Today the DHS announced that it is partially replacing its practice of illegally profiling air travelers seeking to board flights destined to the US by national origin — the subject of our still-unanswered formal complaint — with a new scheme to illegally profile passengers individually, bsed on based on mining of commercial data in passenger name records (PNRs) obtained from airlines and other travel companies and on secret DHS dossiers about would-be passengers including their lifetime travel histories maintained in the illegal Automated Targeting System and other databases.

The consequences if you fit the secret profile would continue to include, as before, being subjected to “secondary screening” (more intrusive search and/or interrogation, with no publicly-disclosed rules governing which questions you are required to answer) or having the airline not be given “clearance” under the APIS permission system to allow you to board the flight.  (Under the APIS system already on the books, the default is “No fly” unless the airline receives an affirmative, individualized, per-passenger, per-flight “clearance to board” message from the DHS.)

The new profiles reportedly could include both individual identities and vaguer patterns of suspicion such as countries previously visited (a clear case of targeting based on activities protected by the First Amendment), association (a matching phone number in a PNR, such as from having reconfirmed flights form the name hotel as thousands of other travelers), or appearance (leaving room for continued racial and/or ethnic profiling).

The profiling and selection algorithm, the identity of the decision-makers, and the data on which they will base their determinations remain secret.  No mechanism for judicial review of these decisions, or of actions taken on the basis of them, was mentioned in the DHS press release or FAQ.

The new practice greatly increases the significance of the DHS’s decision in February of this year to exempt much of the information in PNRs, including derogatory personal information submitted by travel companies without travelers’ knowledge, from release to data subjects in response to requests under the Privacy Act. It also highlights the significance of the DHS’s routinely late, incomplete, and improper responses to requests for travel records, when they respond at all.

Some of our Privacy Act requests to the DHS for travel records are 6 months old with no response at all (a year is not unusual), while one of our appeals of an obviously incomplete and improper response has been pending for more 2 1/2 years without a decision.  Of the responses we have seen to requests for PNRs and ATS travel history records, all are obviously incomplete, and invoke inapplicable exemptions (such as invoking the broader exemptions applicable to third-part requests under FOIA in response to first-party requests under the Privacy Act, to which FOIA exemptions don’t apply).  None actually appear to have been processed under the Privacy Act, only under the more limited FOIA rules, even when the requests were explicitly made under the Privacy Act.

So far as we know, nobody has actually received the “accounting of disclosures” (access log) that the DHS is required to provide on request.  And none of the major computerized reservation systems (CRSs) to which airlines outsource hosting of their PNR databases maintains logs of access to PNRs, which would be necessary for CRSs or their airline and travel company subscribers to comply with “Safe Harbor”, European Union data protection law, and other international privacy norms.  Since CRSs keep no records, nobody knows who actually accesses PNRs.

There are also still unanswered questions as to the extraterritorial US claim of jurisdiction over actions related to boarding of foreign-flag aircraft at foreign airports, especially where international aviation treaties between the US and those countries require airlines to operate as “common carriers” and transport all passengers willing to pay the fare and comply with the rules in the published tariff.

Both Americans and foreigners — including members of the European Parliament who are currently debating whether to approve continued DHS access to European PNR data — should be outraged that the DHS is simultaneously increasing the weight given to commercial and other information in secret DHS dossiers about us, while hiding even more of that information from us, even if we specifically ask to see it.  We’ll be bringing this to their attention in meetings and testimony in Brussels and Strasbourg, and talks with European activists, over the next few weeks.

The most recently filed lawsuit to result from detention of a would-be traveler at a TSA checkpoint highlights an interesting pattern:

While Federal departments themselves, and their agents in their official capacities, have thus far largely escaped legal liability for interference with travelers’ rights, multiple lawsuits against individuals who have enforced secret DHS directives — including DHS officers in their individual capacities as well as city, state, and tribal police acting as their accomplices and/or at their behest — are moving forward.  Yet at the same time, the DHS continues to use local law enforcement officers to carry out its secret orders, and has in some cases revealed policies directing DHS agents to take a literal “hands-off” attitude themselves, even while calling in local police to enforce what are at root (illegal) Federal orders.

Here’s a round-up of some pending cases across the country, leading up to the latest, with apologies for the sometimes tortured procedural histories which tend to characterize such cases and obscure the real issues: Read More →

News reports about recent diplomatic initiatives by the US Department of Homeland Security suggest that the DHS may once again be using the International Civil Aviation Organization (ICAO) as a vehicle for policy laundering.

In the past, ICAO has been the focus of attention for its role in the imposition of RFID passports and the associated systems of automated monitoring and control of international travel.

