Jan 08 2024

Supreme Court hears arguments in “No-Fly” case

Gadeir Abbas speaking in front of the steps of the US Supreme Court

[CAIR Senior Litigation Attorney Gadeir Abbas speaks to press conference in front of the U.S. Supreme Court following oral argument in FBI v. Fikre.]

Today the US Supreme Court heard more than an hour of oral argument (transcript, MP3 audio) in the case of FBI v. Fikre, the latest in a series of cases in which the government has tried to avoid having a judge or jury review the criteria, procedures, and factual basis (if any) for no-fly decisions by removing previously blacklisted people from the no-fly list after they sue the government, and then asking courts to dismiss their lawsuits as “moot”.

In order to get such a complaint dismissed as “moot”, the government has the burden of showing that “subsequent events made it absolutely clear that the allegedly wrongful behavior could not reasonably be expected to recur”, according to the District Court.

Inquiring minds on the Supreme Court wanted to know how the government could meet that burden — or whether it could ever do so — without disclosing the basis for the initial no-fly decision and/or what changes had been made to no-fly decision-making criteria or procedures.

Several Justices expressed “sympathy” with the government, but concern for due process:

Justice Gorsuch, for example, wanted to know why the government wouldn’t even tell a judge in a “Sensitive Compartmented Information Facility” (and maybe the plaintiff’s lawyer, if the government would give them a security clearance) anything about a no-fly decision:

Read More

Jan 03 2024

“No-Fly” case to be argued Jan. 8th in the Supreme Court

The U.S. Supreme Court will hear oral argument this Monday, January 8, 2024 on an appeal brought by the FBI challenging a Circuit Court decision in favor of Yonas Fikre. It’s the second case on the Supreme Court’s 10 a.m. EST calendar for oral argument Monday.

You can listen live online, attend a live watch party in DC if you can’t get into the Supreme Court, or listen to recorded audio that should be posted by the end of the day on Monday.

The complete Supreme Court docket and links to the pleadings in FBI v. Fikre are here.

The question presented to the Supreme Court in this case doesn’t directly address what substantive criteria or procedures are Constitutionally required for the government to order common carriers not to transport an otherwise-qualified U.S. citizen. A separate challenge to the entirety of the blacklisting system remains pending in U.S. District Court in Boston.

But this case in the Supreme Court does address one of the government’s standard tactics for evading judicial review of its blacklisting decisions: taking people who sue the government off blacklists to “moot” their cases if it looks like they might have a chance of getting a court to rule on the legality of the government’s procedures or criteria for blacklisting decisions or or the sufficiency of the evidence (if any) against them.

If anyone deserves to have the U.S. government’s decision to put him on its no-fly list reviewed by a judge, it’s Yonas Fikre.

Read More

Dec 26 2023

Congress watches the “watchlists” — but will Congress act?

Earlier this month  CBS News broadcast an in-depth report confirming that more than two million names (up from 1.75 million names in 2019) are now on U.S. government blacklists (euphemistically described as “watchlists”) restricting travel and other rights.

CBS also interviewed some of the U.S. citizens who, without ever being accused of any crime or having their day in court, and for no reason they know or that the government will tell them, have been stopped at gunpoint, delayed, or prevented from flying.

Less than a week later, the Senate Homeland Security and Government  Affairs Committee (HSGAC) released a detailed staff report on the same issue, “Mislabeled as a threat: How the terrorist watchlist & government screening practices impact Americans“.

The Chair of the HSGAC, Sen. Gary Peters (D-MI), also sent a formal request to the Inspectors General of each of the Federal departments that participate in the “Watchlisting Council”,   asking the Inspectors General to “coordinate on an assessment of the full implementation of the Terrorist Screening Dataset.”

“I have heard from my constituents, and in particular my Arab and Muslim American constituents, that they face undue levels of scrutiny and screening atairports, other ports of entry, and in their daily lives, which they believe is the result of their placement on the terrorist watchlist,” Sen. Peters  noted. “Inspectors General have not conducted a coordinated, independent assessment of the full watchlisting enterprise – from the nominations process; to how information is shared, used, and audited; to the redress options available to individuals who may match to the list.”

