Apr 07 2010

Testimony to the European Parliament on PNR data

Identity Project consultant and technical expert Edward Hasbrouck is testifying Thursday in Brussels on the proposed agreement between the European Union and the U.S. Department of Homeland Security on transfers of Passenger Name Records (PNR’s) from the European Union to the DHS, at a public hearing on “Protection of Personal Data in Transatlantic Security Cooperation: SWIFT, PNR & Co. – which way forward?”, hosted by Jan Philipp Albrecht, Member of the European Parliament. 14:00-17:00 (8-11 a.m. Eastern time, 5-8 a.m. Pacific time), European Parliament, Brussels, room ASP 1G-3 (open to the public, but prior arrangement required for access to the building).

Apr 02 2010

DHS shifting from national origin to ID-based passenger profiling

Today the DHS announced that it is partially replacing its practice of illegally profiling air travelers seeking to board flights destined to the US by national origin — the subject of our still-unanswered formal complaint — with a new scheme to illegally profile passengers individually, based on mining of commercial data in passenger name records (PNRs) obtained from airlines and other travel companies and on secret DHS dossiers about would-be passengers including their lifetime travel histories maintained in the illegal Automated Targeting System and other databases.

The consequences if you fit the secret profile would continue to include, as before, being subjected to “secondary screening” (more intrusive search and/or interrogation, with no publicly-disclosed rules governing which questions you are required to answer) or having the airline not be given “clearance” under the APIS permission system to allow you to board the flight.  (Under the APIS system already on the books, the default is “No fly” unless the airline receives an affirmative, individualized, per-passenger, per-flight “clearance to board” message from the DHS.)

The new profiles reportedly could include both individual identities and vaguer patterns of suspicion such as countries previously visited (a clear case of targeting based on activities protected by the First Amendment), association (a matching phone number in a PNR, such as from having reconfirmed flights from the same hotel as thousands of other travelers), or appearance (leaving room for continued racial and/or ethnic profiling).

The profiling and selection algorithm, the identity of the decision-makers, and the data on which they will base their determinations remain secret.  No mechanism for judicial review of these decisions, or of actions taken on the basis of them, was mentioned in the DHS press release or FAQ.

The new practice greatly increases the significance of the DHS’s decision in February of this year to exempt much of the information in PNRs, including derogatory personal information submitted by travel companies without travelers’ knowledge, from release to data subjects in response to requests under the Privacy Act. It also highlights the significance of the DHS’s routinely late, incomplete, and improper responses to requests for travel records, when they respond at all.

Some of our Privacy Act requests to the DHS for travel records are 6 months old with no response at all (a year is not unusual), while one of our appeals of an obviously incomplete and improper response has been pending for more than 2 1/2 years without a decision.  Of the responses we have seen to requests for PNRs and ATS travel history records, all are obviously incomplete, and invoke inapplicable exemptions (such as invoking the broader exemptions applicable to third-party requests under FOIA in response to first-party requests under the Privacy Act, to which FOIA exemptions don’t apply).  None actually appear to have been processed under the Privacy Act, only under the more limited FOIA rules, even when the requests were explicitly made under the Privacy Act.

So far as we know, nobody has actually received the “accounting of disclosures” (access log) that the DHS is required to provide on request.  And none of the major computerized reservation systems (CRSs) to which airlines outsource hosting of their PNR databases maintains logs of access to PNRs, which would be necessary for CRSs or their airline and travel company subscribers to comply with “Safe Harbor”, European Union data protection law, and other international privacy norms.  Since CRSs keep no records, nobody knows who actually accesses PNRs.

There are also still unanswered questions as to the extraterritorial US claim of jurisdiction over actions related to boarding of foreign-flag aircraft at foreign airports, especially where international aviation treaties between the US and those countries require airlines to operate as “common carriers” and transport all passengers willing to pay the fare and comply with the rules in the published tariff.

Both Americans and foreigners — including members of the European Parliament who are currently debating whether to approve continued DHS access to European PNR data — should be outraged that the DHS is simultaneously increasing the weight given to commercial and other information in secret DHS dossiers about us, while hiding even more of that information from us, even if we specifically ask to see it.  We’ll be bringing this to their attention in meetings and testimony in Brussels and Strasbourg, and talks with European activists, over the next few weeks.

