Papers, Please – Page 23 – Papers, Please!

Oct 10 2013

TSA proposes arbitrarily individualized surveillance-based searches

In the latest version of TSA’s endless series of “trusted traveler” (or “less mistrusted traveler”) schemes, the agency is currently proposing to impose more intrusive searches on any traveler who doesn’t “voluntarily” enroll in the TSA Pre-Check program and authorize the TSA to create a new permanent file with everything from your fingerprints to any “other information provided by … government agencies or other entities”.

These files would be exempted from the normal requirements of the Privacy Act that records used as the basis for decisions about individuals’ exercise of our rights be made available to us and be limited to information that is sufficiently accurate, complete, and relevant to form a legitimate basis for such decisions.

The proposal is contained in a package of three regulatory filings (one new and one revised “System of Records Notice” and a “Notice of Proposed Rulemaking” proposing Privacy Act exemptions) published last month in the Federal Register. All three have to be read in combination to appreciate their full implications.

The deadline for public comments on two of these proposals is today, and for the third is tomorrow. We filed consolidated comments today objecting to all three of these proposals:

Read in combination, this new and revised SORN and these proposed regulations describe a system in which an essentially unlimited range of personal information collected from an essentially unlimited range of sources, and known to include inaccurate and irrelevant information, would be (or perhaps already is being) compiled into the “TSA Pre-Check Application Program” system of records.

These records would be used – either according to criteria which are illegally being kept secret, or in an entirely arbitrary manner at the “discretion” of the TSA – to determine who is and who is not deemed “eligible” to exercise the right to travel without being subject to unreasonable searches.

The results of that decision-making would be incorporated into the “Secure Flight” system of records, and used as part of the basis (also either pursuant to secret rules or entirely arbitrarily) for deciding to issue or withhold the issuance of individualized “boarding pass printing results”, including instructions to TSA staff and contractors as to the degree of intrusiveness of the search to which each would-be traveler is to be subjected as a condition of exercising our right to travel.

Maintenance and use of these systems of records in the manner contemplated by these SORNs and the proposed exemptions would violate the 1st, 4th, and 5th Amendments to the U.S. Constitution, the presumption of innocence, due process, the Freedom Of Information Act (FOIA), the Privacy Act, and Article 12 (Freedom of Movement) of the International Covenant on Civil and Political Rights (ICCPR.

These records should be expunged, and the proposed regulations should be withdrawn….

We also point out that the TSA is only pretending to give the required consideration to public comments:

According to the “TSA Pre-Check Application Program” SORN published on September 10, 2013, “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act because it may contain records or information related to law enforcement or national security purposes.”

This claim was, and is, false. As of the date of the SORN, no such exemption had even been proposed: the NPRM proposing such an exemption, and requesting public comments (such as this one) concerning that proposed exemption for consideration by the DHS, was not published until a day later, on September 11, 2013. Even now, the Secretary has promulgated no final rule for such an exemption. Nor could he or she promulgate any such final rule, consistent with the Administrative Procedure Act, unless and until the current period for public comment on the proposed exemption rule has concluded and the comments submitted (including these comments) have been considered by the DHS.

The false claim that “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act”, when in fact the Secretary has not done so, appears to be intended to mislead individuals about what rights we have, and to dissuade us from attempting to exercise our rights. In addition, by stating the outcome of the current exemption rulemaking as a fait accompli, it constitutes prima facie evidence of bad faith in the consideration of public comments. It is not enough for an agency to accept submissions of comments from the public to the circular file, after making a decision. An agency must give genuine consideration to public comments before deciding whether to finalize, modify, or withdraw a proposed rule.

You can read our complete comments here. You can submit comments at Regulations gov (here, here , and here) but your comments won’t be processed or visible online until after the DHS Privacy Office re-opens.

[TSA Pre-Crime graphic from Leaksource]

Sep 17 2013

How airline reservations are used to target illegal searches

One of the most detailed pictures to date of how the US government uses airline reservations to target illegal searches is provided by documents released recently by the US government as part of an agreement to settle a lawsuit brought by David House, an activist with the Pvt. Manning Support Network.

