Jun 22 2018

Arguments for and against TSA Form 415

We’ve finally begun receiving records from the TSA of how the public responded to the TSA’s proposal in 2016 to start requiring travelers to show ID in order to fly.

Since 2008, TSA and contractor staff at airport checkpoints have been demanding that some travelers who do not have ID, do not show ID to checkpoint staff, or show ID that is initially deemed “unacceptable”, fill out and sign TSA Form 415, “Certification of Identity” and answer questions about the information in the (secret) file about them maintained and made available to the TSA by the commercial data broker Accurint.

Before any Federal agency such as the TSA starts collecting information from the public, whether verbally or through a written form, the agency is required to obtain approval for the “information collection” from the Office of Management and Budget (OMB).

The TSA has never requested or obtained approval for any version of Form 415. But in 2016, the TSA gave notice that it intended to seek OMB approval for Form  415, and accepted comments on that proposal from the public by email. After submitting our own objections to the TSA’s proposal, the Identity Project made a FOIA request for the complete administrative record related to the TSA’s contemplated request.

The TSA has not yet actually submitted a request to OMB for approval of Form 415, but has continued to use it illegally without OMB approval.

In May 2018, we received a heavily redacted version of the TSA’s procedures for “ID verification” including use of Form 415.

Now we’ve received a first partial set of excerpts from the “administrative record” related to the TSA’s proposal, consisting mainly of comments submitted by the public.

Most of the comments were from civil liberties and human rights organizations opposed to the TSA’s proposal, including the Identity Project, the Cyber Privacy Project,  the Constitution Alliance, and the Electronic Privacy Information Center.

But the TSA also received comments questioning the TSA proposal from at least one state government, and a single frighteningly revealing comment urging the TSA to use even more intrusive measures to track people who try to fly without “acceptable” ID.

Read More

May 20 2018

Who’s in charge of the REAL-ID database?

The state of Alaska has sent us a whopper of a “the records you have requested do not exist” response to one of our attempts to find out about government oversight (or lack thereof) of the private contractor operating the national ID database created to implement the REAL-ID Act of 2005.

Here’s what’s happened and why it’s significant:

One of the key goals and consequences of the REAL-ID Act is a national database of information about every drivers license or ID card issued by any of the states and territories that have chosen to “comply” with the (optional for states) Federal law.

This “SPEXS” database includes both compliant ID documents and “noncompliant” IDs issued to people who think they have opted out of being included in the national ID system. There are currently about 50 million records in this national ID database.

The SPEXS database is operated as part of the “S2S” system by a for-profit contractor to AAMVA, a “private” nonprofit corporation whose voting members are the directors of state driver licensing agencies (“DLAs” in AAMVA-speak).

According to AAMVA and officials of participating states, S2S including SPEXS is “governed” by an AAMVA subcommittee created in 2017 and consisting of representatives from DLAs in each state that has added its residents’ ID data to the SPEXS database. We don’t yet know how much actual authority the SPEXS governing body has, or how it exercises that authority.

SPEXS became a focus of attention in Alaska last year after we pointed out in testimony to the state legislature that he Alaska Department of Motor Vehicles had uploaded information about all Alaska drivers’ licenses and state IDs to SPEXS shortly before seeking legislative approval for the state to take actions to comply with the REAL-ID Act.

Read More

May 08 2018

TSA releases redacted ID verification procedures

Five years after we requested them under the Freedom Of Information Act, the TSA has released a redacted copy of its Identity Verification Call Center (IVCC) procedures for interrogation and “screening” of people who show up at TSA checkpoints without ID or with ID the TSA initially deems unacceptable.

Most of these people — 98% of them, according to summaries and logs eventually released to us by the TSA in response to our FOIA request — are eventually “allowed” by the TSA or TSA contractors to exercise their right to travel by common carrier, but only after being put through the TSA’s identity verification procedures.

The TSA’s Standard Operating Procedures for travelers without ID or with initially unacceptable ID include requiring them to complete and sign an (illegal) TSA Form 415, “Certification Of Identity” (COI), and playing a pointless game of 20 questions by telephone with the ID Verification Call Center to see if the traveler’s answers to questions match the information in the files secretly maintained by a commercial data broker, the Accurint division of LexisNexis (part of Reed Elsevier).