Mar 30 2010

Comments on passport fee increases re-opened through April 8

While cancelling its plans for a public hearing in response to the outcry against its plans to increase fees to travelers to pay for the RFID chips in passports, the State Department has re-opened the public comment period on the proposal through next Thursday, April 8th.

An uninformative supplemental notice (PDF) was published in the Federal Register on  March 24, 2010, with a new docket number (DOS-2010-0037) so that people searching or monitoring the original docket wouldn’t know that comments have been re-opened.

You can submit comments by e-mail to fees@state.gov with “RIN 1400-AC57 and 1400-AC58” in the subject line until 5 p.m. Washington time on Thursday, April 8, 2010.  You can use our comments (also available in OpenOffice .odt and MS-Office .doc formats) as a model if you need ideas for what to say.

The supplemental notice claims that comments can also be submitted through the Regulations.gov Web site, but because the notice wasn’t linked to the original docket and was mis-categorized as “non-rulemaking”, that isn’t currently possible.

[Update: Not surprisingly, in light of the problems with the online docket, few additional comments were submitted. The most significant are from United Airlines and the U.S. Travel Association, calling for the State Dept. to suspend the rulemaking until it discloses the cost basis for the proposed fee increases, holds a public meeting to explain them, and provides a new notice and comment period.]

Mar 23 2010

State Dept. backs away from public hearing on passport fees

As we noted earlier this month, the State Department told United Airlines that they planned to hold “a public meeting sometime in April or May of 2010” to explain the cost basis of their proposal to increase fees for passports, visas, and other international travel permissions and credentials.

We contacted the State Department as soon as we read this in United’s comments, to try to find out when and where the meeting would be.  At first, a State Department spokesperson said they had “no knowledge of any meeting being organized”.  After we pointed out the statement in United’s comments, they backpedaled, and told us they were “working out the details on whether there will be a public meeting”.  Then this week they admitted that there had been a plan for a public meeting, but there no longer is. Instead, they now say the State Department will publish a new notice in the Federal Register next week (probably in this docket folder), with more background on the “Cost of Service Study”, and re-open public comments for an additional 15 days.

We take it as a sign that the State Department has gotten the message:  So many people oppose this scheme to charge us more for an improper prerequisite to the exercise of our right to travel that the agency responsible for the proposal realizes that any public hearing would provide a forum for the opposition.

The good news is that if you missed the original comment period, you’ll get a second chance.   Comments are currently closed, but get them ready to send as soon as the window re-opens next week.  You can use our comments (also available in OpenOffice .odt and MS-Office .doc formats) as a model if you need ideas for what to say.

[Update: An uninformative supplemental notice (PDF) was published in the Federal Register on  March 24, 2010, with a new docket number (DOS-2010-0037) so that people searching the original docket wouldn’t know that comments have been re-opened.  You can submit comments by e-mail to fees@state.gov with “RIN 1400-AC57 and 1400-AC58” in the subject line until 5 p.m. Washington time on Thursday, April 8, 2010.  The supplemental notice claims that comments can be submitted through the Regulations.gov Web site, but because the notice wasn’t linked to the original docket and was mis-categorized as “non-rulemaking”, that isn’t currently possible.  In the most important of the follow-up comments, which wasn’t posted to the online docket until a month after it was filed, United Airlines and the U.S. Travel Association jointly argue that the State Department still hasn’t provided sufficient information to allow the public to judge whether the fee increases are justified.]

Mar 19 2010

Obama endorses DNA database, considers biometric national ID

Yesterday President Obama met again with Senators Chuck Schumer (D-NY) and Lindsey Graham (R-SC), the sponsors of the “immigration reform” bill we reported on yesterday, which has as its first “pillar” a mandatory biometric national worker ID card.  In conjunction with his meeting with the Senate sponsors of this scheme, President Obama issued a statement which didn’t mention the national ID card specifically, but praised the overall proposal as “a promising, bipartisan framework which can and should be the basis for moving forward.”

Meanwhile, President Obama has strongly and explicitly endorsed mandatory DNA sampling of everyone arrested (not convicted, arrested — people who are presumed to be innocent) and retention of DNA records in a national database. “It’s the right thing to do… This is where the national registry becomes so important,” the President said [transcript] in an on-camera interview.  We hope he reconsiders, and that his views on a national DNA database aren’t an indication of his leanings on a national biometric ID card.

Whichever way they are leaning now, the President and the Senate need to hear from the public, right away, what you think of these ideas — and that you won’t go along with unconstitutional restrictions on your rights.

