Archive for the ‘Surveillance State’ Category

Amtrak lied to travel agents who questioned ID requirements

Tuesday, September 19th, 2017

The encouraging disclosure in the latest installment of documents released by Amtrak in response to one of our Freedom Of Information Act (FOIA) requests is that some travel agents resisted Amtrak demands that they collaborate in surveillance, profiling, and control of train travelers by entering passport or ID numbers and details in each reservation for cross-border Amtrak travel.

According to an email message to Amtrak from a product manager at Worldspan (one of the major computerized reservation systems), “We have one subscriber [i.e. a travel agency that uses Worldspan] that has checked the Federal Register and is quoting ‘chapter and verse’ that it is not mandated … to provide the data”:

Some travel agents pushed back repeatedly, read the official notices and instructions to travel agents about the rail API program carefully (and correctly), and made a travel agency “policy decision of non-provision” of ID data about their customers:

Kudos to the unnamed travel agencies that refused to help the government spy on their customers and called Amtrak on its lies that this was required.

(more…)

California DMV proposes to “comply” with the REAL-ID Act

Monday, September 11th, 2017

On September 1, 2017, the California Department of Motor Vehicles quietly published a notice of proposed regulations that would purportedly allow the California DMV to issue drivers licenses and state ID cards that would be “compliant” with the Federal REAL-ID Act of 2005:

For many years, the California DMV has appeared intent on eventual “compliance” with the REAL-ID Act, regardless of whether that compliance was authorized by the legislature. The current DMV rulemaking proposal to bring California into “compliance” with the REAL-ID Act by administrative fiat is the latest and most significant step along that path, and a disturbing effort to bypass legislative debate.

We encourage all Californians who are concerned about freedom of movement, Federal commandeering of state agencies to function as agents for enforcing Federal restrictions on individual rights, and lack of transparency, oversight and accountability for biometric and ID databases to submit comments opposing the proposed regulations and, if you can make it to Sacramento, to testify at the hearing on October 16th.

(more…)

No US passports for “terrorist sympathizers”?

Friday, September 8th, 2017

Bills are moving forward in both houses of Congress which, if approved, would mandate the administrative, extra-judicial revocation, non-renewal, and refusal of issuance of a US passport to any US citizen, even if their citizenship is unquestioned and they have been accused of no crime, but “whom the Secretary [of State] has determined is a member of or is otherwise affiliated with an organization the Secretary has designated as a foreign terrorist organization pursuant to section 219 of the Immigration and Nationality Act (8 U.S.C. 1189).”

The proposed legislation would leverage administrative determinations related to immigration (which US courts have allowed to be largely exempted from judicial review insofar as they only affect foreigners who aren’t considered by the US to have the same human rights as US citizens) to impose a categorical ban on certain US citizens leaving or entering the US except at the (standardless, i.e. arbitrary) “discretion” of the Secretary of State.

Since June 1, 2009, US citizens have been forbidden by Federal law and regulations from crossing any border into or out of the US by any means (land, sea, or air) without a passport, passport card, or Federally-approved “enhanced” drivers license. Denial of a passport thus amounts to a categorical ban on leaving or returning to the US. As such,  it is a blatant violation of the rights of US citizens pursuant to the First Amendment “right of the people… peaceably to assemble” and their human rights pursuant to Article 12 of the International Covenant on Civil and Political Rights:

2. Everyone shall be free to leave any country, including his own….

4. No one shall be arbitrarily deprived of the right to enter his own country.

The proposed law would not define how, on what basis, according to what procedures, or using what standard of proof the Secretary of State would make determinations as to membership or other “affiliation” of a US citizen with a blacklisted organization.  To make matters worse, the bills proposing this travel ban for US citizens associated with blacklisted organizations contain no definition of “member” or “otherwise affiliated”.

If you don’t like the decision of the Secretary of State, the bill would provide you with a “Right of Review” entitling you to a hearing before … the  Secretary of State.

Substitute “Communist” for “terrorist” in the proposed legislation, and it becomes clear that these bills would recreate the worst of the guilt-by-association witch-hunting of the MyCarthyist and other Red Scares.

Commie sympathizer? No passport for you! Terrorist symp? No passport for you!

(more…)

Biometric entry/exit tracking of US citizens

Tuesday, August 1st, 2017

We were invited to a briefing session today at U.S. Customs and Border Protection (CBP) headquarters: “an information sharing session and open dialog …  with external privacy stakeholders” to discuss “recent enhancements to CBP’s biometric exit initiatives” and “CBP’s implementation plans for a biometric exit system“.

