Dec 01 2010

Testimony to the Canadian Parliament on US access to travel data

Edward Hasbrouck of the Identity Project testified yesterday on behalf of the Liberty Coalition at a hearing before the Canadian House of Commons’ Standing Committee on Transport, Infrastructure and Communities on Bill C-42, which — as we’ve discussed previously — would override Canada’s “Personal Information Protection and Electronic Documents Act” (PIPEDA) to permit airlines to give personal information about passengers to the government of any country whose airspace a flight would pass through, even if it didn’t land in that country.

Bill C-42 was proposed by the government, but is being opposed by some within Parliament as well as civil liberties and human rights activists and (along with the US Secure Flight scheme) by the Office of the Privacy Commissioner of Canada.

The English-language audio archive of the hearing is here; the complete transcript is here. Mr. Hasbrouck’s introductory statement is from 24:45 to 35:15 of the audio stream; he was also questioned extensively by the members of the Committee.

Because of the Thanksgiving holiday in the US, the invitation to testify arrived too late for the requisite translation into French of any written notes or supporting documents. For more background on the information architecture and cross-border data flows of the airline industry, see the slides from Mr. Hasbrouck’s more detailed testimony on related issues earlier this year at the European Parliament in Brussels.

Here’s the transcript of our introductory statement:


Nov 23 2010

What you need to know about your rights at the airport

  1. TSA “screeners” are not law enforcement officers. Despite wearing police-type uniforms and calling themselves “officers”, they have no police powers and no immunity from any state or local laws.  At some airports, notably San Francisco (SFO) and Kansas City (MCI), they aren’t government employees at all, but rent-a-cops employed by a private contractor. They cannot legally arrest or detain you (except as a citizen’s arrest, the same way you can arrest them if they commit assault or battery). All they can do is call the local police.
  2. You have the right to remain silent, including when questioned by TSA “Behavior Detection Officers.” Anything you say may be used against you.
  3. You have the 1st Amendment right to film, photograph, and record what happens in public areas of airports, including your interactions with TSA and screeners.  Photography and recording in airports and at TSA checkpoints violates no Federal law or TSA regulation. Any state or local laws that purport to prohibit this are likely to be unconstitutional. You have the right, for your own protection, to document what happens to you and what is done to you. In addition, the Federal “Privacy Protection Act of 1980” (42 USC 2000aa) forbids TSA staff or police from searching or seizing photographs, audio or video recordings, documents, or electronic data, if you possess these materials in connection with an intent to distribute them publicly, including online distribution such as posting them on Facebook, Youtube, etc. There are some exceptions to this law, including a limited exception for searches and seizures by customs inspectors (not the TSA) at international ports of entry (not domestic airports). But there is no general airport or TSA exception to this law.
  4. You have the right not to be assaulted or battered (sexually or otherwise), falsely arrested, unlawfully detained, or kidnapped. You may have the right to make a criminal complaint and/or a citizen’s arrest of someone who assaults you, and/or to sue them for damages.  You should consult the applicable laws, including local laws, and/or an attorney, if you plan to do any of these things.
  5. Under most airlines’ conditions of carriage, you have the right to a full and unconditional refund if the airline refuses to transport you because you won’t show ID or won’t “consent” to whatever they want to do to you in the name of “screening”. Read this first: Here’s what to do to protect your right to a refund.  If the airline refuses to give you a full refund, you can sue them for damages and request that the US Department of Transportation investigate and fine them.
  6. If an airline cancels your reservation or refuses to transport you, you may be entitled to collect damages, and you can request that the US Department of Transportation (and, if you were denied passage to the USA from another country, that country’s authorities) investigate and fine or impose other sanctions on the airline.
  7. You have the right to freedom of movement, guaranteed by the First Amendment (“the right of the people… peaceably to assemble”) and Article 12 of the International Covenant on Civil and Political Rights (ICCPR), a human rights treaty to which the US is a party: “Everyone lawfully within the territory of a State shall, within that territory, have the right to liberty of movement and freedom to choose his residence. Everyone shall be free to leave any country, including his own…. No one shall be arbitrarily deprived of the right to enter his own country.” Federal law (49 USC § 40101, part of the Airline Deregulation Act of 1978) requires the TSA to consider “the public right of freedom of transit” by air when it issues regulations.

Nov 23 2010

Airlines threaten illegal actions against travelers who opt out of groping

Can you get your money back if you opt out of the TSA’s assault on your freedom? Yes, but airlines don’t want to admit that.  (That’s nothing new.)  You may have to put up a fight.

