Dec 02 2011

DHS “Automated Targeting System” records

The “Automated Targeting System” (ATS) has been a topic of discussion this week at the Securing Our Rights in the Information-Sharing Era conference on national security, surveillance, and immigration enforcement.

ATS is operated by the Customs and Border Protection (CBP) component of DHS, although ATS apparently contains links to records held by other agencies and other commercial databases. ATS records include passenger name records (travel reservations), border crossing logs, secondary inspection notes, “risk assessments” of all travelers (even if you aren’t on any watch list), risk assessment algorithms, and pointers to other databases.

Public notice of the existence of ATS was first provided in 2006, but ATS records provided in response to individual requests show that it had already been in operation, illegally, for years before that. If you’ve been on an international airline flight to or from the U.S. in the last ten years, or crossed the U.S. land border in the last few years, CBP has an ATS file of information about you and your travels. There might be ATS records of earlier trips, although older ATS records are spottier. Some ATS files include border crossings and international flights from as far back as the early 1990s.

We’ve posted forms you can use to request your own ATS file from CBP, as well as examples of some of the types of data included in responses to requests for ATS records. (There’s more about what we’ve found in ATS records in this front-page story from 2007 in the Washington Post.) Contact us if you want help with requests or administrative appeals, or in interpreting responses.

If you think there’s any chance you might be on a watch list, you should also send a separate request to the DHS Chief Privacy and FOIA Officer for records from the DHS /ALL-030 Use of the Terrorist Screening Database (TSDB)  System of Records.  Be sure to state that your request is made under both the Privacy Act and FOIA, and include a request for an accounting of all disclosures of records about you.

The first panelist at the conference was Julia Shearson, a native-born U.S. citizen who was arrested when she tried to drive back into the U.S. after an innocent weekend trip to Canada, on the basis of an entry in ATS falsely flagging her as an “armed and dangerous terrorist”. She’s suing DHS under the Privacy Act to find out why they labeled her a terrorist. Her lawsuit is still pending on remand after a favorable Circuit Court ruling reinstating her complaint. We last reported on her case here; there’s more about her story in this video which was shown yesterday at the conference, and this article from the Cleveland Plain Dealer. Whether the Privacy act provides for recovery of emotional damages was the subject of oral argument before the Supreme Court earlier this week in FAA v. Cooper.

Also still pending is our Privacy Act and FOIA lawsuit against CBP on behalf of Identity Project consultant Edward Hasbrouck, who is seeking ATS records about himself (including his “risk assessments” and the rules used for determining those risk assessments), an accounting of disclosures of those records to other agencies or third parties, information about how ATS records are indexed and retrieved, and records of the processing of his initial requests for ATS records. (He received only incomplete and redacted responses, and not until three years after his initial request and three weeks after he filed suit against CBP for its failure to respond or provide the requested records). A hearing on motions for summary judgment was held in September, and a decision is pending.

Other previous lawsuits related to ATS are discussed here. We’ve also filed comments on CBP rulemakings, objecting to ATS as in violation of the Privacy Act and international human rights treaties.

[On a separate note, the ongoing prosecution of Dr. Ghulam Nabi Fai under the Foreign Agents Registration Act, which was also mentioned at the conference, is discussed here.]

Oct 12 2011

Events in Europe on US travel surveillance and control

We’ll be participating in a series of public events and private meetings next week with European activists and with European Union and European national officials on PNR data (airline reservations), privacy, data protection, and human rights. Our presentations at all of these events will be in English, although much of the publicity is (naturally, given the venues) in German. see the links below for slides, handouts, video, and news reports on our presentations:

Read More

Oct 06 2011

How the USA imposes travel bans within Europe

In an article here yesterday, we mentioned a report earlier this month by Andrej Hunko, a member of the German national legislature (“Bundestag”) , based on responses to his information access requests to the German government about its collaboration with DHS and use of PNR data.  There was more about this in DHS testimony at yesterday’s hearing in the U.S. House of Representatives. The following is an English translation of Andrej Hunko’s report, republished by permission of the author:

How the US Department of Homeland Security imposes travel bans within the EU

by Andrej Hunko, September 28, 2011

Naturally enough, the website of the NoPNR campaign regularly contains material about the retroactive legalisation of exchanges of passenger name record (PNR) data between EU Member States and the United States, Canada or Australia. Members of Parliament in the EU from several parties have already done some important work on this issue and have been levelling fierce criticism at the planned agreements, which, in point of fact, have long been applied on a ‘provisional’ basis.

