Papers, Please!

The Identity Project

Category Archives: Secret Law

Nov 23 2022

The airport of the future is the airport of today — and that’s not good.

(video; slides)

[Facial recognition at each step in airline passenger processing. Slide from presentation by Heathrow Airport Holdings Ltd. to the International Civil Aviation Organization (ICAO) Traveler Identitification Program symposium, October 2018]

Today, the day before Thanksgiving, will probably be the busiest day for air travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.

If you are flying this week for the first time in three years, what will you see that has changed?

Unfortunately, many of the most significant changes made during the pandemic are deliberately invisible — which is part of what makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by design airport of the future that we’ve been worried and warning about for many years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic, airports have taken advantage of the opportunity to move ahead with expansion and renovation projects. While passenger traffic was reduced, and terminals and other airport facilities were operating well below capacity, disruptions due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports in the U.S. and around the world is that they are designed and built on the assumption that all passengers’ movements within the airport will be tracked at all times, and that all phases of “passenger processing” will be carried out automatically using facial recognition, as shown in this video from a technology vendor, Airport of the Future:

[Stills from 2019 vendor video, Airport of the Future.]

In the airport of the future, or in a growing number of present-day airports, there’s no need for a government agency or airline that wants to use facial recognition to install cameras or data links for that purpose. As in the new International Arrivals Facility at Sea-Tac Airport, which opened this year, the cameras and connectivity are built into the facility as “common-use”  public-private infrastructure shared by airlines, government agencies, and the operator of the airport — whether that’s a public agency (as with almost all U.S. airports) or a private company (as with many foreign airports).

Read More

Sep 16 2022

Countdown to a crackdown on flying without ID

The Department of Homeland Security has added a Countdown to REAL ID Enforcement at airports to its website. But questions remain as to what this really means, despite our best efforts to find out.

What — if anything — will really change at Transportation Security Administration checkpoints when this countdown clock runs out on May 3, 2023?

Nothing in the law will change on that date. The REAL-ID Act of 2005 established criteria for which ID credentials can be “accepted” by Federal government agencies, in circumstances where individuals are required by Federal law or regulations to possess and/or show some evidence of their identity. But the consistent position of the DHS and TSA in litigation has been that no law or regulation requires air travelers to possess or show any ID. And the REAL-ID Act did not create any new requirement to have or show ID to fly.

Since the REAL-ID Act applies only to which IDs are accepted from those who choose to show ID to fly, it should have no effect, now or at at any date in the future, on those who don’t have, or choose not to show, ID to fly. They still have the right to fly without ID — as more than a hundred thousand people do every year — subject at most to a more intrusive administrative search of their person and baggage.

The “deadline” announced by the DHS and TSA might indicate plans for new regulations that would impose a requirement for air travelers to have or to show ID. But no such regulations have been proposed or included in DHS or TSA agendas of planned rulemaking.

Despite the lack of any apparent legal authority, however, it appears from the latest extrajudicial DHS and TSA rulemaking-by-press-release that these agencies plan to begin preventing anyone from flying without ID on or after May 3, 2023, on unknown grounds.

The following statement now appears on the DHS and TSA websites:

What happens if I show up without a valid driver’s license or state ID?

Starting May 3, 2023, every traveler will need to present a REAL ID-compliant license or an acceptable form of identification to fly within the U.S. Passengers who do not present an acceptable form of identification will not be permitted through the security checkpoint.

This would be a major change, with no legal basis, from current practice or any previously disclosed DHS or TSA plans.

Read More

Jun 06 2022

Another legal “victory” but still no justice for tortured traveler

For more than a decade (see our articles from 2012 and 2018), we’ve been monitoring the saga of Yonas Fikre, a US citizen who was placed on the US government’s “No-Fly List” and blacklisted by his government as a “suspected terrorist” while he was overseas on business.