Here’s what’s happening, and what you can do:

With National Opt-Out Day coming up, travel journalist Christopher Elliott contacted several airlines to see how they would handle requests for refunds from ticketed passengers who aren’t allowed to fly because they opt out of being x-rayed or groped.

Disturbingly, several airlines (American, Southwest, United/Continental, and US Airways) told Elliott that they would not give refunds to such passengers holding nonrefundable tickets.

Airlines can’t just make up new rules governing tickets and refunds after tickets are issued. Those rules are published in airlines’ tariffs and conditions of carriage, as filed with the Department of Transportation.

Almost all airlines’ conditions of carriage provide that, if an airline refuses to transport you, you are entitled to a full and unconditional “involuntary refund” of all fares, fees, and charges, even if the fare at which your ticket was issued  is otherwise completely nonrefundable.

American Airlines, for example, told Elliott:

“Our refund rules that are in place now, apply,” says a spokeswoman. “If the customer has a refundable ticket, then we will refund. If the customer has a non-refundable ticket, then we can offer a voucher.”

But American’s actual rules are contained in their conditions of carriage, as follows:

Involuntary Refunds

In the event the refund is required because of American’s failure to operate on schedule or refusal to transport, the following refund will be made directly to you –

  1. If the ticket is totally unused, the full amount paid (with no service charge or refund penalty), or
  2. If the ticket is partially used, the applicable fare for the unused segment(s).

If American or another airline with similar terms in its contractual conditions of carriage refuses to give you a full and unconditional refund (not merely a voucher), they are liable to you for damages if you sue them, and liable to enforcement action and fine by the Department of Transportation.

So what’s the best strategy if you already have a ticket and want to opt out of virtual strip-search and groping?


Nov 22 2010

Self-restraint is not the solution for the TSA

This morning on the “Today” show, TSA Administrator and former FBI agent John Pistole said that the TSA is “actively rethinking its policy” to require all travelers to submit to either an x-ray virtual strip search or vigorous groping of their breasts and genitals.

We aren’t reassured or appeased.  The process of “rethinking” described by Pistole, like the TSA procedures themselves, would remain entirely secret, internal, and extra-judicial.

The problem with the TSA is not with exactly how it has exercised its secret, standardless administrative “discretion,” but the fact that the TSA has been allowed to opt itself out of the rule of law.

Last Friday the New York Times editorialized that, “The government could start by making their screening guidelines clear.”  The government could do so — but the TSA won’t unless it is forced by direct orders from the President, the Congress, or the Federal courts.  We cannot rely on the TSA to restrain or reform itself.

There are no laws or published regulations defining what the TSA is allowed to do. The TSA has claimed in response to our requests that all of its procedures and directives for airport checkpoints are exempt from the Freedom of Information Act (FOIA). The DHS Privacy Office ordered the TSA not to respond to our request for these documents without approval from the DHS “front office”, including the White House liaison. Apparently that approval has never been given. We’re still waiting.

When John Gilmore challenged the checkpoint practices in court, the DHS refused to show him the documents that they showed the judges “in camera” to persuade them to dismiss his case. The Supreme Court refused to consider his appeal of this secret lawmaking.

Former Secretary of Homeland Security Chertoff said repeatedly and publicly that administrative DHS “no-fly” decisions should be exempt from judicial review. Neither current DHS Secretary Napolitano nor President Obama has done anything to dissociate themselves from that position.

Now the ACLU and EPIC are both collecting reports and complaints about what happens at TSA checkpoints. But we have no confidence that public exposure of what is happening will in itself prompt any change in behavior by an agency whose motto appears to be, “We don’t care – we don’t have to.” Everyone already knows that the TSA is groping grandmothers, probing under diapers and sanitary napkins, and requiring removal and examination of breast and other prostheses, all while threatening or even arresting those who try to protect themselves by documenting the process with photographs and/or recordings.

EFF has information on how to complain to the TSA and DHS.  But those complaints would also be dealt with, if they aren’t ignored, solely by secret procedures within those agencies.  What, if anything, is done as a result will remain unknown to the complainants and the public.

Clearly, the TSA has crossed the line of what the traveling public will tolerate. But the solution is not for the TSA to retreat slightly (and perhaps only temporarily) in response to public outrage. That will only leave us with endless scrimmages over where to draw the line, with the TSA not an iota less invasive than the most intrusive processes that they think they can get away with.