I believe, however, that it is all too easy to lose sight of the fact that the US Department of Homeland Security (DHS) employs hundreds of staff who operate at airports and sea ports within the EU. This practice came to light in the summer after Mark Koumans, Deputy Assistant Secretary for International Affairs, presented a report on security issues in Europe and Eurasia before the House of Representatives Subcommittee on Europe and Eurasia.

Read More

Sep 30 2011

How would REAL-ID affect the right to travel?

In the latest step in the implementation of the REAL-ID Act and the establishment of a de facto national ID card and database, the Department of Homeland Security has requested OMB approval for the collection of additional information from states and individuals.

The public response to the DHS request, particularly these comments submitted by the Electronic Privacy Information Center (EPIC), highlight the important unanswered questions about how REAL-ID Act implementation will affect the right to travel:

EPIC’s comments focus on the widely-publicized recent case of  Lewis Brown, a former high school and college basketball star who died on a street in Southern California homeless, earlier this month:

EPIC writes today to draw the agency’s attention to the death of Lewis Brown, a former college basketball prodigy, who died on the streets of Los Angeles because he could not scrape together the money to obtain a state-issued identity document…. According to the New York Times, Brown, a basketball legend at the University of Nevada at Las Vegas, planned to fly to visit his family in New York and could not. Homeless and destitute, living on the sidewalks of Hollywood, Brown had developed cancer and planned to go to the hospital. Brown’s mother learned about his condition and stated that she wanted to see him “before he died.” Brown’s sister, Anita, told him to visit New York. Brown told confidants that he lacked funds to qualify for a California identification card, and was taking donations and borrowing money.

Read More

Sep 27 2011

More US lies to the European Parliament

In an appearance on September 20th before the LIBE (civil liberties) Committee of the European Parliament to lobby for legalization of US government access to European airline reservations (PNR data), US Attorney General Eric Holder claimed that there has been “not one single example of privacy being breached” by the US in its processing of PNR data. We “need to deal with what is real, not what is hypothetical”.

Is Holder’s claim true? What’s “real”, and what’s “hypothetical”?

In reality, DHS policies prevent us from knowing how many breaches of privacy or other fundamental rights have resulted from US processing, use, and/or disclosure to others of PNR data. Read More

Sep 16 2011

Court hearing in our lawsuit for DHS travel records

A little more than a year after we filed suit on behalf of Edward Hasbrouck against the Customs and Border Protection (CBP) division of DHS to find out what records they are keeping about our international travels, and what they have done with those records, we had our first real day in court yesterday in front of Federal Judge Richard Seeborg in San Francisco.

Judge Seeborg was appointed as a judge of the U.S. District Court by President Obama, after a decade as a Federal magistrate and seven years before that as a Federal prosecutor. On first impression, he seems fair-minded and thoughtful, although — like most judges — inclined to give more “deference” than is warranted to even implausible claims by police and prosecutors, such as some of those made in the declarations submitted by the CBP in opposition to Mr. Hasbrouck’s complaint.

Mr. Hasbrouck was represented by David Greene of Holme Roberts & Owen (formerly executive director and staff counsel of the First Amendment Project), who conducted yesterday’s argument, along with FAP staff attorney Lowell Chow. Former FAP staff attorney Geoffrey King also worked on earlier stages of the case, as did several FAP law school student interns, who we were pleased were able to attend the argument. We are grateful to them all for their contributions.

