Papers, Please!

The Identity Project

Category Archives: Secret Law

Jan 15 2026

TSA extorts $45 from each air traveler without REAL-ID

screenshot: Step 3: Show your receipt to the TSA officer and follow their instructions

Today the TSA launched a flagrantly illegal new extortion program, TSA ConfirmID,  to collect $45 from each airline passenger who wants to fly without showing REAL-ID.

As of today, only the payment platform for this “ID verification” program is operational. If you want to fly without REAL-ID on or after February 1, 2026, a new TSA video instructs you to pay $45 each through the Pay.gov website, bring your receipt to the TSA checkpoint at the airport, “show your receipt to the TSA officer and follow their instructions”.

Payments are accepted by ACH transfer from a bank account, credit or debit card, Venmo, or PayPal.

What will the TSA officer instruct you to do at the checkpoint? The TSA says that:

TSA will then attempt to verify your identity so you can go through security; however, there is no guarantee TSA can do so. Please note: Using TSA ConfirmID is optional. If you choose not to use it and don’t have an acceptable ID, you may not be allowed through security and may miss your flight.

The TSA says that you “may” not be allowed through the checkpoint, not that you “will” not. And the TSA’s FAQ says that, “In the event you arrive at the airport without acceptable identification (whether lost, stolen, or otherwise), you may still be allowed to fly”.

What are the procedures for this “attempt to verify your identity”? What are the criteria for  whether or not the TSA will allow you to fly? We don’t know.

A TSA propaganda video released last week falsely claims that, “Everyone knows that when you fly you have to bring a REAL-ID or a passport.” In fact, 200,000 people a day fly without REAL-ID and without a passport. (Any passport of any country is considered REAL-ID.)

It’s unclear what will happen to travelers who show up at TSA checkpoints on February 1st without REAL-ID, or with no ID at all, whether or not they have paid the $45 per person “TSA ConfirmID” fee. See our FAQ about your rights and what might happen.

As we pointed out when the TSA announced this plan in December, no law authorizes this scheme. No law requires airline passengers to have, carry, or show any ID — as the TSA itself has consistently argued, at least to date, when the issue has been raised in court.

The TSA has promulgated no regulations for “TSA ConfirmID”, has published no Privacy Act notice for the information collected from travelers either when they pay the $45 fee or when they go through the TSA checkpoint, and has neither requested nor received approval from the Office of Management and Budget (OMB) for this collection of information, as is required by the Paperwork Reduction Act (PRA).

“TSA ConfirmID” isn’t mentioned in any of the Privacy Act notices for the TSA’s systems of records. Operation of a system of records by a Federal agency without first publishing a proper notice in the Federal Register is a criminal violation of the Privacy Act on the part of the responsible  agency employees:

Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

Presumably, data collected from individuals who pay the $45 “TSA ConfirmID” fee is passed on to the TSA and stored in some (undisclosed) TSA system of records. The TSA officers and employees responsible for that system of records are, as of today, criminals.

Even the payment platform for the $45 fee is in flagrant violation of multiple Federal laws. The Pay.gov payment site and TSA ConfirmID payment form display no OMB control number, as is required by the PRA.

The Department of the Treasury, which operates Pay.gov, says specifically that:

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it provides notice of a currently valid Office of Management and Budget (OMB) control number. Among other things, a notice of the expected time burden is required…. Pay.gov provides services to Federal agencies. These services include the posting of agency forms. Required notices that accompany these forms are the responsibility of those agencies.

There’s a link from the payment page to a Privacy and Security Policy, but the linked page doesn’t mention the Privacy Act, the PRA, or an OMB control number.

Since the TSA hasn’t chosen to follow the law or disclose any of its plans, the only way to figure out the de facto “rules” is to reverse engineer them from travelers’ experiences.

If you show up at a TSA checkpoint on or after February 1st without REAL-ID, or with no ID, please let us know whether or not you paid the “TSA ConfirmID fee” and what happened to you at the cehckpoint..

Keep a copy and/or take a photo or screenshot or any printed or online forms you are asked to fill out. If the forms or user interface pages don’t include a valid OMB control number, you can legally ignore them without penalty.