Mr. House was detained and searched and had his electronic devices confiscated and copied by DHS personnel at O’Hare Airport as he was re-entering the US after a vacation in Mexico in 2010.

The government learned of Mr. House’s travel plans through their systems for real-time monitoring and mining of airline reservations:

The ACLU analysis of the documents released to Mr. House, and reports by the New York Times and the Associated Press, focus on the DHS seizure and copying of the data from Mr. House’s electronic devices. An article in Mother Jones highlights the technical ineptness of the government’s attempts to analyze the data seized from Mr. House. (It took DHS “experts” more than a month, for example, to realize that a portion of the data dump from Mr. House’s netbook was a Linux partition.)

But as discussed below, more is revealed by these documents about DHS access to, and use of, airline reservations.

The documents released to Mr. House may also help explain how David Miranda, the domestic partner of journalist Glenn Greenwald, was detained and searched last month while changing planes at Heathrow Airport in London.

And in that context, they may also suggest an explanation for why Mr. Miranda was detained and searched in the UK, and Mr. House in the US, but Mr. Greenwald himself has not been detained or similarly searched when he travels to the US.

Sep 10 2013

9th Circuit considers Constitutionality of ban on Internet anonymity

Last year, we reported on a Federal district court hearing on the Constitutionality of portions of the law enacted by California’s Proposition 35, which requires California residents who have been convicted of certain sex-related crimes to register with the local police, annually and within 24 hours of any addition or change, for the rest of their lives, “A list of any and all Internet identifiers established or used by the person [and] A list of any and all Internet service providers used by the person… For purposes of this chapter, (a) “Internet service provider” means a business, organization, or other entity providing a computer and communications facility directly to consumers through which a person may obtain access to the Internet…. (b) “Internet identifier” means an electronic mail address, user name, screen name, or similar identifier used for the purpose of Internet forum discussions, Internet chat room discussions, instant messaging, social networking, or similar Internet communication.”

The challenge to this portion of the law, being argued by Electronic Frontier Foundation and the ACLU of Northern California on behalf of as-yet-anonymous clients who would be subject to this registration requirement, is a crucial test of the right to anonymity on the Internet.

It’s easy to say, “This only affects sex offenders.”

But restrictions on First Amendment rights are always imposed first on the most stigmatized groups of people, whether the villians du jour are serial killers, perverts, Communists, or Jews. Once they are accepted by the public as applied to those disfavored classes, these measures can gradually be expanded until everyone has to register with the government, carry government-assigned credentials identifying them and/or their group affiliation (Star of David, pink triangle, etc.), or comply with other restrictions that have come to be accepted as merely “administrative” rules for how they can exercise their rights, and are no longer considered substantive restrictions on rights.

Judge Thelton Henderson of the U.S. District Court for the Northern District of California had issued a temporary restraining order prohibiting the state form enforcing this part of the law. Following the hearing we reported on, Judge Henderson converted that order into a preliminary injunction. Both the state of California, and the sponsors of the ballot initiative (as “intervenors” in the court case) appealed to the Circuit Court before the District Court could resolve the issue of whether to make the injunction permanent.

Today a three-judge panel of he 9th Circuit Court of Appeals heard arguments on whether to let the preliminary injunction remain in force while the District Court proceedings continue.

Today’s hearing focused on whether the provisions of Prop. 35 requiring registration of Internet service providers and “identifiers” chill the exercise of free speach and are overbroad, i.e are not “narrowly tailored” to restrict no more activity protected by the First Amendment than is necessary. (The vagueness of the terms “Internet service provider” and “Internet identifier” was raised in the briefs, but barely mentioned at argument.)

Early in the hearing, Judge Jay Bybee observed that, “We’re living in a post-Snowden world now, where we all have to wonder whether all of our communications are being monitored by the NSA.” It was an intriguing suggestion of how much judicial attitudes may have been reshaped by the actions of whistleblowers.

