Oct 09 2020

Port of Seattle continues debate on facial recognition

The debate continues on whether the Port of Seattle should allow or pay for continued or expanded use of facial recognition at Sea-Tac Airport (SEA) and the Seattle cruise port.

Yesterday Port of Seattle staff and a subcommittee of the Port Commission met with an advisory committee on biometrics appointed by the Port Commission.

Jennifer Lee of the ACLU of Washington State delivered a letter co-signed by a coalition of organizations including the Identity Project urging the Port Commission not to authorize, pay for, or participate in any use of facial recognition to identify travelers:

On December 10, 2019, the Commission adopted seven principles to guide its decision-making on if and how biometrics should be used at the Port. These principles are: justified, voluntary, private, equitable, transparent, legal, and ethical.

We do not believe that either the current or the proposed uses of biometrics to identify travelers on Port property can be implemented in a manner consistent with these principles. Port staff state that its recommendations “are not meant to suggest that the Port should implement public-facing biometrics, but rather how to do so in alignment with our guiding principles.”  The only action that would be aligned with those principles would be to ban the use of facial recognition technology to identify members of the public by the Port, as well as by the Port’s tenants and contractors….

1. We urge the Port of Seattle Commission to reject participation in, and funding of, CBP’s facial recognition exit and entry programs….

2. We urge the Port of Seattle Commission to prohibit use of facial recognition technology by private entities.

The Port of Seattle should prohibit business tenants such as airlines from integrating with CBP’s Traveler Verification Service (TVS) — the agency’s “Identity as a Service” biometrics system…. When Port tenants integrate with CBP’s TVS architecture, it is impossible to separate “private” or non-federal surveillance from federal government surveillance of travelers. Travelers may think that they are having their photo taken at a self-service kiosk solely for use by the airport or airline. But in reality, that photo will also be shared with DHS and CBP.

The Port, airlines, and contractors should not obscure the role of DHS and CBP by collecting facial images on their behalf. The Privacy Act, as discussed further below, requires that if an individual’s personal information is to be used by a federal agency, it must be collected by that agency directly from that individual. The best way to provide travelers with clear notice that facial images are being passed on to DHS is to require that any such images be collected by identifiable, uniformed DHS staff, using DHS equipment, at DHS’s expense.

The Port meeting also heard from the office of Rep. Pramila Jayapal, who represents the city of Seattle and environs (although not Sea-Tac Airport) in Congress.  Noting the concerns that led her to introduce a bill in Congress that would “place a prohibition on the domestic use of facial recognition technology by federal entities, which can only be lifted with an act of Congress,” Rep. Jayapal suggested that the Port Commission “consider a moratorium on the use of biometrics technology in all Port activities under its purview.”

Read More

Sep 09 2020

Portland bans facial recognition by city agencies or in places of public accommodation

Today the City Council of Portland, Oregon, voted unanimously to ban the use of facial recognition technology by City agencies or by private entities in places of public accommodation within the City limits, including at the Portland International Airport (PDX), effective immediately.

Many local and national organizations and individuals testified eloquently in favor of these proposals. We don’t need to repeat all of their general arguments.

But a point of particular concern and particular pleasure for us is that the Port of Portland asked the City Council for an exemption from the ban to allow use of facial recognition “for air carrier passenger processing” — and was turned down.

No member of the City Council mentioned the Port’s request for a carve-out for facial recogntion of air travelers during the City Council discussion, and the proposals were adopted without amendment except for making the ban on private use of facial recognition in places of public accommodation effective immediately, as had already been proposed for the ban on use by city agencies. (The amendment to make the private entity ban effective immediately was made verbally during the City Council meeting, so it isn’t reflected in the advance text of the proposal.)

This is an important precedent , as Portland is only the second jurisdiction in the US to consider local rules related to facial recognition at its airport.

Earlier this year, after behind-the-scenes threats by the US Department of Homeland Security (DHS) to make life difficult for the Port of Seattle if it didn’t collaborate with DHS facial recognition schemes at Sea-Tac International Airport (SEA) and allow airlines and contractors also to do so, the Port of Seattle Commission reneged on the aspirational policy principles it adopted in 2019  and decided to buy and operate common-use facial recognition cameras integrated with DHS and airline databases and operations.

(See our written testimony to the Seattle Port Commission on use of facial recognition at SEA: 1, 2, 3., and articles in our blog here and here.)

