Papers, Please – Page 35 – Papers, Please!

Aug 14 2008

TSA stops building database of ID-less travelers

USA Today reports that Lack of ID put fliers on TSA list. 16,500 people were in this database since TSA changed the secret rules for travelers in June. After being called by USA Today to comment for the story, TSA head Kip Hawley changed the rule “effective today” and pledged to remove the 16,500 names from its database of “suspicious people”.

We applaud Mr. Hawley for ceasing to keep permanent records on the id-less 1% of the population. It remains for him to stop trying to bar citizens from domestic travel based on blacklists, and to stop demanding that people submit to illegitimate government demands to “identify themselves” before moving from place to place in their own country.

Aug 08 2008

New U.S. “exit permit” scheme for visitors goes into effect

The Identity Project filed comments today with the DHS Bureau of Customs and Border Protection CBP) in opposition to the new Electronic System for Travel Authorization (ESTA) which went into effect this week. According to our comments:

The essence of the ESTA rule is to require certain foreign citizens to obtain an exit permit from the United States government before they may leave their own country, or leave other countries.

In this rulemaking, the Bureau of Customs and Border Protection (CBP) of the Department of Homeland Security (DHS) is promulgating an interim final rule imposing a new requirement that “each nonimmigrant alien intending to travel by air or sea to the United States under the Visa Waiver Program (VWP) must … prior to embarking on a carrier for travel to the United States”, (a) provide specified data elements, in specified form and manner, to the CBP, and (b) “receive a travel authorization, which is a positive determination of eligibility to travel to the United States under the VWP, via the Electronic System for Travel Authorization (ESTA), from CBP.”

Under the interim final rule, “[a]n authorization under ESTA is not a determination that the alien is admissible to the United States” and is “not a determination of visa eligibility.” It would be granted, or not granted, by the CBP, in its sole, standardless, secret, and non-reviewable “discretion.” It would be required as a pre-condition for foreign citizens to “embark” from foreign countries if the CBP believes that they intend to apply (at some later time ) for admission to the U.S. under the VWP.

The Identity Project submits these comments because this CBP regulatory requirement that foreign citizens obtain permission from the U.S. in order to leave their own country, or a third country, (1) exceeds the statutory authority of the CBP; (2) exceeds the jurisdiction of the CBP; (3) is contrary to the obligations of the U.S. under the International Covenant on Civil and Political Rights and other international human rights, maritime, and aviation treaties; (4) has been promulgated without complying with the procedural requirements of Executive Order 13107 regarding Implementation of Human Rights Treaties, the Airline Deregulation Act, the Regulatory Flexibility Act, and the Administrative Procedure Act; (5) fails to consider or grossly underestimates many of the major costs of the rule, including its impact on small entities, business travelers, and other travelers; (6) is impermissibly vague, and (7) would be so impractical and unenforceable as to deprive it of any of the benefits claimed by the CBP.

The Identity Project urges the CBP to withdraw the interim final rule, in its entirety. If it does not withdraw the ESTA rule entirely, the CBP must complete the actions directed by Executive Order 13107, prepare the statutorily required analyses, publish them in a full Notice of Proposed Rulemaking (NPRM) , and provide a new opportunity for public comment, before finalizing any ESTA rule.

In their comments, airlines and travel agencies have objected that the CBP is “wrong” to implement the ESTA on an emergency basis, without the public notice and opportunity for public comment normally required for new Federal regulations. But the CBP began accepting “voluntary” applications for travel authorizations, through a (still buggy) Web interface. The CBP says they plan to issue an order later this year to make the ESTA system mandatory starting sometime in January 2009.

Countries that participate in the VWP, mainly in Western Europe, are still considering whether it amounts to a de facto visa requirement for their citixzens to visit the U.S. This could prompt them to reciprocate by ending visa-free entry to their countries for U.S. visitors, and requiring U.S. visitors to apply for permission before embarking for Europe.

Aug 05 2008

“Trusted Traveler” Identification Program Loses Unencrypted Laptop and TSA’s Trust

A provider of the Transportation Security Administration’s Registered Traveler (RT) program has been suspended from enrolling new applicants after TSA learned “an unencrypted [Verified Identity Pass] laptop computer was discovered to be missing from San Francisco International Airport (SFO) on July 26. The computer contained pre-enrollment records of approximately 33,000 customers.”

Verified Identity Pass operated Registered Traveler under the name “Clear.” The program is supposed to improve air travel security by creating “trusted” individuals who could go through security more quickly because their identities would have been confirmed as “clean” through the program. However, experts have explained that this just creates incentive for criminals to figure out a way to get into the “trusted” group – whether by creating fake identities that can withstand the program’s check or by using individuals who have no previously found connection to terrorists or other criminals.