CBP was represented by Assistant U.S. Attorney Neill Tseng, who conducted the argument, accompanied by an attorney from the CBP.

As we expected, and as is usual, no decision by the court was announced at yesterday’s hearing. In each of the other cases on Judge Seeborg’s motion calendar yesterday, he began by describing how he was “inclined” to rule on the matters before him. In our case, however, Judge Seeborg began — after some comments about how ill-suited the typical summary judgment motion practice is to FOIA or Privacy Act cases like this, where the issues only gradually become clear in the course of the briefing — by saying that after reading the lengthy pleadings he had only the most tentative “impression” as to how he might rule on any of the issues.

In other words, he still had an open mind, and oral argument might actually matter.

With that preface, Judge Seeborg invited Mr. Hasbrouck’s attorney, David Greene, to address whatever issues he thought were most important, and then gave AUSA Neill Tseng an opportunity to respond for the CBP.

If you’re just tuning in, the best places to start are the Identity Project FAQ (for the political issues and significance of the case) and our last reply brief before yesterday’s argument (for the legal issues).

Broadly speaking, the argument focused on what we would group into four main questions:

Read More

Sep 12 2011

U.K. detains Italian citizen on basis of U.S. no-fly list

U.K. authorities have apparently detained an Italian citizen disembarking from a trans-Atlantic cruise ship at Southampton on the basis of his inclusion on the U.S. “no-fly” list.

It’s the latest in a steady series of expansions of the extra-territorial reach of U.S. travel surveillance and control, and should raise a red flag as to the dangers of the proposed intra-EU system of PNR-based travel surveillance and control.

According to news reports and a press release from his U.S. lawyer with the Council on American-Islamic relations, Michael Migliore is a 23-year-old dual citizen of the USA and Italy. He’s been trying to return to Italy, to live with his mother there. But when he tried to board a flight in Portland, Oregon, he was refused passage and eventually told he was on the U.S. “no-fly” list.

Undaunted, he took a train to New York (as of now, the DHS only applies “no-ride” controls to international Amtrak trains to and from Canada, not domestic trains) and then a cruise ship to England.

The U.S. APIS rules require cruise lines, like airlines, to get permission from CBP before allowing each passenger to board. But for some reason, they let Migliore board a ship even though they wouldn’t let him on a plane. It’s hard to see a rational reason why, if they really thought he was a terrosirt threat, unless they had an unusually precise “pre-crime” vision of what they thought he intended to do. A cruise ship crossing the Atlantic is at sea for a week, and carries thousands of passengers. Unlike airline passengers, who are reported to the FBI for detention and questioning and their flight escorted by fighter jets if they spend an unusually long time in the toilet (trying to join the Mile High Club?), cruise passengers aren’t under constant scrutiny.  It would be much easier and do much more damage for a terrorist to sabotage a cruise ship than an airliner.

But whatever their reasons, U.S. authorities allowed Mr. Migliore to board the ship departing from the U.S., but apparently alerted U.K. authorities who detained him on arrival. (His U.S. lawyer presumes he’s been detained since he hasn’t been heard from since he disembarked, but nobody has yet gotten  any formal confirmation of who is holding him, where, or why.)

Presumably, mr. Migliore would have sought to enter the U.K. as an Italian citizen. We invite our European readers to speculate in the comments as to what EU laws and rights may have been violated by the U.K. in detaining an  EU citizen on the basis of secret derogatory information from the U.S., what due process Mr. Migliore is entitled to, and what basis the U.K. will need to continue to detain him or to prevent him from returning to Italy, the country of his citizenship.

Sep 12 2011

Illegal Israeli-style traveler interrogations come to Boston

If you’re going to be flying through Logan Airport in Boston, you might want to have a copy of the Paperwork Reduction Act handy when you go through the TSA checkpoint.

The TSA has celebrated the 10th anniversary of the September 11, 2001, hijackings — two of them of flights that originated at Logan — by rolling out a new program of Israeli-style interrogations of air travelers passing through TSA checkpoints at Logan.