Last week, after nine years and counting in the courts, Mr. Fikre “won” a second successive favorable decision on pre-trial appeals to the 9th Circuit US Court of Appeals, but his quest for justice remains unfulfilled. The history of this case to date is a case study in the lack of accountability or judicial review for no-fly decisions and decision-makers.

Read More

Apr 08 2022

Amtrak gave train reservations to the TSA for a profiling test

[“Secure Flight” process flow used by the TSA for airline passengers and being tested on Amtrak passengers. The red box at right center is the “black box” for algorithmic profiling, blacklist/blocklist enforcement, and fly/no-fly decision making.]

Amtrak has reportedly given the Transportation Security Administration several months of  archives of Amtrak passenger reservations and frequent rider profiles. At Amtrak’s request, the TSA has used these records to test the TSA’s ability to extend to Amtrak passengers the ID-based profiling and blacklisting algorithms the TSA already applies to air travelers.

If you aren’t allowed to travel by air, the right to travel by train is critical. And while all common carriers have an obligation to transport all would-be passengers, Amtrak as a government agency should be most strictly held to that obligation.

The plans to run a batch of historical Amtrak reservations through the TSA’s “threat assessment” black box were disclosed in a Privacy Impact Assessment (PIA) quietly posted on the Department of Homeland Security website last December, and first noted in a news report by Mark Albert of Hearst Television earlier this week.

The PIA posted by the TSA in December 2021 said that Amtrak would give notice of the batch transfer of reservation archives to the TSA through an update to Amtrak’s privacy policy. That policy was last updated in November 2021, and doesn’t mention data sharing with the TSA. But a follow-up report today by Hearst Television quotes the TSA as saying that, “The collection of data and analysis has already occurred,” without the promised notice in Amtrak’s privacy policy.

What will this TSA’s test of Amtrak passenger profiling reveal? Of course some of the people who aren’t allowed to travel by air travel by train or bus instead. Amtrak and Greyhound are the long-distance carriers of last resort for undocumented and blacklisted travelers. So it’s to be expected that the TSA will find a disproportionate percentage of the people it has blacklisted from air travel on Amtrak passenger manifests.

Even more people will be forced to take Amtrak or Greyhound instead of flying if the TSA — as it has threatened — starts preventing people from flying if they don’t have, or don’t show, any ID, or ID the TSA deems to be compliant ID with the REAL-ID Act.

Does this mean that would-be terrorists are riding Amtrak trains? No. It means only that people blacklisted from air travel are riding trains. So far as we know, there have been no terrorist attacks on Amtrak trains. The false positives generated by the TSA’s “threat assessment” algorithms and precogs are evidence of what’s wrong with predictive profiling and why the right to travel by common carrier is so important.

The TSA and DHS have long wanted to extend their prior restraint of travel from airline passengers to all modes of travel including  trains and buses, but have lacked any legal basis to do so. Amtrak’s sharing of reservation  data with the DHS, even for passengers on international trains, has been represented as a “voluntary” action by Amtrak.

In the absence of any notice from Amtrak, it’s unclear what Amtrak claims as the legal basis for the recent “test” of TSA profiling of passengers on domestic Amtrak trains. Read More

Jan 26 2022

9th Circuit to review secrecy of CRS-based travel surveillance

May court records related to orders requiring a travel reservations company to provide real-time updates to the U.S. government whenever a “person of interest” makes reservations for flights or other travel  be kept secret from the public, the press, and other travel companies including the airlines on which the target plans to travel?

That issue is now before the 9th Circuit Court of Appeals in the case of Forbes Media and Thomas Brewster vs. the United States (Court of Appeals Docket #21-35612).

The legal question before the 9th Circuit is whether courts can keep their own actions secret. That’s important, but the the underlying facts raise other issues as well.

Read More

Sep 15 2021

DHS must explain failure to release e-mail files

In a victory for the Freedom Of Information Act (FOIA), an Administrative Law Judge (ALJ) has ruled that the Department of Homeland Security (DHS) must either disclose records of e-mail messages which we requested in the “native” file formats in which they are held on DHS servers or archival storage media, or must “demonstrate with sufficient justification that they cannot produce the documents in their original fully digital version.”

