Today the Identity Project and allied civil liberties and human rights organizations submitted comments objecting to a proposal by US Customs and Border Protection (CBP) to require all travelers on international flights to or from the US to provide an address in the US, two phone numbers, and an email address, and prohibit or recommend that airlines not permit anyone who is unable or unwilling to provide this information to board any flight to or from the US. (See our report when this proposal was announced.)

In return for collecting this information and passing it on to CBP, airlines would be allowed to retain and use it for their own purposes, without permission from travelers. Airlines would also be allowed (and in some cases required) to pass it on to foreign governments.

The proposed CBP rule would apply to all travelers, including US citizens (regardless of whether they reside in the US), visitors, and asylum seekers.

The proposed rule is far more significant and far worse than it appears at first glance.

Although the proposal is represented by CBP as a minor change to an existing program that would cost airlines nothing and impose no costs on travelers, it would cost the airline industry hundreds of millions of dollars and impose costs on would-be travelers, especially asylum seekers, that would be measured not only in dollars but  also in lives. The proposed rule would also violate multiple provisions of the Privacy Act, including in ways that would force travelers to make personal information available to hostile foreign governments.

Below are excerpts from our objections to the CBP proposal. You can read the complete comments of the Identity Project and our allies here. You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by filling out this form.

The undersigned civil liberties and human rights organizations – the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC) – submit these comments in response to the Notice of Proposed Rulemaking, “Advance Passenger Information System: Electronic Validation of Travel Documents”, Docket Number USCBP-2023-0002, FR Doc. 2023–02139, RIN 1651-AB43, 88 Federal Register 7016-7033 (February 2, 2023).

By this Notice of Proposed Rulemaking (NPRM), U.S. Customs and Border Protection (CBP) proposes to (1) expand the fields of information that all international travelers flying to or from the U.S. by common carrier are required to provide to airlines and that airlines are required to pass on to CBP (while being free to retain copies for their own profitable use); and (2) prohibit airlines from allowing certain individuals including those who don’t have, or are unable or unwilling to provide, two phone numbers, an email address, and an address in the U.S. (even if they are U.S. citizens who reside abroad), to board flights, or recommend that airlines not board them (in violation of airlines’ duties as common carriers to transport all passengers paying the fares in their tariffs, and in violation of travelers’ rights under Federal statutes, the Bill of Rights, Executive Orders, and international human rights treaties to which the U.S. is a party).

The proposed rule is purportedly intended to “enable CBP to determine whether each passenger is traveling with valid authentic travel documents prior to the passenger boarding the aircraft.” Aside from the fact that CBP has no jurisdiction over foreign citizens boarding foreign-flagged aircraft at foreign airports, the proposed rule would have little or no effect on CBP’s ability to detect travelers using documents issued to other people. The proposed rule would not serve its stated purpose, but would only serve to expand CBP’s systematic warrantless, suspicionless, surveillance of air travelers and CBP’s attempt to control airline travel.

As discussed below, the proposed rule exceeds CBP’s authority and jurisdiction and is contrary to law. It is also bad policy. It amounts to an attempt to impose a travel document requirement in the guise of document “validation”, to outsource to airlines surveillance and control of travelers that CBP would have no authority to conduct itself, and to frustrate the human right to asylum by preventing asylum-seekers from reaching the U.S.

Read More →

US Customs and Border and Border Protection (CBP) has proposed new rules to expand its Advance Passenger Information System (APIS) to require all international airlines serving the US to provide additional information about all passengers, prior to flight departures.

CBP’s Notice of Proposed Rulemaking (NPRM), published last Thursday in the Federal Register, falsely claims that the proposed rules would not affect individuals, only airlines. But the mandate for airlines to provide additional information about each would-be passenger makes it a de facto requirement, as a condition of air travel, for travelers to provide this information to airlines and the government.

This would constitute a significant expansion of an ongoing unconstitutional surveillance and profiling program in which all international air travelers are required to respond to suspicionless, warrantless, interrogatories administered through airlines as intermediaries and outsourced government surveillance agents and interrogators.

APIS is not a passive surveillance scheme, however. It is part of a real-time system of  granular, per-passenger, per-flight government control of air travel:

After performing the security vetting, the CBP system transmits to the carrier an electronic message. This message is generally referred to as CBP’s response message. If the carrier is using an interactive transmission system, the response message provides certain instructions to the carrier. Specifically, it states whether each passenger is authorized to board, requires additional security screening, or is prohibited by TSA from boarding… Depending on the instructions received in the response message, the carrier may be required to take additional steps, including coordinating secondary security screening with TSA, before loading the baggage of or boarding the passenger at issue.