Rafi Ron, a former director of security at Ben-Gurion Airport in Tel Aviv, relocated to the U.S. and hung out his shingle (“New Age Security Systems”) as an airport security consultant just before September 11, 2001. His first post-9/11 U.S. client was MASSPORT, which operates Logan. Ever since, as Ron’s client list has expanded to the Massachusetts State Police (the notorious racists who patrol Logan) and then the TSA, Logan has remained the cutting edge of U.S. testbed for Ron’s Israeli-style gospel of  human profiling, from the TSA’s SPOT “behavior detection” program to the new TSA “chat-downs“.

We’re pleased that Rep. Bennie Thompson (D-MS), the ranking minority member of the House Committee on Homeland Security, has publicly questioned the TSA about the Logan pilot program.

But whether or not it’s a good idea (it’s not), the immediate problem for the TSA is that it’s illegal.

Previous case law on airport checkpoints has authorized administrative searches, but never compelled responses to administrative interrogations.  Responses to police questioning in such circumstances have been presumed by courts to be voluntary.

If the TSA’s Constitutional case for such interrogation is untested, their lack of statutory authority is clear. The Paperwork Reduction Act, — a Reagan-era Republican anti-bureaucracy law — requires that any Federal “information collection” be justified in advance to, and approved in advance by, the Office of Management and Budget. An “information collection” is defined as any solicitation — even verbally — of answers to identical questions from ten or more people by a Federal agency, which clearly covers what the TSA “Assessors” (interrogators) are doing in Boston.

OMB approval is evidence by an OMB control number provided on the form or to those being questioned. in the absence of an OMB control number, (a) the collection of information is illegal, (b)  nobody can be required to answer the questions or provide the requested information, and (c) no sanctions can be imposed for failure to respond or provide information.

The TSA has never gone through the process of seeking OMB approval, or obtained an OMB control number, for its ID verification form or any of its other information collections from travelers.

So if the TSA’s goons at logan (or anywhere else) ask you, “Who are you?”, “Where are you going?”, “What’s the purpose of your trip?”, or any of their other standard questions, ask them what the OMB control number is for their collection of that information.

If they can’t or won’t provide you with a valid OMB control number (you can look up and verify any valid OMB control number here), politely but firmly decline to answer. If necessary, remind them — it might help to show them a copy of the law — of the provisions of  44 U.S.C. § 3512:

§ 3512. Public protection

(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this subchapter if–

(1) the collection of information does not display a valid control number assigned by the Director in accordance with this subchapter; or

(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.

(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.

Document what happens, so that you can, if necessary, prove that any sanctions such as a more intrusive search, denial of passage through the checkpoint, or denial of access to common-carrier transportation were based on your refusal to provide illegally-request information without having been provided with a valid OMB control number and notice that without it you don’t have to answer.

Sep 07 2011

“Why should I care about PNR?”

Our guest post for European travelers at NoPNR.org:

Why should I care about PNR?

More for our European readers about PNR data and how it is used by governments:

What can Europeans do?

Jul 30 2011

Our reply to DHS claims that travel dossiers are exempt from the Privacy Act

Our reply brief and a supporting declaration were filed yesterday in Hasbrouck v. CBP, our Privacy Act and Freedom of Information Act (FOIA) lawsuit seeking records from and about the DHS “Automated Targeting System” of individualized government dossiers about each of the the millions of international travelers to and from the USA, including US citizens.

