Wikileaks has published two internal briefing documents produced for the use of CIA undercover agents, describing the methods used by airlines and governments to identify international travelers.

Both of these reports were produced as part of the CIA’S previously-unknown CHECKPOINT program of travel ID-related activities:

This product has been prepared by CIA’s CHECKPOINT Identity and Travel Intelligence Program. Located in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology, CHECKPOINT serves the Intelligence Community by providing tailored identity and travel intelligence products. CHECKPOINT collects, analyzes, and disseminates information to help US intelligence personnel protect their identities and operational activities while abroad.

One of the reports, “Surviving Secondary“, describes ID-related “secondary screening” procedures at international airports, with examples from the US, EU, and other countries around the world.  The other report is an overview of, “The European Union’s Schengen biometric-based border-management systems.”

Most of the airline and government profiling and “screening” activities described in the reports, are already well-known.  These include many of the ways that governments obtain and use Passenger Name Record (PNR) and Advance Passenger Information (API or APIS) data derived form airline reservations.

But these newly-released reports also confirm that the CIA (and the other agencies with which the reports have been shared within the US government) are aware of some airline and government activities and some vulnerabilities for travelers which we and others have complained about, but which the US government has not previously acknowledged.

One problem confirmed by the CIA report on secondary screening is that government agencies can, and routinely do, obtain and use PNR, API, and other airline data, without legal authority or due process:

Security services lacking APIS or PNR information may have other arrangements to receive passenger manifests ahead of time. For example, the Airport Police Intelligence Brigade (BIPA) of the Chilean Investigative Police does not routinely obtain advance passenger manifests but can request the information from airlines on an ad hoc basis to search for targets of interest. Strict privacy laws covering Danish citizens extend to all passengers traveling through Copenhagen airport such that the Danish Police Intelligence Service (PET) cannot legally obtain routine access to flight manifests. However, if one of PET’s four cooperative airline contacts is on duty, the service can unofficially request a search on a specific name, according to August 2007 liaison reporting.

Airline data obtained by government agencies through these extrajudicial channels is used for profiling and targeting of searches, questioning, and other adverse actions against travelers.

This practice is illegal in many of the countries where it is routine, but typically occurs without leaving a trace.  Many airline staff are willing to betray their customers’ privacy to government agencies. And because no records are kept of who accesses PNR data, both government agents and their airline collaborators know that they are unlikely to be held accountable unless they confess or are caught in the act.

The persistence of routine “informal”, often illegal, and almost always unrecorded government access to airline data about travelers highlights a crucial issue we’ve been talking about for years: the complete absence of access logging in the architecture of the computerized reservation systems (CRSs) which host airlines’ PNR databases.  CRSs have PNR change logs, but no PNR access logs.

Governments and travelers must demand that CRSs add comprehensive access logging to their core functionality for PNR hosting. That won’t stop the problem. Airline staff will still be able to show government agents printouts or let them look at displays, with only the airline personnel’s  access being logged. But access logs will help, and are an essential first step toward control of PNR data “leakage”.

The CIA report on secondary screening also confirmed that the CIA is aware of the sensitivity and use by European governments (and presumably other governments) of associational information contained in fare basis codes, ticket designators, and travel agency IDs:

April 2007 reporting resulting from a liaison exchange with the Hungarian Special Service for National Security (SSNS) provides insights into factors considered by officers at Ferihegy airport in Budapest, Hungary when examining tickets. Officers check … whether the ticket fare code represents a government or military discount, or whether a government travel agency booked the ticket. Hotel and car reservations are similarly examined for unusual discounts or government affiliation.

Of course, the same PNR data elements and pricing and ticket designators can reveal other, non-governmental, affiliations between travelers and with other individuals and groups. If an airline gives a discount to members of a political organization, trade union, or other group attending a convention or meeting, for example, each PNR and ticket for a member who receives the discount typically includes some unique code.

Despite complaints, including ours, both US and European officials have denied that ticket designators and similar codes in PNRs can reveal sensitive associational data.  Now we know that this information is already being used by European governments, and that the CIA is aware of these uses.  There’s no more excuse for pretending that these data elements are innocuous or that they can be “shared” without risk to travelers.

In a Notice of Proposed Rulemaking (NPRM) published yesterday in the Federal Register, the Coast Guard has proposed that all so-called “cruise ship” ports be required to carry out airport-style searches (“screening) and check identity credentials of all embarking and disembarking passengers and any other visitors entering the port.

Entities responsible for the operations of large passenger vessels and ports are already required to submit “security” plans to the Coast Guard. Because those current plans are filed in secret, it’s not entirely clear how the  proposed requirements differ from current practices.

According to the NPRM, the Coast Guard’s guidelines for complying with the current regulations, in addition to various other supporting documents, were included in the rulemaking docket. We’ve confirmed with the docket office, however, that the Coast Guard never provided any of the supporting documents for posting on Regulations.gov or over-the-counter availability at the docket office. Presumably, a corrected notice with a new due date for comments will be published in the Federal Register once these documents are made publicly available.

From the summary in the NPRM, it appears that the main proposed changes are new requirements for port operators to:

(a) Screen all persons, baggage, and personal effects for dangerous substances and devices in accordance with the requirements in subpart E of this part;

(b) Check the identification of all persons seeking to enter the facility in accordance with §§ 101.514, 101.515, and 105.255 of this subchapter….