The decision by the Port of Seattle was made just before the COVID-19 pandemic drastically reduced traffic at SEA and other airports and delayed the need for the new gates at SEA where the DHS-linked cameras were to be installed. A broad coalition of local and national community and civil liberties organizations has called on the Seattle Port Commission to use the opportunity provided by this delay to reconsider its decision on facial recognition.

Portland did significantly better than Seattle in working to distance itself from and isolate the DHS — not surprisingly in light of the object lesson the DHS has provided in Portland recently with respect to DHS trustworthiness (not), self-restraint (not), commitment to the rule of law (not), and respect for civil and human rights (not). Portlanders don’t trust the DHS to behave any better at PDX Airport than it’s been behaving on the streets of Portland.

PDX airport is located within the City of Portland but operated by the Port of Portland, a special-purpose agency of the state of Oregon governed by a board appointed by the Governor of Oregon. The City of Portland can’t prevent use of facial recognition by the DHS or the Port of Portland, but can regulate or prohibit its use by private entities, including airlines, within the city limits, including at the airport.

The Port of Portland has the authority to enter into contracts, borrow and spend money, manage its employees, and enact rules for activities at PDX Airport. But in addition to the requirements of due process and other Constitutional rights, and the obligations on the airport as a publicly owned and operated place of public accommodations and common-carrier facility, the legislative authority of the Port is limited to the issuance of rules consistent with city ordinances. That appears to mean that the Port may not prohibit that which the city has duly prohibited. (If readers have more expertise on this jurisdictional issue, feel free to leave a comment or drop us a line.)

The Federal government could preempt the Portland ordinances if it enacted valid laws or promulgated valid regulations mandating use of facial recognition by Federally-regulated airlines and/or airports. But no law mandates use of facial recognition for US citizens, even when traveling internatoinally, or for passengers on domestic flights

The DHS has refrained from promulgating any such regulations, preferring to operate outside the law than to establish any legal framework for its use of facial recognition or subject it claim of authority to notice-and-comment rulemaking or judicial review. A petition for rulemaking on use of biometrics for traveler identification submitted to the DHS by the Portland-based World Privacy Forum has been ignored by the DHS for almost two years.

While the DHS has engaged in heavy-handed behind-the-scenes lobbying and threats to “persuade” airlines and airport operating agencies to become its “partners” in biometric surveillance and control of air travelers, as it did in Seattle, the DHS has continued to maintain — correctly — that this “cooperation” is entirely voluntary. In declining to participate, and by exercising its jurisdiction to prohibit airlines or other contractors form doing so within the city limits, the City of Portland is doing only what the DHS has consistently said that local jurisdictions have the authority to do, if they so choose.

The July 14, 2020, letter from the Port of Portland to the Portland City Council requesting exemption from the facial recognition ban made numerous false factual claims and specious arguments. Since these bogus arguments are likely to be raised again in other cites despite having failed to persuade any of the members of the Portland City Council, it’s worth noting and debunking them:

Read More

Sep 04 2020

ICAO mandates worldwide government surveillance of air travelers

Playing out the endgame we predicted last year of a two-decade campaign by the US government to establish a global regime of government surveillance of air travelers, the International Civil Aviation Organization (ICAO) has adopted an amendment to the Chicago Convention on Civil Aviation that will require each of the 193 state parties to that treaty — essentially every national government in the world — to require all airlines operating international flights to provide a designated government agency with complete mirror copies of all reservation records (“Passenger Name Records“) in a standard PNRGOV transmission format.

This is an extraordinary and, so far as we can tell, unprecedented globalization and normalization of suspicionless mass surveillance of the innocent exercise of legal rights.

To the best of our knowledge, this is the first time that any industry — much less an industry of common carriers required by law (including by international aviation treaties) to transport all would-be passengers, without discrimination, in the exercise of a right to freedom of movement also recognized by international treaties — has been mandated by international treaty to provide government agencies worldwide with complete copies of its commercial records of each of its transactions with a customer. No such treaty obligation exists, for example, with respect to records of postal, telephone, Internet, or financial transactions.

The exercise of rights should not be deemed per se suspicious or a legitimate grounds for surveillance.

The requirement for PNR-based surveillance of air travelers is included in Amendment 28 to Annex 9 to the Chicago Convention. This amendment was approved by ICAO’s Council — an executive committee of countries elected by ICAO’s members to make decisions between ICAO’s triennial General Assembly of all member states — on June 23, 2020.

Read More

Jul 23 2020

CBP to buy license-plate reader data to track vehicles away from borders

Are parking garages and toll roads spying on innocent motorists for Federal police?