The same day, five other Senators and eight members of the House of Representatives sent a joint letter about “watchlisting” practices  to the heads of the Department of Justice, FBI, Department of Homeland Security, Transportation Security Administration, U.S. Customs and Border Protection, and several other agencies.

The joint letter asks for answers “no later than January 9, 2024” to a long list of questions about how many people are on U.S. government watchlists, how many have been added and removed, what procedures have been followed, what data has been collected or purchased about these people,  what if any redress is available to them, and what the criteria for adding names are supposed to be. “Beyond the spouses and children of individuals on the watchlist, what other categories of ‘non-terrorists’ may be included as exceptions to the reasonable suspicion standard for placement on the watchlist?”

We’re pleased that members of Congress are asking increasingly pointed questions about the U.S. government’s system of secret, arbitrary, extrajudicial blacklists.

But asking questions isn’t enough. What’s needed from Congress is legislative action.

We hope that members of Congress don’t stop at “making inquiries” or “demanding answers”.  There’s ample evidence already that the watchlisting/blacklisting system is out of control. It’s up to Congress to bring that system under control by enacting legislation restoring the rule of law to decision-making about who is allowed to exercise their rights.

If members on Congress want to do something about the problem of travel blacklists, not just talk about it, a good way to start would be to reintroduce and bring to a vote the Freedom to Travel Act, which was introduced in 2021 but never got a hearing or a vote.

Oct 16 2023

The TSA wants to put a government tracking app on your smartphone

Today the Identity Project submitted our comments to the Transportation Security Administration (TSA) on the TSA’s proposed rules for “mobile driver’s licenses”.

The term “mobile driver’s license” is highly misleading. The model Electronic Credential Act drafted by the American Association of Motor Vehicle Administrators (AAMVA) to authorize the issuance of these digital credentials and installation (“provisioning”) of government-provided identification and tracking apps on individual’s smartphones provides that, “The Electronic Credential Holder shall be required to have their Physical Credential on their person while operating a motor vehicle.”

So the purpose of “mobile driver’s licenses” isn’t actually licensing of motor vehicle operators, as one might naively assume from the name. Rather, the purpose of the “mobile drivers license” scheme is to create a national digital ID, according to standards controlled by the TSA, AAMVA, and other private parties, to be issued by state motor vehicle agencies but intended for use as an all-purpose government identifier linked to a smartphone and used for purposes unrelated to motor vehicles.

We’ve seen the ways that government-mandated tracking apps on citizens’ smartphones are used by the government of China, and that’s not an example we want the US to follow.

AAMVA’s website is more honest about the purpose and planned scope of the scheme: “The mobile driver’s license (mDL) is the future of licensing and proof of identity.”

As we note in our comments:

The fact that the TSA seeks to require the installation of a government app on a mobile device of a certain type suggests that the government has other purposes than mere “identification”, such as the ability to track devices as well as people. But we don’t know, because we haven’t been able to inspect the source code for any of these apps.

Most of the details of the TSA proposal remain secret, despite our efforts to learn them. So our comments focus on the unanswered questions about the proposal, the deficiencies in the TSA’s “notice”, and the TSA’s failure to comply with the procedural requirements for consideration of proposed regulations and for approval of collections of information from members of the public — which the TSA is already carrying out illegally, without notice or approval, with digital ID apps that state agencies are already installing on smartphones:

By this Notice of Proposed Rulemaking (NPRM), the Transportation Security Administration (TSA) proposes to establish “standards” (which are not included in the NPRM and not available to the public) for a national digital ID to be used by Federal agencies in an unknown range of circumstances for unknown purposes (also not specified in the NPRM, and for which the notices and approvals required by law have not been provided or obtained).

