Oct 17 2014

“Travelers, say bon voyage to privacy”

We talked at length with Watchdog investigative reporter Dave Lieber for his column in today’s Dallas Morning News: Travelers, say bon voyage to privacy.

Lieber hits the nail on the head by calling out how few travelers realize that the U.S. government is keeping a permanent file of complete mirror copies of their reservations:

Did you know that when you buy an airline ticket and make other travel reservations, the government keeps a record of the details?

If airlines don’t comply, they can’t fly in the U.S., explains Ed Hasbrouck, a privacy expert with the Identity Project who has studied the records for years and is considered the nation’s top expert.

Before each trip, the system creates a travel score for you…. Before an airline can issue you a boarding pass, the system must approve your passage, Hasbrouck explains….

The idea behind extensive use of PNRs [Passenger Name Records], he says, is not necessarily to watch known suspects but to find new ones.

Want to appeal? “It’s a secret administrative process based on the score you don’t know, based on files you haven’t seen,” Hasbrouck says….

Hasbrouck says: “You can’t keep files on everybody in case you want some dirt on them. That’s what J. Edgar Hoover did. We’ve been through this before in this country. Think of all the ways those files targeted innocent people and were misused. People’s lives were destroyed on the basis of unfounded allegations.

“Do we want to go back to that?”

For those whose curiosity has been piqued, here are links to more about this issue:

The FAQ, What’s in a Passenger Name Record (PNR)?, includes links to examples of PNR data, templates to request your travel history and PNR files from DHS, and information about our lawsuit against DHS to try to find out what files it has about us and how it has used and “shared” them.

Requirements for airlines to send passenger data to the government, and receive individualized (per-passenger, per-flight) permission from the government before issuing a boarding pass, are contained in two separate sets of DHS regulations: Secure Flight for domestic flights and the Advance Passenger Information System (APIS) for international flights. (More about the APIS regulations.)

The system of “pre-crime” profiling and assigning scores to all air travelers was discussed in recent government audit reports and at a Congressional hearing last month, and in a front-page story in the New York Times, in which we were quoted, last year.

There’s a good overview of the government’s travel surveillance and control process in a talk by Edward Hasbrouck of the Identity Project that was broadcast on C-SPAN</a> last year. The slides from that talk include diagrams of the system and examples of PNR data and other government files about travelers.

Oct 16 2014

“Jetsetting Terrorist” confirms DHS use of NSA intercepts

We’ve been reading the Jetsetting Terrorist blog (highlighted last week by Boing Boing) to see what we can learn from the anonymous author’s chronicles of his experiences traveling on commercial airlines, within the U.S. and internationally, after being convicted of a nonviolent misdemeanor criminal offense the U.S. has since defined as “terrorism”:

Since 2009, I’ve been on the TSA’s “terrorist watch list” [because] years ago I was convicted of an activist-related property crime.  The government deemed it “terrorism.” My “weapon of mass destruction” was a small tool purchased at a hardware store for under $30. My crime resulted in a loss of profits to several businesses. No one was injured. And it wasn’t even a felony.

Some of what the Jetsetting Terrorist describes is unsurprising, such as the inconsistency and unpredictable of the TSA’s “There are no rules” operational practices (a/k/a, “We make up the rules as we go along”, or “The rules are whatever we say they are today”). Or the confusion of TSA and airport checkpoint contractor staff, accustomed to carrying out crude profiling on the basis of race, religion, and national origin, when they receive instructions to treat a white-skinned hipster techie U.S. native like the Jetsetting Terrorist as a second-class citizen.  We’ve heard many accounts like these from other travelers about the TSA’s real-world Standard Operating Procedures, as distinct from those contained in the secret written manuals for TSA staff and contractors.

Beyond that, several things stand out from our reading of the Jetsetting Terrorist blog:

  1. Anyone could be subjected to the same treatment as the “Jetsetting Terrorist”. Millions of people in the U.S. have been convicted, at some point in their lives, of some nonviolent property crime or other nonviolent misdemeanor.  There are no limits to what crimes the government can retroactively define as “terrorism”, and courts have enforced few constraints on what additional burdens, restrictions, and prohibitions can retroactively be imposed — by law or by extrajudicial administrative fiat — on anyone who has ever in their life been convicted of any crime.  Once someone has a criminal record, they are considered to “deserve” whatever they later get when additional administrative infirmities are later piled on to their long-ago-completed judicially-imposed sentence.  And it’s not just people convicted of crimes later defined as “terrorism”. Where will it end? “First they came for the terrorists.  Then they came for the drug dealers…. Then they came for you and me.”
  2. So-called “watchlists” are really blacklists. The word “watchlist” is an Orwellian euphemism which the government uses to minimize its infringement of the rights of people on these lists. Properly speaking, a “watchlist” implies a list used to target surveillance, and the consequences of being on a “watchlist” are limited to being watched, i.e. surveilled. A bad thing, but very difference from the consequences of being on a blacklist, on the basis of which the government actively interferes with one’s movements, lays hands on one’s body (calling genital groping by another minimizing euphemism, “patdown”), and rips open one’s luggage to paw through one’s possessions.
  3. DHS pre-crime profiling is not binary, and can lead to many levels of consequences. Most travelers  naively assume that unless you are “on the no-fly list”, there are only three levels of pre-crime “risk scores” and consequent levels of intrusiveness of DHS action against you at airports: the TSA Pre-Check line, the “normal” (in the post-9/11 sense of “normal”) screening line, and the “secondary screening” line for those “selectees” who get “SSSS” printed on their boarding passes. But as the experiences reported by the Jetsetting Terrorist remind us, not all “selecteees” are selected for like treatment.  As was made public in a government filing in the first no-fly trial last year, each entry on the “selectee” list is assigned a numeric “handling code”. The range of handling codes and their meanings remains secret, but while some “selectees” merely get the full monty (“enhanced patdown”), others like the Jetsetting Terrorist are prevented from proceeding through TSA checkpoints until the checkpoint staff phone the FBI to report their itinerary and get permission for them to travel. In the case of the Jetsetting Terrorist, everyone on the same plane is subjected to an additional guilt-by-proximity ID document check and luggage inspection at the gate, at the entrance to the jetway.
  4. DHS components are among the “customers” for NSA electronic surveillance. On a recent international trip, the Jetsetting Terrorist spent time, while he was abroad, with a friend from the US: “My friend went back one day before me. We didn’t arrive together. We didn’t leave together. We don’t live anywhere near each other. Separate itineraries, everything. But a few hours before I was to leave for the airport, I get an email. Customs got her. Details were sparse, but she said they’d detained her for over an hour, asked her a thousand questions, took her computer in the back room, and asked her about me. A lot about me.  What’s most interesting: Somehow, they knew we were traveling together. This could not be gleaned from airline records. In fact, it could only have been learned of from electronic surveillance.”  Assuming these facts are accurately reported, we agree. (The Jetsetting Terrorist blog is anonymous and unverifiable. But we have no reason to doubt its legitimacy.)  This isn’t the first report of DHS employees questioning a US citizen about information that could only have been obtained from surveillance of electronic communications: that’s part of the basis for an ongoing  lawsuit in federal court in Indiana.  We continue to believe, as we said when  we reported on that case earlier this year, that it’s more likely that the DHS is one of, and possibly the most frequent, “customer” and user of information obtained from the illegal NSA electronic communications dragnet than that the DHS is running its own parallel illegal surveillance scheme on the same scale.

The Jetsetting Terrorist is looking for help finding a way to film and/or record his interactions with the TSA, in spite of being separate from his belongings while he is being searched and interrogated.  Since he plans to distribute these recordings publicly, they would be protected from search (as would his other work product documents and data) by the federal Privacy Protection Act, 42 USC 2000aa.  Most journalists aren’t aware of this law.  But it has important implications at airports, and protects anyone with an intent to distribute information publicly — not just full-time professional journalists.

Sep 30 2014

Argentina takes lead in Latin American air travel surveillance

Argentina has promulgated regulations which will require operators of all flights in or out of the country to send copies of both Advance Passenger Information (API) and Passenger Name Record (PNR) data for each passenger and crew member to the government before any flight departs.

The new regulations are to be fully implemented within six months, and apply to all international flights including charters and general aviation as well as airlines.

This may seem surprising. Argentines remember the Dirty War and the ways that government dossiers about individuals were compiled and misused by the dictatorship. Argentina has been considered one of the leaders among Latin American governments in enacting legal protection for personal data. Argentina was the first country in Latin America to be certified by the European Union as providing adequate protection for personal data.  But things can be different in practice than in theory.

The excuses offered by Argentine officials for this ratcheting-up of travel surveillance are typically examples of (1) laundering of travel surveillance and control policies through international organizations and (2) use of “because terrorism and drugs”  as a pretext for measures actually intended and used for general law enforcement, tax collection, other government revenue generation, etc.

According to the regional English-language Latin American Herald Tribune:

Cabinet chief Jorge Capitanich and Tourism Minister Enrique Meyer on Friday rebuffed criticisms of a rule obliging airline operators to answer a questionnaire of 32 queries about passengers on international flights, ranging from their identity to their seating preferences to how many suitcases they carry.