The law’s proponents argued that free speech would not be chilled because under the law the police would have only limited authority to make Internet identifiers public.

But Michael Risher of the ACLU pointed out that chilling effects result primarily from fear of official retaliation — such as by the police. Police don’t have to make registration information public to use it themselves against people who say things they don’t like.

“A registrant who wants to criticize the local police department in comments on a local newspaper’s website, but doesn’t want to face retaliation, will be chilled if they know that their identifier is on file with those local police…. Among the reasons for protection of anonymous speech is to protect against this sort of official retaliation.” It’s easy for the police to make life hard for a registered sex offender, Risher pointed out.

The law’s defenders had a particularly hard time justifying the breadth of the registration requirement, which they conceded applied (at least as the law is written) to screen names or accounts used to post comments on websites from the New York Times to eBay, and to people whose crimes had nothing to do with the Internet.

“If I open an account so I can sell my bicycle on Craigslist, do I have to report that?”, Judge Bybee asked.

When counsel for the intervenors tried to justify the requirement for registration of Internet identifiers (but not pseudonyms used for other sorts of communications) by claiming that “sex crimes are moving to the Internet”, Judge Mary Schroeder shot back, “So is shopping. So what?”

We’re relatively optimistic that this panel of the 9th Circuit will allow the District Court’s preliminary injunction to remain in force. But it’s still up to the District Court to make that injunction permanent.

Aug 22 2013

California considers “enhancing” drivers licenses with radio tracking beacons

California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.

Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.

The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints.

Independent academic studies of actual ID cards issued by other states, using the same standards proposed for use in California, have found that they can sometimes be read from more than 50 yards away.

S.B. 397 has already been approved by the California Senate, and is now under consideration in the Assembly. Because it has been amended by the Assembly, it will need to be reconsidered by the Senate (to decide whether to accept the Assembly amendments) if and when it is approved by the Assembly.

To date, S.B. 397 has been largely unopposed in the California legislature, and it is likely to be approved unless legislators start hearing a groundswell of opposition from their constituents.

What excuse is being offered for this scheme? And what’s its real purpose?

Aug 19 2013

White House approves new “long forms” for some passport applicants

After a year-long “review”, the White House on August 12, 2013, approved the State Department’s proposed new “long form” questionnaires for some (unspecified) subset of applicants for US passports:

Form DS-5513, “Supplemental Questionnaire to Determine Entitlement for a U.S. Passport”:

Form DS-5513 as approved (OMB Control Number 1405-0216)
Supporting Documents for Form DS-5513 (click on “all” at top of page for more details)

Form DS-5520, “Supplemental Questionnaire to Determine Identity for a U.S. Passport”:

Form DS-5520 as approved (OMB Control No: 1405-0215)
Supporting Documents for Form DS-5520 (click on “all” at top of page for more details)

In approving these forms, the Office of Management and Budget (OMB) ignored overwhelmingly public outrage at these questionnaires, which ask such questions as:

List all your parent(s) residences one year before your birth.
Parent(s) place of employment at the time of your birth (Dates of employment, Name of employer, Address of employer).
Did your mother receive medical care while pregnant with you and/or up to one year after your birth? (Name of hospital or other facility, Address, Name of Doctor, Approximate dates of appointments).
Please provide the names (as well as address and phone number, if available) of persons present at your birth such as medical personnel, family members, etc.
Please list any schools, day care centers, or developmental programs you attended from birth to age 18 in or outside of the United States.
Please list all of your permanent residences inside and outside of the United States starting with your birth until age 18.

The proposed forms were slightly (but not significantly) revised by the State Department during the review by OMB. But there are still no publicly-disclosed guidelines for which passport applicants would be sent one or both of these “long forms”. We requested this information from the State Department more than two years ago under the Freedom of Information Act (FOIA), but the State Department has not yet responded to our request. (This is, we’ve been told, typical of the State Department’s failure to comply with FOIA deadlines.) The most reasonable inference is that the new forms are designed to be impossible to complete, so as to provide a pretext to deny you a passport if the State Department doesn’t like your looks (or your opinions, or whatever).