The NPRM, which includes a proposal to incorporate by reference numerous documents which are not included in the NPRM and have not been made available to would-be commenters who have requested them, fails to provide adequate notice of the proposed rule or opportunity to comment on the undisclosed documents proposed to be incorporated by reference. It violates the regulatory requirements for incorporation by reference of unpublished material….

The proposed rule would also implicitly incorporate the Master Specification for State Pointer Exchange Services (SPEXS) published by the American Association of Motor Vehicle Administrators (AAMVA), which is not included or mentioned in the NPRM or publicly available and which AAMVA has actively attempted to remove from public availability….

The NPRM purports to include an analysis, pursuant to the Paperwork Reduction Act (PRA), of “the information collection burdens imposed on the public,” and claims to have requested approval for these information collection from the the Office of Management and Budget (OMB). But both the NPRM and the request for OMB approval omit any mention of the collection of information from individuals that occurs each time a “mobile ID” is “presented” and an app on a mobile device interacts with TSA or other Federal agency devices or servers….

What data fields will be collected when a TSA or other Federal agency device interacts with a mobile ID app on an individual’s device? We don’t know. What code will an individual be required to allow to run on their device, and with what privileges? We don’t know, although this could be critical to the risks and potential costs to individuals if, for example, they are required to allow closed-source code to run on their devices with root privileges.

From which people, how many of them, in what circumstances, and for what purposes, will this information be collected? We don’t know, although all of this is required to be included in an application for OMB approval of a collection of information….

What will individuals be told about whether these collections of information are required? We don’t know this either, although this is a required element of each PRA notice, because the TSA provides no PRA notices to any of those individuals from whom it collects information at its checkpoints, including information collected from mobile IDs.

As the TSA itself has argued in litigation, no Federal statute or regulation requires airline passengers to show ID. And hundreds of people pass through TSA checkpoints and board flights without showing ID every day. An accurate submission to OMB, and an accurate PRA notice (if approved by OMB), would inform all individuals passing through TSA checkpoints that ID is not required for passage. But instead of providing OMB-approved PRA notices at its checkpoints in airports, the TSA has posted or caused to be posted knowingly false signage claiming that all airline passengers are “required” to show government-issued ID credentials. Individuals incur substantial costs as a result of these false notices, particularly when individuals without ID forego valuable travel in reliance on deliberately misleading signs that ID is required.

Read More

Sep 26 2023

Broader challenge to Federal blacklists filed in Boston

In a nationally-significant lawsuit, the Council on American-Islamic Relations (CAIR) has filed the most comprehensive challenge  to date to the US government’s system of arbitrary and extrajudicial blacklists (“watchlists”) used to stigmatize and impose sanctions on innocent people — almost all of them Muslim — without notice, trial, conviction, or any opportunity, even after the fact, to see or contest the allegations or evidence (if any) against them.

The lawsuit, Khairullah et al. v. Garland et al., was filed last week in Federal District Court in Boston on behalf of twelve Muslims from Massachusetts and other states who have been stopped, prevented from traveling to, from, or within the US by air, harassed, delayed, interrogated, threatened, strip-searched, had all the data on their electronic devices copied, detained at gunpoint, denied permits, and had banking and money-transfer accounts summarily and irrevocably closed, among other adverse consequences:

Plaintiffs, along with over one million other people, have been placed by Defendants on the federal terrorist watchlist. Defendants claim the power to place an unlimited number of people on that list and, as a result, subject them to extensive security screening, impose adverse immigration consequences on them, and distribute their information to thousands of law-enforcement and private entities, which then use it to affect everyday interactions like traffic stops, municipal permit processes, firearm purchases, and licensing applications.

Congress has never statutorily authorized the creation, maintenance, use, or dissemination of the Terrorist Screening Dataset, its subsets like the Selectee List and No Fly List, the Quiet Skies and Silent Partner systems, or any other rules-based terrorist targeting lists.

WHEREFORE, Plaintiffs requests this Honorable Court grant declaratory and injunctive relief….