The real need is to put the TSA — for the first time in its existence —  clearly within the rule of law.  That’s why we think what’s most important about EPIC’s lawsuit against the TSA is not the specific issue of virtual strip searches (important though this is) but the fundamental complaint that the TSA has ignored formal petitions for rulemaking. EPIC’s central claim is that the TSA has refused to give public notice of proposed rules, accept public comments, and make a public determination that could be subjected to review by the Federal courts.

Liability, both organizational and personal, is also important. Talk to a lawyer about bringing a criminal complaint or civil lawsuit against any TSA employees or contractors who act illegally against you.  We’re pleased to see discussion of citizens’ arrests of overreaching (so to speak) TSA and contractor gropers. At least some local prosecutors are open to possibly pressing such charges. That’s especially significant at San Francisco International Airport (SFO), where the screeners are out on an especially thin limb of liability as private contractors rather than employees of the TSA or any other government agency.

Nov 21 2010

Trial to begin December 7th in TSA checkpoint case

“Opting out” of TSA demands or questioning and photographing the TSA is not a crime!

We’ve reported before on the arrest of Phillip Mocek just over a year ago at a TSA checkpoint at the airport in Albuquerque, New Mexico, and his prosecution by local authorities on trumped-up criminal charges.

Now, after several postponements, Phil Mocek’s trial is scheduled to begin with jury selection on Tuesday morning, December 7th, 2010, in Albuquerque.  The trial is expected to last 2-3 days. There’s more information here.

(The trial has been postponed several times, and might be postponed again, but this date appears to be for real, and Mr. Mocek is making firm travel plans — by land, not by air — to be in Albuquerque.)

We encourage everyone who opposes the TSA’s lawless assault on our liberties to support Mr. Mocek. Spread the word about this case, especially to people you know in New Mexico. Contribute to Mr. Mocek’s legal defense. (He had to hire private lawyers to defend himself.)  Come to the trial in Albuquerque if you can. Pass out a leaflet.  Speak out and stand up to the TSA yourself.

This is the first TSA checkpoint resistance case to come to trial, and this trial comes during an unprecedented and spontaneous explosion of grassroots resistance to the TSA’s claim to unlimited authority. The outcome of Mr. Mocek’s trial will be critical to whether that resistance continues to snowball, or whether the TSA and its allies in authoritarianism can terrorize and intimidate law-abiding travelers into submission to their illegitimate authority.

There are no laws or published regulations defining what the TSA is allowed to do. In response to a Freedom of Information Act (FOIA) request from Mr. Mocek, the TSA has refused to release its secret procedures and directives for airport checkpoints.  And the DHS Privacy Office has ordered the TSA not to respond to our request for these documents without approval from the DHS “front office”, which apparently has never been given.

In these circumstances, only the courts can define the limits of TSA authority to search, interrogate, x-ray, and grope innocent travelers who are not suspected of any crime. So far as we know, Mr. Mocek’s case is the first time someone in the USA has been brought to trial on criminal charges for attempting to exercise their right to travel by air without showing ID or answering questions about themselves or their trip, or for photography or audio or video recording at a TSA checkpoint.


Nov 17 2010

What is to be done about TSA?

We’re pleased and excited to see the spontaneous outpouring of grassroots outrage at the latest TSA “Standard Operating Procedures”, which offer would-be air travelers a Hobson’s choice between forms of submission to secret rules, illegitimate authority, and invasion of personal privacy.

TSA wants us to choose between a virtual strip-search (x-ray or similar photography through your clothes, with the as-though-naked high-resolution photos viewed by a TSA agent or rent-a-cop out of your sight somewhere in a little porno booth in the bowels of the airport), versus vigorous manual groping of your entire body with special attention to your genitals and breasts.

We’re equally pleased and excited to see that outrage move beyond mere complaint to direct action and resistance, primarily by those “opting out” of both the “whole body imaging” and the groping, and calling on others to do the same.

We thank those who are taking action, even what we think may be ineffective or insufficient action, against TSA’s excesses. The public’s frustration with TSA’s ever-escalating demands was bound to explode eventually, and we hope that time has truly come. We just hope that the results will move us in the direction of real reform, rather than “concessions” that leave us worse off than before, or band-aids followed by more excesses after the public calms down.