Capitanich … said the questionnaire does not constitute an additional control on passengers.

“The requisites for trips abroad now are no different from what they were before – the database has simply been unified to comply with international regulations,” he said during his daily press conference.

The tourism minister also said that, … “In fact, the passenger has no say in this matter, they’re measures that the International Civil Aviation Organization is requiring of all countries,” he told Argentine radio.

In fact, no “international regulations” require the collection, retention, or provision to governments of any of this data — only rules of specific countries such as the USA and now Argentina.  The ICAO white paper on transfers of PNR data to governments, Document 9944, is explicitly a set of nonbinding “guidelines” suggesting how PNR transfers should be carried out, if they are required by specific countries.

And according to Argentina’s English-language newspaper of record, the Buenos Aires Herald:

The government said that the information will be used in the fight against “drug trafficking, international terrorism, human trafficking and illegal migration.”

Other observers immediately suggested that the real purpose of the new regulations is to control the outflow of hard currency prompted by the growing disparity between the official and black-market exchange rates of the Argentine peso, along with fears of further devaluation, another currency freeze, or more bank failures.

By taking a conspicuous leading role in adopting travel surveillance and control measures that the US has been trying to globalize (with little success until now, particularly in Latin America) as part of the “war on terror”, and labeling them as “counter-terrorist” measures, Argentina may be hoping to curry favor with the US and perhaps gain diplomatic capital that Argentina can use in negotiations with the US regarding Argentina’s default on its sovereign debt.

Sep 26 2014

What happens if you fit the DHS profile even though you aren’t a threat?

In a self-assessment published this week by the DHS on the integration of DHS programs for surveillance, profiling, and control of airline passengers (the TSA’s Secure Flight for domestic flights and the CBP’s Automated Targeting System for international flights), the DHS says it is reducing to 15 years the length of time for which DHS will retain logs of people who were singled out for special treatment as “matches” on the basis of (secret) DHS profiling algorithms, but who were “ultimately determined not to be a threat.”

The DHS will still keep its TECS log entries for the trip itself, and will be able to retrieve a new copy of your PNR (airline reservation record) from the airline or CRS (database hosting company) at any time, even if DHS has deleted its previous mirror copy or copies.  But the DHS will purge its record of having wrongly flagged you as a suspect if you’ve stayed out of trouble for the subsequent 15 years:

Records created about an individual associated with a confirmed or possible match to a watchlist that require additional analysis in the ATS case management module ATS-Targeting Framework (TF) will be retained for 15 and seven years respectively in ATS if the individual is ultimately determined not to be a threat. However, COP information maintained only in ATS that is linked to a specific case or investigation will remain accessible for the life of the law enforcement matter to support that activity and other enforcement activities that may become related. In addition, CBP may include information in TECS on individuals who may need additional scrutiny.

The DHS privacy impact self-assessment confirms that the DHS has shifted from blacklist/whitelist matching to real-time profiling and scoring as its methodology for making fly/no-fly and “intrusiveness of search” decisions.  The self-assessment also makes explicit that the reason for long-term retention by DHS of mirror copies of the commercial airline records is to enable subsequent pre-crime data mining:

It is over the course of time and multiple visits that a potential risk becomes clear. Travel records (including historical records), are essential to assist CBP officers with their risk-based assessments of travel indicators and identifying potential links between known and previously unidentified terrorist facilitators. Analyzing these records for these purposes allows CBP to effectively identify suspect travel patterns and irregularities.

Aug 27 2014

“I don’t want a unitary, unfakeable identity.”

Dan Geer’s keynote speech at the Blackhat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:

Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified.  No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative?  If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control.  If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…

The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.”  If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government?  Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions?  Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…

I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one.  I want to choose whether to misrepresent myself.  I may rarely use that, but it is my right to do so.  If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough.  Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….

There’s more: video, transcript.

Mr. Geer’s comments help answer one of the questions we are most frequently asked: What’s Wrong With Showing ID?

Read More

Aug 22 2014

Passenger tracking = “Happy Flow” at Aruba Airport

(Vendor's vision of "Happy Flow". Click image for larger version.) [Vendor’s vision of “Happy Flow”. Click image for larger version.]

Later this year, passengers traveling on KLM Royal Dutch Airlines between Aruba and Amsterdam will begin to be subjected to what airlines, airports, governments, and their vendors and suppliers envision as the “passenger experience” of the future: an integrated biometric panopticon in which travelers are identified and tracked  at each stage of their passage through the airport by surveillance cameras and automated facial recognition.