Mar 18 2010

New excuses for state and Federal ID laws and databases

Heads up, Arizona readers: Your state legislature is on the verge of enacting a REAL-ID type national ID requirement in the guise of “immigration reform”.  And a heads up to readers elsewhere: Congress is also considering an ID mandate as part of an  “immigration reform” bill.

For a while after 9/11, the excuse offered by proponents of a national ID card was that it would somehow prevent terrorism.  We all know that there’s never any terrorism in police states, right?  With that excuse wearing thin, the old bugaboo of illegal immigration is emerging (or reemerging) as the rationale for a national ID requirement and database.

In Arizona, SB1070/HB2632 is under consideration on the floor of the state House of Representatives today, and could be voted on at any time.  The Campaign for Liberty has a detailed analysis of the provisions of this bill. We don’t know why the state of Arizona needs any legislation on “ENFORCEMENT OF IMMIGRATION LAWS”, since those are Federal laws normally enforced by the Feds, not by state authorities.  But in the guise of an amendment to those “immigration” provisions of Arizona law, the bill would require not merely state law enforcement officers but all state and local agencies to make “a reasonable attempt … to determine the immigration status of the person” in a wide range of circumstances. As part of that attempt to determine the person’s status, “The person’s immigration status shall be verified with the federal government pursuant to 8 United States code section 1373(c).”  And checks of ID against Federal immigration databases would be allowed as a condition of virtually any state or local public services.

In Congress, “Lawmakers working to craft a new comprehensive immigration bill are proposing a new national biometric ID card that would be required of all U.S. workers… Under the potentially controversial plan still taking shape in the Senate, all legal U.S. workers, including citizens and immigrants, would be issued an ID card with embedded information, such as fingerprints, to tie the card to the worker”, according to a report in the Wall Street Journal quoting Senators Chuck Schumer (D-NY) and Lindsey Graham (R-SC).

As one commentator put it, “Every worker would have to ask permission from the federal government to get a job. American workers shouldn’t have to beg or plead to anybody to get permission to work.”  Nor should they have to have their fingerprints in a national database that, to work as designed, would have to be open to verification queries from every potential employer in the country.  (Never mind what would happen to remote workers or contractors who’ve never met their employers in the flesh for them to be able to verify their fingerprints.)

But the key problem with any of these schemes isn’t the excuse that is offered to justify their creation, but the potential they create for abuse and the inevitability that they will be used in ways that the public never imagined when they allowed them to be created — such as, for example, the historic “mission creep” of Social Security numbers.

A national ID card or database or identification requirement is wrong, regardless of whether it is created through state or local law, and regardless of the “excuse du jour” proffered as its rationale.

Mar 17 2010

Long reach of “Secure Flight” angers Canadians

On September 11, 2001, Canada followed the US in closing its airspace and grounding all aircraft, stranding tens of thousands of passengers on flights to and from the US (mostly on inbound flights from Europe and Asia) at airports like Gander and St. John’s, Newfoundland.  The Canadian welcome and hospitality for these travelers became the stuff of legend.  But ever since, Canada has struggled to retain sovereignty over its airspace in the face of US “security” demands.

Canadian privacy law was amended, under US pressure, to allow “sharing” with the US government of information contained in reservations for flights between Canada and the US.  But most Canadians assumed that the role of the US in determining who is permitted to fly is limited to flights to and from the US.

This month a four-part series by Kevin Dougherty in the Montreal Gazette, syndicated across Canada in the Canwest newspaper chain, has broken open that Canadian complacency about the long reach of US claims to passenger information and “fly/no-fly” decision-making authority:

The series raises serious questions as to the legal basis for denying boarding to passengers on Canadian-flag aircraft not landing in the US on the basis of secret blacklists or decisions by the black-box Secure Flight system in the US.

Since publication of the Canwest series about “Secure Flight”, letters to the editor, op-ed columns, and editorials across Canada have denounced the application of the Secure Flight scheme to Canadian airlines and travelers.  Many have pointed out the hypocrisy: As was made evident when all those flights were grounded on September 11th, almost all trans-Atlantic and many trans-Pacific flights to and from the US pass over Canada, but Canada demands no information about who is on those planes and asserts no authority to control who is allowed to be.