Reversing a decision made in response to public pressure in 2014, US Customs and “Border” Protection (CBP) plans to pay a commercial aggregator of license-plate reader data to track vehicles that aren’t near any US border or in the “border zone” within 100 miles of coasts and borders where CBP has its own license plate readers, according to a Privacy Impact Assessment (PIA) published this month.

According to the new PIA, the aggregated commercial database that CBP is paying to query includes “nationwide… license plate image information from private businesses (e.g., parking garages), local governments (e.g., toll booth cameras), law enforcement agencies, and financial institutions via their contracted repossession companies.”

The PIA is worded in the future tense (“CBP plans to…”), but the contract is describes may already have gone into effect, or could do so at any time.

Read More

Jul 17 2020

FBI enlists reservation services to spy on travelers

[The role of CRSs in the travel data ecosystem and government access to airline data. Slide from Identity Project presentation on C-SPAN, April 2, 2013.]

A report by Thomas Brewster published yesterday by Forbes discloses that the FBI has used court orders issued under the “All Writs Act” (AWA) to order operators of computerized reservation systems (CRSs) to provide weekly reports on any new reservations made by specified persons of interest, for periods of as long as six months at a time.

The article in Forbes includes a copy of one of these orders issued to Sabre, which mentions, by way of legal precedents, some other such orders issued to Sabre:

Forbes also describes a similar All-Writs Act order issued to Travelport, another of the three major CRS operators.

Who are these CRSs? What are we to make of these court orders? And is there anything really surprising about the newly-revealed All Writs Act orders to Sabre and Travelport?

This report in Forbes and these orders aren’t a surprise, but they do provide positive confirmation of (previously suspected) facts about US government activities and US law that may be of considerable significance to challenges to travel surveillance under the laws of other countries including the European Union, Canada, and possibly others.

Read More

Jul 16 2020

European court (again) finds US data protection inadequate

Today the highest court in the European Union ruled (summary, full decision) for the second time, that US law does not provide an “adequate” level of protection for personal information transfered from the EU to companies or servers in the US.

What does this mean for Passenger Name Records (PNRs) or other records of our travels?

Understanding the implications of today’s decision — especially with respect to airline reservations and other  information about when, where, how, and with whom we have traveled — requires some review of the background:

Read More

Jun 30 2020

Freedom to travel across state lines

Oral arguments have been scheduled by two different Federal District Court judges for this Thursday, July 2, 2020, on motions for temporary restraining orders against enforcement of separate state health orders mandating 14-day quarantine of all people arriving in New York or Hawaii from out of state.

Corbett v. Cuomo will be argued at 2 p.m. EDT by telephone in New York; Carmichael v. Ige will be argued in person (and not available for remote auditing) at 11 a.m. HST in Hawaii.

The Hawaii quarantine order, as we’ve discussed previously, applies to anyone arriving from out of state. The New York order only applies to people who have visited certain states designated by New York authorities, but those states include almost half the US population. The blacklisted states include Georgia and Texas, so anyone who changes planes in Atlanta, Houston, or Dallas-Ft. Worth — all major airline hubs — en route to New York is affected, even if they are coming from some other, less-infected state.

As the complaint in the New York case notes, it’s unclear whether those involuntarily quarantined in New York will be held in jails, hospitals, or some other locations, but according to a public statements by New York Governor Cuomo cited in the complaint, they are to be detained at their own expense.

On its face, the New York order applies to anyone arriving in New York who has recently been in any of the blacklisted states, even if they don’t intend to stay in New York. This would include people changing planes in New York, or passing through on the short New York section of Interstate 95 or on the Northeast Corridor between New England and New Jersey, Pennsylvania, and points south and west. All routes between New England and the rest of the US pass through either New York or Canada. With the US-Canada border mostly closed, enforcement of the New York travel restrictions would render New England an isolted island accessible only by air.

In addition to the 14-day quarantine, New York state has also begun demanding that each interstate traveler arriving by air (regardless of their state of residence or whether they have visited any of the blacklisted states) complete and sign a written declaration (Exhibit B to the complaint) about themselves, their business affairs, and their travels.

The Hawaii and New York quarantines and the New York questionnaire for interstate air travelers are all backed with threats of arrest and fines for noncompliance.

The New York quarantine order and travel declaration are being challenged by Jonathan Corbett, who has his primary residence and business interests in Brooklyn, New York, but is also a member of the California bar who practices law in California. Before his admission to the bar, Mr. Corbett had brought multiple pro se lawsuits challenging restrictions on air travel and searches of travelers, including the TSA’s use of “virtual strip-search” imaging machines.

