Papers, Please!

The Identity Project

Category Archives: Secret Law

Jan 20 2023

The #NoFly list is a #MuslimBan list

[CommuteAir routes operated as “United Express”]

In news first reported by Mikael Thalen and David Covucci of of the Daily Dot, Swiss hacker maia arson crimew has found versions of the Transportation Security Administration’s “No-Fly” and “Selectee” lists dating from 2019 on insecure Amazon Web Services cloud servers used by the airline CommuteAir for software development and staging.

CommuteAir is little known in its own name, but operates as a subcontractor to United Airlines for flights by regional jets between United hubs and secondary airports marketed under the “United Express” brand with United Airlines flight numbers.

In a statement to the Daily Dot, CommuteAir confirmed that, “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth.”

This isn’t the first time that information about the TSA’s “watchlists” (blacklists) and related procedures has been leaked or left exposed on the Internet. In 2009, the TSA posted an unredacted copy of its Standard Operating Procedures for “screening” of airline passengers on a Federal government website for contractors. In 2014, the Terrorist Screening Center’s Watchlisting Guidance, which describes the methodology and purported basis for entering names on the No-Fly, Selectee, and other blacklists, was obtained and published by The Intercept.

The lists found by maia and shared with journalists and researchers confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.

The data in the files found by maia is limited to first and last name and date of birth and a sequence number for each listing, but there are headers for several other fields that are blank in most of the records: place of birth, citizenship, passport or ID number, “MISC”, and a blank field labeled “CLEARED” which may have been used to indicate those entries that were intended to be to be whitelisted rather than blacklisted.

The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming  names. More than 10% of the entries on the No-Fly list (174,202 of 1,566,062)  contain “MUHAMMAD” in either the first or last name fields. “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” maia told the Daily Dot.

[Some of the listings for Osama Bin Laden — already long dead — on the 2019 No-Fly List]

The “NOFLY.csv” file found by maia contains 1,556,062 entries. The “SELECTEE.csv” file contains 251,169. The youngest of those on this version of the No-Fly List, as of 2019, were three four-year-olds. The oldest were twenty-five centenarians.

Read More

Dec 05 2022

DHS resets the clock on its threat to stop flyers without ID

 

Soccer fans have been noticing unusually large amounts of stoppage time added on to extend the final whistle in many of this year’s World Cup matches. But FIFA and World Cup referees have nothing on the US Department of Homeland Security when it comes to extending the end of the game of REAL-ID chicken that the DHS has been playing with air travelers.

Just a few months after adding a countdown clock to its website to add artistic verisimilitude to its threat to start “enforcing” a nonexistent law prohibiting flying without ID, the DHS has set that clock back by two more years.

The change announced today — only the most recent in a seemingly endless series of postponed empty REAL-ID threats — again postpones, but does not withdraw, the DHS threat to start preventing people without ID from traveling by airline within the US.

The DHS says it plans to promulgate another set of amendments to its regulations implementing the REAL-ID Act of 2005, postponing “enforcement” of the REAL-ID Act at airports until May 7, 2025. Conveniently for current Federal officials, that punts the problem of how to respond to the inevitable resistance to an attempted ban on flying without ID into the next Presidential administration.

Today’s press release from the DHS says, in part:

Under the new regulations, beginning May 7, 2025, every traveler 18 years of age or older will need a REAL ID-compliant driver’s license or identification card, state-issued enhanced driver’s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.

We  doubt, however, that the revised regulations will contain any such provision. None of the previous versions of the REAL-ID regulations contained any provision requiring air travelers to identify themselves, and any such regulatory provision would exceed the implementing authority granted to the DHS by the REAL-ID statute.

The REAL-ID Act restricts what ID credentials a Federal agency can accept, in circumstances where ID is required by some other Federal law or regulation. But neither the REAL-ID Act nor any other current or proposed Federal law or regulation requires travelers to show any ID to pass through Transportation Security Administration checkpoints or board domestic flights within the US — as the TSA itself has argued whenever ID to fly has become an issue in court.