Although we weren’t able  to make it to Washington for today’s meeting, we have many questions about CBP’s ongoing (and illegal, as discussed below)  photographing of the faces of US citizens entering the US, and the agency’s plans to expand the current (also illegal) trials of exit photography to include most or all US citizens leaving the country.

We look forward to another chance to quiz CBP officials about these programs and their (lack of) legal basis. More importantly, we hope that members of Congress and the public will ask hard questions about these programs if regulations or legislation are proposed that would purport to authorize them.

We share the general concerns raised by others about the use of biometric information such as facial photos (mug shots) for suspicionless dragnet surveillance of any travelers. The right to leave any country is explicitly guaranteed by international treaty (Article 12 of the ICCPR) as a human right independent of citizenship.

But we find it especially objectionable — and likely to be illegal — that CBP is extending these surveillance schemes to US citizens. Here are some of the issues: (more…)

CBP is taking mug shots of US citizens who leave the country

Sunday, July 16th, 2017

US Customs and Border Protection (CBP) has expanded its photography of the faces of all non-US citizens entering or leaving the US (under the “US-VISIT” program) to add mug shots of US citizens leaving the country, starting with all passengers on a daily flight on United Airlines from Washington Dulles Airport (IAD) to Dubai, U.A.E. (DXB).

This exit photo scheme is part of a larger program of biometric traveler tracking for which CBP and DHS recently opened an entire new database management and airport procedures simulation facility.

US citizens have the legal right not to submit to this mass surveillance and travel control scheme. But as with your right to fly without ID, CBP notices at airports won’t tell you that. You need to know your rights and be prepared to assert them.

(more…)

New long form proposed for (some) applicants for U.S. visas

Wednesday, May 10th, 2017

The Department of State has requested “emergency” approval  from the Office of Management and Budget for a new questionnaire which some applicants for U.S. visas would be required to complete.

The questions on the proposed new “long form” for disfavored visa applicants would include:

  • Travel history during the last fifteen years, including source of funding for travel [how many frequent business travelers would be able to provide a complete and accurate 15-year retrospective itinerary of their travels?];
  • Address history during the last fifteen years;
  • Employment history during the last fifteen years;
  • All passport numbers and country of issuance held by the applicant [for an unspecified time period, so perhaps meaning for your entire life];
  • Names and dates of birth for all siblings;
  • Name and dates of birth for all children;
  • Names and dates of birth for all current and former spouses, or civil or domestic partners;
  • Social media platforms and identifiers, also known as handles, used during the last five years; and
  • Phone numbers and email addresses used during the last five years.

Applicants required to complete this form could include tourists and other short-stay visitors (business, visiting friend and relatives, etc.) as well as applicants for work, student, refugee, or other visas.

As with the “long form” supplemental questionnaire for U.S. citizens applying for passports, some but not all applicants for visas to visit or reside in the U.S. will be required to complete the proposed new form. The State Department says it expects to require about 65,000 people a year, or half a percent of all applicants for U.S. visas, to complete the proposed new long from.

As with the long form passport application, there are no publicly-disclosed standards or procedures for judicial review of decisions by State Department staff to require particular individuals to complete the long form. Those decisions would be “discretionary”, meaning that they would be arbitrary and could be discriminatory.

Most people would be unable to provide complete answers to some of the questions on the long from, or would inevitably leave things out or make mistakes that would provide a basis for denial of their application.  The proposed “discretionary” long form is thus a pretext for arbitrarily selective denial of entry to the U.S., at the whim of State Department staff and/or on the basis of secret pre-crime algorithms, as well as of arbitrarily selective surveillance of certain foreign citizens.

Comments on the “emergency” proposal for this new questionnaire can be submitted to the Office of Management and Budget through May 18, 2017.

Is the TSA checking domestic airline passengers for warrants?

Thursday, April 27th, 2017

Entities and data flows involved in decision-making (“vetting”) about travelers. Larger image, PDF with legend.

The latest annual report on data-mining by the Department of Homeland Security contains a disturbing hint that the TSA may have gotten the ability to include checks for warrants and police “wants” in its “vetting” of passengers on domestic airline flights.

This would turn airline check-in counters and kiosks and TSA checkpoints for domestic air travel into dragnet suspicionless warrant checkpoints.

According to page 16 (page 19 of the PDF) of the newly-released 2016 DHS Data Mining Report, “An annex to this report containing Sensitive Security Information (SSI) about Secure Flight’s use of ATS-P is being provided separately to the Congress.”

What data from ATS, to which the TSA didn’t already have independent access,  is being used by the TSA as part of Secure Flight? For what purpose?