Now, the DHS appears to be trying to use ICAO as the vehicle through which to impose its ideas of passenger searching (virtual strip-search machines) and passenger surveillance (pre-flight government access to PNR data and its use in conjunction with identity-linked travel histories and personal profiles for control of who is allowed to fly)  as global norms.

Secretary of Homeland Security Napolitano, accompanied by Asst. Secretary for Policy David Heyman (successor to former NSA and DHS attorney Stewart Baker), has been barnstorming the globe in pursuit of this agenda over the last month.  She met with ICAO officials and their airline industry partners at IATA in Geneva, attended a regional European ministerial meeting on aviation security in Spain which issued a joint statement agreeing to “Promote international co-ordination … through ICAO”, followed by a regional ICAO meeting in Mexico for the Americas and the Caribbean (attended by ICAO’s Secretary General) which declared participating goverments’ commitment to “systematically collaborate within ICAO… with a view to convene both international expert and intergovernmental meetings to agree upon actions in the following fields:”

• Broaden existing cooperation mechanisms among our countries and with other parties to the Chicago Convention, and the civil aviation industry, for information exchange …
• Share best practices in a range of areas related to civil aviation, such as … screening and inspection techniques, airport security, behavioral detection, passenger targeting analysis…
• Utilize modern technologies to detect prohibited materials and to prevent the carriage of such materials on board aircraft.
• Transmit in a timely manner passengers’ information prior to takeoff to effectively support screening … as well as develop and improve compatible systems for the collection and use of advance passenger information (API) and passenger name record (PNR) information.

In a detailed video news release, Napolitano herself described this as “an unprecedented international initiative” centered on “a series of regional meetings around the globe facilitated by ICAO”:

There were four broad areas for discussion: Information sharing, passenger vetting, technology, and international standards…. Look for announcement in each of these four areas in the weeks ahead.

The agenda and the forum could not be more clear: Unless defenders of civil liberties and human rights mobilize effective opposition, the goal of the US and the DHS is for ICAO to put forward “international standards”, effectuated by national laws on “compliance with standards”, which will mandate virtual strip-search machines (“modern technology”), worldwide government access to PNR data, and government “vetting” (identity-based and permission-based control) of international air travelers.  That is perfectly in line with the 10-year plan of ICAO’s working group on Machine-Readable Travel Documents (MRTD), “MRTD Vision 2020,” as laid out in the latest ICAO MRTD Report.

ICAO is a UN-affiliated intergovernmental organizing most of whose decisions are made in invitation-only working groups. The interests of citizens are supposed to be represented in ICAO decision-making by their national governments, but national delegations to ICAO are invariably drawn from security, surveillance, law enforcement, and aviation regulatory agencies, and have never included representatives of data protection, civil liberties, or human rights authorities.

In effect, ICAO’s decisions reflect the desires of the world’s police.  By enacting national laws requiring “compliance” with ICAO “standards”, national governments can effectively outsource national law-making to those police, while justifying repressive measures (which their own representatives have proposed and championed at ICAO) as being the reult of an extenral, international mandate for which they aren’t responsible. Policy laundering.

ICAO’s importance to the DHS (and its counterparts in Europe and elsewhere) is heightened by the likelihood that, in the wake of the precedent set by its rejection of the SWIFT agreement on financial transaction data sharing with the US government, the European Parliament will reject the similar PNR agreement for travel transaction data sharing with the US government. The DHS had been pressuring the Europarl to fast-track approval of the PNR agreement. With the writing on the wall that the PNR agreement is headed for defeat in the Europarl, the DHS is already making it clear that ICAO standards are their back-door “Plan B” for how to impose a global PNR and identity-based travel sureveillance and control regime.  They are losing in Brussels, so they are trying to shift to more “Big Brother friendly” ICAO forums in Geneva and Montreal.

ICAO draws on invited technical experts from the aviation industry, but unfortunately their interests in surveillance for commercial purposes coincide with those of the police in the same surveillance for political purposes. Airlines and other travel companies are happy to help governments monitor travelers, as long as they get get paid for collecting the data and are allowed to use it themselves too. We’ve heard them tell ICAO so in so many words.

ICAO’s dual secretariats in Montreal and Geneva, and its process in which most decisions have effectively been made before they are presented to rubber-stamp plenaries, makes effective civil society participation difficult without long-term commitment and international cooperation.  A useful model is provided by environmental activists, who have formed a single-issue international NGO coalition for the sole purpose of obtaining accreditation and observer status with ICAO. Despite previous joint appeals to ICAO by an ad hoc international civil liberties coalition, human rights groups haven’t yet formalized their coalition or sought observer status with ICAO, and have had no presence at ICAO meetings or working groups.

If you are interested in working with the Identity Project to get our voices heard at ICAO, please get in touch — before its too late.