without ID to pass through TSA or contractor-operated checkpoints to the discretion of the Federal Security Director (FSD) or their designee on duty at the individual airport.

That decision can be based on what the FSD thinks of the traveler’s looks, the nature of any “unacceptable” ID they present, whether they are willing to complete and sign the illegal TSA Form 415, and their responses to questions relayed via the TSA’s Identity Verification Call Center (IVCC) from the TSA National Transportation Vetting Center (NTVC) based on information in records about the traveler held by the commercial data broker Accurint.

The new process apparently being considered by the TSA would outsource the questioning of travelers without ID or with unacceptable ID to a private for-profit contractor, with that questioning to be administered through a smartphone app. The questions would be based on some aggregation of government and commercial data, and the answers would be assessed according to some secret algorithm to generate a binary pass or fail result.

An identity thief (or ‘bot) with access to the commercial database used as the basis for “pass/fail” determinations would be better able to answer questions about the information in that database than would a real person who is unprepared for this questioning and who has no way to know (or to correct) what misinformation is contained in the database.

A traveler who shows up at a TSA checkpoint would, it appears, be told they have to install the mobile app, pay a fee through the app (which presumably would require a credit or debit card or bank account),  complete the in-app questioning, and show a “pass” result from the app to the TSA staff or contractors in order to “complete screening” and proceed through the checkpoint.

  • No cellphone? No fly. (We’ve seen this already in Hawaii.)
  • Your cellphone isn’t a smartphone? No fly.
  • Your smartphone has a different OS that can’t run the contractor’s app? No fly.
  • No charge in your cellphone battery? No fly.
  • No signal in the airport? No fly.
  • No credit or debit card? No fly.
  • Don’t know what misinformation is in data brokers’ records about you? No fly.
  • Your record fits a “fail” profile in the contractor’s secret algorithms? No fly.

Read More