According to a Washington Post report, “The laptop had the names, addresses and driver’s license or passport numbers of mostly online applicants to the Registered Travel program.” However, Clear records can contain more than that, such as: credit card data, biometric data (fingerprints and iris scans), and previous home addresses for the past five years. Read More →

Jul 28 2008

DHS Ignores OMB Government Approval Process on TSA’s Questionnaire Form for Travelers Without ID

Since June 21st, TSA has required all air travelers in the United States to present identification when entering a secure area at airports. Prior to then, a person could simply say they had lost their ID or didn’t want to show it, and they would be subjected to a secondary screening to enter the area. Now you can only get through security if you can convince TSA and their behavioral detection specialists that you lost or forgot your ID and are “cooperative” with their efforts to identify you by means of commercial data. Part of that process involves filling out their Certification of Identity form.

It appears that DHS has ignored the process of procuring an OMB (Office of Management and Budget) number for their new form. The OMB process requires publication of a notice in the Federal Register and the opportunity for public comment whenever the government gathers information from the public. The law clearly states that someone can’t be punished for failing to answer questions on a government form unless the questioning agency has an OMB number associated it. Despite this, TSA’s new Certification of Identity form states that failing to answer the questions may result in your inability to fly. Further, false statements made by travelers when using the form may be punishable by up to five years in prison. DHS is again showing that it doesn’t believe the rule of law applies to them. Read More →

Jul 10 2008

Auditor: Colorado DMV Security So Poor That It Puts Cardholders At Risk of Identity Theft

A report from the Colorado State Auditor reveals that the state DMV’s data security system is so flawed that it puts the personal information of 3.4 million driver’s license and state ID cardholders at risk of identity theft or fraud. The State Auditor told the Colorado legislature that, among other things, the Colorado DMV “does not have adequate processes for mitigating the risk of employee-perpetrated fraud or measuring the effectiveness of its improvements to the issuance system” and “the Department’s management of information security is fragmented, disorganized, and poorly planned.”

The State Auditor explained that the DMV transmitted large batches of personally identifiable data unencrypted. “These batch transmissions could be intercepted by unscrupulous individuals and expose Colorado residents to identity theft and other criminal activity.” A significant problem is that “the Department lacks a tracking mechanism for collecting and analyzing statistics on the effectiveness of its controls for preventing fraudulent issuances [of licenses or ID cards]. As such, the Department cannot determine whether additional controls or system enhancements are needed.”

Under the REAL ID national identification system being pushed by the US Department of Homeland Security, the databases of 56 states and territories would be linked, allowing any individual state to access all of the others’ information. This massive, centralized system would include the personal data of 245 million license and ID cardholders nationwide. It would be a tempting target for identity thieves, because if a criminal could break just one state’s data security system, then he would have access to the sensitive data retained by all 56 states and territories.

Jul 08 2008

TSA “identity verification” procedures

In a series of posts in their blog, the TSA has expanded on its claimed authority for the changes to “ID verification procedures” announced in a press release last month.

Lawmaking by press release exemplifies the evils of “secret law” which the Supreme Court declined to consider in Gilmore v. Gonzalez. The TSA now says that, “Our position is that Gilmore v. Gonzalez affirmed our ability to require ID for transportation via air and the law that formed TSA, the Aviation and Transportation Security Act (ATSA) empowers the TSA to make these decisions.”

In fact:

The 9th Circuit Court of Appeals in Gilmore v. Gonzalez reached its decision without addressing whether it would have been permissible for the airline or the TSA (or anyone else) to require Mr. Gilmore to show evidence of his identity, or to prevent him from travelling if he failed to do so. The court found that, as of that time and in that particular case, Mr. Gilmore could have flown without showing ID. Read More →

Jul 08 2008

Electronic System for Travel Authorization (ESTA)

In a Notice of Proposed Rulemaking (NPRM) in the Federal Register on June 9, 2008 (73 Federal Register 32440-32453), the Department of Homeland Security has proposed a new system for foreign citizens intending to visit the U.S without visas, and to enter the U.S. by air or sea, to apply for and receive an additional form of advance permission to travel to the U.S.

Effective August 8, 2008, a person “intending to travel to the United States by air or sea under the VWP [Visa Waiver Program]” will be permitted to apply in advance for an electronic “travel authorization”(ETA) from the DHS Bureau of Customs and Border Protection (CBP). The ETA application will contain “such information as the Secretary [of Homeland Security] deems necessary to issue a travel authorization, as reflected by the I–94W Nonimmigrant Alien Arrival/Departure Form (I–94W).”