This ruling was made in response to an administrative appeal by the Identity Project of the DHS (non)-response to a FOIA request we made in 2016 for the reports submitted to the DHS each month on how may people attempted to enter Federal facilities without ID or with ID deemed “noncompliant” with the REAL-ID Act of 2005, and what happened to these people. How many were eventually allowed to enter, and how many were turned away?

Read More

Jul 19 2021

Photographing and recording the TSA

After stalling for more than five years, the Transportation Security Administration has made public a curious internal memo regarding photography and audio and video recording at TSA checkpoints.

The TSA wants to photograph us and track our movements and activities using facial recognition, but wants to limit our ability to photograph and record its activities.

The memo was released in May 2021 in response to a Freedom Of Information Act (FOIA) request made by Sai in March 2016. The memo itself is undated, but was distributed in July 2011 to TSA Federal Security Directors (FDSs) “for your immediate dissemination and implementation.” Needless to say, that “dissemination” did not include disclosure to the public, then or at any time until now, ten years after the fact.

That we have to make FOIA requests for internal TSA records like this, wait years for answers, and then try to parse the fragmentary responses for clues about TSA “policy” — rather than reading official policies applicable to the public in the U.S. Code, the Statutes at Large, or the Code of Federal Regulations — is indicative of the systemic problem of secret law.

But since secret rulemaking is standard operating procedure for the Department of Homeland Security and its components, what can we learn form the most recently-released memo about photography and recording at TSA checkpoints?

Read More

Jun 17 2021

DHS still evades review of no-fly orders

Two recent court cases, and follow-up articles and interviews with the plaintiffs and their lawyers, show how the highest priority for the U.S. government with respect to no-fly orders continues to be preventing judicial review of these government decisions, not preventing terrorism.

When an airline requests permission to allow an individual to board a flight, and the U.S. Department of Homeland Security (DHS) declines to give permission, that “Boarding Pass Printing Result” (BPPR) message is communicated only to the airline,  not the would-be traveler. Even the airline is not told the basis, if any, for the negative BPPR message. (The default is “No”, in the absence of affirmative, individualized government permission-to-board.)

Again and again and again, when people have challenged these no-fly orders in U.S. courts, the government has chosen not to disclose or defend the basis for its decisions that these people constitute a threat to aviation sufficient to justify restricting their right to travel.

Instead, the government has told the plaintiffs that they have been (although perhaps only temporarily) removed from “the no-fly list” (although with no assurance that they won’t again be prevented from traveling in the future), and then gotten their complaints dismissed in court as “moot”. Only rarely has it been possible to pursue these cases.

A special law restricting the jurisdiction of the Federal courts over “orders” of the Transportation Security Administration (TSA), 49 U.S.C. § 46110, has also been used to avoid fact-finding as to the basis, if any, for these orders. In our opinion this law is clearly unconstitutional. But the Constitutionality of this law has not yet been directly ruled on, and it has been the subject of little Congressional scrutiny.

If the government really thought these people were dangerous, it should have gone to court sooner to obtain injunctions or restraining orders restricting their freedom of movement. If challenged, it should have defended its actions before Federal judges in adversarial, evidence-based fact-finding proceedings.

The government has chosen to do neither, and has consistently responded to no-fly lawsuits by taking almost everyone with the means and will to pursue extended litigation off the not-fly list. This reflects the reality that the DHS sees judicial oversight of its actions, not terrorism, as the greater threat to its standard operating procedures. The top DHS priority is to be able to continue its practice of extrajudicial secret decision-making — disconnected from facts and based instead on fantasies of “pre-crime” predictive ability — about who is, and who is not, allowed to exercise their Constitutional rights.

The stories of Ahmad Chebli and Ashraf Maniar illustrate how this plays out in real life —  and how it wrecks real people’s lives and livelihoods.

