Jun 21 2022

European Court ruling on air travel surveillance

The highest court of the European Union ruled today that an EU mandate for dragnet surveillance of travelers through government access to airline reservations might be permissible under EU law — but only under conditions that governments of EU member countries, and the US government, may be unable or unwilling to meet.

In 2016, the EU enacted a directive requiring each EU member state to enact a law requiring airlines to hand over copies of passenger name records (PNRs) to the government, and establish a new surveillance agency to profile travelers based on this PNR data.  This EU PNR Directive was modeled on US law and on the extrajudicial practices — never tested against the provisions of international human rights treaties, which generally can’t be invoked in US courts — of the US Department of Homeland Security.

The Belgian “Ligue des droits humains” (LDH) filed a lawsuit in the Belgian Constitutional Court challenging the law enacted in Belgium to implement the EU PNR Directive as contrary to multiple provisions of Belgian and EU law.

Before deciding the questions of Belgian law, the Belgian court requested a preliminary ruling from the Court of Justice of the European Union (CJEU), the highest EU court, as to whether the EU PNR Directive is consistent with fundamental EU human rights law.

In today’s ruling (press release and summary in English, full text of decision in French), the CJEU finds that the EU PNR Directive is not, on its face, invalid — but only if it is implemented and applied in accordance with a long list of conditions specified by the CJEU in its decision.

Governments of EU member states may be unable or unwilling to comply with all of those conditions.

The decision by the CJEU addresses the implications and validity of the EU PNR Directive both as a mandate for suspicionless dragnet surveillance and as a mandate for control of travel, in which PNR data is used as the basis for profiling and other actions.

Of the many conditions set by the CJEU, we find this one on secret law, secret evidence, and judicial review among the most significant. According to the court’s press release:

[T]he Court also stresses that the competent authorities must ensure that the person concerned can  understand the operation of the predetermined assessment criteria and programs applying those criteria, so that it is possible for that person to decide with full knowledge of the relevant facts whether or not to exercise his or her right to judicial redress. Similarly, in the context of such an action, the court responsible for reviewing the legality of the decision adopted by the competent authorities as well as, except in the case of threats to State security, the persons concerned themselves must have had an opportunity to examine both all the grounds and the evidence on the basis of which the decision was taken, including the predetermined assessment criteria and the operation of the programs applying those criteria.

In cases where EU governments act on “recommendations” from the US government to restrict travel to, from, or within the EU, the EU authorities nominally responsible for these actions may not know what evidence (if any) or algorithms for the basis for US recommendations. And the US may not be willing to share that information with EU governments, especially if EU law might require EU governments to disclose that information to European judges, much less to individuals who are “targeted” on the basis of US recommendations.

The court case now returns to the Belgian courts, but it  seems likely that changes to the laws implementing the EU PNR Directive in Belgium and most if not all other EU members states will be required to conform these laws to the conditions laid down today by the CJEU. Another round of litigation in EU member states and perhaps again in the CJEU is likely to be needed to determine whether amended laws have met those tests. Stay tuned!

May 20 2022

New reports on DHS surveillance and profiling

Two new reports from university think-tanks call attention to surveillance and profiling — including surveillance of, and action against, domestic and international travelers — by the Department of Homeland Security and its components.

A Course Correction for Homeland Security, a report by the Brennan Center for Justice at New York University, cites to some of our work and some examples of cases we have been involved with in its analysis of DHS data collection (surveillance), and “risk assessments” (algorithmic profiling and control), especially as they relate to travelers.

American Dragnet: Data-Driven Deportation in the 21st Century, a report by the Center on Privacy and Technology at Georgetown University Law School, focuses on DHS’s Immigration and Customs Enforcement (ICE) division, especially ICE access to facial images and other information obtained from drivers licenses and commercial data brokers.

A common theme of both reports is that DHS surveillance is more pervasive, more intrusive, and less visible than is generally recognized.

Airline reservations and demands for ID from travelers are used not merely to check for currently blacklisted would-be travelers, but are retained and used to build travel histories and social networks maps that are then used by suspicion-generating guilt-by-association algorithms to expand the web of surveillance, profiling, and extrajudicial blacklisting.