The complaint includes a depressingly thorough, detailed, and diverse litany of incidents of interference with normal life, especially with normal travel.

One US citizen plaintiff now abroad has been effectively exiled because the US government won’t allow any airline to transport him back to the US from overseas.

The effects of blacklisting can last for life. Because the US government continues to stigmatize “formerly” blacklisted individuals and flag them to its own agents and third parties including foreign governments, some of the plaintiffs continue to suffer these consequences despite having purportedly been “removed” from US “watchlists”.

Because the US government’s blacklisting algorithms incorporate explicit guilt-by-association criteria, some plaintiffs have had their friends, family members, and colleagues targeted for adverse treatment solely on the basis of having “associated” (an act protected by the First Amendment to the Constitution) with a blacklisted person.

As the complaint explains:

[B]ecause Defendants consider being a relative, friend, colleague, or fellow community member of a TSDS [Terrorist Screening Dataset] Listee “derogatory information” supporting placement on the watchlist, Muslim communities are subjected to rapidly-unfolding network effects once one member is watchlisted. One nomination, even if grounded in probable cause or a preexisting criminal conviction, can quickly spiral into Defendants classifying nearly every member of an extended family or community mosque as a suspected terrorist.

A similar lawsuit, also brought by CAIR, led a Federal District Court judge in Virginia to rule in 2019 that the Federal blacklisting system was unconstitutional. But that ruling was overturned in 2021 in a strikingly poorly-reasoned opinion by the 4th Circuit Court of Appeals.

The new lawsuit has been brought in a different circuit (the 1st Circuit), and the new complaint includes more recent information — including the disclosure of the no-fly and “selectee” lists — and arguments to bolster the case and counter the claims made by the 4th Circuit judges.

Lawsuits like this take years to be resolved, but we’ll be watching this one closely.

Aug 02 2023

Challenges to mandatory facial recognition for air travel

[US Senator Jeff Merkley films the signage and what happens when he opts out of facial recognition at the TSA checkpoint at Reagan National Airport]

Attempts by airlines, airports, and government agencies to make facial recognition mandatory for air travel, while pretending that it is “optional” or based on “consent”, are being challenged in both the United States and the European Union.

In the US, the Transportation Security Administration continues to tell Congress and the public that it is “testing” facial recognition and that mug shots are optional for air travel.

But Senators continue to question whether, as the TSA claims, this is really a “field demonstration” or actually a phased rollout,  and whether, “Providing this information is voluntary.”

The latest in a series of increasingly skeptical letters to the TSA from groups of US Senators was sent in February of this year, asking questions including these:

  • How are travelers notified of their right to opt-out of facial recognition?
  • What are the effects on a traveler who chooses to opt-out of facial recognition?
  • Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?

If the TSA provided these Senators with any answers, they haven’t been made public. But it seems likely that any response from the TSA was unsatisfactory, since a month after this letter was sent, some of these same Senators and others, along with members of the House of Representatives, reintroduced a bill (S. 681 and H.R. 1404) first introduced in the previous session of Congress that would outlaw use of facial recognition by Federal agencies except with explicit statutory authorization which the TSA lacks.

The “Facial Recognition and Biometric Technology Moratorium Act of 2023” has yet to be considered by either the House or the Senate. But in the meantime, Senator Jeff Merkley (D-OR)has been opting out of facial recognition when he flies home to Portland, filming what happens at the TSA checkpoint, and posting the videos on YouTube.

TSA policies are expressed in “standard operating procedures” (SOPs) for checkpoint staff that the TSA refuses to make public. So except to the extent that the SOPs have been leaked or inadvertently released by the TSA itself, this sort of observation-based reverse engineering is the best available evidence of de facto TSA policies and procedures.

On his first tests of TSA signage and practices, Sen. Merkley found that there were no signs at the TSA checkpoint at Reagan National Airport telling travelers that mug shots were optional.   After he posted video of the lack of signage, some signs were added — but with notices about facial recognition buried in fine print and not next to the mug shot cameras.