For many years, TSA has been writing its own laws, in secret, in the form of “Security Directives” to airlines and “Standard Operating Procedures” for TSA employees and contractors. We’ve requested the directives and procedures that purport to say what travelers are required or prohibited from doing. That’s our right under the Freedom of Information Act (FOIA). To date, TSA has either refused our requests outright or ignored them. For months, until they were caught by the Associated Press, the most senior FOIA and “privacy” officer for DHS gave direct orders to the TSA not to provide us with any responses without express prior permission from DHS headquarters.

“Get photographed as though naked or get groped” isn’t the only new TSA imposition. This month, apparently, TSA issued more secret orders to airlines as part of its illegal Secure Flight passenger surveillance and control scheme. The airlines have begun threatening to cancel reservations and deny transportation to paid and ticketed would-be passengers who haven’t provided the airlines (and thus the TSA) with their “full name”, gender, and date of birth. No law requires passengers to do so, but TSA is trying behind the scenes to force airlines to refuse to carry people who don’t.

So what is to be done? Real reform of TSA procedures would include:


Sep 21 2010

How will “Secure Flight” be enforced?

Recent announcements by airlines suggest that, either on their own initiative or in response to secret Security Directives from the TSA, they are implementing new and clearly illegal Secure Flight enforcement measures.

One of the many questions about the TSA’s Secure Flight program has been how it would be enforced.

None of the published Secure Flight regulations include any enforcement provisions or any provisions imposing obligations on travelers, and the details of Secure Flight implementation are spelled out, if at all, only in secret Security Directives to airlines that by their nature cannot impose any obligations on travelers.

The TSA’s own secrecy leaves us no choice but to rely on whistle-blowers and leakers within the government and the airline industry (please keep those calls, letters, and e-mail messages coming!) and on what we can infer from airlines’ public disclosures.

This new notice from American Airlines is typical of what we’ve been seeing and hearing lately:

As a result of the Transportation Security Administration (TSA) and Department of Homeland Security (DHS) mandate, beginning November 1, all passengers will be required to have Secure Flight Passenger Data (SFPD) in their reservation at least 72 hours prior to departure….

In compliance with this mandate you will be required to provide Secure Flight Passenger Data:

  • To purchase any ticket on or after September 15, 2010
  • To travel November 1, 2010, or later regardless of purchase date

What’s wrong with this picture?

The “mandate” described on the AA website doesn’t exist in any Federal statute or publicly-disclosed regulation, or in AA’s tariff or contractual conditions of carriage.  On the contrary, airlines are required by Federal law to be licensed as common carriers. They are required to sell a ticket to, and to transport, any would-be passenger willing to pay the fare and comply with the rules in their published tariff.

Federal agencies including the TSA and Department of Transportation (DOT) are required when issuing regulations to take into consideration “the public right of freedom of transit” by air, and have no authority to issue administrative regulations or directives that would override the statutory definition of airlines as common carriers.

No court has ever even considered, much less upheld, any suggestion that air travelers forfeit their right to remain silent in response to questions from the TSA or other Federal employees, much less from TSA contractors or airlines.

On international routes, bilateral and multilateral aviation treaties similarly require airlines to operate as common carriers, in accordance with published rules and a published tariff.

So if AA or any other airline refuses to sell you a ticket, or to transport you, solely on the basis of your declining to provide Secure Flight data, they render themselves liable to Federal civil suit and damages for refusal of transportation in violation of their duty as a common carrier, as well as to formal complaint and revocation of their operating license for the same violation.

While the US government might intervene in US court to block such a suit on the grounds that any Security Directives issued to the airline were a state secret, that wouldn’t be possible if the lawsuit for refusal to transport were brought in the courts of a foreign country from which the airline refused to transport you to the US.

If an airline tried to file new conditions of carriage incorporating such a provision for denial of transportation, the US Department of Transportation would be duty bound, by Federal statute, to disapprove it.  And if the DOT approved such a filing applicable to an international route, the government of the other affected country or countries would be entitled both to disapprove the filing (by treaty, international tariffs typically require approval by both or all countries involved) and to protest its approval by the US as a treaty violation.

We hope that, faced with these choices and risks, airlines will choose to follow Federal law and international aviation and human rights treaties, and will vigorously and publicly litigate their challenges to any US attempt, through secret Security Directives or otherwise, to get them to depart from their duty to the traveling public as common carriers.

Sep 21 2010

ESTA fees: the whole is worse than the sum of its parts

New U.S. Customs and Border Protection (CBP) regulations took effect this month that combine two bad ideas — fees to encourage foreigners to visit the US by charging them more to do so, and fees for the Electronic System for Travel Authorization (ESTA) — in a way that creates new possibilities for travel surveillance and control that are far worse than either component alone.

