Apr 01 2024

Tracking vehicles across state lines

As the number of women traveling across state lines to obtain abortions continues to grow (analysis of trends, statistics and map), recent reports have confirmed the reality of some of the ways we feared that motorists traveling for these or other purposes can be identified and tracked.

The ACLU of Northern California and Bob Egelko of the San Francisco Chronicle have reported that, despite a directive from the California Attorney General forbidding California state and local government agencies from sharing automated license plate recognition (ALPR) data with out-of-state entities, police in some California cities are continuing to share this location data with out-of-state police and/or interstate data brokers.

The order from the Attorney General was specifically intended to prevent other states from using ALPR data from California to identity or take action against abortion travelers.

Even if California police bring their practices into compliance with state law and the state Attorney General’s directive, that won’t stop police in other states from buying ALPR data collected by private entities in California — the owner or operator of a parking garage across from an abortion clinic, for example — and aggregated and resold by commercial data brokerages.

Meanwhile, in the New York Times, Kashmir Hill reveals that automobile manufacturers have been selling motor vehicle telemetry information, collected by onboard sensors and control systems and transmitted by cellular data transceivers embedded in euphemistically-named “infotainment” systems, to data brokers including Lexis-Nexis.

While the focus of Hill’s article is on the use of this data by auto insurance companies, law enforcement agencies including the TSA are customers of Lexis-Nexis.

Hill says the data sold in bulk by vehicle manufacturers and disclosed to vehicle owners by Lexis-Nexis in response to requests pursuant to the Fair Credit Reporting Act didn’t explicitly include vehicle location data.  But that doesn’t mean that location data isn’t available to vehicle manufacturers or police.

Most vehicles with embedded cellular data transceivers also have embedded GPS receivers. Enabling those systems to send GPS location pings to the manufacturer, if that isn’t being done already, would require only a remote software “upgrade”. As long as the manufacturer has the ability to push out software turning on location reporting, the manufactuerer could be compelled to do so by a court order such as has been used to force other companies to spy on and report travelers’ movements.

The only way to prevent this is not to build this capability into vehicles. But most vehicle purchasers or drivers don’t know that their car has a built-in self-surveillance system with its own wireless data transmitter that “phones home” to the manufacturer, much less what data it transmits or could be silently and remotely enabled to transmit.

That’s not the only threat model inherent in having an embedded SIM  and wireless data connectivity built into your vehicle. Because the telemetry system connects to the Internet over the wireless cellular data network, the network operator knows which cell tower the unique SIM in the vehicle is registered with whenever the telemetry system is active, which is generally whenever the vehicle is in operation — and could be switched to be always on.

Law enforcement agencies already use fishing-expedition “geofence” warrants to identify all cellphones in the vicinity of times and places of interest. As the percentage of new vehicles with embedded SIMs and always-on cellular modems continues to increase, they are likely to use similar warrants directed to wireless network operators to identify all the “connected cards”  that were registered on those networks in specific locations and times.

We’d welcome reports from anyone who has obtained a complete report of the data collected by either (a) the manufacturer of their vehicle or (b) the  operator of the mobile network uses by the vehicle telemetry system. (It may be easier for vehicle owners in Canada than in the USA to obtain this data through access requests under the Canadian PIPEDA law, which has no US counterpart.) We’d also welcome reports from anyone who has tried to opt your vehicle out of manufacturer telemetry or have the telemetry system removed, disabled, or placed under driver control.

Mar 21 2024

US Department of Transportation to investigate airline data privacy

Today the U.S. Department of Transportation (DOT) announced plans for a “a privacy review of the nation’s ten largest airlines regarding their collection, handling, maintenance, and use of passengers’ personal information.”

The review will include airlines’ compliance (or not) with the so-called Privacy Shield framework for transfers of personal data from the European Union to the US. As DOT notes on its website, “DOT is the enforcement authority for airlines participating in Privacy Shield. DOT shares jurisdiction with the FTC regarding ticket agents participating in Privacy Shield.”

This is a positive step, but we’re reserving judgment until we see what DOT actually does.

