May 19 2021

A race to the bottom: DHS “Biometric Tech Rally”

Today the U.S. Department of Homeland Security (DHS) announced a competition between hardware and software vendors to demonstrate the facial-recognition systems that are most useful for surveillance and other malign uses: cameras or other sensors and facial and/or other biometric matching algorithms that can identity travelers (or other people in public places) even if they are wearing masks:

[T]he 2021 Biometric Technology Rally will focus on evaluating the ability of systems to reliably collect and/or match images of individuals, including those wearing face masks. The intent is to improve the ability to recognize people without requiring travelers to remove protective equipment….

The 2021 Biometric Technology Rally will be held at the Maryland Test Facility (MdTF) in Upper Marlboro, Maryland, later this fall. Testing will be performed in controlled scenarios relevant to DHS operations….

Providers of face and multi-modal biometric acquisition systems, as well as providers of biometric matching algorithms, are encouraged to participate.

Requiring travelers to remove their masks at checkpoints operated by or on behalf of the Transportation Security Administration (TSA) and/or other DHS components endangers travelers and makes clear that the U.S. government has put surveillance and tracking of travelers ahead of safety and health.

But the way to completely eliminate the threat to travelers’ health and safety posed by unmasking is to stop trying to identify travelers,  which is based on the “pre-crime” fantasy that identity-based algorithms can read travelers’ minds and predict which of them intend to  commit future aviation-related crimes. Instead, the TSA should confine its searches to those intended to detect genuinely threatening objects: weapons and explosives.

May 17 2021

ACLU: “Digital IDs Could Be a Nightmare”

As the U.S. Department of Homeland Security is soliciting proposals from vendors for how to put digital versions of drivers licenses and other ID credentials on smartphones, the ACLU has released a timely and insightful white paper, Identity Crisis: What Digital Driver’s Licenses Could Mean for Privacy, Equity, and Freedom, by Jay Stanley of the ACLU Speech, Privacy, and Technology Project, along with an executive summary in the form of a blog post, Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare.

The ACLU white paper links to some of our research and reporting and highlights many of our concerns with compelled identification, the REAL-ID Act, invisible virtual checkpoints, ID-based blacklists and controls on what we are and aren’t allowed to do, and the role of AAMVA and other “private” entities as outsourced, opaque, unaccountable, creators of ID “standards” that function as de facto laws and regulations that govern our movements and activities, but that are adopted in secret, exempt from the Freedom Of Information Act or other transparency laws, and lack basic privacy protections. or respect for rights recognized by the U.S. Constitution and international human rights treaties.

We encourage readers interested in these issues to read the ACLU white paper in full. But here’s an excerpt form the introduction to the white paper, framing the issue:

Read More

May 14 2021

More DHS “pre-crime” policing, but still no real “precogs”

The U.S. Department of Homeland Security has announced the formation and rebranding of new and existing DHS components into what it is now calling the DHS Center for Prevention Programs and Partnerships (“C3P” in milspeak).

C3P is explicitly intended to be a “precrime” crime prevention agency, and to teach and promote “precrime” techniques for predicting future crimes and identifying future criminals to other Federal, state, and local law enforcement agencies. According to the DHS press release announcing the formation of C3P, “DHS’s efforts are grounded in an approach to violence prevention that leverages behavioral threat assessment and management tools, and addresses early-risk factors that can lead to radicalization to violence.”

C3P’s attempts to predict future crimes are to be based on behavioral patterns, i.e profiling, and on encouraging members of the public to inform on their families, friends, and classmates. According to Secretary of Homeland Security Alejandro Mayorkas, future criminals “typically exhibit behaviors that are recognizable to many but are best understood by those closest to them, such as friends, family, and classmates.”

The problem, of course is that the law does not permit prosecution based solely on patterns of lawful behavior. With good reason: “precrime” prediction is a figment of the imagination of the creators of a dystopian fantasy movie, Minority Report.

Neither the DHS nor anyone else actually has any “precogs” (human, robotic, or cybernetic) like those in the movie who can predict future crimes, or any profile or algorithm that actually enables it to predict who will commit future crimes.

