Aug 27 2014

“I don’t want a unitary, unfakeable identity.”

Dan Geer’s keynote speech at the Blackhat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:

Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified.  No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative?  If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control.  If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…

The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.”  If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government?  Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions?  Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…

I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one.  I want to choose whether to misrepresent myself.  I may rarely use that, but it is my right to do so.  If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough.  Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….

There’s more: video, transcript.

Mr. Geer’s comments help answer one of the questions we are most frequently asked: What’s Wrong With Showing ID?

Aug 22 2014

Passenger tracking = “Happy Flow” at Aruba Airport

[Vendor’s vision of “Happy Flow”.]

Later this year, passengers traveling on KLM Royal Dutch Airlines between Aruba and Amsterdam will begin to be subjected to what airlines, airports, governments, and their vendors and suppliers envision as the “passenger experience” of the future: an integrated biometric panopticon in which travelers are identified and tracked at each stage of their passage through the airport by surveillance cameras and automated facial recognition.

[KLM’s vision for “Happy Flow”.]

The vendor and the airline call this touchless total tracking, “Happy Flow”.  We call it Orwell’s airport.

Travelers won’t have to identify themselves: They will be identified in spite of themselves. Travelers won’t have to worry about whether they are dealing with, or providing information to, the airline or the airport or a government agency or a third party: Biometric identifiers and surveillance data will be seamlessly shared for multiple purposes between the airline, the airport operator, government agencies, and their contractors.

Aruba is part of the Kingdom of the Netherlands, and the Aruba Airport (IATA code AUA) is managed by the company that operates Amsterdam’s Schiphol Airport.  That creates unusual opportunities for collaboration between the airline, both airports, and government agencies concerned with flights between AUA and AMS.

The system is scheduled to go live by the end of 2014, according to recent conference presentations and press releases. But nothing has been made public by any of the partners in the joint venture (KLM, the operator of the Aruba and Amsterdam airports, the government of the Netherlands, and their contractors) regarding the data to be collected about travelers’ movements or any technical measures or policies controlling biometric, identification, or movement data storage, transmission, access, or retention.

Don’t worry. Be happy!

Aug 21 2014

FOIA appeals reveal problems with PNR data

We’ve noticed a disturbing pattern in how the DHS, and specifically US Customs and Border Protection (CBP), has responded to people who have asked the DHS for its files about themselves.

Eventually — typically months later than the statutory deadline for responding to a FOIA request — CBP has sent the requester a file of information about their international travel, including a log of entries, exits, and border crossings.

But even when the requester has explicitly asked for the Passenger Name Record (PNR) data that CBP has obtained from their airline reservations, or has asked CBP for “all” its records about their travel, or for all data about themselves from the CBP “Automated Targeting System” (most of which consist of CBP copies of PNRs), CBP has completely omitted PNR data — or any mention of it — from its response.

People who don’t work in the air travel industry typically don’t know what PNRs look like. So it isn’t obvious to most recipients of these incomplete responses that what they’ve been given doesn’t include any PNR data. Only when these people showed us copies of the responses they received from CBP have we been able to point out, or confirm, that PNR data was completely absent from the initial CBP response.

When these people have filed administrative appeals, specifically pointing out that their requests included PNR data, CBP has responded to their appeals by sending them redacted copies of CBP’s mirror archive of airline PNRs, as contained in ATS.  But there’s been no apology or explanation in any of these responses to appeals of why the PNR data wasn’t included in the initial response. It seems likely that CBP didn’t even bother to search its PNR database in response to the initial requests, either out of gross negligence, gross incompetence, malice, and/or bad faith. (CBP has refused to disclose how PNR data and other information in ATS is indexed, queried, or retrieved. Even though the Privacy Act requires this information to be published in the Federal Register, the judge hearing our lawsuit ruled that it was exempt from disclosure.)