The review is to be conducted by DOT’s Office of Aviation Consumer Protection, which has demonstrated little expertise or interest in privacy issues despite its enforcement authority with respect to airline privacy practices. DOT’s Advisory Committee on Aviation Consumer Protection raised these issues a decade ago, but there’s been little visible change or enforcement activity. And the terms of reference for the review, as described in DOT’s press release today, make it unclear whether DOT will be looking into how personal information in airline reservations is made available to US and foreign governments, or whether DOT’s review will be limited to commercial use of airline data.

Stay tuned.

Dec 26 2023

Congress watches the “watchlists” — but will Congress act?

Earlier this month  CBS News broadcast an in-depth report confirming that more than two million names (up from 1.75 million names in 2019) are now on U.S. government blacklists (euphemistically described as “watchlists”) restricting travel and other rights.

CBS also interviewed some of the U.S. citizens who, without ever being accused of any crime or having their day in court, and for no reason they know or that the government will tell them, have been stopped at gunpoint, delayed, or prevented from flying.

Less than a week later, the Senate Homeland Security and Government  Affairs Committee (HSGAC) released a detailed staff report on the same issue, “Mislabeled as a threat: How the terrorist watchlist & government screening practices impact Americans“.

The Chair of the HSGAC, Sen. Gary Peters (D-MI), also sent a formal request to the Inspectors General of each of the Federal departments that participate in the “Watchlisting Council”,   asking the Inspectors General to “coordinate on an assessment of the full implementation of the Terrorist Screening Dataset.”

“I have heard from my constituents, and in particular my Arab and Muslim American constituents, that they face undue levels of scrutiny and screening atairports, other ports of entry, and in their daily lives, which they believe is the result of their placement on the terrorist watchlist,” Sen. Peters  noted. “Inspectors General have not conducted a coordinated, independent assessment of the full watchlisting enterprise – from the nominations process; to how information is shared, used, and audited; to the redress options available to individuals who may match to the list.”

The same day, five other Senators and eight members of the House of Representatives sent a joint letter about “watchlisting” practices  to the heads of the Department of Justice, FBI, Department of Homeland Security, Transportation Security Administration, U.S. Customs and Border Protection, and several other agencies.

The joint letter asks for answers “no later than January 9, 2024” to a long list of questions about how many people are on U.S. government watchlists, how many have been added and removed, what procedures have been followed, what data has been collected or purchased about these people,  what if any redress is available to them, and what the criteria for adding names are supposed to be. “Beyond the spouses and children of individuals on the watchlist, what other categories of ‘non-terrorists’ may be included as exceptions to the reasonable suspicion standard for placement on the watchlist?”

We’re pleased that members of Congress are asking increasingly pointed questions about the U.S. government’s system of secret, arbitrary, extrajudicial blacklists.

But asking questions isn’t enough. What’s needed from Congress is legislative action.

We hope that members of Congress don’t stop at “making inquiries” or “demanding answers”.  There’s ample evidence already that the watchlisting/blacklisting system is out of control. It’s up to Congress to bring that system under control by enacting legislation restoring the rule of law to decision-making about who is allowed to exercise their rights.

If members on Congress want to do something about the problem of travel blacklists, not just talk about it, a good way to start would be to reintroduce and bring to a vote the Freedom to Travel Act, which was introduced in 2021 but never got a hearing or a vote.

Sep 28 2023

DHS uses travel as pretext for search of researcher and journalist

According to a report by Zack Whittaker on TechCrunch, security researcher, and blogger Sam Curry “was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a ‘high profile phishing campaign,’ searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.”

How did this happen, and what recourse do you have if you are similarly searched?

Sadly, the used of (entirely unrelated) international travel as a pretext for searches of electronic devices and data, including searches or researchers and journalists, is not new.