TSA staff told Sen. Merkley that opting out of TSA mug shots would result in “significant delay” in his passage through the TSA checkpoint, and detained him (although seemingly only briefly), contrary to what the TSA claims is supposed to happen.

In his latest video posted this week, Sen. Merkley encourages air travelers to film the signage or lack of signage at TSA checkpoints and what happens when they opt out of facial recognition:

Know that you can refuse to use facial recognition technology at the airport and you should be easily accommodated by an agent checking your physical ID….

You ARE allowed to take photos and videos at a security checkpoint.

The Algorithmic Justice League is also collecting reports from travelers about facial recognition at TSA checkpoints, including signage and consent (or the lack thereof).

It’s a sad day when a member of the US Senate has to enlist the help of members of the public to find out whether a Federal agency is lying to Congress and the public about its practices.  But the TSA has earned our mistrust and that of Congress. We commend Sen. Merkley for his skepticism and for judging the agency by what it does and not what it says.

Meanwhile, in the European Union, a complaint has been brought against the airline Ryanair for requiring either facial images or earlier check-in from certain passengers.

While this complaint has been made under EU law, it’s significant as the first complaint against an airline anywhere in the world, so far as we know,  for requiring for requiring passengers to provide mug shots or imposing additional burdens on those who opt out.

As we’ve noted before, there’s a malign convergence of interest between airlines, airport operators (public or private), and law enforcement agencies in tracking and control of air travelers. In practice, it’s often impossible to tell whether cameras — including those used for automated facial recognition — are being operated by the airline, the airport, or the police, or are part of a common-use shared surveillance-as-a-service infrastructure. In such cases, there’s no meaningful distinction between a requirement for passenger mug shots imposed by a common carrier that shares photos with the government and a mug shot requirement imposed and carried out directly by a government agency.

The complaint against Ryanair under EU law also has implications for US travelers and US airlines. Most major US and international airlines operate flights, sell tickets, and/or collect personal information in the EU and are thus subject, in at least some of their operations, to EU data protection laws. If they can respect their European customers’ rights, they could — and should — afford their US customers those same rights.

Jun 13 2023

98% of names on U.S. travel blacklist are Muslim

98% of the names on the U.S. government’s travel blacklists, including all of the top 50 names that appear most frequently on those lists, appear to be Muslim, according to a statistical analysis commissioned by the Council on American Islamic Relations (CAIR).

This analysis of the so-called “watchlist” (a euphemism for “blacklist”) is included in a report released this week in conjunction with the annual Muslim Advocacy Day on Capitol Hill organized by the US Council of Muslim Organizations (USCMO).

When the U.S. government’s “No-Fly list” and “Selectee list” were made public earlier this year, we were the first to point out that more than 10% of the entries on the No-Fly list (174,202 of 1,566,062) contain “MUHAMMAD” in either the first or last name fields, in addition to those entries with other spellings of Muhammad.

CAIR’s latest report goes into more detail:

CAIR has studied more than 1.5 million entries on a 2019 version of the FBI’s list, provided to us by a Swiss hacker who found them online after a regional air carrier accidentally posted them to the public internet. One scroll through it reveals a list almost completely comprised of Muslim names. In fact, more than 350,000 entries alone include some transliteration of Mohamed or Ali or Mahmoud and the top 50 most frequently occurring names are all Muslim names….

CAIR shared the leaked list with statistical experts for review to determine what percentage of the list is Muslim. The expert analysis of the people on the list—approximately 1.5 million entries—indicates that more than 98% of all records in the watchlist identify Muslims.

In its report and at the press conference announcing its findings, CAIR called out the lack of any legislative basis for secret blacklists, the difficulty of challenging secret decisions in court, and the failure of Congress to exercise its oversight responsibilities:

Congress did not give the FBI this authority. There is no law that made the watchlist…. But neither the FBI nor any other government agency should have a secret list. They’ve abused the one that they have now, and there is no such thing as a good, lawful kind of secret government list made available to hundreds of thousands of government actors. It is time to bring this practice to a close.