In the diagram above (larger image, PDF with legend), the solid green line shows the transfer of data from the FBI’s “National Criminal Information System” (NCIC) criminal history database to CBP’s “Automated Targeting System” (ATS) for use in “vetting” international airline passengers. The dashed green line shows the newly-disclosed transfer of ATS data to the “Secure Flight” system used by the TSA to “vet” domestic airline passengers. This could allow the TSA to check all domestic airline passengers for warrants and “wants” listed in NCIC, as CBP already has the ability to dos for all international airline passengers on flights to or from the US.

There is no explicit mention in the public portion of the DHS report of TSA use of NCIC data for decision-making (“vetting”) about domestic air travelers. But as the diagram above shows, almost all of the other data contained in ATS is already available directly to the TSA for use in Secure Flight. It’s not clear what data from ATS, other than criminal history data imported to ATS from NCIC, the TSA doesn’t already obtain directly without needing to get it from ATS.

Records of arrest warrants in NCIC are often inaccurate, as we have noted before. It’s especially common for the issuance of a warrant to be reported to the FBI for inclusion in NCIC, but for the later cancellation of that warrant not to be reported to NCIC. NCIC contains hundreds of thousands, perhaps millions, of listings for warrants that are no longer valid. Using TSA “vetting” of domestic airline passengers as a suspicionless dragnet for “wanted” individuals would inevitably result in the detention and arrest of many innocent people at TSA checkpoints on the basis of inaccurate NCIC data.

Normally, warrant checks are permissible only on the basis of reasonable articulable suspicion that a person has committed a crime. The current CBP checks of international travelers for warrants, police “wants”, and investigative “lookouts” have been permitted only as part of a judicially-created border exception to the 4th Amendment to the US Constitution. There is no comparable “airport exception” to the 4th Amendment that would allow suspicionless dragnet warrant checks on domestic travelers by the TSA. Travel is not an inherently suspicious activity. It’s the exercise of a Constitutional and human right, and cannot in itself be the basis for warrant checks.

Members of Congress should look closely at the secret annex to the 2016 DHS Data Mining Report, and question the DHS and TSA as to whether they are using, or intend to use, data obtained from NCIC (directly or indirectly through ATS or otherwise) to conduct warrant checks on domestic air travelers.

If any of our readers has information about someone being identified for arrest on an outstanding warrant (valid or invalid) on the basis of TSA “screening”, rather than on the basis of an independent police warrant check based on reasonable suspicion, please let us know.

Fly, Don’t Spy!

Wednesday, April 19th, 2017

Last December, over our formal objections filed with the Department of Homeland Security, US Customs and Border Protection began asking foreign visitors to the US to fill out the online form, shown above, requesting their user names on social media platforms form Facebook to GitHub.

As of then, and as of now, answering this question is still “optional”, although there’s no guarantee that those who decline to respond won’t be denied entry.

However, new Secretary of Homeland Security Kelly has begun speaking publicly about wanting to require foreign visitors to provide CBP not just with their user names but also their passwords for social media and email accounts.

In response, we’ve joined several dozen other organizations in a Fly, Don’t Spy! campaign to oppose “any proposal to require visa applicants, refugees, or other foreign visitors to provide passwords for online accounts, including social media, in order to enter the United States.”

Please add your name to the petition and the coalition mailing list for updates and actions at FlyDontSpy.com, and help spread the word.

More background:

Palantir, Peter Thiel, Big Data, and the DHS

Wednesday, March 15th, 2017

San Francisco and Silicon Valley are among the centers of opposition to President Trump and his fascism, especially as it relates to restrictions on movement, border controls, immigration, and asylum.

Bay Area technology companies and their better-paid classes of employees like to think of themselves as building a better world that reflects the distinctive values that have attracted dreamers and futurists to this region  from across the country and around the world. But some of these companies are key developers and providers of “big data” tools for the opposite sort of “Brave New World“.

On Saturday, Edward Hasbrouck of the Identity Project was invited to speak to an ad hoc group of picketers outside the Pacific Heights mansion of Palantir Technologies founder and Trump supporter Peter Thiel (photo gallery from the SF Chronicle, video clip from KGO-TV; more photos from the East Bay Express).

As Anna Weiner reported in the New Yorker (“Why Protesters Gathered Outside Peter Thiel’s Mansion This Weekend“):

David Campos, a former member of the San Francisco board of supervisors, who emigrated from Guatemala, in 1985, stood on the brick stoop and raised a megaphone. “The reason we’re here is to call upon the people who are complicit in what Trump is trying to do,” he said. Clark echoed the sentiment. “If your company is complicit, it is time to fight that,” she said. Trauss, when it was her turn, addressed Thiel, wherever he was. “What happened to being a libertarian?” she asked. “What happened to freedom of movement for labor?”