We’ve seen this pattern even in responses to requests from journalists and public figures which, according to DHS policy, would have been subject to pre-release review and approval by the DHS “front office”.  The DHS front office has been intimately involved in international disputes related to PNR data, and is fully aware of the existence of this component of DHS dossiers about innocent travelers. So the incomplete responses to FOIA requests can’t be blamed on low-level staff or a lack of oversight or awareness by senior officials.

One of those high-profile cases was that of Cyrus Farivar, Senior Business Editor at Ars Technica.  As Mr. Farivar reported earlier this year, CBP’s initial response included no PNR data, even though he specifically included PNR data in his request.  After Mr. Farivar appealed, CBP gave him the PNR data he had originally requested.

There was nothing in Mr. Farivar’s DHS file that we haven’t seen in other DHS copies of PNRs.  But his report about what he received highlights some of the problems with the contents of these DHS records.

Aug 19 2014

Sai v. TSA: A case study in TSA secrecy

Time and time again, the TSA has acted as though its middle name was “secrecy” rather than “security”.

Case in point: Sai v. TSA.

There’s a lot at issue in this case, but here are some of the problems with the TSA that it has exposed:

Sai poses no threat to aviation security. He has an unusual but recognized medical condition, attested to by documentation from his doctor that he carries when he travels, for which he needs ready access to liquids.  The TSA is required by law to accommodate such medical disabilities, as it easily could.  TSA press releases claim that travelers are allowed to bring medically necessary liquids through TSA checkpoints in any quantity.

But TSA employees at airport checkpoints at Logan Airport in Boston and the TSA contractors who staff the checkpoints at San Francisco International Airport have, among other improper actions, seized Sai’s medical liquids, denied him access to his medical liquids while detaining him, and refused to allow him to pass through checkpoints or travel by air unless he abandoned his medical liquids.

While detaining Sai, TSA employees and contractors have conducted searches unrelated to weapons or explosives (but directly related to activities protected by the First Amendment), including reading through and copying documents Sai was carrying.

The TSA has never tried to claim that any of these actions were justified by “security” concerns. Instead, the TSA has responded to Sai’s requests for information, administrative complaints, and eventual federal lawsuit solely on the basis of secrecy, when it has responded at all, arguing that it isn’t required to divulge anything about what it has done, why, or whether it is justified.

The TSA claims to practice “layered security,” but Sai’s saga shows how the TSA actually practices “layered secrecy” to shield its activities from public and judicial accountability.

Aug 14 2014

Lawsuit challenges “watchlisting” of Michigan Muslims

A lawsuit filed today in Federal District Court in Michigan challenges “the widespread government practice of placing names on watch lists without providing individuals with any notice of the factual basis for their placement and without offering a meaningful opportunity to contest the designation.”

According to the complaint:

This lawsuit is an expression of anger grounded in law.  Our federal government is imposing an injustice of historic proportions upon the Americans who have filed this action, as well as thousands of others.  Through extra-judicial and secret means, the federal government is ensnaring individuals into an invisible web of consequences that are imposed indefinitely and without recourse as a result of the shockingly large federal watch lists that now include hundreds of thousands of individuals.

So far as we can tell, this is the first lawsuit informed by the publication last month of the US government’s “Watchlisting Guidance”, and last week of a breakdown of who has been “watchlisted”.

These leaked documents, published by The Intercept, make clear that names can be added to “terrorism” watchlists without any individualized basis for suspicion. They also confirmed the overwhelming focus of “terrorist” watchlisting on Arab and Muslim Americans. The leaked documents don’t explicitly categorize watchlist entries by religion or ethnicity, but the correlation is strongly suggested by the fact that more people in Dearborn, Michigan, have been watchlisted than people in any other U.S. city except New York.  Dearborn has only 96,000 people, but 40% of them — the highest percentage of any U.S. city — are of Arab descent.  Not surprisingly in light of this pattern of watchlisting, the Council on American Islamic Relations (CAIR) has played a leading role in challenges to watchlisting practices and consequences.