CAIR and other advocates for the civil rights of Muslim Americans are making this issue a priority in their meetings with members of Congress this week. We hope that their efforts will help prompt members of Congress to reintroduce and enact the Freedom To Travel Act or include it in other omnibus legislation.

Mar 19 2023

9th Circuit upholds secret US monitoring of foreign airline reservations

In a case we’ve been following closely, the 9th Circuit Court of Appeals has ruled that orders requiring the Sabre computerized reservation system to provide real-time reports to the FBI on any reservations made in or through Sabre associated with specific individuals can continue to be kept secret, at least as long as warrants for these individuals’ arrest remain outstanding, which could be indefinitely.

The wanted individuals aren’t US citizens and aren’t believed to be in the US. US Customs and Border Protection (CBP) already receives complete mirror copies 72 hours in advance of all international airline reservations (Passenger Name  Records) for flights to, from, or via the US. CBP has a well-established system of TECS alerts — which don’t even require a warrant — that it can use to generate a message to the FBI or other law enforcement agencies whenever planned travel to or from the US by a person of interest is detected.

This is a much simpler process than going to court to get an order directing Sabre to maintain a lookout and report to the FBI on planned travel by a suspect.

Why, then, has the FBI repeatedly gone to court to get orders requiring Sabre and in some cases other CRSs to watch for, and report, planned travel by persons of interest? The only reason would be for the US to obtain advance notice of a suspect’s planned travel within or between countries other than the US, so that the US could try to persuade some allied government to arrest and deport or render the wanted person to the US for trial.

Everyone should be concerned that reservation hosting companies are secretly monitoring and reporting their travel plans to the US government.

Other countries should be concerned that the US government is forcing CRSs that are based or have a presence in the US to carry out ongoing real-time monitoring and reporting to the US government of planned flights by non-US persons between non-US points — in effect, serving as remote agents of US surveillance within other countries.

The case in the 9th Circuit was brought by a journalist. But the court noted that Sabre or other CRSs would have a stronger basis than journalist or other third parties to contest the government’s attempt to force them to spy on travelers and rat them out to the government:

[T]he notion that technical assistance proceedings will forever go unchallenged or unnoticed absent a constitutional right of access is overstated. Petitioners themselves assert that there today exists a robust public debate over these investigatory devices. The government acknowledges that AWA [All Write Act] technical assistance orders may still be subject to challenge through different legal pathways, such as by the suspects themselves or by entities like Sabre, who receive the AWA orders.

So far as we can tell, however, neither Sabre nor any other CRS, nor any airline, has contested any of the US government’s requests or demands for information from airline reservations. No CRS or airline has issued a “transparency report” on its responses to government requests or demand for information about travelers.

CRSs and airlines should stand up for the traveling public against government spying.

Travelers, and airlines that care about travelers, should demand that the “Big Three” CRSs — Sabre, Travelport, and Amadeus — promise to challenge any government demands for information about travelers, and issue regular transparency reports on what requests or demands for travel records they have received from the government (including both case-by-case information requests and ongoing bulk feeds of PNR and API data) and what they have done to resist compliance.

Read More

Feb 04 2023

A blacklist is not a basis for search or seizure

A lawsuit filed last week in Federal court in Oklahoma City by the Council on American-Islamic Relations on behalf of Oklahoma native Saadiq Long challenges unconstitutional searches and seizures (sometimes at gunpoint) and interference with freedom of movement on city streets and highways on the unlawful basis of a combination of warrantless dragnet surveillance and arbitrary extrajudicial blacklists.

According to Mr. Long’s application for a temporary restraining order and preliminary injunction to protect his rights and his life while the case proceeds:

In the span of only two months, Saadiq Long has been repeatedly pulled over, arrested twice, held at gunpoint, and had his car searched by Oklahoma City Police Department officers. It is not because Saadiq is a criminal or suspected of being one. Mr. Long is an American citizen and Air Force veteran who has never been indicted, tried, or convicted of any kind of violent crime.

