Papers, Please!

The Identity Project

Category Archives: Surveillance State

Oct 18 2010

Airlines to cancel reservations and deny passage to travelers who won’t provide “Secure Flight” info

Airlines are moving rapidly toward global industry standards, effective November 1, 2010, that could lead to cancellation of reservations — including already ticketed reservations — without notice to travelers and in violation of the contractual conditions in effect when tickets were sold, and denial of transportation to would-be passengers in violation of airlines’ operating licenses and international aviation treaties that require them to operate as “common carriers”.

We’ve previously noted the impossibility of knowing how the TSA will enforce its Secure Flight passenger surveillance and control scheme, since the enforcement of “Secure Flight” demands for information will, presumably, be carried by airlines acting on secret TSA Security Directives.  And in one of their most recent non-responses to our FOIA requests, the TSA reiterates their claim that all such Security Directives are by definition exempt from disclosure, regardless of whether their disclosure would have any actual effect on safety or security.

But we’ve also noted the recent announcements by some airlines, apparently starting with American,  that they plan to cancel or inhibit the creation or ticketing of reservations that don’t contain the additional personal information that the TSA wants each traveler to provide to both the airline (who is free to retain, use, sell, or otherwise disclose it) and the TSA: “full name” (whatever that means — there’s no definition in the Secure Flight regulations), gender, and date of birth.

Now airlines are going even further, with more airlines announcing their intent to cancel ticketed reservations if passengers don’t, on their own initiative, come forward with Secure Flight passenger Data (SFPD), and the airline trade association (and sometimes cartel) IATA reportedly expected to pass a global standard this week mandating inhibition of ticketing of all reservations without SFPD.

Read More

Oct 17 2010

Europeans start asking questions about the role of reservation systems

We’re pleased to see that — perhaps as part of the fallout from publicity in Europe (see the links in these comments) for our lawsuit against the DHS — questions are finally being asked in the European press about the role of Computerized Reservation Systems (CRSs, also known as Global Distribution Systems or GDSs) in passing travel reservations to the US and other governments.

We’ve pointed out repeatedly that most airlines, travel agencies, and tour operators have outsourced their PNR database hosting to the major CRSs, including Sabre and Travelport (Galileo and Worldspan) in the USA and Amadeus in Europe.  Earlier this month the Süddeutsche Zeitung became the first major European news organization to publicly question Amadeus about its (illegal) role in granting DHS access to Passenger Name record (PNR) data stored with Amadeus. Amadeus falsely claimed that “We are not involved in the decision” to pass data from the EU to the DHS.  But that claim is unlikely to stand up to an inquiry such as the one we’ve been told the Article 29 Working Group of European national data protection officers is currently conducting.  And more and more other Europeans are beginning to ask similar questions as well.

Overly simplistic usage of the term “European PNRs” has contributed to an erroneous conflation with “PNRs for flights operated by European airlines”, and an even more erroneous conflation with “PNRs stored in Europe”. PNRs are, by design, globally accessible in ways similar to that of data “in the cloud”, so this is a largely meaningless concept.  In practice, a single PNR routinely contains data collected in multiple locations. EU data protection laws apply to all PNRs that include data collected in the EU, even PNRs for flights within the USA if the reservations are made, or some of the data is entered, by travel agencies or tour operators in the EU or by European ticket offices of USA-based airlines.  Those laws apply equally to Amadeus and its USA-based competitors Sabre and Travelport, each of which has thousands of airline, travel agency, and tour operator subscribers in the EU.

As we pointed out in our testimony at the European Parliament in April, Amadeus’ location of its main servers in Erding, Germany (Europe’s largest private data center)  doesn’t mean that it complies with EU data protection law or shields its PNRs from US or other authorities (or other threats) outside the EU. In fact, Amadeus offices as well as Amadeus subscribers (including airlines, travel agencies, and tour operators) in the USA and around the world have full access to Amadeus reservation data including data collected in Europe.

There are no access logs in PNRs, so neither Amadeus nor its subscribers actually know who has retrieved PNRs, or from which countries.  But we’ve seen a growing number of examples, as we first reported more than three years ago, of DHS records of flights within the EU, operated by EU-based airlines, that could only have been obtained through “root” access by the DHS to the CRSs.

For example, portions of a PNR showing root access to the Galileo CRS by DHS/CBP were reproduced on page 5 of our initial 2007 report on our research into DHS travel records. This was a real PNR for a real person obtained from the DHS. The traveller went from the USA (SFO) to Berlin (TXL) on United Airlines. She stayed six days in Berlin. Then she went from Berlin to Prague to London on Czech Airways (IATA code “OK”). Then she stayed for another 6 days in London. Then she returned from London to SFO on United. The flights on Czech Air were entirely within the EU. They did not connect to or from flights to or from the US, or on a US airline. The PNR shows that travel agent issued a separate ticket, and a separate fare, for the Czech Air flights — they weren’t on same ticket with the United flights. But the travel agent followed standard travel agency procedures and made all the reservations for the entire journey in the same CRS, in this case Galileo (the CRS used by United). When DHS pulled the PNR, they didn’t just pull the portion on United, but pulled the entire travel agency PNR, including the flights on Czech Air. This confirms that DHS had root access to Galileo, not just access through United, since United would not have been able to see the details of the Czech Air flights and ticket.