Aug 05 2014

One million people are on watchlists, but all travelers are being watched

A million people around the world were listed in the US government’s “Terrorist Identities Datamart Environment” (TIDE) as of August 2013, of whom 680,000 were included in the “Terrorist Screening Database” (TSDB), according to a classified breakdown of watchlist entries and uses published today by The Intercept.

Two weeks ago, The Intercept made public the US government’s watchlisting/witchhunting manual. Now the same publication from the aptly named First Look Media has provided a first look at how many people are affected by “watchlisting” practices, and who these people are.

(Ironically, these revelations come at the same time that the National Counter-Terrorism Center (NCTC) is advertising “Watchlisting” jobs.)

The internal government documents published by The Intercept categorize TSDB entries by “group affiliation”, rather than by what (if any) threat these people are believed to pose. But 280,000 of the 680,000 people listed in the TSDB were described as having “no recognized terrorist group affiliation”.

Of the entries on the watchlists in the TSDB, 47,000 were on the no-fly list, and 16,000 were on the “selectee” list of people subjected to more intrusive “screening” whenever they fly.  Five thousand “US persons” (US citizens and permanent residents or green-card holders) were on watchlists, including 800 on the no-fly list and 1,200 on the “selectee” list.

As of August 2013, according to these documents, 240 new names were “nominated” to these lists each day, while only 60 entries were removed. That means the million-entry TIDE list was growing at the rate of 180 entries per day, or 65,000 entries per year.

But don’t be misled by the government’s Orwellian use of the term “watchlist” into thinking that “only” a million people are being “watched” by the government or treated as suspected terrorists when they travel. US government surveillance of travelers is a dragnet that affects all travelers, not just those on watchlists.

All air travelers are “watched” and our movements and associations are recorded in secret, permanent government dossiers.  All travelers are profiled and assigned secret “risk assessment” scores each time we fly.  All travelers must obtain individualized, per-passenger per-flight government permission before any airline is allowed to issue a boarding pass.

The million people on US government watchlists (as of August 2013) are those who are subjected, on the basis of this blacklisting and dragnet surveillance, to even more intrusive surveillance and/or other restrictions on the exercise of fundamental rights, such as the rights to freedom of association and freedom of movement.

Jul 28 2014

US government’s witchhunting manual made public

The Intercept has published the March 2013 edition of the US government’s Watchlisting Guidance. This 166-page document, previously kept secret as Sensitive Security Information (SSI), provides standardized but not legally binding “guidance” to Federal executive agencies as to how, on what basis, and by whom entries are to be added to or removed from terrorism-related government “watchlists”, and what those agencies are supposed to do when they “encounter” (virtually or in the flesh) people who appear to match entries on those lists.

The Intercept didn’t say how it obtained the document.

The “Watchlisting Guidance” is the playbook for the American Stasi, the internal operations manual for a secret political police force.  As such, it warrants careful and critical scrutiny.

Most of the initial reporting and commentary about the “Watchlisting Guidance” has focused on the substantive criteria for adding individuals and groups to terrorism watchlists.  Entire categories of people can be added to watchlists without any basis for individualized suspicion, as discussed in Section 1.59 on page 26 of the PDF.

These criticisms of the watchlisting criteria are well-founded. But we think that there are at least as fundamental problems with what this document shows about the watchlisting procedures and the watchlist system as a whole.

May 27 2014

Ars Technica asks DHS for PNR data, but gets none of it

Cyrus Farivar, Senior Business Editor at Ars Technica, reports today on the initial response to his Freedom Of Information Act (FOIA) request to US Customs and Border Protection (CBP) for CBP’s records about his travel history, including CBP’s copies of airline Passenger Name Records (PNRs).