Effective as of a date the CBP intends to specify in another Federal Register notice in early November 2008, at least 60 days after the publication of that follow-up notice but no later than January 12, 2009, each person with such intent will be required to (1) provide certain specified personal information, in specified form, to the CBP in an ETA application and (2) “receive a travel authorization [from the CBP] prior to embarking on a carrier for travel to the United States.”

While the proposed regulations would require travellers to apply for and obtain ETA’s, nothing in the NPRM would require the CBP to respond to or act on such applications at all, much less to do so with any specified timeliness. No standards or criteria for approval, denial, or inaction on an ETA application are specified; no particular decision-making entity within CBP is specified; no administrative appeal is provided for; and no court would have jurisdiction to review an ETA decision (although courts could, of course, review the legality of the program as a whole). Read More →

Jul 07 2008

ACLU Marks Addition of One Millionth Name to Terrorist Watchlists

The massive U.S. terror watchlists will soon add their one millionth name and the ACLU will mark the day with an event on July 14th at the National Press Club involving innocent individuals who have been wrongly matched to the terrorist watchlists. The ACLU gets the one millionth number from a Department of Justice Inspector general report that said the watchlists included 700,000 names in April 2007 and the lists were growing by 20,000 names per month.

The Transportation Security Administration recently stated on its blog, “While the exact number of ‘no-flys’ is secret, there are many, many less than 500, 000.” The agency did not point to any documentation, merely asking the public to believe its numbers. The agency also did not estimate the number of individuals on the “selectee” list.

The Terrorist Screening Center maintains two terrorist watchlists, the “no fly” and “selectee” lists. Individuals on the “no fly” lists are deemed too dangerous to fly by the U.S. government. Individuals on the “selectee” lists must endure more invasive security screening before they are allowed to fly by the U.S. government. How individual names are added to the list is unknown. The government claims there is a redress process for individuals who are “mistakenly matched” to the watchlists, but it is cumbersome and opaque.

A number of innocent individuals including a nun, Senator Ted Kennedy, and former presidential candidate John Anderson have all been wrongly deemed suspects. Have you been caught in the watchlist web? Tell us your story. E-mail jph AT papersplease DOT org

Jun 28 2008

NY Times: US and Europe Near Agreement on Data Sharing

The New York Times has obtained a report showing that US and European negotiators are nearing an agreement on international sharing of private data.

The United States and the European Union are nearing completion of an agreement allowing law enforcement and security agencies to obtain private information — like credit card transactions, travel histories and Internet browsing habits — about people on the other side of the Atlantic Ocean. […]

Negotiators, who have been meeting since February 2007, have largely agreed on draft language for 12 major issues central to a “binding international agreement,” the report said. The pact would make clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice versa.

The negotiators remain at odds on some issues, such as “what rights European citizens will have if the United States government violates data privacy rules or takes an adverse action against them — like denying them entry into the country or placing them on a no-fly list — based on incorrect personal information.”

It is unclear what standards both sides believe would adequately protect individuals’ civil liberties, including free speech and the right to travel.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, said the administration’s depiction of the process of correcting mishandled data through agency procedures sounds “very rosy,” but the reality is that it is often impossible, even for American citizens, to win such a fight.

The story refers to transfers of data directly from entities in the the EU to the US government, and that’s where most of the attention has focused in recent EU/US disputes. But in many cases, data is first transferred from the EU to commercial entities in the US (for example, from airline and travel agency offices in the EU to computerized reservation systems in the US) and only later, if at all, accessed by the US government from those US commercial entities. Those commercial transfers violate EU data protection law, regardless of whether the US government also accesses the data. It’s unclear form the Times story if the draft agreement would purport to immunize commerical entities engaging in such transfers.

It’s also unclear if the draft “agreement” would take the form of a treaty — ratified by the U.S. Senate, and enforceable in U.S. courts — or whether it would be another nonbinding DHS “undertaking” without legal effect.

The full New York Times story is here.

Jun 27 2008

Nation’s Capital Creates ‘One Card’ to ID Them All

The Washington Post reports on a new identification program from the DC government. DC wants to use the “One Card” to track “library accounts, public school attendance, recreation-center use and other services,” and “Metro riders can have a SmarTrip chip implanted in the card.”

The DC government’s chief technology officer says, “The eventual goal is that you’d need only one card across the entire District government.”

Why create a city-wide centralized identification system, mandatory for public school students and government workers but “voluntary” for others? We’ve all heard it before with REAL ID and other broad identification programs: the “papers please” system of One Card would be more efficient and save money.

The Washington Post points out that DC officials “could not offer specifics about those savings for agencies or the city.”

Read the rest of the story here.