The Interim Final Rule for ESTA and Travel Promotion Act fees took effect on an emergency basis on September 8, 2010, with public comments and objections being taken only after the fact. In promulgating the new rule, CBP continues to ignore the objections we raised to the fundamental illegality of the ESTA scheme. CBP also continues to ignore the Presidential Directive that it consider in its rulemakings US obligations under international human rights law, and continues to claim, in direct contravention of the applicable law, that it doesn’t need to consider the impact of the rule on individuals because “individuals are not small economic entities”, despite the fact that a sole proprietor, freelancer, or other self-employed individual is the epitome of a small economic entity (as the DHS has itself admitted in response to some of our previous objections to this same false boilerplate claim in other rulemakings). And it remains unclear if and when an ESTA is actually required, or how the “requirement” is supposed to be enforced.

But the most problematic consequences of the new rule result from the new requirement, completely lacking in statutory authority, that the new “travel promotion” and ESTA fees can be paid only by one of four specified brands of credit or debit cards.  This implies:

  1. Travel control by credit and debit card issuers: If you do not have one of these four types of cards, you cannot travel to the US intending to enter under the Visa Waiver Program (VWP), but may enter the US only if you obtain a visa at a cost of at least US$135 plus a personal interview at a US consulate or embassy (for which there may be a waiting list of several months). Since the regulations impose no obligations whatsoever on the issuers of these cards, this means that collectively the four companies (Visa, MasterCharge, American Express, and Discover) have absolute, secret, standardless commercial veto power over eligibility for VWP entry to the US.
  2. Universal financial surveillance of VWP travellers: Because the credit or debit card details must be provided as part of the same online ESTA application with the would-be visitor’s personal information, it is now illegal to travel to the US intending to enter under the VWP without having at least one currently valid credit or debit card on file with CBP and linked to your identifying and travel details.  As some news reports have already noted, this creates new possibilities for financial surveillance of travelers. All of the four acceptable types of cards are issued through US-based commercial entities, so all records related to them can be accessed by the US government in secret, without warrant, through “National Security Letters”. Even if you use a different card while in the US, it will in almost all cases be linkable through card application or other banking records (such as those obtainable by the US government from SWIFT or other companies through the “Terrorist Finance Tracking Program”).
  3. Vastly increased potential for identity theft, phishing, and other ESTA-based fraud: Because ESTA requires entry through an easy-to-imitate website of exactly the sort of personal information that’s needed for identity theft, together with travel itinerary information that makes it easy to carry out the attack while the victim is away from home and less likely to notice or be able to respond quickly and effectively, ESTA phishing and fraud are already rampant.  But the addition of current valid credit or debit card data to the online-only ESTA application requirements has put phony ESTA websites in the vanguard of current phishing techniques. Already, most of the top search results for “ESTA application” in the languages of countries in the VWP are fraudulent phishing sites, and the problem is getting steadily worse. We can tell you that the only legitimate ESTA application website is at https://esta.cbp.dhs.gov — but how do you, or anyone else, know to believe us rather than to believe any of the other bogus websites that say otherwise? Visitor beware!

Sep 03 2010

Napolitano outlines US travel control agenda for ICAO

In a speech to the Air Line Pilots Association earlier this week, Secretary of Homeland Security Janet Napolitano made explicit the US government’s intentions to, as we have repeatedly predicted, use the International Civil Aviation Organization (ICAO) as its primary international policy-laundering forum to bypass and override national laws restricting surveillance and control of travel.

ICAO isn’t mentioned in the DHS press release, and the DHS doesn’t seem to have posted the full text of Napolitano’s speech.  But according to reports in Homeland Security Today and elsewhere:

Napolitano will seek a formal resolution from the general assembly of the International Civil Aviation Organization (ICAO) Sept. 28-Oct. 8 in Montreal, Canada, to build upon five regional security declarations obtained by the United States….

Each of the five meetings resulted in a security declaration focusing on vulnerabilities in the international aviation system in four key areas: developing and deploying new security technology, strengthening aviation security measures and standards, enhancing information collection and sharing, and coordinating international technical assistance

ICAO assisted in coordinating the five agreements, which Napolitano hopes to use as a springboard to obtain a declaration covering the international organization’s 190 member states in the fall.