The State Department has also ignored our formal complaint that these conditions for passport issuance violate U.S. obligations as a party to the International Covenant on Civil and Political Rights, and our FOIA request for any records of what (if anything) was done with that complaint.

OMB declined our written request to meet with them to discuss our objections to the proposed forms. OMB policy is to meet with groups interested in its reviews of proposed regulations, but it doesn’t apply that policy to its reviews of proposed “information collections”.

In the course of the review by OMB, the State Department admitted that, as we had already reported, it has already been using these forms illegally. According to the latest State Department submission to OMB:

The DS-5520 has been created to correct a procedure that may have been inconsistent with the Paperwork Reduction Act (PRA)…. Field offices have, in the past, sent the applicant a letter containing a questionnaire asking for the supplemental information. The Department has become aware of this procedure and is now seeking OMB approval to rectify the oversight….

The DS-5520 is a new collection based on the previously internal Information Request Letter (IRL) titled, “Supplemental Identification List”. To estimate the number of respondents per year, therefore, the Department ran a report using our Management Information System (MIS) to determine the number of these IRLs filed in 2011 by every passport agency and acceptance facility. The results revealed that in 2011, 54,723 letters were filed along with the DS-11.

Until the forms were approved (as they now have been) by OMB, the Paperwork Reduction Act (PRA) prohibited the State Department from denying anyone a passport or imposing any other penalties for failure or refusal to fill out these forms.

Now that these forms have been approved, objections to the denial of a passport on the basis of failure to complete these forms (or to do so to the satisfaction of the State Department) will have to be based on other grounds than the PRA. These objections may be more fundamental, but may also be more difficult to establish in administrative or judicial proceedings.

If you are a US citizen but are denied a US passport because you are unable or unwilling to answer these questions, or you are prevented from entering or leaving the USA because you don’t have a passport, we’d like to hear from you.

Jun 14 2013

How many people fly without ID? How many are denied the right to fly?

Buried in the TSA’s response last month to our FOIA request for information about its ID verification forms a and procedures was a fragmentary report on how many people try to fly without ID, and what happens to them.

An e-mail message discussing the changes made in 2008 to the TSA’s (secret) procedures for flying without ID — the last time TSA Form 415 for air travelers without ID was revised — included a TSA Operation Center (TSOC) “ID Verification Report” for the 15-hour period from 5 p.m. on June 21, 2008, to 8 a.m. on June 22.

On what was described as a “quiet” night, 74 people (nationwide, apparently) tried to fly without ID and were subjected to the TSA “ID verification” procedures between 5 p.m. and 5 a.m., and an additional 45 between 5 and 8 a.m. the next morning, for a total of 119. This didn’t include what is presumably the busiest shift, from 8 a.m. to 5 p.m., but what still suggest that tens of thousands of people try to fly without ID each year.

It appears that most of these people were allowed to fly without ID. Of the total of 119, only 8 were reported as “denials” (presumably meaning that they were identified, but deemed on the basis of that identification to be subject to no-fly orders), while 23 were reported a “not verified”. It’s unclear if those “not verified” were denied travel, or were allowed to travel despite not being “verified”.

Now that we know that records are being kept of how many people try to fly without ID, and of what happens to them, we’ve filed a follow-up FOIA request for all “TSOC ID Verification Reports” as well as any records of how incidents and outcomes are categorized for reporting purposes.

May 29 2013

TSA never got OMB approval for “Certification of ID” (Form 415)

In June 2008, the TSA began requiring would-be travelers who didn’t show government-issued ID credentials to fill out and sign — under penalty of perjury — a new “Certification of Identity” form, and answer questions based on the records about them retrieved by a TSA contractor from some commercial data-aggregation company.

Since then, we’ve made a series of FOIA requests to try to obtain the current form, the rules (if any) for its use, and whether the TSA had gotten this collection of information approved by the Office of Management and Budget (OMB), as required by the Paperwork Reduction Act (PRA).