Read More

May 17 2021

ACLU: “Digital IDs Could Be a Nightmare”

As the U.S. Department of Homeland Security is soliciting proposals from vendors for how to put digital versions of drivers licenses and other ID credentials on smartphones, the ACLU has released a timely and insightful white paper, Identity Crisis: What Digital Driver’s Licenses Could Mean for Privacy, Equity, and Freedom, by Jay Stanley of the ACLU Speech, Privacy, and Technology Project, along with an executive summary in the form of a blog post, Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare.

The ACLU white paper links to some of our research and reporting and highlights many of our concerns with compelled identification, the REAL-ID Act, invisible virtual checkpoints, ID-based blacklists and controls on what we are and aren’t allowed to do, and the role of AAMVA and other “private” entities as outsourced, opaque, unaccountable, creators of ID “standards” that function as de facto laws and regulations that govern our movements and activities, but that are adopted in secret, exempt from the Freedom Of Information Act or other transparency laws, and lack basic privacy protections. or respect for rights recognized by the U.S. Constitution and international human rights treaties.

We encourage readers interested in these issues to read the ACLU white paper in full. But here’s an excerpt form the introduction to the white paper, framing the issue:

Read More

Apr 21 2021

DHS wants to put REAL-ID drivers licenses on smartphones

The Department of Homeland Security has published a Request For Information (RFI) from vendors and other stakeholders regarding standards for drivers licenses and other IDs stored on smartphones or other mobile devices to be considered compliant with the REAL-ID Act of 2005.

Responses to the RFI are due by June 18, 2021.

The amendments to the REAL-ID Act signed into law at the end of 2021 included provisions authorizing the DHS to certify digital ID credentials as “REAL-ID compliant”. That certification can’t happen, though, until the DHS promulgates new regulations.

The RFI published in the Federal Register this week is not formerly part of such a rulemaking, but appears to be part of the preparations for it.

A “mobile ID” would consist of a certificate digitally signed by a state department of motor vehicles. The RFI contemplates a process through which “individuals would electronically send identity verification information to the DMV to establish their identities and ownership of the target device.” No explanation or justification is provided for why or how a digitally-signed certificate would be, or should be, bound to a specific device, rather than simply provided as a file that can be stored on any digital device or storage medium.

It’s just as easy to loan a smartphone or other mobile device to another person whose appearance is similar as it is to loan a physical ID card to another person.

A drivers license rarely needs to be displayed, and in the form of a wallet-sized plastic card it  can be kept in a relatively secure pocket or compartment of a purse. A smartphone, in marked contrast, is likely to be frequently consulted and carried in a location on one’s person that is much more exposed and vulnerable to snatch-thieves than one’s wallet.

A smartphone is already, for many people, vulnerable as a single point of failure for identity and password management. Binding a digital ID to a specific smartphone appears likely to increase the risk and exacerbate the consequences of smartphone theft as a method of identity theft.

The RFI says that the DHS is considering incorporating the American Association of Motor Vehicle Administrators Mobile Driver License (mDL) Implementation Guidelines (April 2019) in the DHS standards and regulations, and the DHS seeks comments on those AAMVA guidelines. But those AAMVA guidelines are posted only on the “members-only” portion of the AAMVA website, and aren’t available to the public.

In the past, when we reposted specifications for the AAMVA’s national REAL-ID database that AAMVA had posted for years on the public portion of its website, AAMVA not only moved those specifications to to the members-only portion of its website, but asserted their copyright and threatened us with litigation to get us to take them off our site.

The DHS notice purporting to invite the public to submit comments on a secret document, not available to the public, that might be incorporated into DHS regulations, exemplifies everything that is wrong with both secret law and the outsourcing of “lawmaking” to entities such as AAMVA that are nominally private and not subject  to Federal or state freedom of information, public records, or open meetings laws.

There’s no indication in the RFI as to when or how the DHS plans to move forward with the separate rulemaking and approval procedures that will be required if it is to follow through on its threats to start turning away would-be air travelers at TSA checkpoints if they don’t have REAL-ID approved ID or don’t have or show any ID.