In 2013, we asked the TSA for its records of what happens to people who try to fly without ID or with ID that the TSA or its contractors initially deem unacceptable. As part of the same request, we asked for related email messages and policies.

The TSA dragged its feet for years, gradually releasing a trickle of redacted and scanned page-view images of derivative reports, but none of the email messages or reports.

A year ago, the TSA declared its munged partial response “complete”. We filed an administrative appeal, and six months later, the TSA’s appeal officer partially upheld our appeal and remanded our request for a further search for email messages and policies.

After eight more months, we’ve finally received a redacted image of the 2013 version (the version in effect when we first made our request) of the TSA’s ID Verification Call Center “Standard Operating Procedures”.

By the time the TSA finally looked for the email messages on which some of the reports were based, after our appeal was upheld, those messages had all been deleted:

No email messages pertaining to the responsive records were located. The email account utilized to prepare and distribute the TSOC reports was centralized into the National Transportation Vetting Center email account, and all emails created during that time associated with the TSOC reports already released to you have been deleted.

Ultimately, the  ID Verification SOP leaves the final decision on whether a would-be airline passenger is allowed to travel to the standardless discretion of the TSA staff person in charge for each airport, the Federal Security Director (FSD) or their designee.

There are some other curious statements between the redactions in the version of the  ID Verification SOP. released to us by the TSA.

According to the SOP:

Under these procedures, passengers are required to produce acceptable identification to a TSA Screening Representative (TSR) before proceeding to the security checkpoint. Passengers who do not produce acceptable identification and who fail to assist TSA personnel in adequately identifying their identity will be denied entry.

There is no indication of the legal basis, if any, for this TSA claim that airline passengers have an affirmative duty to  “produce acceptable identification” or “assist TSA personnel in adequately identifying their identity”, or what the basis would be for denial of passage.

The SOP also contains a bizarre assertion in section 2.5.9 of the SOP that the COI form (TSA Form 415), which travelers without ID or with unacceptable ID are required to complete and sign, is “Sensitive Security Information” (SSI) which is “not to be circulated to the public”and which passengers must surrender to checkpoint or TSA staff on demand. The SOP doesn’t say how this form could be held to constitute SSI.

TSA Form 415 has already been made public in response to another of our FOIA requests, and the Paperwork Reduction Act requires that forms used to collect information from the public be published for comment before they are approved.

In 2016, after using Form 415 and its unnumbered predecessor illegally for years, the TSA published a notice that it planned to apply for approval of this form (to which we objected). But the TSA has yet to apply for, much less receive, the approval it would need before using this form.

Mar 13 2018

Is the DHS using this Unisys pre-crime software?

A press release last week from Unisys gives a disturbing glimpse into the extent to which border guards — possibly including US Customs and Border Protection (CBP) and other components of the US Department of Homeland Security — are making decisions on the basis of automated “pre-crime” predictions of future bad actions or bad intentions.

Unisys describes its “LineSight” (TM)  product as,

[N]ew software that uses advanced data analytics and machine learning to … enable border agents to make … on-the-spot decisions about whether to trigger closer inspection of travelers … before admitting them into a country…. The solution [sic] uses advanced targeting algorithms to continuously ingest and analyze high volumes of data from multiple sources and to flag potential threats in near real time. For travelers crossing borders, LineSight assesses risk from the initial intent to travel and refines that risk assessment as more information becomes available – beginning with a traveler’s visa application to travel, reservation, ticket purchase, seat selection, check-in and arrival.

Think about what this means: This is not a tool for investigation of illegal conduct or prosecution of people who have committed crimes. It presumes that government agencies will be sufficiently deeply embedded in travel industry infrastructure and have the surveillance capability to know as soon as you form an “initial intent to travel”. It’s being marketed to government agencies as a “pre-crime” system alleged to have “pre-cognitive” ability to predict intentions and future actions, and to generate its own algorithms for doing so:

“Many legacy border security solutions identify potentially risky travelers and cargo based on previously known threats – which is kind of like driving a car and only using your rear view mirror,” said Mark Forman, global head of Unisys Public Sector….

LineSight does not depend solely on pre-defined pattern matching rules; it also includes predictive analytics and machine learning that allow the system to learn from experience and automatically generate new rules and algorithms to continuously improve assessment accuracy over time.

