Jan 09 2019

How many times will the DHS cry wolf on REAL-ID?

The last time we checked in on the status of the seemingly endless game of “chicken” being played by the US Department of Homeland Security with its threats to start harassing air travelers who reside in states the DHS deems insufficiently “compliant”, every state and territory had been given another “extension” of time to demonstrate commitment to compliance until at least January 10,  2019.

Since then, the DHS, in its standardless administrative discretion, has announced further extensions until at least April Fools Day, 2019 (for the US Virgin Islands), for every state and territory except California and Guam.

But as of today, the DHS website says that, “California has an extension for REAL ID enforcement, allowing Federal agencies to accept driver’s licenses and identification cards from California at Federal facilities, nuclear power plants and federally regulated commercial aircraft until January 10, 2019.”

As of this morning, with the “deadline” less than 48 hours away, we got the following response to our questions about this from a spokesperson for the California DMV:

The State of California has been working for the better part of a year to be deemed compliant with the REAL ID act, unfortunately due to a lack of response on the part of the Federal Government with the ongoing shutdown there has been no final confirmation.

So was that a real deadline for REAL-ID in California?

Is the DHS really prepared to have TSA checkpoint staff — working for indefinitely deferred pay — start trying to carry out time-consuming “ID verification procedures” for everyone who shows up at an airport checkpoint with a California drivers’ license or ID, starting the day after tomorrow?

The answer turns out to be, “No.”

The DHS and TSA have blinked yet again in the face of insufficient state “compliance”.

We’ve just received the following updated statement from the DMV:

The California DMV has confirmed with the Department of Homeland Security (DHS) that they will be granting California an extension to April 1, 2019. Due to the furlough, the letter might not arrive until tomorrow and DHS will likely not be updating their website until the furlough ends. All driver licenses will remain valid and can continue to be used for federal purposes.

And this from a spokesperson for the TSA:

I recently learned from DHS that California’s extension has been extended through April 1, 2019…. Updates to their website are underway.

California doesn’t actually comply with the REAL-ID Act. That would require uploading data about all California drivers’ licenses and ID cards to the SPEXS national ID database, which California hasn’t done and which would probably violate multiple provisions of California’s state constitution. But DHS certifications and extensions are discretionary, and need not be based on any specific criteria or on actual compliance.

There’s still no public word about Guam, the extension for which is also scheduled to expire tomorrow.

Phase 4b” of REAL-ID Act enforcement at airports supposedly started on January 22, 2018. Since then, the only state or territory where the DHS has let a REAL-ID  extension lapse, even temporarily, has been American Samoa, for which another extension has now been granted until October 10, 2019. We’re still waiting for any response to our FOIA request for records of what happened to American Samoans who tried to fly during the period last year when the extension had lapsed.

 

Jan 04 2019

Issues for the revitalized Privacy and Civil Liberties Oversight Board

With its recent revival, the Federal government’s Privacy and Civil Liberties Oversight Board (PCLOB) has a chance to take a fresh look at how far the USA has gone since 9/11 in implementing a combination of “pre-crime” policing (à la Minority Report) and “social credit scoring” integrated with commercial service providers (à la China) as a means of control of what people can and cannot do, and where they can and cannot go.

The PCLOB didn’t have a quorum since early 2017, and was down to only one member. But three new members were confirmed in October 2018. An Executive Director – who may end up with longer-term influence than the members of the Board, especially given that the new members weren’t appointed and confirmed until just three months before one of their terms is scheduled to end – is currently being hired. Civil libertarians able to obtain a security clearance and willing to relocate to DC are encouraged to apply.

What should the PCLOB focus on, with its limited time and resources? The PCLOB is an advisory committee with neither legislative nor prosecutorial authority. The best use it can make of its limited mandate is to ask hard questions and raise issues that Federal agencies won’t otherwise acknowledge or address.

