Apr 12 2016

What’s at stake in the EU PNR debate?


This week the European Parliament is scheduled to debate (Wednesday) and vote (Thursday) on a resolution (PDF) to approve, with amendments, a proposed compromise on a directive “on the use of Passenger Name Record [PNR] data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.”

What does this mean, why does it matter, and why should this proposal be rejected?

To answer these questions requires understanding (1) what PNRs are, (2) how PNRs and other travel data are already being used by European governments, (3) how this would change if the proposed EU PNR directive is approved, and (4) why and how the provisions in the proposed directive that are supposed to protect individuals’ rights would be ineffective.

Mar 30 2016

How does your bank know your dog’s not a terrorist?

The curious incident of the dog named “Dash” has spotlighted a type of outsourced surveillance and control of our everyday activities that typically operates invisibly but that is much more pervasive than most people in the USA imagine.

We were contacted last week by KTVU News to help explain what happened to Bruce Francis, a disabled San Francisco man whose online request to send a check to pay the person who walks his service dog was refused by Chase Bank. The memo line on the check read, “for Dash”, Dash being the name of Mr. Francis’ dog.

Chase initially accepted the check request. Later, however, the bank told Mr. Francis that it had declined to issue the check, and refused to do so unless and until Mr. Francis provided a satisfactory explanation and/or evidence (satisfactory to Chase, that is) that the check wasn’t intended for an illegal purpose or entity.

Why would a bank refuse to honor a check request? Are bank customers required to justify to our bankers why, or to whom, we want to send our money?

Under U.S. law, the surprising answer is that banks and other financial institutions are required to act as police informers, profiling transactions and reporting customers to a little-known but financially powerful Federal law enforcement agency on mere suspicion of even unwitting violation of an array of Federal laws imposing sanctions on various entities including alleged “drug kingpins”, contributors of “material support” to terrorism (including such seemingly non-material forms of support as legal services, Web sites, and propaganda), and entities associated (in different ways depending on the country) with governments or entire countries disfavored by the U.S., including Cuba and Iran.

Banks (or contractors to which they outsource this work) scan all manner of financial transactions, from debit and credit card payments, electronic funds transfers, and paper checks to automobile and home loan and new-account applications. As with airline reservations, these transactions are scored according to secret profiling algorithms that take into consideration government-supplied and commercial blacklists and watchlists, identity-based transaction histories and other databases, phonetic and other “fuzzy matching” rules, and other rules embodying security, fraud, “pre-crime”, and risk management criteria.

In the case of Mr. Francis’ check request, these robots flagged the name of his dog on the memo line (“for Dash”) as vaguely similar to “Daesh”, one of several English transliterations of a crude phonetic rendering of an Arabic acronym for a name sometimes applied to — although rejected and denounced by — one grouping of the Islamic State in Iraq and Syria (ISIS).
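As an added illustration (not code from the original post or from any bank or vendor), the following Python sketch shows how two common “fuzzy matching” rules, a Soundex phonetic code and an edit-distance similarity ratio, collapse “Dash” and “Daesh” into the same hit, and how refusing to apply phonetic rules to very short tokens removes this class of false positive. The watchlist, thresholds, minimum length and memo text are constructed for the example.

```python
"""Constructed demo of why a memo line reading "for Dash" can trip a
sanctions-screening fuzzy matcher, and one way to tighten the rule."""
import re

# Standard American Soundex groups; vowels, H, W and Y carry no digit.
_SOUNDEX_DIGITS = {
    **dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6",
}

# Constructed stand-in for a blacklist; not an excerpt of any real list.
WATCHLIST = ["Daesh", "ISIS"]


def soundex(word: str) -> str:
    """American Soundex: first letter plus three digits, e.g. "Robert" -> "R163"."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    code = letters[0].upper()
    last = _SOUNDEX_DIGITS.get(letters[0], "")
    for c in letters[1:]:
        if c in "hw":            # H and W are transparent: they do not reset 'last'
            continue
        digit = _SOUNDEX_DIGITS.get(c, "")
        if digit and digit != last:
            code += digit
        last = digit             # a vowel (digit == "") separates repeated codes
    return (code + "000")[:4]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Edit-distance similarity in [0, 1]; 1.0 means identical strings."""
    longest = max(len(a), len(b)) or 1
    return 1.0 - levenshtein(a, b) / longest


def _tokens(text: str) -> list:
    return re.findall(r"[A-Za-z]+", text)


def _fuzzy_match(tok: str, name: str, threshold: float) -> bool:
    return soundex(tok) == soundex(name) or similarity(tok.lower(), name.lower()) >= threshold


def screen_naive(memo: str, watchlist=WATCHLIST, threshold: float = 0.75) -> list:
    """Flag every memo token that phonetically or approximately matches a listed name.
    "Dash" and "Daesh" both code to D200, so "for Dash" is flagged."""
    return [(tok, name) for tok in _tokens(memo) for name in watchlist
            if _fuzzy_match(tok, name, threshold)]


def screen_strict(memo: str, watchlist=WATCHLIST, threshold: float = 0.75,
                  min_fuzzy_len: int = 5) -> list:
    """Same rules, but fuzzy matching is only applied when both strings are long
    enough for a phonetic code to be discriminating; shorter tokens must match a
    listed name exactly. This trims the Dash/Daesh class of false positive; it does
    not remove the need for a human to review anything that is still flagged."""
    hits = []
    for tok in _tokens(memo):
        for name in watchlist:
            if tok.lower() == name.lower():
                hits.append((tok, name, "exact"))
            elif (len(tok) >= min_fuzzy_len and len(name) >= min_fuzzy_len
                  and _fuzzy_match(tok, name, threshold)):
                hits.append((tok, name, "fuzzy"))
    return hits


if __name__ == "__main__":
    memo = "for Dash"   # constructed memo line
    print("soundex:", soundex("Dash"), soundex("Daesh"))
    print("naive :", screen_naive(memo))
    print("strict:", screen_strict(memo))
```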

As Mr. Francis told KTVU, stopping payment of any check identified on the memo line as being “for ISIS” would amount to, “Stopping the world’s stupidest terrorist.”

Is this the way Congress intended Federal sanctions laws to work? Maybe, maybe not. But Chase Bank’s refusal to pay Mr. Francis’ dog-walker because the bank’s robotic profiling algorithm flagged his dog’s name as “suspicious” is typical of how these laws do (or don’t) work in practice.

Federal financial blacklists and requirements for banks to block blacklisted entities and activities are enforced by the Office of Foreign Assets Control (OFAC), a division of the Department of the Treasury that has long been notorious for its heavy-handed practices and lack of transparency or accountability.

Banks are themselves under heavy financial pressure from OFAC to err on the side of refusing to execute “suspicious” transactions, to reverse the presumption of innocence, and to put the burden of proof on the customer — as Chase did with Mr. Francis — to explain who we want to pay, and to justify what we want to do with our money. In 2006, for example, J.P. Morgan Chase — the parent company of Chase Bank — agreed to pay $88 million in civil penalties in a settlement with OFAC for processing electronic funds transfers “directly or indirectly for the benefit”, in whole or in part, of entities on various OFAC blacklists, and for failing to provide “complete information relative to any transaction” about which OFAC requested details. That’s real money, even for a bank as big as Chase.

It’s scarcely surprising, given the potential cost of offending OFAC, that no bank has challenged OFAC’s demands for policing of customers and our activities.

By inducing banks to take these actions, OFAC achieves a more intrusive level of financial surveillance and control than the government would have legal authority to carry out directly, while avoiding transparency (banks’ actions aren’t subject to the Freedom of Information Act or the Privacy Act) or direct accountability, and maintaining a degree of plausible deniability.

If banks’ and other financial institutions’ profiling and payment-blocking practices or demands for customers to explain and justify ourselves are challenged, OFAC can claim that it isn’t responsible for how banks decide which customers, payees, or transactions to block. OFAC just imposes crushing fines on any bank that allows transactions that OFAC determines, after the fact, to have violated any of the complicated, often ambiguous, and sometimes contradictory sanctions laws. The only rational business decision for a for-profit corporation is that the risk of running afoul of OFAC is many times the potential liability for an improperly blocked transaction.

The default becomes, “No”. Once Mr. Francis’ check was “flagged” by automated processing, payment was stopped until a human looked at the check request and manually overrode the “hold” to authorize payment. Automated processing operated not as an “alert” system, but as an interlock with de facto authority delegated to robots to freeze the entire bank account without notice, at any time, on the basis of secret algorithms and datasets.

Like the “no-fly” list and other DHS “watchlists” (blacklists), OFAC’s list of “Specially Designated Nationals” subject to financial sanctions contains common names, ambiguous and imprecise translations and transliterations, and incomplete identifying information about many listed entities. The inevitable result is that innocent people find their everyday financial activities blocked, and constantly face the impossible challenge of proving their innocence and/or proving that they or those with whom they are trying to do business aren’t other unrelated people or entities about which they may know nothing.

While there are statutory criteria for the designation of entities subject to financial sanctions (unlike the no-fly list and related watchlists/blacklists, for which the standards, if any, are officially secret), the laws and regulations imposing these sanctions are complex and confusing. It can be impossible for anyone to determine, in advance, which transactions will provoke OFAC to impose sanctions on the parties making, receiving, and/or processing a payment. You can request an opinion in advance from OFAC as to the legality of a specified action, but it can take a year or more to get an answer, by which time the answer may be moot. Even communicating about possible transactions can be deemed by OFAC to constitute proscribed “facilitation” of sanctions violations.

What happened to Mr. Francis and his unpaid dog-walker is relatively minor. The check was eventually issued after the check request and Mr. Francis’ explanation of his dog’s name was reviewed by a human. But it’s the tip of an iceberg of the larger problem of OFAC overreach and injustice, as described in these 2007 and 2014 reports from the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area. And the problem of OFAC is in turn just part of an even larger pattern of outsourced surveillance, algorithmic profiling, and control by what the ACLU has aptly labeled the “Surveillance-Industrial Complex” of private and commercial actors conscripted by government carrots and sticks.

Feb 25 2016

Why the Judicial Redress Act is worthless

Yesterday President Obama signed the Judicial Redress Act into law. European Union Commissioner for Justice Věra Jourová described the new law as, “a historic achievement [that] will ensure that all EU citizens have the right to enforce data protection rights in U.S. courts…. The entry into force of the Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement.”

Is the Judicial Redress Act really so historic? And will it actually “ensure that all EU citizens have the right to enforce data protection rights in U.S. courts”?

Sadly, no.

Europeans should not be fooled by statements such as those from Commissioner Jourová or her counterparts in other EU institutions. As we know from our own experience in court as US citizens, there are almost no real-world cases in which the Judicial Redress Act will provide any actual protection or enforceable legal rights to citizens or residents of the EU, or anywhere else.

The Judicial Redress Act gives some foreign citizens some of the rights that US citizens currently have, with respect to some of the uses and misuses by the US government of their personal information. But in no case will any foreigner have more rights under the Judicial Redress Act than US citizens have under the Privacy Act.

Serious scrutiny of the terms of the Privacy Act, and of the history of attempts by US citizens to use the Privacy Act to protect themselves against misuse of our personal information by the US government, has been largely absent from the debate about the Judicial Redress Act. But from our experience as parties to one of the key lawsuits attempting to assert Privacy Act claims by US citizens in relation to one of the most controversial categories of personal information being transferred from the EU to the US — passenger name records (PNRs) for international airline flights — we have learned an important lesson that Europeans need to know: the Privacy Act is so limited and riddled with exceptions that it is almost worthless. It is because the Privacy Act is useless, not because the US government follows fair personal information practices in its dragnet surveillance, that there are so few examples of successful litigation against the US government by US citizens under the Privacy Act.

All of the limitations and exceptions that always rendered the “protection” of the Privacy Act inadequate — even for US citizens — will continue to render the protection of the Judicial Redress Act inadequate for foreigners, in all of the same ways, and in additional ones.

What are these exceptions and limitations? In order to make sense out of the Judicial Redress Act, it’s essential to understand the exemptions in the Privacy Act, as courts have interpreted them.

Federal agencies can exempt themselves from almost all of the requirements of the Privacy Act with respect to “investigatory material compiled for law enforcement purposes,” a catch-all category that has been applied to records of dragnet surveillance and other information compiled and used for “pre-crime” profiling, even when the data subjects have never been accused or suspected of any crime. All an agency has to do to opt-out is to publish a notice in the Federal Register that a particular system of records has been declared exempt by the agency that maintains the records. An agency can wait to promulgate such a notice until after it receives a request for access to records, a request for an accounting of disclosures, or a request for correction of records.


Feb 23 2016

US border guards have root access to all Amtrak domestic reservations

The latest installment in Amtrak’s response to one of our FOIA requests confirms our suspicion that Amtrak has given US Customs and Border Protection (CBP) access to all Amtrak reservations including those for purely domestic passengers and trains — but in an additional and harder-to-track manner than we had previously been aware of.

In October 2014, we asked Amtrak for its records related to data-sharing and other collaboration with the Department of Homeland Security (DHS) and other US and foreign law enforcement agencies. Amtrak is still in the process of searching for and censoring responsive records, more than a year after the legal deadline for its full response. In the meantime, however, Amtrak has been providing intermittent “interim” responses, which we’ve been analyzing and reporting on as we receive them. Because Amtrak is a Federal government entity subject to FOIA, unlike commercial airlines or bus lines, we’ve been able to find out much more about Amtrak collaboration with DHS and other law enforcement agencies than about the parallel practices of private transportation carriers.

We’ve learned that Amtrak’s own police — who are commissioned by individual states, but have unusual multi-state jurisdiction — have root access to Amtrak’s “ARROW” computerized reservation system, and even a special “Police GUI” (graphical user interface) to mine passenger reservations for police purposes.

We’ve also learned about Amtrak’s transmission to DHS of information about all passengers on Amtrak trains that cross the US-Canada border.

What we didn’t know, until the latest interim release of Amtrak documents this month, was whether DHS or any other Federal police agency also has access to complete reservation details for the much larger number of passengers on domestic Amtrak trains within the US.

Now we know: Agents of US Customs and Border Protection (CBP) have the same access to all Amtrak reservations as Amtrak onboard train conductors, in such a way that their access evades ever being logged or associated with CBP, but appears to Arrow and Amtrak as though it was carried out by Amtrak staff.

It works like this:


Feb 02 2016

Congress votes to stigmatize and surveil the travel of second-class US citizens

Can second-class US citizens be required to carry second-class US passports with a conspicuous stigmatizing “scarlet letter” label? Congress has now said yes.

Do DHS pre-cogs have the omniscience and infallibility of angels at predicting and protecting the US and the world against future crimes? Congress has now said yes.

Yesterday Congress completed its approval of a bill which, assuming it is signed into law by the President, will stigmatize and surveil the international movements of certain US citizens by (1) requiring the State Department to mark their passports with a modern equivalent of an “A for Adulterer” or “J for Jew” (a “visual designation affixed to a conspicuous location on the passport indicating” their status), (2) requiring these individuals to notify the government, in advance, of any intended travel outside the US, including their complete itinerary and any details of their planned movements demanded by the Attorney General, and (3) creating a new pre-crime travel surveillance and policing agency within the DHS to track, log, and alert foreign governments to the intended movements of these travelers.

The bill, H.R. 515, obtained final approval yesterday in the House of Representatives by voice vote, with no real debate and only a handful of members present, under procedures allowing for suspension of normal Congressional rules. [The bill had already been approved by the Senate in December.] But in previous statements about the bill and its predecessors, which Congress has been considering for years, members of Congress have made clear their hope that the combined effect of stigmatized passports, deliberately burdensome reporting requirements, and advance notice to foreign governments from the US government (carrying with it an implicit message that the US wants those foreign governments to deny entry to these US citizens) will effectively prevent these US citizens from traveling abroad at all, and confine them within the borders of the USA.

In an astonishing Orwellianism — but one that perfectly describes the fallacy of the vision embodied in the law — Congress has named the new pre-crime travel policing unit within the DHS the “Angel Watch Center”, claiming for the DHS the omniscient and infallible divine predictive ability of angels to watch over us and protect us from the people they think, or “know” by means that mortals cannot question, are going to commit future crimes.


Jan 08 2016

The REAL-ID Act is about the database

At yesterday’s first meeting of a new Minnesota “Legislative Working Group on REAL-ID Compliance”, state lawmakers’ concerns centered on (1) whether residents showing state-issued IDs will be prevented from boarding domestic flights, or harassed and delayed by the TSA, if the state doesn’t agree to “comply” with the REAL-ID Act to the satisfaction of the DHS, and (2) what compliance with the REAL-ID Act would mean for the state’s database of information about people with Minnesota drivers’ licenses or state ID cards.

The DHS has been trying to mislead state officials and the public about both these issues. Understanding both, and separating fact from DHS fiction and innuendo, is key to understanding the REAL-ID Act.

A report from a legislative analyst with the legislature’s research department distributed at yesterday’s meeting asserts that, “At some unspecified point in time (which could be in 2016), a REAL ID-compliant form of documentation will become required to fly in scheduled airline service.” But — oddly for a purported legislative analysis or research report — no authority is cited for this alleged legal “requirement”.

In fact, as we testified yesterday and as we have confirmed through more than a decade of litigation, research, and FOIA requests, this key claim — the threat being used by the DHS to induce reluctant states to accede to DHS requests for “compliance” — has no basis in any publicly-disclosed law or regulation.

People fly without ID every day, and the TSA has procedures for that, as we’ve heard them testify in court. People without ID may be (unlawfully) harassed and delayed at TSA checkpoints and airline check-in counters, but the TSA’s responses to our FOIA requests for its daily reports on how many people try to fly without ID show that almost all of these people are allowed to fly. And those few people who are prevented by the TSA from traveling by air, like the larger numbers who are harassed or delayed by the TSA merely because they don’t show ID or answer other questions, likely have cause for legal action against the TSA. They deserve the support of the states where they reside.

If you lose your wallet and find out the next day that your mother is dying 2,000 miles away, as happened to a friend of ours in St. Paul just before Christmas, you don’t have time to get your driver’s license replaced or take a bus across the country. You need to get on a plane right away, without ID. That’s what our friend did, and fortunately she got there in time. The TSA isn’t going to try to stop you from seeing your mother before she dies. That’s not a case the TSA wants to take to court, or would be likely to win.

But what’s this other question about the database?

To meet the requirements of the REAL-ID Act, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State,” including, “all data fields printed on drivers’ licenses and identification cards issued by the State.” In effect, this would allow state databases to function as part of a distributed but national ID database system.

The DHS has picked out only a subset of the statutory requirements in the REAL-ID Act to consider in deciding whether to exercise its statutorily standardless discretion to certify whether states are making progress toward compliance or to grant them discretionary waivers of “deadlines” which have been set by the DHS in its discretion, and can be and have been repeatedly postponed in the exercise of that same discretion.

The initial DHS-selected criteria don’t include the requirement in the law for nationwide access by state agencies to other states’ drivers’ license and ID databases. DHS undoubtedly knows that this is one of the most objectionable, and potentially one of the most difficult and costly to implement, of the elements of state “compliance” with the REAL-ID Act, and has tried to downplay or deny the plain language in the law requiring unrestricted interstate access to drivers’ license databases. Including full interstate database access in its “compliance” criteria also would probably compel DHS, if it was to be honest, to concede that no state has yet fully complied with the REAL-ID Act.

But state officials shouldn’t be fooled: A state that agrees to “comply” with the REAL-ID Act is agreeing to comply with all of its provisions, including the database access mandate, not just the less objectionable portions that the DHS has decided to focus on first.

Once a state agrees to comply, it no longer has any leverage to move Congress to change those requirements. The only power a state has to exert pressure for change in the REAL-ID Act requirements, or their repeal, is to withhold state agreement to comply until those requirements are amended to its satisfaction, repealed, or overturned by the courts as unconstitutional.


Dec 15 2015

No Social Security number? No passport. Why?

When we reported last week on the passport provisions in the new “Fixing America’s Surface Transportation Act”, we focused on the details of the rules for denial or revocation of US passports of citizens alleged to owe more than $50,000 in Federal taxes.

We should, perhaps, have put more emphasis on the other new basis we mentioned for the denial of a passport application: failure to provide a valid Social Security account number on the passport application form. This could affect more people than the linkage of passports to taxes.

While the shorthand title on our blog post referred to people who “don’t have” a Social Security number, the same fate could befall anyone who chooses not to disclose their Social Security number. The new law would authorize but not require the Secretary of State — at her standardless “discretion” — to deny any passport application that doesn’t contain a valid Social Security number.

There are probably more US citizens who don’t have a Social Security number than who owe more than $50,000 in taxes. And there are good reasons for even those citizens who do have a Social Security number not to want to disclose it to the State Department and to all the other government agencies (including the DHS) with which it shares passport data.

Federal law and IRS regulations already imposed a $500 civil penalty for applying for a passport without providing a Social Security number. This was a high price to pay for freedom from travel dataveillance based on Social Security number. But it wasn’t always enforced (more “discretion”), and it was not a basis for denial of a passport. Now it is.

Why would someone who has a Social Security number not want to give it to the State Department? The answer is obvious once you reverse the question: Why does the State Department want to record the Social Security number of each passport holder? And how do the State Department, and the other agencies with which it shares this data, plan to use it?

There’s a separate legal requirement and required form, which includes the passport number, for reporting any international transportation of $10,000 or more in cash or “monetary instruments”, either as accompanied baggage or in an unaccompanied shipment. So the State Department doesn’t need Social Security numbers in passport files to know whether large sums of money are being taken in or out of the country by the holder of a particular passport.

The new law doesn’t just require that you show that you have a valid Social Security number before you can receive or renew your passport. You must provide your Social Security number to the State Department, so that it can be entered into the passport records database.

Nor is your Social Security number used only to check with the IRS whether you are suspected of owing back taxes. The principal routine users of this data outside the State Department are the DHS, “for border patrol, screening, and security purposes.” Screening is, of course, a euphemism for algorithmic profiling and profile-based search and control.

In other words, the real point of requiring each US passport applicant to supply their Social Security number is to enable all the financial records linked to that Social Security number to be combined with the travel records linked to the passport number in the DHS “Automated Targeting System” and included in the inputs to the pre-crime “black box” that decides whether to give airlines and other common carriers permission to transport each US citizen, and how intrusively to search and/or interrogate each US citizen who is allowed to travel.

DHS Automated Targeting System records include many identifiers and pointers that can be used to link them to other databases: timestamped IP addresses, cellphone numbers, passport numbers, credit card numbers, names of emergency contacts and traveling companions, etc. But they haven’t yet contained Social Security numbers, so far as we know. Now they will, or will be linked to a related database that does.

Government records indexed by Social Security number aren’t just tax records, but records of your worldwide assets and financial affairs. Records identified by Social Security Number (but not passport number, so they would otherwise be at least somewhat more difficult for DHS to use for this profiling), include not only US bank accounts but also foreign bank accounts (reported by Social Security number on the required annual FBAR form) and other foreign “financial assets” (a partially overlapping category) required to be reported each year on IRS Form 8938.

None of this has anything to do with citizenship, which should be the sole criterion of entitlement (not merely “eligibility” at the government’s “discretion”) to a US passport.

Dec 11 2015

More pre-crime profiling of visitors to the US?

President Obama’s televised speech last Sunday included a smorgasbord of proposals (and endorsements for proposals already made by members of Congress) for more control and surveillance of travel.

We’ll look first at the proposals for restrictions on travel by foreign visitors to the US, followed in our next post by some of those that would affect US citizens.

According to the President:

We should put in place stronger screening for those who come to America without a visa so that we can take a hard look at whether they’ve traveled to warzones. And we’re working with members of both parties in Congress to do exactly that.

What does “stronger screening” mean? And what’s a “warzone” [sic] when on the one hand there has been no declaration of war against anyone, anywhere, and on the other hand the government apparently believes that it has the authority to treat the entire planet as a battlefield on which to wage its “War on Terror”?

To understand what the President really means, let’s look at the proposed legislation. The President appears to have been referring to H.R.158, the so-called “Visa Waiver Program Improvement Act of 2015”, which passed the House this week and is pending in the Senate.

The “Visa Waiver Program” (VWP) is a scheme under which citizens of certain preferred countries are given US government permission through the “Electronic System for Travel Authorization” (ESTA) to board flights to the US — provided that they agree in advance that when they arrive in the US, they can be denied admission for any or no reason, that they will not contest any denial of admission, and that they will bear their own costs of deportation if they aren’t admitted.

This isn’t based on reciprocity. Citizens of all other second-class countries must obtain paper visas, which require a much higher fee and an in-person interview at a US Embassy or Consulate, even for short visits as tourists or to change planes in the US in transit between e.g. Europe or Asia and Latin America.

Most of the countries that the US “allows” to participate in the VWP allow US citizens to enter as tourists, and sometimes for other purposes, without obtaining any permission or submitting any information to the destination government prior to their arrival.

An ESTA walks like a visa and quacks like a visa, except that it is issued electronically rather than stamped in a passport. To obtain an ESTA, a would-be foreign visitor must apply through a cumbersome CBP Web site, providing a variety of personal information to enable the application to be matched with the applicant’s “travel history” and other secret data in the CBP’s Automated Targeting System (the information required on the ESTA application was just increased last month) and pay a fee with a credit card so that the application can also be matched with any US government records about the applicant’s finances.

The travel industry reportedly wants the current euphemistic name of this program changed to the more Orwellian, “Secure Travel Partnership”, which gives a pretty accurate indication of the industry’s willingness to partner with governments in surveillance and control of travelers, as long as doing so doesn’t cost the industry money.

Any foreign citizen who “intends” to enter the US under the VWP is required to obtain an ESTA before CBP will give an airline permission to issue a boarding pass for a flight to the US.

After operating the VWP/ESTA scheme for seven years under an “interim” rule, the DHS finalized the VWP/ESTA regulations and made them permanent earlier this year, dismissing our objections that the rules are unconstitutional, violate US obligations under international human rights treaties, and exceed the authority of CBP or the DHS.

How would any of this change if the bill endorsed by the President, H.R.158, becomes law?

Aside from reporting requirements, the only substantive change that would be made by the House bill would be to require that the secret pre-crime prediction algorithm incorporated into the ESTA approval/denial decision-making black box must consider “terrorism risk” in addition to, as is already required, “security risk”. We have no idea what this means. What sort of “terrorism risk” wouldn’t also constitute a “security risk”? But we can only assume that the proponents of this bill, including the President, want more secret rules added to the algorithm, to keep away even more visitors.

The White House has also talked about denying ESTA approvals and entry under the VWP on the basis of which other countries travelers have previously visited. A European citizen who has visited friends or family in Syria, for example, might find themselves barred from the US for the next five years unless they go through the drawn-out and expensive process of applying for a full US visa. A provision to this effect is part of both the Democratic (S. 2337) and Republican (S. 2362) versions of Visa Waiver Program bills pending in the Senate, but wasn’t included in the version approved by the House.

Nov 09 2015

Accurint exposed as data broker behind TSA “ID verification”

The most recent documents released in response to one of our Freedom of Information Act (FOIA) requests may have identified the data broker powering the TSA’s “ID verification” system as Accurint — the current incarnation of a component of the discredited and supposedly disbanded Total Information Awareness program — rather than Acxiom as we had speculated (and as had powered other TSA passenger-profiling schemes).

We found this clue to the company behind the curtain in the daily reports on the operation of the TSA Identity Verification Call Center (IVCC) that gets the call whenever someone tries to fly without having, or without being willing to show, government-issued ID satisfactory to the TSA or contractor staff at an airport checkpoint:

Over the past 48 hours the IVCC experienced on-going internet connectivity issues that caused IVCC operations to be disconnected from Accurint and WebEOC databases…. The interrupted service resulted in extended call times when either database conductivity was abruptly discontinued or unavailable. At approximately 1430, TSOC IT contacted the Accurint Customer Support who indicated the issue was internal to Accurint. At approximately 1615, service appeared to be restored. At 1900, the connectivity issue resurfaced but with limited impact to operations. The TSOC Network Engineer is monitoring the Accurint situation and EMOC Security is working to identify and resolve those issues separate to Accurint.

This report strongly suggests that it’s Accurint that provides the database and “verification” algorithms used by the IVCC, the TSA, and TSA contractors to decide who to allow to fly, and who not to allow to fly. There’s no other apparent reason why the IVCC would need connectivity to Accurint, or why an outage in IVCC connectivity to Accurint would be significant.

Who are these guys? It’s a shell game of acronyms, acquisitions, and corporate restructuring.

Accurint is a service of the LexisNexis brand of the UK-incorporated RELX Group plc, which until June 2015 was named Reed Elsevier. The aggregated “garbage in, garbage out” database and pre-crime profiling algorithms used by Accurint for “ID verification” were developed by a company called Seisint, under contracts (brokered in part by Rudy Giuliani’s influence-peddling consultancy) to the DHS and Department of Justice, for the MATRIX (Multistate Anti-Terrorism Information Exchange) component of Total Information Awareness (TIA).

In the midst of public controversy over MATRIX, TIA, and other aspects of Seisint and its operations, Seisint was acquired by Reed Elsevier for $775 million in 2004. Seisint’s Accurint service was folded into LexisNexis, part of what is now RELX Group plc.

“Matrix reloaded”?

Here’s what Megan Kaushik of the Brennan Center for Justice found when she tried to find out what’s in Accurint’s files about herself:

After an exhaustive search, I ultimately received records from … LexisNexis’s Accurint…. The report[] listed every phone number and address I had ever been associated with, from my college mailbox to the relative’s home where I’d forwarded mail while abroad. Accurint listed the apartment I rented while interning in DC, along with the names and phone numbers of its current occupants. It even provided the sale price and mortgage on each home I’d lived in.

Surprisingly, much of the information was also inaccurate….

Accurint listed someone named Florinda as “Associated with Subject’s SSN” though it assured me this “doesn’t usually indicate fraud.”

Obtaining my data … was difficult. Amending incorrect information was impossible. Unlike Canada or the UK where data brokers must allow individuals to access and amend their data, American law lacks such requirements. Accurint’s report stated it “may not contain all personally identifiable information in our databases” and they “do not verify data, nor is it possible to change incorrect data.”

In addition, “LexisNexis does not suppress personal information from databases used by law enforcement customers,” regardless of whether LexisNexis knows it to be inaccurate or misleading. As we said earlier, “garbage in, garbage out”. All the garbage, no matter how much it stinks.

Since its latest corporate restructuring in June 2015, Accurint has been operated by a UK corporation, RELX Group plc. Stock in RELX Group plc is owned partly by a UK-based and partly by a Netherlands-based parent corporation. But there’s no US-incorporated subsidiary to shield RELX Group plc, as a UK corporation, from its obligation to comply with UK law in its worldwide operations, whether in the US or anywhere else.

Many of Accurint’s policies and practices with respect to its services for the TSA and other law enforcement agencies appear to violate both the LexisNexis privacy policy and, more importantly, the obligations of RELX Group plc pursuant to UK and European Union data protection law. The governing factor under UK and EU law appears to be that the data controller for Accurint, RELX Group plc, is legally domiciled in the UK.

It doesn’t help rescue RELX Group plc from liability under UK and EU law that it has relied on self-certification that it complies with the “safe harbor” framework, which has now been ruled legally inadequate, as the basis for transferring personal data to entities in the US such as the TSA.

Accurint also integrates social media data from “Twitter, Tumblr, Disqus, Foursquare, WordPress, Instagram, Facebook, Google+, YouTube and more,” monitored and mined by Digital Stakeout, Inc. This confirms what we have long feared: that (privatized but government-funded) surveillance of social media and other Internet activity is being used as one of the inputs to the black box that decides whether to allow us to exercise our rights. As we said five years ago in conjunction with the first “Social Network Users’ Bill of Rights”:

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to know the “correct” answer. And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

We’ll be posting more details and statistics as the TSA releases more of its records about what happens to people who try to fly without ID. But the records we’ve received to date show that people are already being prevented from traveling by air, despite having valid tickets on common carrier airlines, because the private data broker(s) consulted by the TSA don’t have enough data to profile them, or because their answers don’t correspond to the garbage in the aggregators’ data warehouses about things such as who Accurint thinks they live with or who Accurint thinks their neighbors are.

Oct 29 2015

Can the US be a “safe harbor” for travel surveillance?

At its plenary session today in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”.

As part of that resolution, the European Parliament, “Calls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”

We’re pleased, of course, to see such a democratically and popularly elected body as the European Parliament coming to Mr. Snowden’s defense and joining the calls for recognition of his claim for asylum. But while the Snowden clause is getting most of the attention, it’s not all that’s included in today’s Europarl resolution.

The resolution adopted today by the European Parliament discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr. Snowden has helped to expose. Notably, the resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

We have long argued, and we suspect Mr. Snowden would agree, that warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to PNRs stored in airlines’ Computerized Reservation Systems, warrantless, suspicionless dragnet collection of metadata about the movements of money through government access to electronic funds transfer intermediaries like SWIFT, and warrantless, suspicionless dragnet collection of metadata about the movements of messages through government root access to telecom and Internet backbone networks are all part of the same overarching surveillance program that raises issues common to all of these types of movement metadata. That point of view is implicitly endorsed by today’s Europarl resolution.

Today’s action by the European Parliament was prompted in part by the decision earlier this month by the European Court of Justice (sometimes abbreviated “ECJ”, sometimes “CJEU”) in Schrems v. Facebook. In that case, an Austrian user of Facebook, Max Schrems, asked the data protection authority in Ireland, where Facebook’s European subsidiary is based, to prohibit the transfer of personal data about him to Facebook servers in the USA where it would be subject to uncontrolled and secret access by the NSA and possibly by other US government agencies. The Irish authorities refused to investigate Facebook’s practices and dismissed Mr. Schrems’ complaint on the grounds that the European Commission had already determined that the so-called “Safe Harbor framework” for self-regulation assured adequate protection for personal data transferred from the EU to the US by participating companies.

The ECJ found that, “without there being any need to examine the content of the safe harbour principles,” the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” of Fundamental Rights and Freedoms of the European Union.

Too bad that US courts haven’t yet recognized, as of course they should, that these US laws and government practices also violate fundamental rights guaranteed by the US Constitution.

The European Commission has previously brushed off questions — including questions from Members of the European Parliament and in a more recent expert report commissioned by the Council of Europe — about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs.

Now, however, the European Commission and European DPAs have an explicit mandate to investigate complaints like that of Mr. Schrems against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved today that it:

Urges the Commission to assess the legal impact and implications of the Court of Justice ruling of 6 October 2015 in the Schrems case (C-362/14) vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, passenger name record (PNR) agreements, the EU-US umbrella agreement and other instruments under EU law which involve the collection and processing of personal data.

What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalize a panopticon of travel dataveillance as a new norm?