KLM's vision of "Happy Flow". Click image for larger version. [KLM’s vision for “Happy Flow”. Click image for larger version.]

The vendor and the airline call this touchless total tracking, “Happy Flow”.  We call it Orwell’s airport.

Travelers won’t have to identify themselves: They will be identified in spite of themselves. Travelers won’t have to worry about whether they are dealing with, or providing information to, the airline or the airport or a government agency or a third party: Biometric identifiers and surveillance data will be seamlessly shared for multiple purposes between the airline, the airport operator, government agencies, and their contractors.

Aruba is part of the Kingdom of the Netherlands, and the Aruba Airport (IATA code AUA) is managed by the company that operates Amsterdam’s Schiphol Airport.  That creates unusual opportunities for collaboration between the airline, both airports, and government agencies concerned with flights between AUA and AMS.

The system is scheduled to go live by the end of 2014, according to recent conference presentations and press releases. But nothing has been made public by any of the partners in the joint venture (KLM, the operator of the Aruba and Amsterdam airports, the government of the Netherlands, and their contractors) regarding the data to be collected about travelers’ movements or any technical measures or policies controlling biometric, identification, or movement data storage, transmission, access, or retention.

Don’t worry. Be happy!

Aug 21 2014

FOIA appeals reveal problems with PNR data

We’ve noticed a disturbing pattern in how the DHS, and specifically US Customs and Border Protection (CBP), has responded to people who have asked the DHS for its files about themselves.

Eventually — typically months later than the statutory deadline for responding to a FOIA request — CBP has sent the requester a file of information about their international travel, including a log of entries, exits, and borders crossings.

But even when the requester has explicitly asked for the Passenger Name Record (PNR) data that CBP has obtained from their airline reservations, or has asked CBP for “all” its records about their travel, or for all data about themselves from the CBP “Automated Targeting System” (most of which consist of CBP copies of PNRs), CBP has completely omitted PNR data — or any mention of it — from its response.

People who don’t work in the air travel industry typically don’t know what PNRs look like. So it isn’t obvious to most recipients of these incomplete responses that what they’ve been given doesn’t include any PNR data. Only when these people showed us copies of the responses they received from CBP have we been able to point out, or confirm, that PNR data was completely absent from the initial CBP response.

When these people have filed administrative appeals, specifically pointing out that their requests included PNR data, CBP has responded to their appeals by sending them redacted copies of CBPs mirror archive of airline PNRs, as contained in ATS.  But there’s been no apology, and explanation in any of these responses to appeals of why the PNR data wasn’t included in the initial response. It seems likely that CBP didn’t even bother to search its PNR database in response to the initial requests, either out of gross negligence, gross incompetence, malice, and/or bad faith. (CBP has refused to disclose how PNR data and other information in ATS is indexed, queried, or retrieved. Even though the Privacy Act requires this information to be published in the Federal Register, the judge hearing our lawsuit ruled that it was exempt from disclosure.)

We’ve seen this pattern even in responses to requests from journalist and public figures which, according to DHS policy, would have been subject to pre-release review and approval by the DHS “front office”.  The DHS front office has been intimately involved in international disputes related to PNR data, and is fully aware of the existence of this component of DHS dossiers about innocent travelers. So the incomplete responses to FOIA requests can’t be blamed on low-level staff or a lack of oversight or awareness by senior officials.

One of those high-profile cases was that of Cyrus Farivar, Senior Business Editor at Ars Technica.  As Mr. Farivar reported earlier this year, CBP’s initial response included no PNR data, even though he specifically included PNR data in his request.  After Mr. Farivar appealed, CBP gave him the PNR data he had originally requested.

There was nothing Mr. Farivar’s DHS file that we haven’t seen in other DHS copies of PNRs.  But his report about what he received highlights some of the problems with the contents of these DHS records.

Read More

Aug 19 2014

Sai v. TSA: A case study in TSA secrecy

Time and time again, the TSA has acted as though its middle name was “secrecy” rather than “security”.

Case in point: Sai v. TSA.

There’s a lot at issue in this case, but here are some of the problems with the TSA that it has exposed:

Sai poses no threat to aviation security. He has an unusual but recognized medical condition, attested to by documentation from his doctor that he carries when he travels, for which he needs ready access to liquids.  The TSA is required by law to accommodate such medical disabilities, as it easily could.  TSA press releases claim that travelers are allowed to bring medically necessary liquids through TSA checkponts in any quantity.