ICE represents itself as an agency with jurisdiction only over non-US citizens, but in fact runs photos and drivers license and location data about a large fraction of the entire population of US citizens through its profiling and enforcement algorithms. DHS lurks (usually invisibly) in the background, “ingesting” or obtaining access to personal information, when individuals pose for drivers license photos, make airline reservations, or interact with businesses that “share” data directly or indirectly with DHS.

What is to be done about this sorry state of affairs?

Both of these reports suggest that some reforms could be made by policy, at the direction of the President, the Secretary of Homeland Security, or the heads of DHS components.

However, given the thoroughly bipartisan continuity of support by both Democratic and Republican administrations for the continual expansion of DHS surveillance, especially of travelers and foreigners and most especially of border crossers, since its creation 20 years ago, we have little hope for reform from within DHS or at the behest of the White House.

Exposure of abuses is good, but more is needed than a change of administration policy.

While we welcome any additional attention paid to the problems with the DHS, we think they call for court action to uphold the Constitutional and treaty rights of travelers and other individuals, and Congressional action to effectuate those rights and to facilitate judicial review and redress for government actions that violate those rights.

The DHS, as these reports reveal, is an ever-growing dragnet surveillance agency, operating outside the rule of law. What are we going to do to alter or to abolish it?

Jan 26 2022

9th Circuit to review secrecy of CRS-based travel surveillance

May court records related to orders requiring a travel reservations company to provide real-time updates to the U.S. government whenever a “person of interest” makes reservations for flights or other travel  be kept secret from the public, the press, and other travel companies including the airlines on which the target plans to travel?

That issue is now before the 9th Circuit Court of Appeals in the case of Forbes Media and Thomas Brewster vs. the United States (Court of Appeals Docket #21-35612).

The legal question before the 9th Circuit is whether courts can keep their own actions secret. That’s important, but the the underlying facts raise other issues as well.

Read More

May 19 2021

A race to the bottom: DHS “Biometric Tech Rally”

Today the U.S. Department of Homeland Security (DHS) announced a competition between hardware and software vendors to demonstrate the facial-recognition systems that are most useful for surveillance and other malign uses: cameras or other sensors and facial and/or other biometric matching algorithms that can identity travelers (or other people in public places) even if they are wearing masks:

[T]he 2021 Biometric Technology Rally will focus on evaluating the ability of systems to reliably collect and/or match images of individuals, including those wearing face masks. The intent is to improve the ability to recognize people without requiring travelers to remove protective equipment….

The 2021 Biometric Technology Rally will be held at the Maryland Test Facility (MdTF) in Upper Marlboro, Maryland, later this fall. Testing will be performed in controlled scenarios relevant to DHS operations….

Providers of face and multi-modal biometric acquisition systems, as well as providers of biometric matching algorithms, are encouraged to participate.

Requiring travelers to remove their masks at checkpoints operated by or on behalf of the Transportation Security Administration (TSA) and/or other DHS components endangers travelers and makes clear that the U.S. government has put surveillance and tracking of travelers ahead of safety and health.

But the way to completely eliminate the threat to travelers’ health and safety posed by unmasking is to stop trying to identify travelers,  which is based on the “pre-crime” fantasy that identity-based algorithms can read travelers’ minds and predict which of them intend to  commit future aviation-related crimes. Instead, the TSA should confine its searches to those intended to detect genuinely threatening objects: weapons and explosives.

May 17 2021

ACLU: “Digital IDs Could Be a Nightmare”

As the U.S. Department of Homeland Security is soliciting proposals from vendors for how to put digital versions of drivers licenses and other ID credentials on smartphones, the ACLU has released a timely and insightful white paper, Identity Crisis: What Digital Driver’s Licenses Could Mean for Privacy, Equity, and Freedom, by Jay Stanley of the ACLU Speech, Privacy, and Technology Project, along with an executive summary in the form of a blog post, Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare.