The TSA and DHS were created in haste after 9/11 without consideration of the privacy and civil liberties implications of their new activities, many of which have never been explicitly approved by Congress. The reactivation of the PCLOB after the latest hiatus is a chance to take a fresh look at the big picture of what these agencies are doing, and what this means for privacy and civil liberties. It might be tempting to focus on “emerging” threats, but the first priority should be to assess the DHS surveillance and control systems that are already in place:

  1. Conversion of state licensing of motor vehicle operators into a national ID system. More than a decade after Congress enacted the REAL-ID Act of 2005, we are entering the endgame of DHS efforts to pressure states into participating in an outsourced, privately-operated, national ID database created to enable compliance with the REAL-ID Act. SPEXS already includes records sourced from states about more than 50 million Americans, but is not subject to any direct government control and has never been the subject of any publicly-disclosed review of its implications for privacy and civil liberties.

  2. Mass surveillance and permission-based predictive control of movement and travel. Congress has never debated whether air travelers should be required to identify themselves, whether the government should keep histories of innocent citizens’ movements (compiled from commercial airline reservations for common carrier travel, license plate readers for travel by private vehicle, and facial recognition for pedestrian movement), or whether existing judicial mechanisms for restricting the right to travel and movement through injunctions or restraining orders should be replaced with secret, extrajudicial administrative prior restraint through “no-fly” and similar orders. How has travel been transformed from a right to a privilege exercised only by government permission? How does this implicate the 1st Amendment right to assemble and the right of freedom of movement recognized by international human rights treaties? How widely, and with what implications for privacy and civil liberties, has the precedent set by real-time “pre-crime” predictive control of travel expanded to other activities and transactions?

  3. Suspicionless dragnet administrative searches. Today, the most common hands-on interaction between a Federal agent and a person not suspected of any crime is a TSA pat-down. But there’s never been any comprehensive review of the legality or the implications for privacy and security of the proliferation of suspicionless administrative searches since the creation of the DHS and TSA: security theater in airports, warrantless searches at internal checkpoints (domestic airports, CBP roadblocks on roads that don’t cross the US border, etc.), and attempts to claim the right to impose searches on the public in other forms of transportation.

There’s much more that we and others could say about each of these issues, if the PCLOB choses to consider them. But the first challenge for the PCLOB is whether it will tackle these big-picture issues.

Jan 03 2019

Plaintiff in first no-fly trial wins another appeal on attorneys’ fees and government lawyers’ bad faith

Fourteen years to the day after she discovered she was on the no-fly list when she was arrested at SFO, and five years after her legal victory in the first trial of a challenge to a government no-fly order (a Pyrrhic victory as she has still been denied a visa to return to the US), Dr. Rahinah Ibrahim won a third decision in her favor in the same case in 9th Circuit  Court of Appeals yesterday, this time en banc and on the issue of reimbursement by the government of Dr. Ibrahim’s attorneys’ fees and costs.

Read More

Dec 12 2018

The Department of “Mother, May I?”

[Federal Probation System Form PROB-37, “Permission To Travel”. Note that even as used for probationers, this form is illegal: It lacks the required OMB approval, OMB control number, and Paperwork Reduction Act notice.]

Have all travelers become convicted criminals subject to court supervision, who have to apply in advance for permission from the government every time they want to travel?

And does the US government have extraterritorial jurisdiction over travel worldwide?

Apparently so, at least in the eyes of the Department of Homeland Security.

Case in point: The National Vetting Center (NVC).

The NVC was established pursuant to President Trump’s February 2018 executive order NSPM-9. The “vetting” in the name is what President Trump has referred to as “extreme vetting” of immigrants and non-US citizens visiting or transiting the US. The first use of the NVC will be to “vet” citizens of countries in the US Visa Waiver Program applying for ESTA permits (online visas) to travel to the US.

The NVC is an inter-departmental body coordinated by a DHS component, US Customs and Border Protection (CBP), and this week the DHS has published a Privacy Impact Assessment (PIA) and released a redacted version of the  Implementation Plan for the NVC.

Here’s how the DHS describes the purpose and role of the NVC:

Every day, the U.S. Government determines whether to permit individuals to travel to and enter the United States…  and consider other actions…. The U.S. Government has developed several different processes and procedures to evaluate an individual’s suitability for access to the United States or other travel- or immigration- related benefits against information available to the U.S. Government (generally referred to as “vetting”)….Creating, maintaining, and facilitating the operation of that process is the primary mission of the NVC.