Are you allowed to fly without REAL-ID? With no ID? Without paying the “TSA ConfirmID” fee? If you are prevented from flying, who stops you? What do they say is the basis for their action?

You have the right to film and record at TSA checkpoints. Please share your experiences so we can better inform future flyers without ID or without REAL-ID.

Dec 10 2025

CBP wants all visitors to install and use its smartphone app

Permisisons requeste by ESTA Android app

[Permissions requested by ESTA Android app. Why does CBP want to be able control your flashlight?]

By a notice published today in the Federal Register, US Customs and Border Protection (CBP) is requesting approval not only to make all foreigners visiting the US without visas submit a comprehensive set of biometric identifiers (“face, fingerprint, DNA, and iris”) but to do so by installing and using a closed-source CBP smartphone app that requires permission to access Wi-Fi scanning and network data; take photos and video; access any fingerprint, iris scan, or other biometric sensors, and even turn on and off your flashlight.

Each visitor to the US under the Visa Waiver Program (VWP), for which the fee has recently been raised from $21 to $40 per person, would be required to submit, in advance, through this smartphone app, identifiers for all social media accounts they have used in the last five years.

Each visitor would also be required to submit what CBP calls “High Value Data Elements”. According to the notice:

The high value data fields include:

a. Telephone numbers used in the last five years;
b. Email addresses used in the last ten years;
c. IP addresses and metadata from electronically submitted photos;
d. Family member names (parents, spouse, siblings, children);
e. Family number telephone numbers used in the last five years;
f. Family member dates of birth;
g. Family member places of birth;
h. Family member residencies;
i. Biometrics—face, fingerprint, DNA, and iris;
j. Business telephone numbers used in the last five years;
k. Business email addresses used in the last ten years.

CBP thinks that the average visitor could compile and enter all of this data (typing on a smartphone) in 22 minutes,  including the time needed to contact each of their siblings and children to find out their five-year history of addresses and phone numbers.

Welcome to the 2026 World Cup!

Applicants for US visas are already required to provide a much more extensive set of personal data, including biometrics and identifiers for all social media accounts they have used. So this proposal, if approved, would expand collection of biometrics, social media identifiers, and the additional “high value data elements” to almost all foreign visitors to the US, with or without visas. The only remaining exception, which CBP doesn’t mention, is for asylum seekers who may have no documents and who require no pre-approval.

We continue to oppose warrantlesss, suspicionless compelled disclosure of social media or biometric identifiers or other information as unconstitutional and a violation of the human rights of travelers. And we oppose any requirement to provide this information in advance, when it could be collected on arrival in the US, when visitors apply for admission.

Read More

Dec 05 2025

TSA Confirm.ID: TSA plans to charge air travelers without ID or without REAL-ID $3B a year in extra fees for extra questioning

TSA Coinfirm.ID

Since scare tactics haven’t gotten everyone in the U.S. to sign up for REAL-ID or show ID whenever they fly, the Transportation Security Administration (TSA) is turning to extortion through the threat of a new $45 fee to fly without “acceptable” ID.

The proposed fee and the modified “ID verification” program it would pay for are being described by the TSA as a fait accompli. But even if they were authorized by Congress and Constitutional — which we don’t think  they are — they have several months-long procedural hurdles to clear before they could legally be put into effect, and even then they would face the possibility of litigation by travelers, states, airlines, and perhaps others.

$3 billion dollars a year in extra fees for extra questioning of flyers

In its latest round of rulemaking by press release, the TSA has issued a series of procedurally irregular announcements indicating that the agency plans a new fee-based procedure for air travelers without “acceptable” ID, including those presenting ID that the TSA deems not to comply with the REAL-ID Act and those who don’t have or don’t show any ID at all:

  • A notice published by the TSA in the Federal Register on November 20th said the fee for flying without ID or without REAL-ID would be $18 per person for each ten-day period.
  • A second notice published on December 3rd, just two weeks later, announced that “based on review and revision of relevant population estimates and costs… and a revised methodology… TSA recalculated overall costs and determined that the fee necessary to cover the costs of the TSA Confirm.ID program is slightly more than $45.”