“Precrime” policing should be left in Hollywood where it belongs, not allowed to infect the thinking of those who wield real-world police powers.

Apr 12 2021

Connecting the DHS to the airline industry

A Request For Information (RFI) posted on a website for Federal government contractors gives a glimpse into the degree to which the Department of Homeland Security (DHS) has embedded itself into the information technology infrastructure of the airline industry.

The RFI for Services to Electronically Transmit Airline Data was posted April 5, 2021, by US Customs and Border Protection (CBP). Responses from potential vendors are due by April 19, 2021.

CBP says it is “conducting market research to gain a greater understanding of the full range of available options for services for obtaining names and related information of passengers who are arriving and departing the U.S. on commercial airlines.” Although the RFI was put out by CBP, which surveils and controls international air travel and cargo transport to and from the US, it appears to contemplate integration with the parallel systems used by the Transportation Security Administration (TSA) for data-driven surveillance and control of domestic US air travel as well.

According to the RFI:

CBP is evaluating transmission options for air carriers to use in compliance with these requirements.

  • The vendor must have established connectivity with the airline community.
  • The vendor must be able to test and certify with the air carriers, the vendor, CBP and TSA as required.

For those unfamiliar with the “parallel universe” of airline IT and data communications networks, this RFI might best be conceptualized by analogy to the specifications for the equipment — revealed by whistleblower Mark Klein — that was installed in the facilities of AT&T and other telecommunications companies to provide real-time copies of message data to the National Security Agency (NSA).

While the NSA receives metadata about the movements of our messages in the form of telephone calls, email messages, Web browsing, and other Internet traffic, CBP receives metadata about the movements of our physical bodies, whenever we travel by air, in the form of, according to the RFI,  “Passenger Name Records (PNR), air cargo manifests, advance passenger information (API), passenger manifests, and other airline-related data.”

The TSA receives a similar but somewhat different dataset of all domestic airline flights in the form of Secure Flight Passenger Data (SFPD).

The RFI requests information from vendors that already have  “an available global private network primarily used by the aviation industry to enable the aviation industry to send/receive API, PNR, and other information to CBP and other entities.”

The gateways provided by these vendors would also, presumably, position these vendors to serve other governments wanting to surveil and control air travel while using common gateways to connect to airlines without having to connect to each airline separately.

As the NSA did with telecommunications companies, CBP embeds itself in vendors’ data centers and message switching hubs:

The contractor shall provide the following to permit the electronic transmission of airline data to CBP’s computer network and host systems:

Provide Ethernet Internet Protocol (IP) connections to the contractor’s private global network. CBP routers are located on vendor’s premises. Contractor provides physical space at their datacenter(s) to include ¼ communications rack to house DHS/CBP co-located equipment that connects to the contractor’s private global network.

Unlike the “black boxes” installed in AT&T and other telecommunications and Internet switching centers to send mirror copies of messages to the NSA, the CBP/DHS connection to the global airline reservation cloud is bidirectional. The role of the DHS is not limited to passive surveillance, which would require only a unidirectional data feed.  DHS exercises positive permission-based prior restraint and control of the issuance of each boarding pass, which requires reliable real-time transmission of Boarding Pass Printing Result (BPRR) permission messages from DHS to airline check-in counters and Web check-in systems worldwide.

Currently, each airline has the option of connecting directly to CBP for bi-directional  transmission of PNR and API data and receipt of BPPR messages through a virtual private network using CBP-specified protocols and vendors, or connecting to DHS through one of two vendors approved by CBP to act as intermediaries: ARINC or SITA.

Read More

Apr 05 2021

Can TSA checkpoints be used as a general law enforcement dragnet?

Airline travelers who were searched at Transportation Security Administration (TSA) checkpoint for cash and other items unrelated to any threat to aviation are entitled to their day in court, according to the first significant ruling by a Federal judge in Pittsburgh in a class action lawsuit filed a year ago.