Decisions about which travelers should be subjected to more intrusive searches should be be made on the basis of probable cause to believe that  crimes have been committed, not on the basis of fantasies of “pre-cognitive” pre-crime prediction.

It’s wrong to delegate judicial decisions to administrative agencies, wrong to further delegate those decisions to software ‘bots, and wrong to set those robots loose to make up their own rules to govern whch individuals are subjected to searches or other sanctions.

Read More

Mar 07 2018

FOIA request for information about DHS “Extreme Vetting”

Despite a “shell game” of changing program names, most recently “Visa Lifecycle Vetting”, the general intent of what the DHS and President Trump previously refered to as the “Extreme Vetting Initiative” is clear and has remained unchanged:

  1. To expand the ongoing unconstitutional warrantless and suspicious surveillance of refugees, asylum seekers, immigrants, foreign residents, and US citizens who travel internationally, so that this dragnet sureveillance will be carried on continuously rather than only in conjunction with specific controlled actions such as vsia issuance or  entering or leaving the US, as though international travel were per se probable cause for search and surveillance rather than the exercise of a right; and
  2. To convert the present systems for making decisions as to who is or is not issued a visa or electronic “travel authorization“, allowed to enter or leave the US, or allowed to exercise their right to travel by common carrier, which are already based on pre-crime profiling, into a system of continuous pre-crime policing under which DHS pre-cogs can assign extrajudicial adverse consequences at any time, not just when individuals are attempting to engage in specific controlled actions.

While the DHS has made its intent clear, it has provided few details about who would be subjected to this “vetting”, what data would be used as inputs to the pre-crime prediction system, what algorithms would be used to make predictions, or what procedures would be followed in assigning consequences. More of this information has been provided in “Industry Day” briefings to private contractors to which these extraducial functions would be outsourced than to the public.

In November 2017, we joined dozens of other organizations in a letter to the Secretary of Homeland Security opposing and requesting more information about this program.

The response to our letter was a cursory brush-off providing no further information.

So this month, as part of a coalition led by Muslim Advocates, we filed a request under the Freedom of Information Act (FOIA) for more information about these DHS programs, including infomation about outsourcing of “vetting” to private conteractors and about DHS monitoring of social media.

We requested expedited processing of our request, but we don’t expect a prompt response. The DHS has a dismal track record of noncompliance with FOIA deadlines. But we hope that this request will eventually help us learn more about DHS surveillance and control of immigrants, foreigners, and travelers, including which companies are building the infrastructure of this police state.

Dec 15 2017

“Continuous screening” means continuous surveillance and control

Today the Identity Project joins more than 20 other government-accountability and civil liberties organizations in a joint letter opposing S. 2192, the “SECURE Act of 2017”, which  was introduced in the Senate earlier this month and immediately placed on the Senate calendar for a floor vote at any time.

The name of this bill is Newspeak. It is not about security, but about surveillance and control of immigrants, borders, and international travelers, including  U.S. citizens.

The coalition letter to members of Congress that we signed today focuses on Sections 6002-6003 (pp. 488-499) of S. 2192,  which would authorize the Secretary of Homeland Security, Secretary of State, or Attorney General to exempt their respective Federal departments from the Administrative Procedure Act,  the Privacy Act, and the Paperwork Reduction Act with respect to a wide range of border control and surveillance activities.

The Administrative Procedure Act (APA) spells out the details of Constititionally-required “due process” as it applies to administrative decision-making by Federal agencies. Decisions adversely affecting individuals’ rights made without complying with the APA would be highly likely to violate Constitutional norms of due process.

Exemption from the Privacy Act  would allow the creation and maintenance, without notice, of secret Federal government databases about U.S. citizens, and the use of secret, unreliable, uncorrected, and/or irrelevant data as the basis for decisions to deny U.S. citizens their rights. These practices would also be likely to be unconstitutional.

Many of the provisons of S. 2192 are copied from S. 1757, an earlier omnibus “border control” bill we criticized when it was introduced in September.

Like its predecessor S. 1757, S. 2192 incorporates a patently unconstitutional “Passport Revocation Act” (Section 1632, pp. 446-448), which would purport to authorize revocation or refusal to issue or renew a U.S. passsport, and the prohibition of departure from or return to the U.S., on the guilt-by-association basis of (1) an extrajudicial  administrative designation of an organization as a “foreign terrorist organization”, and (2) an extrajudicial  administrative determination by the State Department that a U.S. citizen is “affiliated” with such an organization (without the law defining the meaning of “affiliated”).