The drastic revision of the cost estimate and fee, so soon after the initial announcement, suggests that the initial estimate was sloppy,  rushed, or both, and perhaps that the entire new program is being hastily implemented, may not yet be clearly defined, and may fit the definition of agency action that is “arbitrary, capricous, an abuse of discretion, or otherwise contrary to law”. Any such action is liable to be “set aside” by the courts on the basis of the Administrative Procedure Act (APA).

According to a press release posted on the TSA website on December 1st, “Currently, more than 94% of passengers already use their REAL ID or other acceptable forms of identification.” That’s only one percentage point higher than the 93% compliance the TSA announced after the first few weeks of REAL-ID “enforcement” in May 2025. These largely unchanged numbers suggest that the TSA is making little progress in persuading more travelers to sign up for a national-ID scheme or show their papers at TSA checkpoints.

Based on the current rate of roughly three million people a day passing through TSA checkpoints, 6% of whom don’t show ID the TSA deems “acceptable” (or don’t show any ID), 180,000 people a day would be assessed the proposed new $45 fee. That would generate $8.1 million a day, or $2.96 billion a year, in new revenue for the TSA.

The TSA’s initial notice claimed that currently “taxpayers pay[] for an individual’s identity verification services provided by TSA”. But each airline passenger already pays a fee of $5.60, collected by the airline, each time they pass through a TSA checkpoint at an airport.

This “9/11 Security Fee” was imposed when the TSA was created, and is supposed to cover the TSA’s costs  of searching air travelers. Air travelers, not taxpayers, pay for the TSA to grope, interrogate, and delay us. Charging a fee for this “benefit” is like charging a “police user fee” to be pulled over in a traffic stop, even if no violation is found and no citation is issued.

Read More

Oct 12 2025

CBP changes procedures for airline passengers with “X” passports

19 C.F.R. 4.7b (3)

CBP regulations require would-be airline passengers to identify as “F” or M”. These regulations were never changed, even when CBP was accepting “X” gender markers.

Traveler Gender CBP Data Element Validation: System Error if missing or invalid. Only submissions of “M” for male and “F” for female are accepted.

[CBP implementation guide says that only “M” and “F” are accepted in APIS data.]

U.S. Customs and Border Protection (CBP) has announced plans for changes to its procedures for processing information sent to CBP by airlines (and possibly also train, bus, and ferry operators) about passengers on international routes with non-binary or non-gendered “X” gender marker passports, to take effect on Tuesday, October 12, 2025.

The planned changes were disclosed by press release rather than by rulemaking notice in the Federal Register. Implementation has been outsourced to airlines subject to secret “Security Directives” from CBP.  Neither the current nor the planned procedures comply with the law. All of this makes it difficult to predict what will happen to anyone with an “X” gender marker on their passport who tries to make reservations, buy tickets, or check in for international flights after October 12th.

But here’s what we know:

Read More

Jul 30 2025

Palantir breaks new ground in algorithmic surveillance and control

One of the biggest beneficiaries of the expansion of the homeland-security industrial complex since the second inauguration of Donald Trump has been Palantir.  Shares of Palantir stock have doubled in value since Trump’s re-election.

Both the Department of Defense and the Department of Homeland Security have expanded their contracts with Palantir for data aggregation, data mining, algorithmic profiling, predictive “pre-crime” policing and preemptive war, and automated decision-making.

But is Palantir just doing more of what it has been doing since at least the first Trump presidency? Or is it (also) doing something new? We think it’s doing both.

Palantir is one of the prime contractors being paid to carry out President Trump’s executive order for the integration, mining, and use for decision-making throughout the Federal government of information about individuals held by any Federal agency, regardless of what agency originally collected it or for what purpose. Trump’s executive order seeks to define “purpose limitation”  — one of the fundamental principles of fair information practices — out of existence, at least as applied to the Federal government.