The class action complaint in Brown v. TSA was brought by the Institute for Justice on behalf of all air travelers whose cash was seized at TSA checkpoints. It charges that searches at TSA checkpoints for “general law enforcement purposes” that aren’t limited to searches for weapons, explosives, and incendiaries that could pose a danger to aviation are (1) “ultra vires”,  that is, outside the scope of any authority granted by law to TSA checkpoint staff, and (2) unconstitutional as warrantless, unreasonable searches and seizures prohibited by the 4th Amendment.

The TSA and Drug Enforcement Administration (DEA) defendants tried to get the court to dismiss the complaint on such specious grounds as that the dozens of incidents of seizures of air travelers’ cash described in the complaint were merely “isolated incidents” unlikely to be repeated, and that a Federal law that has often frustrated judicial review of TSA actions, 49 U.S.C. § 46110, denies any Federal District Court jurisdiction to even consider such a complaint.

After review of initial recommendations by a Federal Magistrate, U.S. District Judge Marilyn Horan has denied most of the government’s motions to dismiss the class action complaint, allowing the case to move forward toward a decision on the merits.

As we noted when we first reported on the filing of this lawsuit, its importance extends well beyond the specific issues of searches and seizures of cash. This is one of two key pending lawsuits (along with one filed by Sai that’s pending in the 1st Circuit Court of Appeals with friend-of-the-court briefs due to be filed by the end of this week) challenging the TSA’s attempt to expand its checkpoints from limited special-purpose administrative searches for items posing a hazard to aviation to general law enforcement checkpoints like the “4th Amendment-free zones” at international borders and points of entry.

There have been, and continue to be, strong pressures from within the Department of Homeland Security and from other law enforcement agencies to use TSA checkpoints for an even wider range of general law enforcement purposes. That would create a new airport exception to the 4th Amendment, based on treating travel as presumptively grounds for suspicion (and thus subject to search and/or seizure) rather than the exercise of a right.

We are pleased to see this case go forward as an important test of the limits to the TSA’s authority, the meaning of the 4th Amendment, and the existence of a right to travel.

Mar 30 2021

Expanding travel policing beyond no-fly lists (and the Fourth Amendment)

According to an article in POLITICO based on interviews with unnamed “law enforcement officials,” the US Department of Homeland Security (DHS) is considering expanded use of airline reservation data  to target travelers  for more intrusive searches:

The department could begin analyzing the travel patterns of suspected domestic extremists, monitor flights they book on short notice and search their luggage for weapons, a senior law enforcement official told POLITICO. There have also been discussions about putting suspected domestic violent extremists — a category that includes white supremacists — on the FBI’s No Fly List, the official said. When suspected extremists travel internationally, officials may be more likely to question them before they pass through customs and to search their phones and laptops.

A second law enforcement official told POLITICO that conversations about monitoring domestic extremists’ travel have involved multiple federal agencies at the interagency level, including the FBI.

We’ve recently discussed what’s wrong with the no-fly lists (there are several, created and maintained by different, although interlocking, entities, for different ostensible purposes) and why they shouldn’t be used like this or in most of the other ways that they are now used.

As Gary Leff puts it in his View from  the Wing travel blog:

Denying the freedom of travel, without trial, is precisely the mob rule outside of the rule of law that we’re supposed to be pushing back on after the events of January 6th. Having the government ban travel on all airlines without judicial review is frightening in a democracy.

The latest article in POLITICO suggests tactics that go well beyond no-fly lists. It’s important to understand what’s being talked about, and how it would differ from previously-disclosed practices and exceed what is permitted by current law.

It’s crucial to recognize that, in this proposal, the DHS is testing the waters not for an expansion of existing authority, but an entirely new category of exception to the Fourth Amendment: a “pre-crime” search that is based on neither a warrant nor probable cause, but that — unlike an administrative search — targets individuals selectively.

Read More

Mar 05 2021

Court says you can sue TSA agents who don’t let you film them

Judge John A. Gibney, Jr. of the US District Court for the Eastern District of Virginia has ruled that TSA checkpoint staff can be sued (and, potentially, held personally liable for damages) for stopping a traveler from recording video with his cellphone of them searching (“patting down”) his wife, and ordering him to delete the video.