Nine months after making his request (seven months longer than the maximum allowed by law), Mr. Farivar received 72 pages from the CBP TECS database including a log of his exits and entries from the US for the last 20 years, beginning in 1994 when he was 12 years old.  He also received one report of a “secondary inspection”. He didn’t even remember the incident, but one of the CBP agents who questioned him recorded in his permanent CBP file that he was a journalist, in apparent violation of the prohibition in the Privacy Act on keeping records of how US citizens like Mr. Farivar exercise rights protected by the First Amendment.

Most significantly, despite explicitly requesting “any and all Passenger Name Records,” Mr. Farivar received none of them, even though CBP requires all airlines operating flights to, from, or through the airspace of the US to provide them to CBP, in their entirety including any information collected by airlines or their agents for their own business purposes, or entered into PNRs by other travel companies for their business purposes.

CBP’s response to Mr. Farivar was typical. As we’ve noted previously, two New York Times reporters are suing the DHS (the parent department of CBP) for failing to provide records about their travel which they requested, including PNR data.  Every response we have seen to a request to CBP for its travel history records about an individual has been obviously incomplete, in one or another way.  We’ve seen other CBP secondary inspection records recording a traveler’s profession, what book a traveler was reading, and other information about activities protected by the First Amendment.  See the examples in our reports here and here and this presentation.

Mr. Farivar has filed an administrative appeal, as should anyone who receives such a response. CBP claimed to have lost all record of one of our appeals, and of the person who signed the certified mail receipt for it. We had to sue before we received much of our PNR data. While our request was pending CBP retroactively exempted most of the data in its “Automated Targeting System” from the access requirements of the Privacy Act, but some PNR data should still be available, albeit partially redacted, in response to a FOIA request.

If you’d like to find out some of what records CBP has about you, we’ve provided forms here.  Please let us know if you’d like help interpreting responses.

May 23 2014

TSA includes all air travelers in pre-crime profiling

Since late last year, we’ve gotten several inquiries from readers wondering why they got a boarding pass marked “TSA Pre-Check” or were sent through the “Pre-Check” lane at a TSA checkpoint even though they hadn’t participated in the “TSA Pre-Check Application Program”.

The confusion stems from the TSA’s own misleading publicity about the program, which tries to persuade travelers “voluntarily” to provide additional information to be used by the TSA, in exchange for the hope of being subjected to slightly less intrusive searches at TSA checkpoints.

The logical (but wrong) inferences are that TSA Pre-Check is a members-only program, and that the Pre-Check lane at a TSA checkpoint is only for those travelers who have “applied” and been “accepted” into the program.

There are actually three distinct components to “TSA Pre-Check” as a pre-crime scheme:

  1. “Voluntary” submission and collection of additional personal information about those travelers who chose to participate in the TSA Pre-Check Application Program.
  2. Pre-crime profiling of all travelers and determination of a “risk assessment” score for each traveler, based on all information available to the TSA including the information, if any, submitted through the TSA Pre-Check Application Program.
  3. Graduated treatment of travelers at TSA checkpoints, including searches of varied intrusiveness and potential total denial of passage, on the basis of these risk assessments and other secret algorithms.

Only the application component of the program — the submission of additional personal information by travelers to the TSA — is voluntary.  The TSA obtains information from various sources about all travelers. All travelers are profiled. All travelers are assigned risk assessment (pre-crime) scores based on whatever information is available to the TSA.  All travelers are subjected to a more or less intrusive search, and may or may not be allowed to pass through the checkpoint, on the basis of these scores and other secret factors.

Some travelers who are assigned sufficiently low risk assessment scores and meet other secret criteria are directed to the “Pre-Check” lane and subjected to slightly less intrusive searches, regardless of whether they participated in the TSA Pre-Check Application Program.  The TSA calls this process “managed inclusion” in TSA Pre-Check.

A traveler whose risk assessment score is low enough, and who meets the other secret criteria (again, regardless of whether they participated in the TSA Pre-Check Application Program) can be selected for less intrusive search when she applies for a boarding pass.  The TSA’s assignment of such a traveler to the Pre-Check lane is sent to the airline with, or as part of, the permission message or Boarding Pass Printing Result (BPPR) for that traveler sent to the airline by the TSA.