The ACLU white paper links to some of our research and reporting and highlights many of our concerns with compelled identification, the REAL-ID Act, invisible virtual checkpoints, ID-based blacklists and controls on what we are and aren’t allowed to do, and the role of AAMVA and other “private” entities as outsourced, opaque, unaccountable, creators of ID “standards” that function as de facto laws and regulations that govern our movements and activities, but that are adopted in secret, exempt from the Freedom Of Information Act or other transparency laws, and lack basic privacy protections. or respect for rights recognized by the U.S. Constitution and international human rights treaties.

We encourage readers interested in these issues to read the ACLU white paper in full. But here’s an excerpt form the introduction to the white paper, framing the issue:

Read More

May 14 2021

More DHS “pre-crime” policing, but still no real “precogs”

The U.S. Department of Homeland Security has announced the formation and rebranding of new and existing DHS components into what it is now calling the DHS Center for Prevention Programs and Partnerships (“C3P” in milspeak).

C3P is explicitly intended to be a “precrime” crime prevention agency, and to teach and promote “precrime” techniques for predicting future crimes and identifying future criminals to other Federal, state, and local law enforcement agencies. According to the DHS press release announcing the formation of C3P, “DHS’s efforts are grounded in an approach to violence prevention that leverages behavioral threat assessment and management tools, and addresses early-risk factors that can lead to radicalization to violence.”

C3P’s attempts to predict future crimes are to be based on behavioral patterns, i.e profiling, and on encouraging members of the public to inform on their families, friends, and classmates. According to Secretary of Homeland Security Alejandro Mayorkas, future criminals “typically exhibit behaviors that are recognizable to many but are best understood by those closest to them, such as friends, family, and classmates.”

The problem, of course is that the law does not permit prosecution based solely on patterns of lawful behavior. With good reason: “precrime” prediction is a figment of the imagination of the creators of a dystopian fantasy movie, Minority Report.

Neither the DHS nor anyone else actually has any “precogs” (human, robotic, or cybernetic) like those in the movie who can predict future crimes, or any profile or algorithm that actually enables it to predict who will commit future crimes.

“Precrime” policing should be left in Hollywood where it belongs, not allowed to infect the thinking of those who wield real-world police powers.

Apr 12 2021

Connecting the DHS to the airline industry

A Request For Information (RFI) posted on a website for Federal government contractors gives a glimpse into the degree to which the Department of Homeland Security (DHS) has embedded itself into the information technology infrastructure of the airline industry.

The RFI for Services to Electronically Transmit Airline Data was posted April 5, 2021, by US Customs and Border Protection (CBP). Responses from potential vendors are due by April 19, 2021.

CBP says it is “conducting market research to gain a greater understanding of the full range of available options for services for obtaining names and related information of passengers who are arriving and departing the U.S. on commercial airlines.” Although the RFI was put out by CBP, which surveils and controls international air travel and cargo transport to and from the US, it appears to contemplate integration with the parallel systems used by the Transportation Security Administration (TSA) for data-driven surveillance and control of domestic US air travel as well.

According to the RFI:

CBP is evaluating transmission options for air carriers to use in compliance with these requirements.

  • The vendor must have established connectivity with the airline community.
  • The vendor must be able to test and certify with the air carriers, the vendor, CBP and TSA as required.

For those unfamiliar with the “parallel universe” of airline IT and data communications networks, this RFI might best be conceptualized by analogy to the specifications for the equipment — revealed by whistleblower Mark Klein — that was installed in the facilities of AT&T and other telecommunications companies to provide real-time copies of message data to the National Security Agency (NSA).

While the NSA receives metadata about the movements of our messages in the form of telephone calls, email messages, Web browsing, and other Internet traffic, CBP receives metadata about the movements of our physical bodies, whenever we travel by air, in the form of, according to the RFI,  “Passenger Name Records (PNR), air cargo manifests, advance passenger information (API), passenger manifests, and other airline-related data.”

The TSA receives a similar but somewhat different dataset of all domestic airline flights in the form of Secure Flight Passenger Data (SFPD).

The RFI requests information from vendors that already have  “an available global private network primarily used by the aviation industry to enable the aviation industry to send/receive API, PNR, and other information to CBP and other entities.”

The gateways provided by these vendors would also, presumably, position these vendors to serve other governments wanting to surveil and control air travel while using common gateways to connect to airlines without having to connect to each airline separately.