The initial decision in the case of Dyer v. Smith is likely to be appealed to the Court of Appeals for the 4th Circuit. But Judge Gibney’s ruling is an important step toward holding the TSA accountable to the 1st Amendment (freedom of speech and of the press) and 4th Amendment (freedom from unreasonable search and seizure) to the US Constitution.

In particular, Judge Gibney not only (1) recognized that members of the public have a Constitutional right to film at TSA checkpoints, and not to have their recordings seized, but also (2) rejected the claim that this right was not “clearly established” and thus that TSA checkpoint staff should have “qualified immunity” from lawsuits, and (3) allowed the lawsuit against the TSA to go forward, under the so-called “Bivens doctrine” already recognized by courts in other contexts, even though there is no specific law (other than the Constitution itself, which ought to suffice) providing for lawsuits against TSA staff who violate travelers’ Constitutional rights.

We are particularly pleased that Judge Gibney recognized that the Constitutional right to film the TSA is “clearly established,” contrary to the court finding in 2015 in Phil Mocek’s lawsuit against TSA checkpoint staff and Albuquerque Police that, while Mr, Mocek’s rights had been violated, the right to film at TSA checkpoints was not (yet) clearly established — so Mr. Mocek was not entitled to any redress through the courts for the violation.

The plaintiff, Dustin Dyer, is himself a lawyer, but served only as pro se local counsel to civil rights attorney Jonathan Corbett, one of whose specialties is TSA wrongdoing.

(Mr. Corbett is also, we are pleased to report, representing Sai in his challenge to the Constitutionality of 49 USC § 46110, the Federal law which establishes special and especially limited procedures and criteria for judicial review of “orders” issued by the TSA.)

As with Mr. Mocek, Mr. Dyer was able to recover the “deleted” video, although it’s not clear how important that may have been in deterring the TSA from making up stories about what happened, as the TSA and police did (unsuccessfully, in the face of video and audio evidence falsifying their official reports) with respect to Mr. Mocek.

It’s worth reading both Mr. Corbett’s brief in support of his client Mr. Dyer, and the amicus brief by Constitutional law professors Brandon Hasbrouck of Washington and Lee School of Law and Katherine Mims Crocker of William and Mary Law School (where Judge Gibney is also an adjunct professor). As friends of the court, these law professors note that “The logic of the single decision [the defendants] cite [Mocek v. Albuquerque] is quite strained.” Judge Gibney seems to have agreed.

Feb 25 2021

Precog in a Box

[Flowchart of “goTravel” software package developed by the government of the Netherlands and offered to U.N. members through the Countering Terrorist Travel Programme of the U.N. Office of Counter-Terrorism (UNOCT)]

National governments of all members of the United Nations are being pressured to implement new U.N. mandates for surveillance, profiling,  and control of air travelers.

These unprecedented mandates for the creation and deployment of new surveillance and “pre-crime” policing systems in every U.N. member state  are the result of a successful twenty-year campaign carried out by the US and its allies through the U.N. Security Council and the International Civil Aviation Organization (ICAO) as policy laundering proxies.

This U.N. mandate is illegal: it contravenes provisions of the International Covenant on Civil and Political Rights, to which almost all U.N. members are parties. It’s immoral: it goes against basic principles of justice, including the presumption of innocence and punishment for criminal actions rather than for inferred criminal states of mind. And it’s wrong: it presumes the existence of human and/or robotic “precogs” that can predict future crimes.

U.N. members that haven’t yet set up “pre-crime” police agencies to surveil and profile air travelers are being pushed by Security Council and ICAO directives, and pulled by offers of  their choice of free “Precog in a Box” software and other training and support from US Customs and Border Protection (CBP) through the World Customs Organization (WCO), or from the government of the Netherlands through the Countering Terrorist Travel Programme of the U.N. Office of Counter-Terrorism (UNOCT).

But how did we get here? What’s going on? And what’s wrong with this picture?