Significantly, in light of the written declaration that the state of New York is now ordering arriving air travelers to fill out and sign, Mr. Corbett has also previously challenged administrative interrogations of air travelers (who aren’t suspected of any crime) by, or at the behest of, the TSA. That case was dismissed without the court reaching the Constitutionality of administrative interrogation of travelers. So far as we know, Corbett v. Cuomo is the first time this issue has arisen in a COVID-19 quarantine case.

There’s extensive case law on administrative searches, but very little on administrative interrogations. Mr. Corbett argues, and we concur, that he has an absolute right to stand mute in response to interrogatories by state authorities at state borders or airports.

In the current circumstances, it’s tempting to give health authorities a free pass for whatever they do, “because pandemic”. But that would be a mistake. We’ve already seen what happened when authorities were given free rein to impose new restrictions on travelers after September 11, 2001, “because terrorism”. Many of those measures had no rational relationship to the prevention of terrorism, were implemented without regard for Constitutional rights, and have become permanent, or effectively so.

How long will the current health emergency last? And will Federal, state, and local government agencies return to their prior practices at airports and borders if and when the emergency is declared to have ended, or will restrictions imposed during the pandemic become the permanent “new normal”?

If our Constitution is to have meaning, and if there is a sufficient justification for restrictions on travel, it should be possible to defend those restrictions on the basis of the Constitution. It should not be necessary to argue for suspending the Constitution.

Read More

Jun 23 2020

TSA wants more authority for ID demands, “vetting”, and data use

The Transportation Security Administration (TSA) wants more power to require ID from travelers (“credentialing”), control who is and who is not allowed to exercise their right to travel (“vetting”), and use and share information about travelers with more third parties and for more purposes (“expanded data use”).

These TSA priorities for the next two years are included in a 2020 update released today to the 2018 implementation road map for the TSA and White House long-term strategic plans for travel surveillance and control.

TSA Administrator David Pekoske’s oddly-named “Intent 2.0” strategy update also prioritizes “biometric vetting and [identity] verification”, a “near-contactless experience” at TSA checkpoints, and “vetting as a service”.

The “near-contactless experience” would be achieved, it appears, not through reduced hands-on groping or fewer demands for ID, but through increased use of remote sensing such as facial recognition.

“Vetting as a service” refers to allowing airlines, airport operators, and perhaps other government agencies and/or commercial third parties to use the TSA’s databases of profiles, risk scores, travel histories, free-text comments in reservations by travel industry workers, unverified aggregated derogatory data form other sources, and biometric and other identifiers for their own purposes. This not only expands the potential adverse impact of arbitrary secret algorithmic profiling based on secret databases, but gives airlines a financial incentive to carry out facial-recognition surveillance on the TSA’s behalf in order to get a free ride to use the TSA’s identification/vetting service for business process automation, personalization (including personalized pricing), or other purposes.

None of the TSA’s strategy documents say how the TSA hopes to acquire “expanded vetting and credentialing authorities” or “expanded approvals for data use”. Will the TSA seek to have these included in new laws? Or will to try to grant itself wider authority through  rulemaking or press releases, as it has often done in the past?

At least now we know, if we didn’t already, what to watch out for from the TSA in the months and years ahead.

Jun 08 2020

TSA to take mug shots of domestic air travelers

The Transportation Security Administration (TSA) has officially although quietly announced that, as it has planned for years, its deployment of mug-shot machines at airport checkpoints will move from pilot projects to the new normal for domestic air travelers.

According to a Privacy Impact Assessment (PIA) released last week, the TSA plans to integrate facial recognition into the Secure Flight profiling, scoring, and control system used by the TSA and other linked agencies to decide who is, and who is not, “allowed” to pass through TSA checkpoints to exercise their right to travel by airline common carrier.

Cameras to photograph would-be travelers’ faces will be added to each of the stations at airport checkpoints where TSA employees and contractors currently scan would-be passengers’ travel documents (boarding passes and, if they present ID, ID documents).

Read More

Jun 02 2020

“Immunity passports”, opportunism, and COVID-19

Today the Appropriations Committee of the California Assembly held another hearing on A.B. 2004, a bill that would add to state law a provision that:

An issuer, including an issuer that is a public entity, of COVID-19 test results or other medical test results may use verifiable credentials, as defined by the World Wide Web Consortium (W3C) for the purpose of providing test results to individuals.

What does this mean? Why does it matter? Is it part of a larger pattern?

Read More