A TECS Lookout can be used by the DHS or other Federal agencies to flag, watch for, and intercept any “person of interest” whenever they take an international flight to or from the US, regardless of whether there is probable cause for a search warrant.  A TECS Lookout can be set at the request of any Federal law enforcement agency, for any reason.  It’s also no surprise that this loophole for pretextual searches is being used by IRS agents: As we have noted previously, it’s described in detail in the section of the IRS’s manual on techniques for “Locating Taxpayers and their Assets”.

Mr. Curry reportedly said he was later told that the copies of data seized from his phone by Federal agents had been deleted, and the subpoena was withdrawn. But it also appears that, as a blogger, his data was protected from seizure by the Privacy Protection Act, which provides greater protection for many travelers’ data than most other forms of privilege. If Mr. Curry had known to assert his status and rights under the Privacy Protection Act, he would probably be entitled to damages from the agents who searched and seized his data.

Sep 04 2023

Transit payment systems and traveler tracking

Last week 404 Media published a report by Joseph Cox on how the New York Metropolitan Transit Agency’s website can be used as a remote stalking tool: anyone who knows a credit card number that was used to purchase or add value to an OMNY transit farecard could view a historical log of the last seven days of trips taken using the card, including the dates, times, and locations where the card was read at subway entrances or boarding buses.

Less than 24 hours after this report was published, this “feature” was removed from the MTA website.

But that doesn’t solve the problem.

The main problem with the MTA payment system — and similar systems in other cities — isn’t that anyone could access your trip history by typing in your credit card number (which every waiter you ever bought a meal from with that credit card has access to,  and every domestic violence abuser in your household also knows).

The real problem is that the MTA transit system is building a permanent database of all your trips, period. The MTA is still logging transit passengers’ movements, and those logs are still available to the MTA itself, police, anyone the MTA chooses to share them with, or anyone who hacks into the TSA’s records.

If the MTA didn’t collect this data in the first place, there would be no way for anyone to abuse it.

Read More

Aug 24 2023

Border and airport searches for “privileged” information

Most people think of communications between attorneys and their clients as being among those having the highest level of legal “privilege” against compelled disclosure to the government.  And it is widely believed that the US lacks a Federal “shield law” protecting journalists against being forced to reveal confidential sources.

The assumptions are, in some situations and with respect to certain information, well founded. But a recent Federal decision by the 5th Circuit Court of Appeals has belied those assumptions and created a situation — at least in the 5th Circuit — in which attorney-client communications have significantly less protection at borders and ports of entry than information in the possession of journalists and others involved in communicating information to the public.

This makes it more important than ever for all travelers — including lawyers who assume that the information in their possession is best protected under the attorney-client privilege, and individuals who don’t think of themselves as journalists — to be familiar with the protections of the Federal Privacy Protection Act of 1980 (42 US Code §2000aa), and to proactively assert their protected status and their rights under this law if their data or devices are searched or seized

Here’s what was decided in this recent case about attorney-client communications, and what protections travelers still have pursuant to the Privacy Protection Act:

Read More

Apr 03 2023

CBP wants more information to surveil and control air travelers

Today the Identity Project and allied civil liberties and human rights organizations submitted comments objecting to a proposal by US Customs and Border Protection (CBP) to require all travelers on international flights to or from the US to provide an address in the US, two phone numbers, and an email address, and prohibit or recommend that airlines not permit anyone who is unable or unwilling to provide this information to board any flight to or from the US. (See our report when this proposal was announced.)

In return for collecting this information and passing it on to CBP, airlines would be allowed to retain and use it for their own purposes, without permission from travelers. Airlines would also be allowed (and in some cases required) to pass it on to foreign governments.

The proposed CBP rule would apply to all travelers, including US citizens (regardless of whether they reside in the US), visitors, and asylum seekers.

The proposed rule is far more significant and far worse than it appears at first glance.

Although the proposal is represented by CBP as a minor change to an existing program that would cost airlines nothing and impose no costs on travelers, it would cost the airline industry hundreds of millions of dollars and impose costs on would-be travelers, especially asylum seekers, that would be measured not only in dollars but  also in lives. The proposed rule would also violate multiple provisions of the Privacy Act, including in ways that would force travelers to make personal information available to hostile foreign governments.