As even this summary self-description shows, the NVC is founded on a fundamental disregard for human and Constitutional rights.

Read More

Nov 02 2018

What China calls “social credit”, the US calls “risk assessment”

A viral video of an announcement on a Chinese high-speed train and a series of reports (here and here) on NPR have prompted a surge of interest this week in China’s “social credit” system:

Dear passengers: People who travel without a ticket, behave disorderly, or smoke in public areas will be punished according to regulations, and the behavior will be recorded in individual credit information system. To avoid a negative record of personal credit, please follow the relevant regulations and help with the orders on the train and at the station.

Despite unwarranted comparisons to US financial credit scores, “social credit” scoring in China is used by the government and para-statal entities, not just private companies, and not just for financial decision-making.

One of the NPR stories as well as a report last month by the Australian Broadcasting Co. include interviews with people who discovered they were barred by the Chinese government from travel on high-speed trains as a result of “social credit” scores, regardless of their ability to pay for tickets.

Dystopian? Yes.

Unjust? Yes?

“It can’t happen here?” No.

It already happens here, every day, to everyone who travels by airline or engages in bank or credit card transactions.

You may not realize it until you are mysteriously unable to obtain a boarding pass or complete a financial transaction, but each of these activities is already subject to secret, permission-based, extrajudicial prior restraint by the US government.

The default is “no”.  Since a little over 10 years ago, US Federal regulations have forbidden any airline from issuing a boarding pass unless and until it has sent the would-be traveler’s itinerary and identifying information to the DHS and has received back an individualized, per-passenger, per-flight, permission-to-travel message from the DHS. The DHS generates a secret “risk score” for each passenger, which determines how closely they are searched and questioned, whether the airline is instructed to call the police when they try to check in, and other aspects of how they are treated.

Even before airlines or banks get to the point of consulting the government, “carrier sanctions” and similar sanctions against financial institutions give them a financial incentive to err on the side of saying “no”, not “yes”.

You don’t have to be on a government blacklist for your air travel or financial transactions to be blocked by the US government or by airlines or banks acting at the government’s behest. There are multiple air travel blacklists (euphemistically and inaccurately called “watchlists”), but no-fly and transaction-processing decisions are also made in real time, on the basis of algorithmic “pre-crime” predictions (euphemistically and misleadingly called “risk assessments”, despite the lack of any evidence of a correlation between these scores and actual “risk”).

What China calls “social credit scoring”, the US calls “risk-based screening”.

Government blacklists and real-time pre-crime policing are being applied to control a growing range of activities of daily life. But air travel and financial transactions are the areas where the US government already has a fully deployed and operational real-time “social credit” system in which private service providers are seamlessly integrated with government agencies to surveil and control our everyday activities.

The question isn’t whether the US should have a “social credit” system — it already does — but whether it should be expanded to more aspects of our lives, or rolled back.

It can happen here. It is happening here. It will continue to happen here until we stop it.

China’s social credit system provides a useful object lesson in the three essential preconditions for a system of ID-based surveillance and control. We can block or impede the expansion of such schemes by undermining any of these three legs of the tripod:

  1. ID requirements to travel or engage in other transactions or activities — If you travel, pay, or act anonymously,  your individualized “score” can’t be used to control you. China’s “social credit” system is enabled by requirements to show government-issued ID to open a bank or mobile payment account or purchase a SIM card.  You can only rent a shared bicycle in China through an app, not by cash, and you can’t use the app without an ID-linked mobile phone and ID-linked payment account. So even if you travel around a Chinese city by shared bicycle, you can be tracked. Travel anonymously, and use cash or other anonymous forms of payment.
  2. Collection of ID-linked transaction and position data  — Chinese “social credit” scores and US “risk assessments” are based on travel, movement, and transaction histories. Some of this data is collected through biometric identification, primarily automated  facial recognition. Other data is “ingested” by the government from commercial databases such as travel reservations and financial transactions. Private companies can and should resist requests for this data, but can’t be counted on to do so. No airline, for example, has ever challenged government demands for warrantless access to the entirety of their reservation database, including free-text derogatory internal comments by front-line reservation and customer-service staff that are imported directly into permanent DHS files used for “risk” scoring. Once personally identified or identifiable data is collected, it’s almost impossible to resist demands for government access made in the name of “security”.  Any data that is collected about you can and will be used against you. The only real way to oppose this mass surveillance is #DoNotCollect. Just say no to requests for information, for consent to search, or for sharing of data with the government.
  3. Government control of movement, activity, and transactions — A key step in the implementation of the “social credit” system for air travel was the installation (at a cost to the airline industry of at least US$2 billion) of the control lines that transformed a reporting (i.e. surveillance) system into a “pre-crime” control system. It’s critical to defend against having our Constitutional and human rights redefined as privileges to be exercised only by prior permission of the government —  as the right to travel by common carrier has already been. Demand that restrictions on the exercise of rights be based on evidence-based court orders, not pre-crime fantasies.