There is a different reason behind these obvious Fourth Amendment violations. That reason involves the intersection of two different dystopian webs: the vast network of cameras and computers maintained by the Oklahoma City Police Department and a secret, racist list of Muslims that the FBI makes available to Chief Wade Gourley and his officers.

That secret FBI list—variously called the federal terror watchlist, the Terrorism Screening Database (TSDB), and most recently the Terrorist Screening Dataset (TSDS)—is a list of more than a million names, almost all of them Muslim and Arab. The FBI adds whatever names it likes, without meaningful review and in accordance with secret processes and standards, for a stunning array of flimsy reasons. Government suspicion of ongoing criminal activity is not a prerequisite to being listed.

The FBI distributes its list, via the National Crime Information Center (NCIC) Database, to the Oklahoma City Police Department. That is all that the FBI distributes: a list of names. The FBI keeps its reasons and evidence about the placement to itself. Because of this, the Department knows that the FBI put Saadiq Long on a watchlist but the Department has no idea why.

Mr. Long’s mistreatment by the US government — the government of the country where he was born and of which he was and still is a citizen — began when, while serving in the US Air Force from 1987-1998 and living in Turkey, he converted to Islam and applied for discharge from the Air Force as a conscientious objector on the basis of his new beliefs.

The Air Force denied his application for conscientious objector status, gave him an “other than honorable” discharge — and, unbeknownst to Mr. Long at the time, had him put on the US government’s No-Fly List as a “known or suspected terrorist”.

After leaving the Air Force, Mr. Long moved with his family first to Egypt and later to Qatar, where he found work as a teacher of English. He discovered that he was blacklisted by the US government almost a decade later when he tried to come back to the US to visit his terminally ill mother in Oklahoma City.

Read More

Jan 20 2023

The #NoFly list is a #MuslimBan list

[CommuteAir routes operated as “United Express”]

In news first reported by Mikael Thalen and David Covucci of of the Daily Dot, Swiss hacker maia arson crimew has found versions of the Transportation Security Administration’s “No-Fly” and “Selectee” lists dating from 2019 on insecure Amazon Web Services cloud servers used by the airline CommuteAir for software development and staging.

CommuteAir is little known in its own name, but operates as a subcontractor to United Airlines for flights by regional jets between United hubs and secondary airports marketed under the “United Express” brand with United Airlines flight numbers.

In a statement to the Daily Dot, CommuteAir confirmed that, “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth.”

This isn’t the first time that information about the TSA’s “watchlists” (blacklists) and related procedures has been leaked or left exposed on the Internet. In 2009, the TSA posted an unredacted copy of its Standard Operating Procedures for “screening” of airline passengers on a Federal government website for contractors. In 2014, the Terrorist Screening Center’s Watchlisting Guidance, which describes the methodology and purported basis for entering names on the No-Fly, Selectee, and other blacklists, was obtained and published by The Intercept.

The lists found by maia and shared with journalists and researchers confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.

The data in the files found by maia is limited to first and last name and date of birth and a sequence number for each listing, but there are headers for several other fields that are blank in most of the records: place of birth, citizenship, passport or ID number, “MISC”, and a blank field labeled “CLEARED” which may have been used to indicate those entries that were intended to be to be whitelisted rather than blacklisted.

The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming  names. More than 10% of the entries on the No-Fly list (174,202 of 1,566,062)  contain “MUHAMMAD” in either the first or last name fields. “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” maia told the Daily Dot.

[Some of the listings for Osama Bin Laden — already long dead — on the 2019 No-Fly List]

The “NOFLY.csv” file found by maia contains 1,556,062 entries. The “SELECTEE.csv” file contains 251,169. The youngest of those on this version of the No-Fly List, as of 2019, were three four-year-olds. The oldest were twenty-five centenarians.

Read More