Below are excerpts from our objections to the CBP proposal. You can read the complete comments of the Identity Project and our allies here. You can submit your own comments until midnight EDT tonight, Monday, April 3, 2023, by filling out this form.

The undersigned civil liberties and human rights organizations – the Identity Project (IDP), Government Information Watch, Restore The Fourth (RT4), Privacy Times, and the Electronic Privacy Information Center (EPIC) – submit these comments in response to the Notice of Proposed Rulemaking, “Advance Passenger Information System: Electronic Validation of Travel Documents”, Docket Number USCBP-2023-0002, FR Doc. 2023–02139, RIN 1651-AB43, 88 Federal Register 7016-7033 (February 2, 2023).

By this Notice of Proposed Rulemaking (NPRM), U.S. Customs and Border Protection (CBP) proposes to (1) expand the fields of information that all international travelers flying to or from the U.S. by common carrier are required to provide to airlines and that airlines are required to pass on to CBP (while being free to retain copies for their own profitable use); and (2) prohibit airlines from allowing certain individuals including those who don’t have, or are unable or unwilling to provide, two phone numbers, an email address, and an address in the U.S. (even if they are U.S. citizens who reside abroad), to board flights, or recommend that airlines not board them (in violation of airlines’ duties as common carriers to transport all passengers paying the fares in their tariffs, and in violation of travelers’ rights under Federal statutes, the Bill of Rights, Executive Orders, and international human rights treaties to which the U.S. is a party).

The proposed rule is purportedly intended to “enable CBP to determine whether each passenger is traveling with valid authentic travel documents prior to the passenger boarding the aircraft.” Aside from the fact that CBP has no jurisdiction over foreign citizens boarding foreign-flagged aircraft at foreign airports, the proposed rule would have little or no effect on CBP’s ability to detect travelers using documents issued to other people. The proposed rule would not serve its stated purpose, but would only serve to expand CBP’s systematic warrantless, suspicionless, surveillance of air travelers and CBP’s attempt to control airline travel.

As discussed below, the proposed rule exceeds CBP’s authority and jurisdiction and is contrary to law. It is also bad policy. It amounts to an attempt to impose a travel document requirement in the guise of document “validation”, to outsource to airlines surveillance and control of travelers that CBP would have no authority to conduct itself, and to frustrate the human right to asylum by preventing asylum-seekers from reaching the U.S.

Read More

Mar 19 2023

9th Circuit upholds secret US monitoring of foreign airline reservations

In a case we’ve been following closely, the 9th Circuit Court of Appeals has ruled that orders requiring the Sabre computerized reservation system to provide real-time reports to the FBI on any reservations made in or through Sabre associated with specific individuals can continue to be kept secret, at least as long as warrants for these individuals’ arrest remain outstanding, which could be indefinitely.

The wanted individuals aren’t US citizens and aren’t believed to be in the US. US Customs and Border Protection (CBP) already receives complete mirror copies 72 hours in advance of all international airline reservations (Passenger Name  Records) for flights to, from, or via the US. CBP has a well-established system of TECS alerts — which don’t even require a warrant — that it can use to generate a message to the FBI or other law enforcement agencies whenever planned travel to or from the US by a person of interest is detected.

This is a much simpler process than going to court to get an order directing Sabre to maintain a lookout and report to the FBI on planned travel by a suspect.

Why, then, has the FBI repeatedly gone to court to get orders requiring Sabre and in some cases other CRSs to watch for, and report, planned travel by persons of interest? The only reason would be for the US to obtain advance notice of a suspect’s planned travel within or between countries other than the US, so that the US could try to persuade some allied government to arrest and deport or render the wanted person to the US for trial.

Everyone should be concerned that reservation hosting companies are secretly monitoring and reporting their travel plans to the US government.

Other countries should be concerned that the US government is forcing CRSs that are based or have a presence in the US to carry out ongoing real-time monitoring and reporting to the US government of planned flights by non-US persons between non-US points — in effect, serving as remote agents of US surveillance within other countries.