As for the specific Chinese examples of travel by high-speed train, Amtrak, like the operators of Chinese trains, is a para-statal government-charterted corporation. In 2014, we made a FOIA request to Amtrak for records of Amtrak’s sharing of passenger data with the DHS and other law enforcement agencies. Amtrak has been releasing a trickle of responsive records, as we’ve been reporting. But Amtrak’s response remains incomplete, and this is now the oldest pending unanswered request in Amtrak’s FOIA queue.

 

Oct 18 2018

How many air travel blacklists does the US have?

[Click image for full-sized version.]

Heavily redacted records released by the Transportation Security Administration (TSA) last month, more than six years after they were requested by the Electronic Privacy Information Center (EPIC), give fragmentary clues to the answer to an important question: Just how many air travel blacklists does the US government have?

Read More

Oct 10 2018

What AAMVA doesn’t want you to know about the national REAL-ID database

Another “deadline” for enforcement of the REAL-ID Act of 2005 passed uneventfully today.

The US Department of Homeland Security had advertised that DHS extensions of time for voluntary compliance with the REAL-ID Act by many states would expire today.

The DHS threatened that starting today it would “enforce” the REAL-ID Act through harassment or denial of the right to travel of airline passengers without ID or with ID issued by states or territories that the DHS, in its standardless administrative discretion, deemed insufficiently compliant with Federal wishes.

Today’s supposed “deadline” was fixed neither by law nor by regulation. Not surprisingly, the DHS blinked in the final days before its self-imposed ultimatum, as it has done again and again.

Every US state and territory subject to the REAL-ID Act was either certified by the DHS as sufficiently compliant to satisfy the DHS (at least for now), or was given a further extension of time to comply without penalty until at least January 10, 2019.

Yesterday, the day before the “deadline”, the DHS quietly posted notices on its website that it had granted further extensions until January 2019 to the last two states, California and New Jersey.

Perhaps the DHS is still unwilling to provoke riots at airports by stopping people without ID, or with ID from disfavored states and territories, from flying. Perhaps it isn’t yet prepared to face, and likely lose, the inevitable lawsuits from would-be flyers.

Even American Samoa, which — because the second-class status of American Samoans as US subjects but not US citizens would make it harder for them to challenge DHS restrictions of their rights — had been the first trial by the DHS of enforcement of the REAL-ID Act, was given an extension until October 10, 2019.

So far as we can tell, REAL-ID Act “enforcement” meant only modestly enhanced harassment of American Samoans at airports. Our FOIA request for records of how many people tried to fly with American Samoa IDs, and what happened to them, remains pending with no response after more than five months.

American Samao isn’t the limit of REAL-ID Act expansion beyond US borders and overseas. H.R. 3398, a bill to extend eligibility for REAL-ID Act compliant drivers licenses and IDs to citizens of several nominally independent de facto US dependencies, has passed the House and is pending in the Senate.

Meanwhile, the real movement toward state compliance with the REAL-ID Act is behind the scenes  — as the DHS, its collaborators among state driver licensing agencies, and AAMVA, the operator of the outsourced and pseudo-privatized national ID database, want it to be.