Read More

Dec 21 2020

We say “No” to mug shots at airports and borders

Illustration from CBP website. The claim that facial recogntion “helps to prevent the spread of germs” is especially bogus, since facial recognition requires travelers to remove their face masks wherever it is used.

Today the Identity Project (IDP), Restore the Fourth, Privacy Times, and the National Workrights Institute  filed joint comments with U.S. Customs and Border Protection (CBP) in opposition ot the CBP proposal to require mug shots (and possibly collection of other biometrics) from all non-U.S. citizens at all border crossings and international airports and seaports:

The purported NPRM [Notice of Proposed Rulermaking] was promulgated under purported authority delegated by an official purporting to exercise the duties of the Secretary of Homeland Security. That official was not appointed in accordance with the Vacancies Reform Act and therefore lacks authority to promulgate notices of proposed rules or final rules, or to delegate authority to do so which they do not themselves hold….

The proposed rules and procedures would violate the Privacy Act, and must therefore be revised or withdrawn.

The proposed rules and procedures would violate the Paperwork Reduction Act (PRA), and must therefore be revised or withdrawn.

The impact assessment in the NPRM is incomplete, inaccurate, and grossly underestimates the costs which would be imposed on individual travelers by the proposed rule. The NPRM fails to consider how many (more) individuals would opt out of collection of biometrics, if they were provided with the notices required by the PRA, or the cost to those travelers who are so delayed that they miss their flights. The impact assessment must be revised.

Read More

Oct 09 2020

Port of Seattle continues debate on facial recognition

The debate continues on whether the Port of Seattle should allow or pay for continued or expanded use of facial recognition at Sea-Tac Airport (SEA) and the Seattle cruise port.

Yesterday Port of Seattle staff and a subcommittee of the Port Commission met with an advisory committee on biometrics appointed by the Port Commission.

Jennifer Lee of the ACLU of Washington State delivered a letter co-signed by a coalition of organizations including the Identity Project urging the Port Commission not to authorize, pay for, or participate in any use of facial recognition to identify travelers:

On December 10, 2019, the Commission adopted seven principles to guide its decision-making on if and how biometrics should be used at the Port. These principles are: justified, voluntary, private, equitable, transparent, legal, and ethical.

We do not believe that either the current or the proposed uses of biometrics to identify travelers on Port property can be implemented in a manner consistent with these principles. Port staff state that its recommendations “are not meant to suggest that the Port should implement public-facing biometrics, but rather how to do so in alignment with our guiding principles.”  The only action that would be aligned with those principles would be to ban the use of facial recognition technology to identify members of the public by the Port, as well as by the Port’s tenants and contractors….

1. We urge the Port of Seattle Commission to reject participation in, and funding of, CBP’s facial recognition exit and entry programs….

2. We urge the Port of Seattle Commission to prohibit use of facial recognition technology by private entities.

The Port of Seattle should prohibit business tenants such as airlines from integrating with CBP’s Traveler Verification Service (TVS) — the agency’s “Identity as a Service” biometrics system…. When Port tenants integrate with CBP’s TVS architecture, it is impossible to separate “private” or non-federal surveillance from federal government surveillance of travelers. Travelers may think that they are having their photo taken at a self-service kiosk solely for use by the airport or airline. But in reality, that photo will also be shared with DHS and CBP.

The Port, airlines, and contractors should not obscure the role of DHS and CBP by collecting facial images on their behalf. The Privacy Act, as discussed further below, requires that if an individual’s personal information is to be used by a federal agency, it must be collected by that agency directly from that individual. The best way to provide travelers with clear notice that facial images are being passed on to DHS is to require that any such images be collected by identifiable, uniformed DHS staff, using DHS equipment, at DHS’s expense.

The Port meeting also heard from the office of Rep. Pramila Jayapal, who represents the city of Seattle and environs (although not Sea-Tac Airport) in Congress.  Noting the concerns that led her to introduce a bill in Congress that would “place a prohibition on the domestic use of facial recognition technology by federal entities, which can only be lifted with an act of Congress,” Rep. Jayapal suggested that the Port Commission “consider a moratorium on the use of biometrics technology in all Port activities under its purview.”

Read More