The Identity Project has objected to every step in the expansion of APIS since 2006, and we will be filing comments objecting to the latest NPRM. If you’d like to file your own objections, the deadline is April 3, 2023. We’ll post ours for others to use as a model.

Current mandatory APIS data fields include name, date of birth, gender, nationality, passport or travel document number, and flight details (airline, flight number, and departure and arrival airports, dates, and times). In addition to the information that CBP has been requiring since 2006, the new NPRM proposes that airlines operating flights to or from the US be required to collect and transmit to CBP additional information including:

• Street address in the US (currently required of aliens but not of US citizens)
• Telephone number and “alternate” telephone number (presumably the second phone number is required in order to help the government build social network maps and  guilt-by-association links of First Amendment protected associations between individuals)
• Email address

What if a US citizen has no fixed address, or no address in the US — or doesn’t want to tell the US government? What if they don’t yet know at which hotel or with which friend or relative  they will be staying — or don’t want their host permanently linked with them in the government’s surveillance and suspicion-generating files?

Are two telephone numbers and an email address required as a condition of air travel?

The proposed rules are silent, but they imply that any airline that transports such a passenger would be subject to sanctions:

CBP cannot require that a passenger be denied boarding. However, if an air carrier boards a passenger who is then denied entry to the United States, the air carrier may have to pay a penalty and bear the costs of transporting that passenger out of the United States.

On arrival in the US, the US government has the duty to allow a US citizen to enter the country unless there is genuine doubt as to their US citizenship. They are not required to provide any information not related to, and needed to determine, their US citizenship.

If a CBP inspector at a border crossing or airport asks a US citizen their address in the US, phone number(s), or email address, they have the right to stand mute or to refuse to answer. CBP can search them, but cannot make them answer questions or deny them entry for standing mute.

If CBP would have no Constitutional authority to require a traveler to answer these questions after they arrive in the US, on what possible grounds would it claim authority to require answers to those same questions before a traveler even boards a flight to the US?

The NPRM does not mention the Bill of Rights or any limits on the authority of the government or a common carrier to demand personal information or answers to interrogatories as a condition of carriage.  We believe that there is no such authority. The proposed rules would violate the First, Fourth, and Fifth Amendments, the Privacy Act, and US obligations as a party to the International Covenant on Civil and Political Rights.

Since the creation  of the Department of Homeland Security (DHS) after September 11, 2001, the DHS has imposed more than a billion dollars in unfunded mandates to the airline industry  to collect additional information about all airline passengers, transmit that information to DHS components (CBP for international flights and the TSA for domestic flights), and receive and process instructions from the DHS before issuing any boarding pass.

The proposed new rules would send the airline IT industry back to the drawing board to modify all of its software, user interfaces, APIs, and business-process layers to collect and transmit additional data fields  about each passenger to CBP prior to departure of each international flight to or from the US.

CBP says that some airlines are already “voluntarily” providing personal information about passengers to CBP beyond what has been required by the current APIS regulations.

Why would airlines be willing to collaborate with the DHS in these schemes?

The proposed rules would leave airlines free to retain, use, share, sell, or otherwise monetize the additional personal information which travelers would be required to provide. This would amount to a huge informational windfall for airlines, and this is the quid pro quo to airlines for collecting this additional data for the government. To put it another way, the proposed rules would constitute a government-compelled taking and transfer to airlines of the value of travelers’ personal information.

Airlines don’t collect this data systemically now, and have not yet developed any standards for normalizing, storing, or exchanging it. This would be a massive unfunded mandate for modifications to airline industry IT systems, at every level from interline messaging protocols to user interfaces, and in training staff. But most of these costs would be one-time costs, and in the long term would be offset by the informational windfall to airlines.

Airlines are already experts in monetizing passenger data, making billions of dollars a year by selling advertising targeted to members of their frequent flyer programs. Compelled provision of additional contact information would enable airlines to expand these customer data monetization and ad targeting programs to all air travelers, including infrequent flyers who aren’t members of these programs.

Many foreign airlines are parastatal entities, so this rule would effectively require many asylum seekers to divulge info to the foreign governments from which they are trying to flee, prior to departure from those countries, placing themselves and their associates (linked to them by e.g. shared contact info)  at even greater peril.

Travelers and airlines should just say no. Travelers should decline to answer questions unrelated to their admissibility to the US, and airlines should transport them anyway and challenge any attempt to impose sanctions on them for refusing to spy on their passengers by interrogating them and collecting surveillance data for the government.