“Enhancing information collection and sharing” is of course a euphemism for mandatory airline and national government participation in the compilation of lifetime logs of individuals’ movements, while “developing and deploying new security technology” refers mainly, as of now, to mandatory use on airline passengers of virtual strip-search machines.

With Members of the European Parliament asking new questions about DHS demands for European collaboration in US travel surveillance and control schemes,  DHS and the US government are turning increasingly to ICAO as a less transparent, less publicly accountable “plan B” for internationalization of its travel regime.

It’s unclear whether the resolutions to be proposed for adoption by ICAO at its upcoming general assembly will constitute ICAO “security standards”, or will merely be a step toward their adoption through the slow but inexorable multi-year ICAO decision-making process.  But the goal of the US government is clear: Whatever surveillance and control measures can be incorporated into ICAO security standards can be backported into national and international laws through innocuous-seeming statutory and treaty mandates for compliance with ICAO security standards, and imposed on recalcitrant countries through denial of landing rights in the US to flights from countries or on airlines that don’t comply with such surveillance and control standards.

Aug 07 2010

Public says “No” to national cyberspace ID proposal

In June, the Department of Homeland Security and the President’s Cybersecurity Coordinator published a proposal and request for comments on a “National Strategy for Trusted Identities in Cyberspace” (NSTIC).

It’s hard to believe that such a system implemented from the top down at the behest of DHS and the White House would remain, as its proponents claim it would be, truly “voluntary”.

In practice, it will be required for online interactions with government agencies as well as private companies, rendering it “voluntary” the way it’s “voluntary” to show ID to travel: you don’t have to have government ID credentials as long as you are prepared to walk (or walk on water or paddle a sea kayak if you want to get between, say, Hawaii and the U.S. mainland).

Although the official public comment period lasted only 30 days, many others have pointed out key problems with the NSTIC concept. The NSTIC proposal places no value on anonymity; indeed, it evinces an apparent lack of understanding of what anonymity really means. It takes for granted the need for authentication (if we pay in cash, why does a merchant, much less a common carrier or government agency, need to know anything about us other than that our money isn’t counterfeit?) and confuses a policy that purportedly restricts disclosure of our identity with actual non-knowledge of our identity.  The former protects us from those who comply with their own policies, while the latter protects us from bad actors as well.  But in reality, many of the threats to our freedom come from those who can’t be counted on not to cross the boundaries of privacy “policy”, including those within governments. Actual anonymity, non-linkability of transactions and identities, and the ability of the system (and our anonymity) to survive capture of the “identity provider” and/or the government by malign interests should be key design criteria, but weren’t even considered.

The question now is what the White House and DHS will do with the response to their request for public comment on the NSTIC draft. In the online forum where the public could submit and vote on feedback and ideas for NSTIC, the single most popular suggestion was an anonymous one (no, we didn’t submit it, and we don’t know who did), “Decentralize further, don’t centralize”:

A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure. Once that identity has been compromised – which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain – an individual’s entire life will be open for hijacking…. This effort will be counterproductive at best and has the potential to cause problems that are orders of magnitude worse than current identity theft issues. And this is before even considering aspects that potentially compromise privacy, anonymous speech, free access to the devices that an individual has purchased, etc.

Instead of attempting to centralize identity, simply ensuring that current best practices are followed would vastly improve online security. Making authentication services responsible for all outcomes of a data theft would be a good first step, as well as outlawing EULA language that forfeits a user’s ability to hold such services responsible for technology failures that result in theft, downtime, and data loss. Providing incentives such as these, combined with increased enforcement, will force corporations large and small to work toward increasing security. There should also be an enforced decoupling of identity data; if one of a user’s accounts is compromised, it should not contain personal identity information like SSNs which would allow another of the user’s accounts to be compromised. Web-based authentication has no need to have access to such information and it should be kept in separate, firewall-divided databases as a matter of law, not just habit.

There was more in this vein from other commenters, such as this on “Multiple roles, multiple identities”:

I play many roles in life. Some associated with my work, some associated with a sports league, others associated with my hobbies. If I can easily get several identities, I can use a different one for each role that I play and the issue of a national identity becomes less of a problem. I don’t have to worry about my employer having a problem with views I have shared as an individual person.

There were also numerous calls for a lengthier public comment period and more explanation of the details of any plan before it is adopted.

We urge the White House and DHS to heed the public comments on the NSTIC draft and scrap this plan for a single, centralized scheme for de facto mandatory online credentialing and identification.