It should go without saying that one doesn’t have to take a “flying test” to obtain a drivers license. A drivers license is not a permit to fly, and possession (or not) of a valid drivers license is entirely unrelated to entitlement to travel by common carrier. The REAL-ID Act has done nothing to make flying safer, any more than preventing people without ID from flying would make flying safer. The only real impact of the REAL-ID Act  has been the creation of an (outsourced, privately held, opaque and uncontrolled) national ID database  (SPEXS) aggregated from state and territorial driver’s license records.

By the time the two more years of added “stoppage time” runs out on the DHS threat clock, twenty years will have passed since the REAL-ID Act was rushed through Congress in post-9/11 panic, without debate and with hardly time for legislators to read the bill.

Time is running out on the REAL-ID Act. It’s time for Congress to admit that the REAL-ID Act was wrong from the start, has enabled the creation of a de facto national ID database  overwhelmingly opposed by the American public, and should be repealed.

Nov 23 2022

The airport of the future is the airport of today — and that’s not good.

(video; slides)

[Facial recognition at each step in airline passenger processing. Slide from presentation by Heathrow Airport Holdings Ltd. to the International Civil Aviation Organization (ICAO) Traveler Identitification Program symposium, October 2018]

Today, the day before Thanksgiving, will probably be the busiest day for air travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.

If you are flying this week for the first time in three years, what will you see that has changed?

Unfortunately, many of the most significant changes made during the pandemic are deliberately invisible — which is part of what makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by design airport of the future that we’ve been worried and warning about for many years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic, airports have taken advantage of the opportunity to move ahead with expansion and renovation projects. While passenger traffic was reduced, and terminals and other airport facilities were operating well below capacity, disruptions due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports in the U.S. and around the world is that they are designed and built on the assumption that all passengers’ movements within the airport will be tracked at all times, and that all phases of “passenger processing” will be carried out automatically using facial recognition, as shown in this video from a technology vendor, Airport of the Future:

[Stills from 2019 vendor video, Airport of the Future.]

In the airport of the future, or in a growing number of present-day airports, there’s no need for a government agency or airline that wants to use facial recognition to install cameras or data links for that purpose. As in the new International Arrivals Facility at Sea-Tac Airport, which opened this year, the cameras and connectivity are built into the facility as “common-use”  public-private infrastructure shared by airlines, government agencies, and the operator of the airport — whether that’s a public agency (as with almost all U.S. airports) or a private company (as with many foreign airports).

Read More

Sep 16 2022

Countdown to a crackdown on flying without ID

The Department of Homeland Security has added a Countdown to REAL ID Enforcement at airports to its website. But questions remain as to what this really means, despite our best efforts to find out.

What — if anything — will really change at Transportation Security Administration checkpoints when this countdown clock runs out on May 3, 2023?

Nothing in the law will change on that date. The REAL-ID Act of 2005 established criteria for which ID credentials can be “accepted” by Federal government agencies, in circumstances where individuals are required by Federal law or regulations to possess and/or show some evidence of their identity. But the consistent position of the DHS and TSA in litigation has been that no law or regulation requires air travelers to possess or show any ID. And the REAL-ID Act did not create any new requirement to have or show ID to fly.

Since the REAL-ID Act applies only to which IDs are accepted from those who choose to show ID to fly, it should have no effect, now or at at any date in the future, on those who don’t have, or choose not to show, ID to fly. They still have the right to fly without ID — as more than a hundred thousand people do every year — subject at most to a more intrusive administrative search of their person and baggage.

The “deadline” announced by the DHS and TSA might indicate plans for new regulations that would impose a requirement for air travelers to have or to show ID. But no such regulations have been proposed or included in DHS or TSA agendas of planned rulemaking.

Despite the lack of any apparent legal authority, however, it appears from the latest extrajudicial DHS and TSA rulemaking-by-press-release that these agencies plan to begin preventing anyone from flying without ID on or after May 3, 2023, on unknown grounds.

The following statement now appears on the DHS and TSA websites:

What happens if I show up without a valid driver’s license or state ID?

Starting May 3, 2023, every traveler will need to present a REAL ID-compliant license or an acceptable form of identification to fly within the U.S. Passengers who do not present an acceptable form of identification will not be permitted through the security checkpoint.

This would be a major change, with no legal basis, from current practice or any previously disclosed DHS or TSA plans.