The difference in “screening” practices contemplated by the proposed rules seems to be that they would be more standardized than at present, more like those at airports, and would be required to enforce a Coast Guard “prohibited items” list.  Although the list of items prohibited from aircraft is designated as “Sensitive Security Information”, the Coast Guard has included a tentative list of items proposed to be prohibited from cruise ship cabin baggage in the proposed rules. At the same time, the proposed rules would provide that:

The Prohibited Items List does not contain all possible items that may be prohibited from being brought on a cruise ship by passengers. The Coast Guard and the cruise ship terminal reserve the right to confiscate (and destroy) any articles that in our discretion are considered dangerous or pose a risk to the safety and security of the ship, or our guests, and no compensation will be provided.

Cruise ship passengers are already required to “present personal identification in order to gian entry to a vessel [or port] facility,”  but it isn’t clear how or by whom this is supposed to be enforced. The propsoed rules would create a new obligation for port operators to check passengers’ ID credentials.

As with the definition of “prohibited items”, the definition of acceptable ID credentials is defined for air travel only in secret (SSI) TSA Security Directives and/or Standard Operating Procedures, but is defined publicly in Federal regulations for cruise ships.

The NPRM would leave the definition of acceptable ID unchanged. In addition to government-issued ID credentials, the regulations specifically provide for the acceptance of ID issued under thre authority of, “The individual’s employer, union, or trade association”, as long as it is laminated, includes a current photo, and baears the name of the issuing authority.

By its plain language, this regulation allows any self-employed person to issue their own self-signed personal ID credentials for access to port facilities.

That’s not inappropriate, since many self-employed contractors need to enter ports for business reasons.

In practice, most cruise lines enforce (with or without legal authority) ID requirements more stringent than those in Federal regulations. But we’d be interested in hearing from anyone who has presented self-signed ID credentials, in accordance with these regulations, for purposes of entry to a port or to board a cruise ship.  Some cruise lines alloow guests onboard while ships are in port, such as friends seeing off passengers. So you might be able to experiment without being a passenger yourself.

Read More →

Secretary of Homeland Security Jeh Johnson announced this morning that, with immediate effect and with no advance notice or warning, foreign citizens “seeking to travel to the United States from countries in our Visa Waiver Program (VWP) will be required to provide additional data fields of information in the travel application submitted via the Electronic System for Travel Authorization (ESTA).”

The additional questions which have already been added to the newly “Enhanced” ESTA application include:

• Other Names/Aliases
• Other Citizenships
• Parents name(s)
• National Identification Number (if applicable)
• U.S. Contact information (email, phone, points of contact)
• Employment information (if applicable)
• City of Birth

As discussed in our comments to DHS when it was first proposed, the ESTA is a a travel permission and exit-permit system of dubious legality. Prior application, payment of the ESTA fee (by credit card only, so that CBP has a credit card number on file to link the travel history of each ESTA applicant to a financial history), and receipt of ESTA approval is required by the US before boarding any flight departing from any other country in the world, with the intention of eventually traveling to the USA.

ESTA approval is not a guarantee of admission to the US, and the US has consistently and explicitly claimed that ESTA is solely a travel-permission scheme, not a visa requirement.  (If it were deemed a visa requirement, US citizens would likely be subjected to reciprocal visa requirements to visit VWP countries.)  So the sole purpose of adding questions to the ESTA application form is to add them to the inputs to the pre-crime profiling process that determines whether to allow an applicant to travel to the US for the purpose of applying, on arrival at a US port of entry, for visa-free admission to the US as a visitor.

In other words, the only reason to ask citizens of VWP countries about their other or prior citizenship(s), if any, is for DHS to discriminate between citizens of the same WVP country, in making ESTA permission-to-travel decisions, on the basis of those VWP-country citizens’ prior national origins.

This is a disgraceful act of overt US government bigotry, and all citizens of both the USA and VWP countries should be outraged.  Why should the US think it can treat citizens of, say, the UK or Germany differently on the basis of their national origin, as evidenced by what other countries’ passports they also hold or previously held? Such blatant discrimination against  US citizens on the basis of their national origin would be illegal on its face, although it has been standard illegal operating procedure for the DHS.

DHS claims in its FAQ about today’s ESTA “enhancements” that it can mandate provision of this additional information through a Paperwork Reduction Act (PRA) notice of information collection, without needing to promulgate any new or revised regulations:

Why is DHS doing this under a Paperwork Reduction Act and not a regulation?

The relevant regulatory provision does not list the specific data elements that VWP travelers must provide in order to obtain an ESTA. Instead, the regulation states that “ESTA will collect such information as the Secretary [of Homeland Security] deems necessary to issue a travel authorization, as reflected by the I-94W Nonimmigrant Alien Arrival/Departure Form (I-94W).” Since there are no data elements listed in the regulation, there is no need to update the regulation. The revisions to the ESTA data elements fall under the Paperwork Reduction Act since DHS is amending an information collection (Form I-94W) and not amending a regulation.

The problem with this is that DHS has already added the new questions to the ESTA form, but doesn’t appear to have gotten the necessary approval from the Office of Management and Budget (OMB) for their inclusion.

DHS has a long history of ignoring the PRA and failing to get its forms approved by OMB. The PRA notice in the online ESTA application form refers to OMB approval control number 1651-0111, which was issued September 17, 2014. But the Federal Register notices and other documents submitted to OMB to support that approval don’t appear to have included the new questions added to the form today.