The case in the 9th Circuit was brought by a journalist. But the court noted that Sabre or other CRSs would have a stronger basis than journalist or other third parties to contest the government’s attempt to force them to spy on travelers and rat them out to the government:

[T]he notion that technical assistance proceedings will forever go unchallenged or unnoticed absent a constitutional right of access is overstated. Petitioners themselves assert that there today exists a robust public debate over these investigatory devices. The government acknowledges that AWA [All Write Act] technical assistance orders may still be subject to challenge through different legal pathways, such as by the suspects themselves or by entities like Sabre, who receive the AWA orders.

So far as we can tell, however, neither Sabre nor any other CRS, nor any airline, has contested any of the US government’s requests or demands for information from airline reservations. No CRS or airline has issued a “transparency report” on its responses to government requests or demand for information about travelers.

CRSs and airlines should stand up for the traveling public against government spying.

Travelers, and airlines that care about travelers, should demand that the “Big Three” CRSs — Sabre, Travelport, and Amadeus — promise to challenge any government demands for information about travelers, and issue regular transparency reports on what requests or demands for travel records they have received from the government (including both case-by-case information requests and ongoing bulk feeds of PNR and API data) and what they have done to resist compliance.

Read More

Mar 07 2023

Germany follows US lead in misuse of airline reservation data

[Florian Gutsche of the VVN-BdA: An embarrassment to Germany’s reputation? Or a credit to it? And does his black shirt prove that he’s dangerous?]

On Friday, February 24th, Florian Gutsche, a German citizen and the national chair of the German Association of People Persecuted by the Nazi Regime – Association of Anti-Fascists (VVN-BdA), was intercepted by German federal police at Berlin Brandenburg Airport, prevented from boarding a flight he had planned to take to Sofia, Bulgaria, and served with an order prohibiting him from leaving Germany for the duration of the weekend.

Formal parliamentary questions have already been submitted to the German government by a member of the Bundestag, asking by whom and on what basis the order prohibiting Herr Gutsche from leaving Germany was issued. These are important questions.

But we are also concerned about how this order was effectuated and what this says about the German government’s use of airline reservations to surveil, control, and restrict “resiefreiheit” — the right to freedom of movement. Read More

Feb 06 2023

CBP proposes to require even more information from international air travelers

US Customs and Border and Border Protection (CBP) has proposed new rules to expand its Advance Passenger Information System (APIS) to require all international airlines serving the US to provide additional information about all passengers, prior to flight departures.

CBP’s Notice of Proposed Rulemaking (NPRM), published last Thursday in the Federal Register, falsely claims that the proposed rules would not affect individuals, only airlines. But the mandate for airlines to provide additional information about each would-be passenger makes it a de facto requirement, as a condition of air travel, for travelers to provide this information to airlines and the government.

This would constitute a significant expansion of an ongoing unconstitutional surveillance and profiling program in which all international air travelers are required to respond to suspicionless, warrantless, interrogatories administered through airlines as intermediaries and outsourced government surveillance agents and interrogators.

APIS is not a passive surveillance scheme, however. It is part of a real-time system of  granular, per-passenger, per-flight government control of air travel:

After performing the security vetting, the CBP system transmits to the carrier an electronic message. This message is generally referred to as CBP’s response message. If the carrier is using an interactive transmission system, the response message provides certain instructions to the carrier. Specifically, it states whether each passenger is authorized to board, requires additional security screening, or is prohibited by TSA from boarding… Depending on the instructions received in the response message, the carrier may be required to take additional steps, including coordinating secondary security screening with TSA, before loading the baggage of or boarding the passenger at issue.

The Identity Project has objected to every step in the expansion of APIS since 2006, and we will be filing comments objecting to the latest NPRM. If you’d like to file your own objections, the deadline is April 3, 2023. We’ll post ours for others to use as a model.