Since we last reported on the status of REAL-ID Act compliance six months ago, agencies in three more states — Pennsylvania, New Mexico, and most recently Washington in September 2018 — have uploaded information about all licensed drivers and holders of state-issued IDs to the SPEXS national database. That brings to 19 the number of states whose residents’ personal information is included in the aggregated database.

But even as the database grows to include information about more and more US residents, the DHS persists in denying its existence. According to the DHS public FAQ about the REAL-ID Act:

A: Is DHS trying to build a national database with all of our information?

No…. REAL ID does not create a federal database of driver license information.

To the extent that there is any truth at all in this statement, it’s that the SPEXS national database isn’t under direct Federal or state control, but has been handed over to AAMVA and AAMVA’s contractors. (The database is apparently actually hosted by Microsoft.)

For obvious reasons, nobody is more eager than AAMVA to have you pay no attention to the national ID database behind the REAL-ID Act curtain.

In June 2018, we were honored to receive an urgent letter by Fedex from the President  & CEO of AAMVA, demanding that we immediately remove from our website the specifications for the SPEXS database, which we had obtained in 2016 from AAMVA’s own public website. After AAMVA made that whole section of its site “members-only”, we posted a copy of the SPEXS specification to help readers understand the details of the system, and as one of the key sources for our analysis of SPEXS.

SPEXS already includes personal information obtained from government records of drivers licenses and state IDs, including dates of birth and the last five digits of Social Security Numbers, for more than 50 million US residents. We think the people whose data is included in this system are entitled to know what information is being kept about them, who has access to it, and how it is used.

According to the SPEXS specifications,  development of SPEXS was funded by grants from componetns of the DHS and the Department of Transportation. (We’re waiting for responses to our FOIA requests for those agencies’ records about SPEXS.) If SPEXS were being operated directly by a Federal agency, the Privacy Act would require it to provide notice of the types of records in the system, how they are used, and with whom they are shared, as well as procedures for individuals to see the records about themselves and to obtain an “accounting of disclosures” to third parties of information about themselves.

But because the SPEXS database has been outsourced to a nominally private contractor, AAMVA, both Federal and state agencies can disclaim any responsibility for it. That leaves the SPEXS specifications as the best available evidence of what the system is and does.

In a later message to our Web hosting provider, a lawyer for AAMVA claimed that, “The information contained in this work is sensitive and its unauthorized publication could jeopardize the security of the governmental program to which this document relates.” This is nonsense. AAMVA waived any claim of sensitivity by making the specifications public.

When it was still struggling to sell the first states on buying into SPEXS, AAMVA posted the SPEXS specification on its website for anyone to download. More than two years after we called attention to what this document reveals, AAMVA is trying to suppress it. Not because it contains any secrets — it’s been publicly available for years — but because it conclusively disproves the DHS big lie that there is no national REAL-ID database, and shows the essential role that AAMVA itself is playing in this surveillance system.

We encourage you to pay close attention to the AAMVA man behind the REAL-ID Act curtain. And if you have questions about SPEXS or the SPEXS specifications, feel free to contact us.

Oct 09 2018

Another round in 9th Circuit fight over “No-Fly” orders

A 3-judge panel of the 9th Circuit US Court of Appeals heard arguments today in Portland, Oregon, in Kariye v. Sessions, the third and latest round of appeals to the 9th Circuit in a challenge to US government “No-Fly” orders that was filed in 2010 as Latif v. Holder.

The lawsuit has survived two previous appeals to the 9th Circuit. But most recently,  the District Court dismissed the claims of those plaintiffs who remain blacklisted from domestic or international air travel. Today’s third round of argument in the 9th Circuit was on the appeal of that latest dismissal of the complaint.

Today’s oral argument was conducted in a courtroom closed to everyone except the judges, court staff, the parties to the case, and their attorneys. Presumably, the argument was closed because one of the issues was whether the government should have been allowed to submit evidence “ex parte and in camera” for the court to consider without the plaintiffs being able to see it, or whether the District Court and/or the Court of Appeals should consider such submissions.

If you think there’s something Kafka-esque about secret arguments about whether to consider secret evidence, we agree. It’s possible that redacted excerpts from the oral argument will be made available later in the 9th Circuit’s video and audio archives.