Working with and for the Department of Government Efficiency, Palantir has been central to this Federal government-wide effort to abolish “data silos”. Palantir is reportedly building aggregated databases and platforms for analysis and decision-making about both immigrants and foreign visitors and US citizens.

The expansion of Palantir’s activities has, unsurprisingly, made Palantir a focus of renewed protest.

Some of Palantir’s expansion is just more of more of what it was already doing. In particular, Palantir pioneered natural-language queries for mining of complex datasets and complex algorithms for identification of patterns in data long before either of those processes came to be labeled “artificial intelligence”. Now it’s applying these tools to a wider range of data and decisions. But the fundamental dangers remain the same. As the algorithms and the volume of data ingested become sufficiently large and complex, it becomes impossible to attribute a decision to any specific item of data or rule, or to exercise human oversight or judicial review of that algorithmic decision.

Meanwhile, Palantir’s expanded work for the US government has broken new ground, or broken through barriers, in several ways:

  • Expansion from the Departments of Defense (DOD) and Homeland Security (DHS) to all components of the Federal government;
  • Expansion from people and activities with some foreigners or foreign travel or trade to all US citizens; and
  • Expansion from decisions about air travel and entry to the US to all types of Federal government decisions about what individuals are or aren’t allowed to do.

The impact of all of these changes is to normalize pervasive suspicionless surveillance — collection, retention, and integration of data about movements, activities, and transactions — and permission-based extrajudicial government control as the defaults.

While this is an expansion of previous government intrusions on individual freedom of movement and action,  it’s also a fundamental conceptual shift from the assumption of an “airport exception” to the US Constitution or a “non-US citizen exception” to Constitutional or human rights, to a permission-based regime of government surveillance and control applied to all individuals and all activities within reach of US government power.

In the conceptual framework that underlies Trump’s executive order on “data silos” and Palantir’s work to build an omniscient and omnipotent “artificial intelligence” platform, there are no limits to the scope of individuals or activities to which it is applied.

The DHS data lake is now a US government-wide data ocean in which we all swim, all the time, and in which Palantir is constantly monitoring and choosing which fish to corral or catch.

Mar 12 2025

State Department puts “X” passport applicants in limbo

The US State Department is withholding passports from some US citizens, effectively denying them the ability to leave or return to the US, without any basis in law or regulations.

Multiple news outlets have reported that the State Department has ordered its staff in the US and abroad to “suspend” processing of all pending applications for new or renewal US passports or passport cards with an “X” gender marker.

A new page of the State Department’s website suggests that each of these passport applicants will (eventually) be notified that their application has been “suspended” and will remain “suspended” (i.e. that they won’t be issued a passport) unless and until they provide “certain documents and records to help us establish your biological sex”.

Read More

Nov 25 2024

Do you need ID to read the REAL-ID rules?

[“The welcoming, friendly and visually pleasing appearance” of the TSA’s headquarters at 6595 Springfield Center Drive, Springfield, VA.]

We spent most of a day last week outside the headquarters of the Transportation Security Administration (TSA), trying and failing to find out what the rules are for the TSA’s new digital-ID scheme.  What we did learn is that, by TSA policy and practice, you can’t read the REAL-ID rules, get to the TSA’s front door, or talk to any TSA staff unless you already have ID, bring it with you, and show it to the private guards outside the TSA’s gates.

The problems we have faced just trying to get access to the text of the TSA’s rules raise issuess about (recursive) incorporation by reference of third-party, nongovernmental text in regulations, secret law, and access to Federal services and rights by those without ID, as well as the underlying issues of REAL-ID, mobile driver’s licenses, and digital IDs.

In late October, as we’ve previously reported, the TSA issued a final rule establishing “standards” for smartphone-based digital IDs that would be deemed by the TSA to comply with the REAL-ID Act of 2005. These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.

The standards themselves — the meat of the TSA’s rule — weren’t published in the Federal Register or made public either when the rule was proposed or when it  was finalized. Instead, thousands of pages of documents from private third parties were incorporated by reference into the TSA’s rules, giving them the force of law, on the basis of false and fraudulent claims — the falsehood of which was easy for anyone who checked to verify — that they were “reasonably accessible” to affected individuals.