Read More

Jun 06 2022

Another legal “victory” but still no justice for tortured traveler

For more than a decade (see our articles from 2012 and 2018), we’ve been monitoring the saga of Yonas Fikre, a US citizen who was placed on the US government’s “No-Fly List” and blacklisted by his government as a “suspected terrorist” while he was overseas on business.

Last week, after nine years and counting in the courts, Mr. Fikre “won” a second successive favorable decision on pre-trial appeals to the 9th Circuit US Court of Appeals, but his quest for justice remains unfulfilled. The history of this case to date is a case study in the lack of accountability or judicial review for no-fly decisions and decision-makers.

Read More

Apr 08 2022

Amtrak gave train reservations to the TSA for a profiling test

[“Secure Flight” process flow used by the TSA for airline passengers and being tested on Amtrak passengers. The red box at right center is the “black box” for algorithmic profiling, blacklist/blocklist enforcement, and fly/no-fly decision making.]

Amtrak has reportedly given the Transportation Security Administration several months of  archives of Amtrak passenger reservations and frequent rider profiles. At Amtrak’s request, the TSA has used these records to test the TSA’s ability to extend to Amtrak passengers the ID-based profiling and blacklisting algorithms the TSA already applies to air travelers.

If you aren’t allowed to travel by air, the right to travel by train is critical. And while all common carriers have an obligation to transport all would-be passengers, Amtrak as a government agency should be most strictly held to that obligation.

The plans to run a batch of historical Amtrak reservations through the TSA’s “threat assessment” black box were disclosed in a Privacy Impact Assessment (PIA) quietly posted on the Department of Homeland Security website last December, and first noted in a news report by Mark Albert of Hearst Television earlier this week.

The PIA posted by the TSA in December 2021 said that Amtrak would give notice of the batch transfer of reservation archives to the TSA through an update to Amtrak’s privacy policy. That policy was last updated in November 2021, and doesn’t mention data sharing with the TSA. But a follow-up report today by Hearst Television quotes the TSA as saying that, “The collection of data and analysis has already occurred,” without the promised notice in Amtrak’s privacy policy.

What will this TSA’s test of Amtrak passenger profiling reveal? Of course some of the people who aren’t allowed to travel by air travel by train or bus instead. Amtrak and Greyhound are the long-distance carriers of last resort for undocumented and blacklisted travelers. So it’s to be expected that the TSA will find a disproportionate percentage of the people it has blacklisted from air travel on Amtrak passenger manifests.

Even more people will be forced to take Amtrak or Greyhound instead of flying if the TSA — as it has threatened — starts preventing people from flying if they don’t have, or don’t show, any ID, or ID the TSA deems to be compliant ID with the REAL-ID Act.

Does this mean that would-be terrorists are riding Amtrak trains? No. It means only that people blacklisted from air travel are riding trains. So far as we know, there have been no terrorist attacks on Amtrak trains. The false positives generated by the TSA’s “threat assessment” algorithms and precogs are evidence of what’s wrong with predictive profiling and why the right to travel by common carrier is so important.

The TSA and DHS have long wanted to extend their prior restraint of travel from airline passengers to all modes of travel including  trains and buses, but have lacked any legal basis to do so. Amtrak’s sharing of reservation  data with the DHS, even for passengers on international trains, has been represented as a “voluntary” action by Amtrak.

In the absence of any notice from Amtrak, it’s unclear what Amtrak claims as the legal basis for the recent “test” of TSA profiling of passengers on domestic Amtrak trains. Read More

Jan 26 2022

9th Circuit to review secrecy of CRS-based travel surveillance

May court records related to orders requiring a travel reservations company to provide real-time updates to the U.S. government whenever a “person of interest” makes reservations for flights or other travel  be kept secret from the public, the press, and other travel companies including the airlines on which the target plans to travel?

That issue is now before the 9th Circuit Court of Appeals in the case of Forbes Media and Thomas Brewster vs. the United States (Court of Appeals Docket #21-35612).

The legal question before the 9th Circuit is whether courts can keep their own actions secret. That’s important, but the the underlying facts raise other issues as well.