Legal documents in the case are available from the ACLU, which is representing the plaintiffs. The best summary of the issues in the current appeal, and the best overview of what’s wrong with the government no-fly decision-making procedures at issue in the case,  is in the plaintiffs’ opening brief in the current appeal.

Read More

Sep 25 2018

9th Circuit says government can’t moot challenge to “no-fly” order

In a blow to the US government’s evasion of judicial review of no-fly and blacklisting decisions, the 9th Circuit US Court of Appeals has reinstated a lawsuit against the government by Mr. Yonas Fikre, a US citizen who was effectively exiled from the US and consigned to imprisonment and torture abroad by being placed on a “No-Fly” list, in an attempt to pressure him to become an FBI informer, while he was overseas.

Unwiling to become an FBI informer — even when he was tortured to do so — and unable to return to the country of his citizenship, Mr. Fikre fled to Sweden, where he applied for political asylum. In a successful effort to smear Mr. Fikre and thwart his asylum claim in Sweden, the US then had him indicted on trumped-up charges related to his business (and having nothing to do with terrorism, violence, aviation, or dangerousness).

Mr. Fikre’s application for asylum in Sweden was denied, and Sweden paid to deport Mr. Fikre to the US (by private jet, because the US wouldn’t allow him on any airline flights). The bogus charges against Mr. Fikre were promptly dropped once he got back to the US. But he has been unable to resume his international business career without being able to count on being able to travel from and to the US without US government interference.

The decision by the 9th Circuit panel in Fikre v. FBI overturns the dismissal of Mr. Fikre’s complaint as “moot” by a US District Court judge in Oregon after the government defendants told the court that Mr. Fikre’s name had been removed from the no-fly list.

The 9th Circuit allowed the case to proceed, finding that there was no guarantee that the actions Fikre complained of, and the violations of his rights, wouldn’t recur:

Because there are neither procedural hurdles to reinstating Fikre on the No Fly List based solely on facts already known, nor any renouncement by the government of its prerogative and authority to do so…  Fikre’s due process claims are not moot.

Read More

Aug 31 2018

A broader legal challenge to Federal blacklists

1. The federal government has imposed a kind of second-class citizenship on the Plaintiffs. Without charges, without arrests, without even an investigation sometimes — the agency defendants act in concert to deprive thousands of innocent Americans, mostly Muslim, of their right to be free from a government that extrajudicially designates them as worthy of permanent suspicion.

2. That permanent suspicion has sweeping consequences for the Plaintiffs as well as the more than one million others who bear it. They are separated from their children, denied employment opportunities, prevented from traveling by air to attend weddings and funerals, and denied or delayed immigration benefits. The rights of Plaintiffs to purchase firearms, to wire money and keep a bank account, to receive their passports and be granted visas to foreign countries are all constrained. For one plaintiff, the Defendants’ actions have diminished his standing and ability to provide religious leadership to his community.

3. Through an interagency watchlisting system, led by Defendants’ Watchlisting Advisory Council, the Defendants have identified the Plaintiffs as worthy of permanent suspicion, imposing burdens and disabilities on them in all aspects of their lives.

4. In deciding to target the Plaintiffs, the watchlisting system behaves lawlessly, acting in the absence of and — in some ways — in opposition to what Congress requires of its agencies.

5. To identify its targets, some parts of the watchlisting system, such as the Terrorism Screening Database (“TSDB”), utilize a nonsense-on-stilts standard that is always satisfied. Other parts, such as TSA’s Quiet Skies initiative, do not use any standard and instead rely upon the inarticulate hunches of federal officials, rank profiling, and vulgar guilt-by-association practices.

6. Through their watchlisting system, the federal government makes it known — to every law enforcement agency in the country, every part of the federal government, more than 60 foreign countries, an unknown number of private companies, international bodies, and other third parties—that the Plaintiffs should be treated as dangerous threats. The Plaintiffs’ friends, family, and others with whom the Plaintiffs associate are punished for their relationship with a watchlisting system’s target.

So begins the complaint filed earlier this month in Federal court in Maryland in the broadest legal challenge to date to the US government’s sweeping program of extrajudicial blacklisting and restriction of the rights of US (and foreign) citizens.

Read More