The number of references to the “unreviewable discretion” of officials and agencies has increased from 14 in S. 1757 to 17 in S. 2192.

S. 2192 also includes provisions from S. 1757 mandating government monitoring of activities and ideas expressed on social media, and the use of this surveillance data for making visa decisions and for “continuous screening” (continuous surveillance and control) of immigrants, foreign residents (including permanent residents), and foreign-citizen visitors to the U.S.

As the letter we sent today concludes, “We oppose these provisions in S.2192 and any other border security bill.”
Nov 16 2017

“Extreme Vetting” would be a #PreCrime #DigitalMuslimBan

Today The Identity Project joined 55 other civil rights, civil liberties, government accountability, human rights, immigrant rights, and privacy organizations in calling on the US Department of Homeland Security to abandon its Extreme Vetting Initiative.

The essential goal of the DHS Extreme Vetting Initiative is to extend the bogus “pre-crime” prediction algorithms and methods based on “big data” from suspicionless mass surveillance, already being used by the DHS and its partner agencies in the US and abroad to decide who is allowed to board airplanes, to a broader range of decisions about who is allowed to travel to, or reside or remain in, the US.

But the DHS doesn’t have any “pre-cogs”, human or robotic, to make these predictions. And prior restraint of our movements or other activities based on predictions of future criminality is not only impossible (and inherently subject to abuse by those who create the predictive and decision-making algorithms) but an affront to fundamental notions of justice, due process, and human rights.

According to a joint letter we sent today to the Acting Secretary of Homeland Security, Elaine Duke:

We write to express our opposition to Immigration & Customs Enforcement’s proposed new Extreme Vetting Initiative, which aims to use automated decision-making, machine learning, and social media monitoring to assist in vetting of visa applicants and to generate leads for deportation. As it is described in ICE documents, this program would be ineffective and discriminatory. It would also pose a signal threat to freedom of speech and assembly, civil liberties, and civil and human rights. We urge the Department of Homeland Security to abandon this effort….

The goal of the Extreme Vetting Initiative is to “develop processes that determine and evaluate an applicant’s probability of becoming a positively contributing member of society as well as their ability to contribute to national interests,” using analytic capabilities including machine learning.  ICE also seeks to “develop a mechanism/methodology that allows [the agency] to assess whether an applicant intends to commit criminal or terrorist acts after entering the United States.”

In reality, as a group of prominent technologists advised in a recent letter, “no computational methods can provide reliable or objective assessments of the traits that ICE seeks to measure.” There is no definition anywhere in American law of what it means to be a “positively contributing member of society” or to “contribute to national interests,” posing a risk that ICE will exercise maximal latitude to discriminate beneath the cover of an unproven algorithm….

Confirming that ICE’s focus is on quantity rather than quality, the agency has announced that the winning vendor for the Extreme Vetting Initiative contract must “generate a minimum of 10,000 investigative leads annually” – without regard to how many leads are actually appropriate….

The Extreme Vetting Initiative will also undoubtedly chill free expression, contravening the First Amendment and international human rights, such as those contained in the Universal Declaration of Human Rights, for which the United States has registered official support, and the International Covenant on Civil and Political Rights, to which the U.S. is a party… These risks are particularly acute in light of existing initiatives to ask travelers to identify all of their social media handles in order to obtain permission to travel to the United States….

Through the Extreme Vetting Initiative, ICE seeks to automate the process by which the U.S. government targets, finds, and forcibly removes people from our country…. But this system … risks hiding politicized, discriminatory decisions behind a veneer of objectivity – at great cost to freedom of speech, civil liberties, civil rights, and human rights.

Palantir Technologies has already become a target of criticism for its role in building tools for “extreme vetting”. (See our report from a protest outside the home of Palantir founder Peter Thiel earlier this year, and this recent 10-minute video, “Is Silicon Valley Building the Infrastructure for a Police State? New AI tools could empower the government to violate our civil liberties.“)  Now IBM, which attended a recent outreach day for Extreme Vetting Initiative contractors and has declined to distance itself from bidding to build the pre-crime program, is also being targeted by a petition asking IBM to “back up your verbal support of immigrants by publicly rejecting and denouncing the Extreme Vetting Initiative and pledge to not bid on any contract to build the tool.”