Edward Hasbrouck, a consultant with the Identity Project, a civil-liberties group, took the stand, wearing a furry pink tiger-striped pussyhat. “The banality of evil today is the person sitting in a cubicle in San Francisco, or in Silicon Valley, building the tools of digital fascism that are being used by those in Washington,” he said. “We’ve been hearing back that there are a fair number of people at Palantir who are working really hard at convincing themselves that they’re not playing a role — they’re not the ones out on the street putting the cuffs on people. They’re not really responsible, even though they’re the ones who are building the technology that makes that possible.”

It’s easy to rationalize the creation of technological tools by saying that they can used for good as well as evil. But you can’t separate the work of tool-making from the ways those tools are being used. Palantir workers’ claims to “neutrality” resemble the claims made in defense of IBM and Polaroid and when they were making and selling “general purpose” computers, cameras, and ID-badge making machines to the South African government in the 1970s. None of this technology and equipment was inherently evil. But in South Africa, it was being used to administer the apartheid system of passbooks and permissions for travel, work, and residence.

The same goes for “big data” today. To understand what’s wrong with the work being done by Palantir for the US Department of Homeland Security, it’s necessary to look not just at what tools Palantir is building but at how and by whom they will be used; not just at the data tools but at the datasets to which they are applied, the algorithms they use, and the outcomes they are used to determine.

(more…)

What should you to do if you are asked for your password at a US airport or border?

Monday, February 27th, 2017

Our work is cited in an article today by Kaveh Waddell in The Atlantic, “How Long Can Border Agents Keep Your Email Password? Some data gathered from travelers going through customs can stay in a Homeland Security database for 75 years.

The article in The Atlantic highlights several recent incidents in which international travelers have been asked or ordered to tell US Customs and Border Protection inspectors the passwords to their electronic devices and/or online accounts. As in many encounters with law enforcement officers or other government agents, the distinction between a request and a command at an airport or international border is often unclear.

In one of these incidents, a Canadian would-be visitor to the US provided CBP with the password to his phone, but balked at providing the password to his accounts with LGBT dating apps and websites. He forfeited his ticket, and left the US “preclearance” site at the airport in Vancouver without boarding his intended flight to the US. A month later, when he tried again to fly to the US, carrying the same phone with the password unchanged, he found that CBP had recorded his phone password in their permanent file about him in the CBP “TECS” lifetime international travel history database.

This sort of data collection and data retention is wrong, but it’s also routine and should be expected.

For more than a decade, since DHS first disclosed the existence of its “Automated Targeting System” database, we’ve been providing forms you can use to request the files about you from TECS and other government databases, helping travelers interpret the (redacted and incomplete) responses from CBP, and reporting on what we’ve seen in the responses and how these dossiers are used in pre-crime profiling and control of who is “allowed” to fly and how they treated when they fly.

We’ve sued to obtain our travel records from CBP and information about how these databases are mined and shared by CBP and other government agencies.

After ignoring our requests for three years, DHS exempted the system from most of the requirements of the Privacy Act, including limits on data retention, when the agency realized we were about to sue.

Any disclosure to us of the government’s permanent files about our travel is now a matter of “discretion”, not a right, if we are US citizens, and expressly forbidden by an Executive Order of President Trump for anyone other than US persons.  As we told The Atlantic:

“Any limits would have to be derived directly from the Constitution or international treaties, not from statutes or regulations,” said Edward Hasbrouck, a travel expert and consultant to The Identity Project. “I am not aware of any case law limiting retention of this sort of data.”

Here’s what our experience and our research confirms: CBP officers are not your friends, and their job is not to help you. They are law enforcement officers. Their job is to find evidence of violations of the law, and/or reasons to deny you entry to the US. Anything you say to them can be retained and used against you at any time in the future, just like anything you say to any other law enforcement officers. You should expect that anything you have with you, anything you say, and anything you do at an international border, airport, or CBP checkpoint can and will be recorded. That information can and will be retained by DHS for the rest of your life. You could be questioned about it in any future encounter with CBP or other law enforcement or government agents, even many years later, and have it used against you or anyone else in court at any time, perhaps in ways you could never anticipate.

We’ve seen all sorts of information — irrelevant, inappropriate, and potentially subject to derogatory interpretations or giving rise to guilt by association — in CBP travel dossiers. We’ve been questioned at a US border crossing, years later, about completely inconsequential and legal events at another airport years earlier, because those were being recorded in the TECS database even during primary screening on a routine entry to the US by a US citizen.

What can you do, and what should you do, if you are asked to tell CBP agents any of your passwords?

We agree with all the lawyers consulted by The Atlantic: US citizens should not voluntarily provide passwords to US border guards or inspectors at airports.

(more…)