Current mandatory APIS data fields include name, date of birth, gender, nationality, passport or travel document number, and flight details (airline, flight number, and departure and arrival airports, dates, and times). In addition to the information that CBP has been requiring since 2006, the new NPRM proposes that airlines operating flights to or from the US be required to collect and transmit to CBP additional information including:

  • Street address in the US (currently required of aliens but not of US citizens)
  • Telephone number and “alternate” telephone number (presumably the second phone number is required in order to help the government build social network maps and  guilt-by-association links of First Amendment protected associations between individuals)
  • Email address

What if a US citizen has no fixed address, or no address in the US — or doesn’t want to tell the US government? What if they don’t yet know at which hotel or with which friend or relative  they will be staying — or don’t want their host permanently linked with them in the government’s surveillance and suspicion-generating files?

Are two telephone numbers and an email address required as a condition of air travel?

The proposed rules are silent, but they imply that any airline that transports such a passenger would be subject to sanctions:

CBP cannot require that a passenger be denied boarding. However, if an air carrier boards a passenger who is then denied entry to the United States, the air carrier may have to pay a penalty and bear the costs of transporting that passenger out of the United States.

On arrival in the US, the US government has the duty to allow a US citizen to enter the country unless there is genuine doubt as to their US citizenship. They are not required to provide any information not related to, and needed to determine, their US citizenship.

If a CBP inspector at a border crossing or airport asks a US citizen their address in the US, phone number(s), or email address, they have the right to stand mute or to refuse to answer. CBP can search them, but cannot make them answer questions or deny them entry for standing mute.

If CBP would have no Constitutional authority to require a traveler to answer these questions after they arrive in the US, on what possible grounds would it claim authority to require answers to those same questions before a traveler even boards a flight to the US?

The NPRM does not mention the Bill of Rights or any limits on the authority of the government or a common carrier to demand personal information or answers to interrogatories as a condition of carriage.  We believe that there is no such authority. The proposed rules would violate the First, Fourth, and Fifth Amendments, the Privacy Act, and US obligations as a party to the International Covenant on Civil and Political Rights.

Since the creation  of the Department of Homeland Security (DHS) after September 11, 2001, the DHS has imposed more than a billion dollars in unfunded mandates to the airline industry  to collect additional information about all airline passengers, transmit that information to DHS components (CBP for international flights and the TSA for domestic flights), and receive and process instructions from the DHS before issuing any boarding pass.

The proposed new rules would send the airline IT industry back to the drawing board to modify all of its software, user interfaces, APIs, and business-process layers to collect and transmit additional data fields  about each passenger to CBP prior to departure of each international flight to or from the US.

CBP says that some airlines are already “voluntarily” providing personal information about passengers to CBP beyond what has been required by the current APIS regulations.

Why would airlines be willing to collaborate with the DHS in these schemes?

The proposed rules would leave airlines free to retain, use, share, sell, or otherwise monetize the additional personal information which travelers would be required to provide. This would amount to a huge informational windfall for airlines, and this is the quid pro quo to airlines for collecting this additional data for the government. To put it another way, the proposed rules would constitute a government-compelled taking and transfer to airlines of the value of travelers’ personal information.

Airlines don’t collect this data systemically now, and have not yet developed any standards for normalizing, storing, or exchanging it. This would be a massive unfunded mandate for modifications to airline industry IT systems, at every level from interline messaging protocols to user interfaces, and in training staff. But most of these costs would be one-time costs, and in the long term would be offset by the informational windfall to airlines.

Airlines are already experts in monetizing passenger data, making billions of dollars a year by selling advertising targeted to members of their frequent flyer programs. Compelled provision of additional contact information would enable airlines to expand these customer data monetization and ad targeting programs to all air travelers, including infrequent flyers who aren’t members of these programs.

Many foreign airlines are parastatal entities, so this rule would effectively require many asylum seekers to divulge info to the foreign governments from which they are trying to flee, prior to departure from those countries, placing themselves and their associates (linked to them by e.g. shared contact info)  at even greater peril.

Travelers and airlines should just say no. Travelers should decline to answer questions unrelated to their admissibility to the US, and airlines should transport them anyway and challenge any attempt to impose sanctions on them for refusing to spy on their passengers by interrogating them and collecting surveillance data for the government.