Sep 18 2017

TSA says it doesn’t know how to copy files

We’ve gotten used to delays, obstruction, and slander from TSA privacy and Freedom Of Information Act (FOIA) officers. Sometimes it’s hard to tell whether these result from incompetence, under-staffing, lack of diligence, mendacity, malice, or some combination of these and/or other factors.

The latest in these TSA FOIA follies is a letter we got last week from the TSA’s FOIA appeal officer, saying that the TSA doesn’t know how to copy computer files, and doesn’t know the names of any of the files on their computers or any other filesystem information or metadata about those files:

You assert that TSA should be able to reproduce digital files as bitwise copies. TSA does not maintain records in bitwise format nor can we produce records in such a format. Additionally,… the file or filesystem data or metadata from the raw format of the records are not available.

Where does this nonsense come from? Do the officials making these statements really believe them, or expect us to?

Read More

Sep 13 2017

Federal court can review the Constitutionality of Federal blacklists

A Federal judge has ruled that yes, he can review the Constitutionality of Federal blacklists (euphemistically but misleadingly labeled “watchlists”).

That should be an unsurprising finding. But “pre-crime” and predictive policing programs, including decisions to put people on blacklists that are used to control what they are and aren’t allowed to do, have largely operated in secrecy and outside the rule of law.

Rather than defending blacklisting programs or individual blacklisting decisions, the Federal government — under both Democratic and Republican administrations — has consistently argued that it should not be required to disclose, explain or defend these decisions, the identity of the decision-makers, the criteria for their decisions, or the “derogatory” information on which these decisions are purportedly based, either to the people who have been blacklisted or to the courts.

Too often, even sixteen years after 9/11/2001, courts still traumatized by memories and fears of 9/11 have acquiesced to these Executive-branch claims that the conduct of the “war on terror” is exempt from judicial review.

In this context, the decision last week by Judge Anthony Trenga of the U.S. District Court for the Northern District of Virginia, rejecting the government’s motion to dismiss a lawsuit by blacklisted Muslim Americans, is one of the most significant steps to date toward legal accountability for the DHS and its accomplices in the war at home against Americans secretly accused and extrajudicially sanctioned through Federal blacklisting.

The decision comes in a case brought by the Council on American-Islamic Relations (CAIR) on behalf of 24 individuals and as as a class action on behalf of all those who have suffered adverse consequences as a result of arbitrarily and without due process being named on Federal blacklists (“watchlists”) . As we reported when this case was filed last year, it’s the most fundamental challenge to date to the Constitutionality of the entire scheme of DHS and FBI pre-crime blacklists based on secret administrative procedures and algorithms rather than on court orders such as criminal convictions, injunctions, or restraining orders.

Read More

Jul 20 2017

Fact-checking the FAQs on ID to fly

In May and June of 2017, several new FAQs about “requirements” for travel on common-carrier airlines were posted on TSA.gov and DHS.gov:

Statements about current and future ID “requirements” similar to those on these websites have also appeared on official signs in some airports.

It should go without saying that neither government websites nor informational signs in airports create legal rights or obligations or can be relied on as authoritative statements of the law.

Federal law is contained in the US Constitution, international treaties duly ratified by the US in accordance with the US Constitution, the US Code, and US Public Laws. Federal regulations are contained in the Code of Federal Regulations. The Freedom of Information Act requires that binding Federal agency rules, regulations, and orders of general applicability be published in the Federal Register.

If you want to know what the law says, you need to read the law, not press releases from government agencies or anyone else (including us!).

This is especially important with respect to the TSA, since the TSA website and TSA signs in airports have for years included statements about ID requirements to fly that have been disclaimed by TSA witnesses testifying under oath and by TSA lawyers arguing before Federal courts.

So what is the TSA saying now about ID to fly? Is it true? And is it legal?

The TSA’s latest public statements are more accurate than some of the agency’s previous press releases about ID to fly, and may (although we can’t really tell, given the absence of fomal proposals or published rules) accurately describe the changes the TSA intends to implement. But major questions remain about the legality of both current and possible future ID practices at TSA and contractor checkpoints at US airports.

Read More