Secret laws are per se a violation of due process, and should be per se null and void. How can it be that “ignorance of the law is no excuse” if the government has kept you ignorant of the law, even when you try to find out what the law says?

You shouldn’t need ID to read the law, just as you shouldn’t need ID to travel by common carrier. But the TSA doesn’t seem to have read the Constitution.

Read More

Nov 04 2024

TSA launches smartphone-based digital ID scheme

Brushing off objections from the Identity Project and others, the US Transportation Security Administration (TSA) has issued regulations creating the framework for an all-purpose smartphone-based national digital ID and tracking system.

The TSA’s new rules are piggybacked on the REAL-ID Act of 2005, and are ostensibly standards for what states will have to do to issue digital versions of driver’s licenses or ID cards that the TSA and other Federal agencies will accept for Federal purposes, in circumstances where ID is required by other Federal laws. This doesn’t include airline travel, for which no ID is legally required, although the TSA keeps lying about this.

The TSA’s new rules provide that acceptable digital IDs can only be issued to individuals who already have physical driver’s licenses or state-issued ID cards. And individuals are still required by standard state laws to “have their Physical Credential on their person while operating a motor vehicle”, even if they also have a digital ID on their smartphone. So this regulatory scheme isn’t really about driver’s licenses at all. It’s about pressuring states to move from uploading information about all their residents to a national ID database to putting a digital tracking app with a state-issued identifier on each resident’s smartphone.

We’ll have more to say in our next article about some of the ways this might be used for surveillance and control of individuals’ activities in the physical and online realms.

The TSA dismissed out of hand our suggestion that an individual could be provided with a digitally-signed file (signed by a government agency) containing the same information as is contained on a physical license or ID card. Such a  file could be carried on any sort of device and presented over any sort of connection. Instead, the TSA’s new rules require that a digital ID must be “provisioned” through an app on a smartphone. The smartphone must be “bound” to an individual (how is this possible?) and must have bluetooth-low energy (BTE) radio connectivity enabled so that the app containing the digital ID can be remotely interrogated by the government (perhaps without the user’s knowledge).

How will this work? What else will these apps do? In what situations, and for what purposes, will these apps and digital IDs be required? We don’t really know.

Read More

Sep 16 2024

TSA again backs down from its REAL-ID threats

The Transportation Security Administration (TSA) has again backed down from its decades-old threats to start requiring all airline passengers to show ID that the TSA deems to be compliant with the REAL-ID Act of 2005. But the new rules proposed by the TSA would create new problems that won’t go away until Congress repeals the REAL-ID Act.

In a notice published in the Federal Register on September 12th , the TSA has proposed another two-year postponement of the most recent  of the “deadlines” the agency has imposed on itself for REAL-ID enforcement.  But that postponement would be combined  with interim rules for the next two years that ignore the law and invite arbitrariness in how travelers are treated.

The TSA notes that “frustrated travelers at the checkpoint may also increase security risks” if the TSA stopped allowing travelers to fly without REAL-ID. But the TSA doesn’t mention its current procedures for flying without any ID or its position in litigation that no law or regulation requires airline passengers to show any ID. Instead, The TSA claims without explanation that without this postponement, “individuals without  REAL ID-compliant DL/ID or acceptable alternative would be unable to board federally regulated aircraft.”

Comments from the public on the proposed rule are due by October 15, 2024. Dozens of comments have already been submitted, almost all of them opposing requiring REAL-ID to fly.

We’ll be submitting comments opposing the proposed rules and reminding the TSA that (1) no state is yet in compliance with the REAL-ID Act, which would require sharing of driver and ID databases with all other states, and (2) neither the REAL-ID Act nor any other Federal law requires air travelers to have, to carry, or to show any ID.

Unless the law is changed to try to impose an unconstitutional ID requirement as a condition on the right to travel by common carrier, the TSA must continue to recognize the right to fly without ID. Any distinction by the TSA or other Federal agencies between state-issued ID, when no state complies with the REAL-ID Act or could do so until all states participate in the national REAL-ID database (SPEXS), would be arbitrary and unlawful.