Read More

Sep 15 2021

DHS must explain failure to release e-mail files

In a victory for the Freedom Of Information Act (FOIA), an Administrative Law Judge (ALJ) has ruled that the Department of Homeland Security (DHS) must either disclose records of e-mail messages which we requested in the “native” file formats in which they are held on DHS servers or archival storage media, or must “demonstrate with sufficient justification that they cannot produce the documents in their original fully digital version.”

This ruling was made in response to an administrative appeal by the Identity Project of the DHS (non)-response to a FOIA request we made in 2016 for the reports submitted to the DHS each month on how may people attempted to enter Federal facilities without ID or with ID deemed “noncompliant” with the REAL-ID Act of 2005, and what happened to these people. How many were eventually allowed to enter, and how many were turned away?

Read More

Jul 19 2021

Photographing and recording the TSA

After stalling for more than five years, the Transportation Security Administration has made public a curious internal memo regarding photography and audio and video recording at TSA checkpoints.

The TSA wants to photograph us and track our movements and activities using facial recognition, but wants to limit our ability to photograph and record its activities.

The memo was released in May 2021 in response to a Freedom Of Information Act (FOIA) request made by Sai in March 2016. The memo itself is undated, but was distributed in July 2011 to TSA Federal Security Directors (FDSs) “for your immediate dissemination and implementation.” Needless to say, that “dissemination” did not include disclosure to the public, then or at any time until now, ten years after the fact.

That we have to make FOIA requests for internal TSA records like this, wait years for answers, and then try to parse the fragmentary responses for clues about TSA “policy” — rather than reading official policies applicable to the public in the U.S. Code, the Statutes at Large, or the Code of Federal Regulations — is indicative of the systemic problem of secret law.

But since secret rulemaking is standard operating procedure for the Department of Homeland Security and its components, what can we learn form the most recently-released memo about photography and recording at TSA checkpoints?

Read More

Jun 17 2021

DHS still evades review of no-fly orders

Two recent court cases, and follow-up articles and interviews with the plaintiffs and their lawyers, show how the highest priority for the U.S. government with respect to no-fly orders continues to be preventing judicial review of these government decisions, not preventing terrorism.

When an airline requests permission to allow an individual to board a flight, and the U.S. Department of Homeland Security (DHS) declines to give permission, that “Boarding Pass Printing Result” (BPPR) message is communicated only to the airline,  not the would-be traveler. Even the airline is not told the basis, if any, for the negative BPPR message. (The default is “No”, in the absence of affirmative, individualized government permission-to-board.)

Again and again and again, when people have challenged these no-fly orders in U.S. courts, the government has chosen not to disclose or defend the basis for its decisions that these people constitute a threat to aviation sufficient to justify restricting their right to travel.

Instead, the government has told the plaintiffs that they have been (although perhaps only temporarily) removed from “the no-fly list” (although with no assurance that they won’t again be prevented from traveling in the future), and then gotten their complaints dismissed in court as “moot”. Only rarely has it been possible to pursue these cases.

A special law restricting the jurisdiction of the Federal courts over “orders” of the Transportation Security Administration (TSA), 49 U.S.C. § 46110, has also been used to avoid fact-finding as to the basis, if any, for these orders. In our opinion this law is clearly unconstitutional. But the Constitutionality of this law has not yet been directly ruled on, and it has been the subject of little Congressional scrutiny.

If the government really thought these people were dangerous, it should have gone to court sooner to obtain injunctions or restraining orders restricting their freedom of movement. If challenged, it should have defended its actions before Federal judges in adversarial, evidence-based fact-finding proceedings.

The government has chosen to do neither, and has consistently responded to no-fly lawsuits by taking almost everyone with the means and will to pursue extended litigation off the not-fly list. This reflects the reality that the DHS sees judicial oversight of its actions, not terrorism, as the greater threat to its standard operating procedures. The top DHS priority is to be able to continue its practice of extrajudicial secret decision-making — disconnected from facts and based instead on fantasies of “pre-crime” predictive ability — about who is, and who is not, allowed to exercise their Constitutional rights.

The stories of Ahmad Chebli and Ashraf Maniar illustrate how this plays out in real life —  and how it wrecks real people’s lives and livelihoods.

Read More