But TSA employees at airport checkpoints at Logan Airport in Boston and the TSA contractors who staff the checkpoints at San Francisco International Airport have, among other improper actions, seized Sai’s medical liquids, denied him access to his medical liquids while detaining him, and refused to allow him to pass through checkpoints or travel by air unless he abandoned his medical liquids.

While detaining Sai, TSA employees and contractors have conducted searches unrelated to weapons or explosives (but directly related to activities protected by the First Amendment), including reading through and copying documents Sai was carrying.

The TSA has never tried to claim that any of these actions were justified by “security” concerns. Instead, the TSA has responded to Sai’s requests for information, administrative complaints, and eventual federal lawsuit solely on the basis of secrecy, when it has responded at all, arguing that it isn’t required to divulge anything about what it has done, why, or whether it is justified.

The TSA claims to practice “layered security,” but Sai’s saga shows how the TSA actually practices “layered secrecy” to shield its activities from public and judicial accountability.

Read More

Aug 14 2014

Lawsuit challenges “watchlisting” of Michigan Muslims

A lawsuit filed today in Federal District Court in Michigan challenges “the widespread government practice of placing names on watch lists without providing individuals with any notice of the factual basis for their placement and without offering a meaningful opportunity to contest the designation.”

According to the complaint:

This lawsuit is an expression of anger grounded in law.  Our federal government is imposing an injustice of historic proportions upon the Americans who have filed this action, as well as thousands of others.  Through extra-judicial and secret means, the federal government is ensnaring individuals into an invisible web of consequences that are imposed indefinitely and without recourse as a result of the shockingly large federal watch lists that now include hundreds of thousands of individuals.

So far as we can tell, this is the first lawsuit informed by the publication last month of the US government’s “Watchlisting Guidance“, and last week of a breakdown of who has been “watchlisted”.

These leaked documents, published by The Intercept, make clear that names can be added to “terrorism” watchlists without any individualized basis for suspicion. They also confirmed the overwhelming focus of “terrorist” watchlisting on Arab and Muslim Americans. The leaked documents don’t explicitly categorize watchlist entries by religion or ethnicity, but the correlation is strongly suggested by the fact that more people in Dearborn, Michigan, have been watchlisted than people in any other U.S. city except New York.  Dearborn has only 96,000 people, but 40% of them — the highest percentage of any U.S. city — are of Arab descent.  Not surprisingly in light of this pattern of watchlisting, the Council on American Islamic Relations (CAIR) has played a leading role in challenges to watchlisting practices and consequences.

Read More

Aug 05 2014

One million people are on watchlists, but all travelers are being watched

A million people around the world were listed in the US government’s “Terrorist Identities Datamart Environment” (TIDE) as of August 2013, of whom 680,000 were included in the “Terrorist Screening Database” (TSDB), according to a classified breakdown of watchlist entries and uses published today by The Intercept.

Two weeks ago, The Intercept made public the US government’s watchlisting/witchhunting manual. Now the same publication from the aptly named First Look Media has provided a first look at how many people are affected by “watchlisting” practices, and who these people are.

(Ironically, these revelations come at the same time that the National Counter-Terrorism Center (NCTC) is advertising “Watchlisting” jobs.)

The internal government documents published by The Intercept categorize TSDB entries by “group affiliation”, rather than by what (if any) threat these people are believed to pose. But 280,000 of the 680,000 people listed in the TSDB were described as having “no recognized terrorist group affiliation”.

Of the entries on the watchlists in the TSDB, 47,000 were on the no-fly list, and 16,000 were on the “selectee” list of people subjected to more intrusive “screening” whenever they fly.  Five thousand “US persons” (US citizens and permanent residents or green-card holders) were on watchlists, including 800 on the no-fly list and 1,200 on the “selectee” list.

As of August 2013, according to these documents, 240 new names were “nominated” to these lists each day, while only 60 entries were removed. That means the million-entry TIDE list was growing at the rate of 180 entries per day, or 65,000 entries per year.

But don’t be misled by the government’s Orwellian use of the term “watchlist” into thinking that “only” a million people are being “watched” by the government or treated as supected terrorists when they travel. US government surveillance of travelers is a dragnet that affects all travelers, not just those on watchlists.

All air travelers are “watched” and our movements and associations are recorded in secret, permanent government dossiers.  All travelers are profiled and assigned secret “risk assessment” scores each time we fly.  All travelers must obtain individualized, per-passenger per-flight government permission before any airline is allowed to issue a boarding pass.

The million people on US government watchlists (as of August 2013) are those who are subjected, on the basis of this blacklisting and dragnet surveillance, to even more intrusive surveillance and/or other restrictions on the exercise of fundamental rights, such as the rights to freedom of association and freedom of movement.