As the NSA did with telecommunications companies, CBP embeds itself in vendors’ data centers and message switching hubs:

The contractor shall provide the following to permit the electronic transmission of airline data to CBP’s computer network and host systems:

Provide Ethernet Internet Protocol (IP) connections to the contractor’s private global network. CBP routers are located on vendor’s premises. Contractor provides physical space at their datacenter(s) to include ¼ communications rack to house DHS/CBP co-located equipment that connects to the contractor’s private global network.

Unlike the “black boxes” installed in AT&T and other telecommunications and Internet switching centers to send mirror copies of messages to the NSA, the CBP/DHS connection to the global airline reservation cloud is bidirectional. The role of the DHS is not limited to passive surveillance, which would require only a unidirectional data feed.  DHS exercises positive permission-based prior restraint and control of the issuance of each boarding pass, which requires reliable real-time transmission of Boarding Pass Printing Result (BPRR) permission messages from DHS to airline check-in counters and Web check-in systems worldwide.

Currently, each airline has the option of connecting directly to CBP for bi-directional  transmission of PNR and API data and receipt of BPPR messages through a virtual private network using CBP-specified protocols and vendors, or connecting to DHS through one of two vendors approved by CBP to act as intermediaries: ARINC or SITA.

Read More

Apr 05 2021

Can TSA checkpoints be used as a general law enforcement dragnet?

Airline travelers who were searched at Transportation Security Administration (TSA) checkpoint for cash and other items unrelated to any threat to aviation are entitled to their day in court, according to the first significant ruling by a Federal judge in Pittsburgh in a class action lawsuit filed a year ago.

The class action complaint in Brown v. TSA was brought by the Institute for Justice on behalf of all air travelers whose cash was seized at TSA checkpoints. It charges that searches at TSA checkpoints for “general law enforcement purposes” that aren’t limited to searches for weapons, explosives, and incendiaries that could pose a danger to aviation are (1) “ultra vires”,  that is, outside the scope of any authority granted by law to TSA checkpoint staff, and (2) unconstitutional as warrantless, unreasonable searches and seizures prohibited by the 4th Amendment.

The TSA and Drug Enforcement Administration (DEA) defendants tried to get the court to dismiss the complaint on such specious grounds as that the dozens of incidents of seizures of air travelers’ cash described in the complaint were merely “isolated incidents” unlikely to be repeated, and that a Federal law that has often frustrated judicial review of TSA actions, 49 U.S.C. § 46110, denies any Federal District Court jurisdiction to even consider such a complaint.

After review of initial recommendations by a Federal Magistrate, U.S. District Judge Marilyn Horan has denied most of the government’s motions to dismiss the class action complaint, allowing the case to move forward toward a decision on the merits.

As we noted when we first reported on the filing of this lawsuit, its importance extends well beyond the specific issues of searches and seizures of cash. This is one of two key pending lawsuits (along with one filed by Sai that’s pending in the 1st Circuit Court of Appeals with friend-of-the-court briefs due to be filed by the end of this week) challenging the TSA’s attempt to expand its checkpoints from limited special-purpose administrative searches for items posing a hazard to aviation to general law enforcement checkpoints like the “4th Amendment-free zones” at international borders and points of entry.

There have been, and continue to be, strong pressures from within the Department of Homeland Security and from other law enforcement agencies to use TSA checkpoints for an even wider range of general law enforcement purposes. That would create a new airport exception to the 4th Amendment, based on treating travel as presumptively grounds for suspicion (and thus subject to search and/or seizure) rather than the exercise of a right.

We are pleased to see this case go forward as an important test of the limits to the TSA’s authority, the meaning of the 4th Amendment, and the existence of a right to travel.

Mar 30 2021

Expanding travel policing beyond no-fly lists (and the Fourth Amendment)

According to an article in POLITICO based on interviews with unnamed “law enforcement officials,” the US Department of Homeland Security (DHS) is considering expanded use of airline reservation data  to target travelers  for more intrusive searches:

The department could begin analyzing the travel patterns of suspected domestic extremists, monitor flights they book on short notice and search their luggage for weapons, a senior law enforcement official told POLITICO. There have also been discussions about putting suspected domestic violent extremists — a category that includes white supremacists — on the FBI’s No Fly List, the official said. When suspected extremists travel internationally, officials may be more likely to question them before they pass through customs and to search their phones and laptops.