We’ve recently received a response to one of our FOIA requests, filed more than two years ago, which includes the latest version of TSA Form 415 and makes clear that the TSA has never obtained the requisite OMB approval.

In the absence of OMB approval and a valid OMB control number on TSA Form 415, travelers who decline to respond to these questions or fill out or sign this form cannot be subjected to any government sanctions, including TSA “civil penalties”.

There are several noteworthy features of the latest documents released by the TSA in response to our FOIA request, particularly TSA Form 415 itself and this email thread regarding how the form is used and whether it requires OMB approval.

First, the e-mail correspondence with the FOIA Office to identify records responsive to our request appears to have been completed within a few weeks. Then the TSA sat on the response for more than two years, presumably while waiting for approval from the DHS FOIA “front office”. From responses to our previous requests, we know that the FOIA “front office” has ordered the TSA not to respond to our requests without this approval, even if responses are complete and otherwise ready to go out.

Second, if the TSA’s latest FOIA response to our request for the “most recent version” is to be believed, the version of the “Certification of Identity” currently in use is this TSA Form 415 dated August 2008.

Third, the TSA never even applied for OMB approval for TSA Form 415 or its unnumbered predecessor “Certification of Identity” form, because the office responsible for obtaining OMB approval was led to believe that the form was to be completed by TSA staff, not by travelers (a manifestly implausible claim, since all versions of the form have included a space labeled for the signature of the would-be traveler).

Fourth, the TSA completely misunderstood the statutory criteria for determining when OMB approval is required. Who fills out the form, or whether there even is a paper form (or information is collected by verbal questioning), is completely irrelevant to the definition in the Paperwork Reduction Act of a “collection of information” for which OMB approval is required:

[T]he term “collection of information” … means the obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public, of facts or opinions by or for an agency, regardless of form or format, calling for … answers to identical questions posed to, or identical reporting or recordkeeping requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the United States….

The consequence is that you aren’t required to complete TSA Form 415 (since it doesn’t have an OMB control number), you aren’t required to answer any TSA questions (if the same questions are asked of ten or more people), and you can’t be penalized for declining to fill out the form or answer such questions.

Apr 17 2013

Federal court voids New York subway “ID rule”

In a case touching on several issues of concern for us here at the Identity Project, a Federal magistrate has struck down the N.Y. Transit Authority’s “ID rule” as unconstitutionally vague.

This was the right decision in the case, and it was issued on the right basis. And it articulates the sort of analysis and judgment that courts ought to apply to a range of other ID and related rules applicable to travelers, including in particular the TSA’s regulations requiring us to submit to “screening” as a condition of travel, without any definition of what constitutes “screening”.

Barry v. City of New York, et al. began with a complaint that focused on the right to take photographs and to be in public (in public areas of the New York City subway system) without identifying documents:

This is a civil rights action to vindicate the rights of the plaintiffs and of the public to take
photographs in the New York City subway system without fear of arrest and to be in public without identification documents.

But the case was decided neither on the basis of the right to take photographs nor the right not to carry or produce ID credentials — although those rights were implicated, and helped establish the applicable standard for vagueness — but on the basis of the vagueness of the underlying rule.

Apr 15 2013

Can you fly without ID? Only if the TSA gives you permission.

While we’re picking on what the TSA posts in its official blog, let’s take a look at what the TSA said in another blog post earlier this week entitled, “Can you fly without ID?”

It’s an important question, but the TSA only hints at the answer.

One might expect that the answer to the question, “Can you fly without ID?”, would start with the ID rules. But no, there are no rules about this or anything else the TSA does. The TSA has “Standard Operating Procedures”, but (a) they aren’t rules, and the TSA can’t be required to follow them, and (b) they are secret. Gotta keep the terrorists (and the innocent travelers) guessing, apparently.

According to the TSA’s latest blog post:

If we can’t confirm your identity with the information you provide or you’re not willing to provide us with the information to help us make a determination, you may not be able to fly.

What does this mean?

Obviously, the only reason you might “not be able to travel” would be that the TSA would prevent you from doing so, or direct someone else — most likely the airline or local law enforcement officers — to do so. So the TSA statement amounts to an assertion of authority to issue no-fly orders.