On top of all this, there’s another shoe still to fall:  Canadians remain unaware that the vast majority of travel agencies and tour operators in Canada subscribe to computerized reservation systems (CRSs) based in the US.  That means all their passenger name records (PNRs) and customer profiles are stored in the USA, even for flights that go nowhere near the US.  These travel agencies, tour operators, and other travel companies don’t tell their customers that they have outsourced their travel records to the USA, where the government could get them secretly from the CRS with a “National Security Letter”.

That’s a flagrant violation of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Canadians should complain to their Privacy Commissioner and demand that she take action against companies — of which travel agencies are leading examples — that outsource their customer data to the US without their customers’ knowledge or consent, and without any way to know what’s done with that data once it is in the hands of CRSs in the US.

Mar 12 2010

Airlines, travel agencies, Congress join public outcry against passport fees

We don’t think it’s fair or legal for the government to charge you a fee to exercise your rights under the First Amendment and international human rights treaties to enter or leave the USA.  Those rights are all but absolute, and rules that restrict or burden them, such as by imposing fees, are subject to strict scrutiny.

Judging from the response to the government’s latest proposal to increase passport fees (in order to cover the increased costs of including a uniquely-numbered remotely-readable RFID chip in each passport), we aren’t alone in our views.

More than a thousand people filed comments with the Department of State by yesterday’s deadline to oppose the proposed passport fee increases.  In addition to the comments filed by individual citizens and travelers and by the Identity Project, Consumer Travel Alliance, and Center for Financial Privacy and Human Rights, comments objecting to the proposed fee increases were filed by United Airlines, the American Society of Travel Agents, and the Interactive Travel Services Association.  United Airlines told the State Department, as we did, that the proposed rules would violate the Administrative Procedure Act, and demanded that the Department reveal the cost analysis that they claim supports the fee increases and extend the comment period for responses to it before finalizing any fee increase. ASTA (which represents brick-and-mortar travel agencies) and ITSA (which represents online travel agencies) have generally been at each other’s throats; we’re not sure we’ve ever seen them file joint comments in a Federal rulemaking.  The overall picture painted by the industry comments is of the extent to which the proposed fee increases would, in fact, impose a meaningful burden on international travel.

Members of Congress, particularly from border districts, have also objected, with Rep. Chris Lee of New York writing to Secretary of State Clinton that the fee increase would “further burden American travelers,” and fellow Rep. Brian Higgins, also from upstate New York (along the busiest sector of the Canadian border), issuing a statement that, “Creating financial barriers to the international traffic flow will cost our national economy and this community greatly in the long run.”

According to its filing, “Given its questions, and the importance of access to fairly priced travel documents to support international travel, United has sought a copy of or further details on the CoSS [Cost of Service Study] on March 9, 2010. United was advised that the CoSS is not a study or a report, but rather a model which the Department plans to demonstrate during a public meeting sometime in April or May of 2010.”

We’ll keep you posted of any announcement we hear of an extension of the comment period or a public hearing on the proposal to raise passport fees to pay for RFID chips in passports.

Mar 08 2010

Military spymaster to be nominated for head of the TSA

Testing the waters yesterday, White House sources leaked to Reuters and the Associated Press that President Obama plans to nominate retired Army Major General Robert A. Harding to be the Administrator of the TSA.

Harding’s 30-year career as an army officer was spent moving up through the military “intelligence” ranks, culminating as “DoD’s senior HUMINT [human intelligence] officer.”  In other words, he was the U.S. military’s most senior spymaster. Following his retirement out the military-industrial revolving door (through which he would return if confirmed to head the TSA), he double-dipped by founding a military consulting and contracting company which he sold last year to private equity investors. “Harding Security Associates provides identity intelligence and other security services to the federal government, including doing work for the Department of Defense’s biometric-identification analysis and forensics.”

Many of the TSA’s practical problems and abuses of civil liberties have involved schemes like CAPPS-II (later Secure Flight) that were dreamed up by the NSA and other military intelligence agencies and “experts” unaccustomed to operating within the civilian, domestic U.S. legal regime and ignorant of transportation industry technical infrastructure and business practices. Harding’s autobiography gives no indication that he has any experience whatsoever with civilian or domestic civil liberties, with legal constraints on “intelligence gathering” (spying and surveillance) on civilians or U.S. persons or within the U.S., or with the transportation industry.