A second law enforcement official told POLITICO that conversations about monitoring domestic extremists’ travel have involved multiple federal agencies at the interagency level, including the FBI.

We’ve recently discussed what’s wrong with the no-fly lists (there are several, created and maintained by different, although interlocking, entities, for different ostensible purposes) and why they shouldn’t be used like this or in most of the other ways that they are now used.

As Gary Leff puts it in his View from  the Wing travel blog:

Denying the freedom of travel, without trial, is precisely the mob rule outside of the rule of law that we’re supposed to be pushing back on after the events of January 6th. Having the government ban travel on all airlines without judicial review is frightening in a democracy.

The latest article in POLITICO suggests tactics that go well beyond no-fly lists. It’s important to understand what’s being talked about, and how it would differ from previously-disclosed practices and exceed what is permitted by current law.

It’s crucial to recognize that, in this proposal, the DHS is testing the waters not for an expansion of existing authority, but an entirely new category of exception to the Fourth Amendment: a “pre-crime” search that is based on neither a warrant nor probable cause, but that — unlike an administrative search — targets individuals selectively.

Read More

Mar 05 2021

Court says you can sue TSA agents who don’t let you film them

Judge John A. Gibney, Jr. of the US District Court for the Eastern District of Virginia has ruled that TSA checkpoint staff can be sued (and, potentially, held personally liable for damages) for stopping a traveler from recording video with his cellphone of them searching (“patting down”) his wife, and ordering him to delete the video.

The initial decision in the case of Dyer v. Smith is likely to be appealed to the Court of Appeals for the 4th Circuit. But Judge Gibney’s ruling is an important step toward holding the TSA accountable to the 1st Amendment (freedom of speech and of the press) and 4th Amendment (freedom from unreasonable search and seizure) to the US Constitution.

In particular, Judge Gibney not only (1) recognized that members of the public have a Constitutional right to film at TSA checkpoints, and not to have their recordings seized, but also (2) rejected the claim that this right was not “clearly established” and thus that TSA checkpoint staff should have “qualified immunity” from lawsuits, and (3) allowed the lawsuit against the TSA to go forward, under the so-called “Bivens doctrine” already recognized by courts in other contexts, even though there is no specific law (other than the Constitution itself, which ought to suffice) providing for lawsuits against TSA staff who violate travelers’ Constitutional rights.

We are particularly pleased that Judge Gibney recognized that the Constitutional right to film the TSA is “clearly established,” contrary to the court finding in 2015 in Phil Mocek’s lawsuit against TSA checkpoint staff and Albuquerque Police that, while Mr, Mocek’s rights had been violated, the right to film at TSA checkpoints was not (yet) clearly established — so Mr. Mocek was not entitled to any redress through the courts for the violation.

The plaintiff, Dustin Dyer, is himself a lawyer, but served only as pro se local counsel to civil rights attorney Jonathan Corbett, one of whose specialties is TSA wrongdoing.

(Mr. Corbett is also, we are pleased to report, representing Sai in his challenge to the Constitutionality of 49 USC § 46110, the Federal law which establishes special and especially limited procedures and criteria for judicial review of “orders” issued by the TSA.)

As with Mr. Mocek, Mr. Dyer was able to recover the “deleted” video, although it’s not clear how important that may have been in deterring the TSA from making up stories about what happened, as the TSA and police did (unsuccessfully, in the face of video and audio evidence falsifying their official reports) with respect to Mr. Mocek.

It’s worth reading both Mr. Corbett’s brief in support of his client Mr. Dyer, and the amicus brief by Constitutional law professors Brandon Hasbrouck of Washington and Lee School of Law and Katherine Mims Crocker of William and Mary Law School (where Judge Gibney is also an adjunct professor). As friends of the court, these law professors note that “The logic of the single decision [the defendants] cite [Mocek v. Albuquerque] is quite strained.” Judge Gibney seems to have agreed.