Read More

Sep 03 2024

Congress asks more questions about TSA blacklists

The “No-Fly” and “Selectee” lists managed by Federal agencies through the joint Watch List Advisory Council (WLAC) aren’t the only blacklists and watchlists that are used to determine who is given US government permission to board an airline flight, and how they are treated when they fly.

Senior members of relevant House and Senate Committees are asking overdue questions about the blacklists created and used by the Transportation Security Administration (TSA) to target selected travelers for special scrutiny, surveillance, and searches when they fly.

The TSA’s Secure Flight program is used to determine, on the basis of identifying and itinerary information from ID documents and airline reservations, what Boarding Pass Printing Result (BPPR) to send to the airline for each would-be passenger. The ruleset included in the Secure Flight algorithm includes list-based and profile-based Quiet Skies rules created by the TSA itself, independent of the interagency No-Fly and Selectee travel blacklists.

These Quiet Skies rules are used to flag certain airline passengers as “Selectees” to be searched more intrusively at TSA checkpoints (even if they aren’t on the interagency Selectee list), and to assign Federal Air Marshals (FAMs) to follow, watch, and file reports on their activities in airports and on flights. A secret alert is sent to FAMs, based on airline reservations, 72 hours before each planned flight by a person on the Quiet Skies list.

The Quiet Skies program was implemented secretly in 2012. “In March 2018,” according to a later report on the Quiet Skies program by the DHS Office of Inspector General (OIG), “in addition to enhanced checkpoint screening, TSA began surveillance (observation and collection of data) of Quiet Skies passengers beyond security checkpoints, as part of its Federal Air Marshal Service’s (FAMS) Special Mission Coverage flights.

The No-Fly list and profile-based no-fly rules are used in the Secure Flight travel control  and surveillance algorithm to determine who is allowed to fly. The Selectee and Quiet Skies lists and rules are used to  determine who to search and surveil when they fly.

The Quiet Skies program came to light later in 2018 when FAM whistleblowers went to the Boston Globe with their complaints that the wrong travelers were being targeted, mis-prioritizing which flights FAMs were being assigned to. These FAM whistleblowers complained, that, for example, anyone identitied from airline reservations as having traveled to Turkey was put on the Quiet Skies list and had a FAM assigned to each US flight they took for the next several months, including domestic flights. Travelers’ reports of being followed through airports (presumably by FAMs) and subjected to more intusive searches at TSA checkpoints after trips to Turkey supported these allegations.

The TSA initially declined to confirm the existence of the Quiet Skies program. But in response to questions from Congress and follow-up reprting by the Globe, the TSA released a belated Privacy Impact Assessement (PIA) for Quiet Skies in 2019. However, that PIA specified none of the Quiet Skies rules and gave no demographic or other information about who those rules had targeted.

Additional descriptions of the program, including the flowchart above, but still not including any of the Quiet Skies rules, were included in a critical DHS OIG report on the program in 2020.

Since January 6, 2021, there has been a new round of complaints by travelers and disgruntled FAMs that participants in the activities that day at the US Capital have been put on the No-Fly, Selectee, and/or Quiet Skies lists.

This month a redacted version was made public of a formal complaint to the DHS OIG by a FAM who says his wife was put on the Quiet Skies list and “targeted for FAMS ‘Special Mission Coverage’ simply because she attended President Trump’s January 6, 2021 speech at the ellipse in Washington, D.C.” FAMs also said that former US Representative and Presidential candidate Tulsi Gabbard has been put on the Quiet Skies list because of her role in the January 6, 2021 events. When she read those reports, Gabbard said that, “The whistleblowers’ account matches my experience” of disprate treatment at TSA checkpoints.

We’ve been unable to confirm or disprove these reports. But we find them plausible and — whether or not they are true — indicative of fundamental problems in these arbitrary, secret, extrajudicial schemes for making decisions about the exercise of our right to travel by common carrier and to be free from unreasonable searches and seizures.

Read More