The TSA’s Pre-Check designation is printed on the boarding pass and included in a 2D bar code in IATA-standard format. “For flights originating in the USA, the digital signing of barcodes and the management of security certificates and key pairs is required by the TSA.”

The TSA also assigns some travelers to Pre-Check lanes on the spot at its checkpoints, using secret criteria and techniques including a randomizer app (like the magical Sorting Hat at Hogwarts) to determine how intrusively to search each person.

Through this process, the TSA chooses one of four basic levels of search and seizure for each traveler:

  1. “TSA Pre-Check” (slightly less intrusive search)
  2. “Standard screening” (including virtual strip-search or manual groping)
  3. “Secondary screening” (more intrusive search including more thorough groping)
  4. “No-fly” (denial of the right to travel by common carrier, possibly accompanied by other adverse actions)

There are refinements within these basic categories. In a document filed with the court following the trial of Dr. Rahinah Ibrahim’s lawsuit challenging her placement on the no-fly list, the government disclosed that each entry in the Terrorist Screening Database (which includes the no-fly list and the list of “selectees” for secondary screening) includes a “handling code” indicating what airline and checkpoint personnel should do if that person attempts to check in for a flight or pass through a TSA checkpoint.

We don’t know how many handling codes there are. But according to the government’s court filing:

[FBI Agent] Kelley designated Dr. Ibrahim as “handling code 3.” … [T]he majority of individuals in the TSDB were assigned handling codes 3 or 4…. Defendants state that the advantages of Handling Code 3 include allowing law enforcement officers to ask the individual probing but non-alerting questions, and searching the individual’s passport [REDACTED].

Presumably, other handling codes include those that tell airline or checkpoint personnel to attempt to detain the traveler and contact local law enforcement agencies, the FBI, or the Terrorist Screening Center.

You can’t “opt out” of pre-crime profiling by choosing not to participate in the TSA Pre-Check Application Program.  You will be profiled, on a per-flight basis, every time you try to fly.

“Anything you say may be used against you,” although the TSA doesn’t say this on the TSA Pre-Check application forms.  If you participate in the Pre-Check Application Program, the additional information you provide will be added to the other inputs to the TSA’s black box. It might result in the TSA assigning you a lower risk score, and subjecting you to a less intrusive search.  Or it might result in the TSA assigning you a higher score, and searching you more intrusively or preventing you from traveling by air.

May 22 2014

Albuquerque Journal investigates DHS “Mission Creep”

For many years after 9/11, the Department of Homeland Security got a “free pass” from most mainstream media. This has been especially true of the largely unreported negative impact of the DHS and the homeland security industrial complex at the state and local level.

We’re pleased to call the attention of our readers to one of the most notable exceptions to date: a recent series of articles by Michael Coleman, Washington correspondent for the Albuquerque Journal, on what the DHS and its contractors and state and local accomplices are actually doing “on the ground” in New Mexico:

  1. Homeland Security a ‘runaway train’ (April 27, 2014)
  2. NM footprint grows: ‘We’ve up-armored’ (April 28, 2014)
  3. Feds help militarize police agencies (April 29, 2014)
  4. Editorial: Homeland’s ‘mission creep’ works on 3 levels (May 4, 2014)
  5. Follow-up: New DHS head says agency needs change (May 4, 2014)

We’ve been paying particular attention to events in Albuquerque, of course, as part of our work with Phil Mocek, whose lawsuit against DHS and Albuquerque police personnel is currently on appeal from the US District Court for the District of New Mexico to the Court of Appeals for the 10th Circuit.

But we suspect that what the Albuquerque Journal uncovered in New Mexico is a typical case study that could usefully be repeated in any other state or metropolitan area.  We hope that national and other local journalists are inspired by this example to look into DHS activities throughout the country.