ATS includes complete copies of airline reservations (“Passenger Name Records” or PNRs), as well as a “risk assessment” for each would-be traveler that is used to decide whether or not to give the airline permission to transport them into, out of, or through the airspace of the USA. As Mr. Hasbrouck’s supplementary declaration supporting our latest reply brief explains:

Tens of thousands of travel agencies, airline offices, and offices of other travel companies around the world, and a million or more individual employees and contractors of these companies, have access through CRSs [Computerized Reservation Systems] or otherwise to PNR databases and the ability to enter data in PNRs. PNRs thus can, and do, contain an unlimited quantity and variety of data originating with numerous third parties around the world, some of it in the form of unstructured free text. CBP requires that, in all cases where a PNR contains a flight between a point in the U.S. and a foreign point, or overflying U.S. airspace, the entirety of the PNR — including the free-text general remarks and whatever other data has been entered by anyone with access to the PNR — must be made available to CBP for import into ATS.

PNRs can contain information about aspects of a journey other than air transportation, such as hotel reservations and other travel services, even in what are considered in travel industry jargon to be “air-only” PNRs. Information about these other travel services can be included in the “OSI” (Other System Information), and “SSR” (Special Service Request) elements of the PNR. For example, in reviewing records from ATS released to another requester by CBP, I have seen a PNR for two people, for whom the airline had reserved a hotel for an involuntary overnight layover, which included an SSR entry with a code showing whether a room with one bed or two had been requested for those two travelers. This is a normal and expected example of standard travel industry practices.

The SORNs [System Of Records Notices, required by the Privacy Act] for ATS specifically mention OSI, SSR, and “General Remarks” 10 among the “Categories of Information in the [ATS] System” and among the types of data derived from PNRs and included in ATS. “OSI” entries can be used by travel agency or airline staff with access to PNRs to enter, and to send to airlines, arbitrary free-text messages. “Remarks” in PNRs are intended to be used for an unlimited range of free-text data entry. This information can — and in some cases does — include remarks about the personal foibles of the traveler (to assist other travel agency or airline staff in dealing with the traveler), and/or derogatory descriptions of interactions with customer service staff. Travelers do not normally see the PNRs that contain information pertaining to them, and do not know or control what information has been entered about them.

Our reply brief also notes that:

Acknowledging the sensitivity of the data in PNRs, Canadian and European Union laws require that private entities that control or host PNRs allow individuals to inspect their own PNRs and obtain information about how they are used. However, U.S. law contains no such requirement.

The focus of our latest arguments is on the government’s claim that — after receiving Mr. Hasbrouck’s Privacy Act request and his appeal of the government’s failure to respond — CBP had the right to issue new regulations retroactively exempting itself from any obligation to respond to the pending request or appeal, to provide Mr. Hasbrouck any of the ATS or other records about him and his travels, to provide him with any accounting of the disclosures of those records to third parties, or to correct inaccurate records or expunge irrelevant ones. As our brief notes:

The retroactive application of the ATS and BCIS exemptions is especially egregious in this case where the processing of Hasbrouck’s Privacy Act requests was completed by CBP’s Office of Intelligence and Operation Coordination on April 2, 2009, but was then sat on for 17 months until after the exemption rules were finalized.

We also contest CBP’s failure to search for Mr. Hasbrouck’s records, in response to his request, in the same way they would if they were searching for records about him as a suspected terrorist. And we contest their refusal to disclose even the records about Mr. Hasbrouck that they admit to having found.

The next step in the case will be oral arguments on the cross-motions for summary judgment on Thursday, August 25, September 15, 2011, 1:30 p.m., before Judge Richard Seeborg (Courtroom 3, 17th Floor), U.S. District Court for the Northern District of California, Phillip Burton Federal Building and U.S. Courthouse, 450 Golden Gate Ave. (between Polk and Larkin, near Civic Center), San Francisco, CA. [Note revised hearing date of September 15th.]

It’s unlikely that any decision will be announced on the spot at the oral argument. Judge Seeborg will most likely take the written submissions and oral arguments under advisement, and issue an initial decision on the motions for summary judgment some weeks or months later. (There is no mandatory deadline for most Federal judicial decisions.)

The public is welcome to attend the oral argument, although the guards at the entrance to the courthouse require visitors to show government-issued ID. See the specific rules for electronic devices in the courthouse and additional rules and information for journalists.