If Harding is nominated to head the TSA, his military background and lack of any track record on civilian civil liberties make it especially critical for Senators to question him closely (we have some suggestions to start that questioning) about his views on the fundamental civil liberties and human rights issues facing the TSA, before any confirmation vote, and to resist any calls for an abbreviated or rushed review of his suitability for the position.

Feb 27 2010

U.S. raising fees for travel credentials and permissions

Under a series of new laws and regulatory proposals, almost everyone traveling internationally to or from the USA — US passport holders, visa-free foreign visitors, and foreigners with visas — would have to pay more in government fees for the required credentials and/or permissions.

This week the U.S. Senate passed the “Travel Promotion Act”, a bill designed to encourage foreigners to visit the USA … by making it more expensive for them to do so.

The money would go for advertising, presumably to try to persuade foreigners that the USA is worth the price and the hassle. This ignores the fact that people around the world already want to visit the USA, and don’t need to be told that. What’s standing in the way of more foreigners spending their money in the USA are the xenophobic rules and procedures that make it so difficult and expensive to get permission to travel to the USA — not lack of desire to take the family on a vacation to Disney World or Las Vegas, or a shopping junket to New York or Miami.

The Travel Promotion Act, previously passed by the House and thus now headed to the White House to be signed into law, will add a US$10 fee (good for an unlimited number of visits in a 2-year period from the date it is paid) to the price of obtaining “pre-approval” to travel to the USA through the “Electronic System for Travel Authorization” (ESTA).

ESTA pre-approval doesn’t guarantee that you will be admitted to the USA, but is required as a de facto exit visa before the USA considers you authorized to depart from your home country for the USA. No, the USA has no authority to impose an exit permit requirement on departure from other countries, as the Identity Project argued in comments to the DHS when the scheme was proposed, but the legality of the ESTA was never brought up in Congressional debate on the Travel Promotion Act.

ESTA pre-approval is required for all those “intending” to enter the USA without a visa under the “Visa Waiver Program” (VWP). Outside of the VWP, which is limited to a short list of mostly-wealthy most-favored nations, most of them populated mostly by white-skinned people, everyone else except US and Canadian citizens and US permanent residents (green-card holders) needs a visa even to change planes in the USA, which costs a minimum of about US$200 depending on the type of visa.

Those fees for US visas would increase substantially under a pending regulatory proposal from the State Department, which would also increase the fees for issuance or renewal of US passports.

The proposed rule published in the Federal Register earlier this month would increase the total price of a new or renewal US passport from US$100 to US$135. Part of that is an increase in the “Security Surcharge” for each passport to US$40, which presumably reflects the additional cost of including a remotely-readable uniquely-numbered RFID chip in each passport.

The State Department is accepting public comments through 10 March 2010 through the Regulations.gov Web site or by e-mail to fees@state.gov. (You must include the docket number, “RIN 1400-AC58” in the subject line of your e-mail message.) This would be a good chance to tell the Obama Administration that they wouldn’t need the proposed passport fee increase if they reconsidered and rescinded the requirement for RFID chips in passports.

Frequent international travelers with US passports will also get socked. Adding pages to a passport that has filled up with visa and entry and exit stamps, previously free, will now cost US$82. Ouch! That’s particularly unfair to those who requested a passport with extra pages, but didn’t get one, since the passport application form still doesn’t include any place to indicate that you want a thicker passport book (48 or 96 pages instead of the standard 24). If you are submitting comments to the State Department, please include a request that they put check-boxes on the application form to indicate a request for a 48 or 96-page passport.

Interestingly, despite the other ostensibly cost-based fee increases, the State Department admits that they are deliberately keeping the cost of a passport card, which has a much longer-range RFID chip than a standard passport book, dramatically below cost, in effect giving travelers a large financial incentive to carry a credential with a longer-range tracking beacon.

And lest Canadians feel left out (they are essentially the only nationality that doesn’t need either a US passport, a US visa, or ESTA pre-approval to travel to the USA, and thus escapes these US fee increases), this week Canada’s Transport Minister announced increases in security fees that will be added to all air tickets for departures from Canadian airports, both domestic and international. Why the higher fees? To pay for more virtual strip-search machines (“body scanners”).

Enjoy your trip, and come back and visit us again soon!

[Comments filed by the Identity Project, Consumer Travel Alliance, Center for Financial Privacy and Human Rights, and John Gilmore, which you can use as a template for your own comments; also available in Open Office .odt and MS-Office .doc formats.]