But the TSA doesn’t say that you won’t be able to travel, only that you “may” not be able to do so. So the TSA’s assertion is of discretionary no-fly authority.

There is no requirement in any TSA regulation or law for would-be travelers to identify themselves or provide any information to the TSA. Nor is there any definition of what it might mean for the TSA to “confirm your identity”, or what information might be required for that purpose. So the TSA’s assertion is of administrative no-fly authority not derived from any public source and not bounded by any publicly-disclosed standards.

To sum it up, even while saying that yes, you might sometimes be allowed to fly without ID, the TSA is claiming the authority, in its standardless administrative discretion, to prevent you from flying if you don’t provide whatever information it asks for, or if it claims to have been unsuccessful (for whatever reason) in accomplishing whatever it thinks constitutes “confirming” your identity.

So much for the “right” to fly without ID, and for TSA compliance with its explicit statutory duty to treat air travel as a public right.

Mar 30 2013

“Travel Surveillance, Traveler Intrusion” at the Cato Institute

Edward Hasbrouck of the Identity Project will be speaking at a free, public forum on Travel Surveillance, Traveler Intrusion from noon-1 p.m. EDT next Tuesday, 2 April 2013, at the Cato Institute in Washington DC (with a live webcast):

Travel Surveillance, Traveler Intrusion

[photo by kind permission of Jeramie D. Scott]

Video from the Cato Institute (recommended)

Video from C-SPAN

C-SPAN video on Youtube

Audio podcast (listen while viewing the slides)

Slides and notes (PDF)

Featuring Edward Hasbrouck, Journalist, Consumer Advocate, Travel Expert, and Consultant, The Identity Project (PapersPlease.org), Author of the book and blog, The Practical Nomad; and Ginger McCall, Director, Open Government Program, Electronic Privacy Information Center; moderated by Jim Harper, Director of Information Policy Studies, Cato Institute.

The United States government practices surprisingly comprehensive surveillance of air travel, amassing data about the comings and goings of all Americans who fly. Travel expert Edward Hasbrouck has been researching travel surveillance for many years. His findings reveal a stunning level of government surveillance, control of the traveler, and intrusion into commercial travel IT systems.

By April 2, the Transportation Security Administration will have begun a public comment process on its policy of putting travelers through imaging machines that can see under their clothes. Ginger McCall of the Electronic Privacy Information Center has been handling the litigation that prompted the D.C. Circuit Court of Appeals ruling requiring it to do so, and she will assess the proposed regulation and her renewed efforts to bring the TSA within the law.

If you can’t make it to the Cato Institute, watch this event live online at www.cato.org/live.

The Cato Institute asks that you pre-register if you plan to attend in person, but that’s just so they have an estimate of the expected attendance.

Hasbrouck will be presenting examples of what he found in his files when he sued the DHS for its records of his travels, what other travelers have found in theirs, and how the DHS obtains and uses this information to track us and to control who is allowed to travel.

As part of the same program, Ginger McCall of EPIC will be discussing the TSA’s proposed “rules” to require all air travelers to submit to virtual strip-searches. You have 90 days, until 24 June 2013, to tell them what you think of their proposal. (On the form to submit comments to the TSA, note that all of the fields except your comment itself are optional.) You can find some ideas for what to say in our previous article about the rulemaking.

There will be a live webcast, for those who aren’t in DC.

If you’d like to follow along, you can download the slides from Hasbrouck’s presentation as a PDF file.

[Update: C-SPAN broadcast the event live. Streaming video is available from the Cato Institute event archives (recommended), the C-SPAN archives, or on Youtube. The C-SPAN and Youtube camera angles don’t show the slides which illustrate Hasbrouck’s talk, so we recommend watching the Cato version and/or downloading the slides to follow along with the talk on C-SPAN. If you want to find out what’s in the file about you in the DHS “Automated Targeting System”, you can use the forms here. We would welcome a chance to review the government’s response, if you get one, and help you interpret it.]