Meanwhile, the US government is growing increasingly worried that the European Parliament might no longer capitulate to their bullying.  In a recent white paper, former CBP director Jayson Ahern, now an influence-peddler working with his former boss Michael Chertoff oas a lobbyist for various DHS contractors, pleads with European parliamentarians not to “pull back” from continuing to give DHS/CBP free access, in violation of EU law, to PNR data collected in the EU.  Ahern says that, “In 2009 … PNR data together with APIS helped identify one-third of all known and suspected terrorists ultimately denied entry to the US.”  But since none of those denials were ever reviewed by any US judge, it’s impossible to tell whether this statistic is evidence of the successful use of PNR data… or of the number of PNR-based violations of travelers fundamental human and civil rights.

[Update: While Amadeus offices and subscribers in the USA and around the world already have unlogged access to data stored on Amadeus servers in the USA, Amadeus is reportedly considering opening a data center in the USA, which would make it even more difficult to comply with EU law.]

Sep 27 2010

The right to remain silent at airports and borders

Our friend the attorney, frequent traveler, and blogger Paul Karl Lukacs has been generating lots of long-belated discussion (see links in the CBP category in his blog) in response to his report last January on the right of US citizens not to answer questions from US border inspectors, and why many lawyers, if consulted, would advise their clients not to answer such questions.

We highly recommend his latest, extremely cogent analysis of the law on Refusing To Answer Questions At U.S. Passport Control, and in particular his critique of the erroneous and misleading, but widespread, conflation of the Fourth Amendment issues with border searches and the Fifth Amendment issues with border interrogation, as well between between either and the absolute right of US citizens to enter the country (even without considering the near-absolute right of departure and return guaranteed by Article 12 of the International Covenant on Civil and Political Rights, a treaty ratified by and binding on the US).

While his analysis is limited to borders, the distinctions between search and interrogation, and between search and denial of passage, are equally significant at TSA checkpoints for domestic flights, as we have noted repeatedly.   How the travelers can exercise their right to remain silent without TSA retaliation is one of the specific questions to which we are still waiting for answers from the TSA.

Sep 21 2010

How will “Secure Flight” be enforced?

Recent announcements by airlines suggest that, either on their own initiative or in response to secret Security Directives from the TSA, they are implementing new and clearly illegal Secure Flight enforcement measures.

One of the many questions about the TSA’s Secure Flight program has been how it would be enforced.

None of the published Secure Flight regulations include any enforcement provisions or any provisions imposing obligations on travelers, and the details of Secure Flight implementation are spelled out, if at all, only in secret Security Directives to airlines that by their nature cannot impose any obligations on travelers.

The TSA’s own secrecy leaves us no choice but to rely on whistle-blowers and leakers within the government and the airline industry (please keep those calls, letters, and e-mail messages coming!) and on what we can infer from airlines’ public disclosures.

This new notice from American Airlines is typical of what we’ve been seeing and hearing lately:

As a result of the Transportation Security Administration (TSA) and Department of Homeland Security (DHS) mandate, beginning November 1, all passengers will be required to have Secure Flight Passenger Data (SFPD) in their reservation at least 72 hours prior to departure….

In compliance with this mandate you will be required to provide Secure Flight Passenger Data:

  • To purchase any ticket on or after September 15, 2010
  • To travel November 1, 2010, or later regardless of purchase date

What’s wrong with this picture?

The “mandate” described on the AA website doesn’t exist in any Federal statute or publicly-disclosed regulation, or in AA’s tariff or contractual conditions of carriage.  On the contrary, airlines are required by Federal law to be licensed as common carriers. They are required to sell a ticket to, and to transport, any would-be passenger willing to pay the fare and comply with the rules in their published tariff.

Federal agencies including the TSA and Department of Transportation (DOT) are required when issuing regulations to take into consideration “the public right of freedom of transit” by air, and have no authority to issue administrative regulations or directives that would override the statutory definition of airlines as common carriers.

No court has ever even considered, much less upheld, any suggestion that air travelers forfeit their right to remain silent in response to questions from the TSA or other Federal employees, much less from TSA contractors or airlines.

On international routes, bilateral and multilateral aviation treaties similarly require airlines to operate as common carriers, in accordance with published rules and a published tariff.

So if AA or any other airline refuses to sell you or a ticket, or to transport you, solely on the basis of your declining to provide Secure Flight data, they render themselves liable to Federal civil suit and damages for refusal of transportation in violation of their duty as a common carrier, as well as to formal complaint and revocation of their operating license for the same violation.

While the US government might intervene in US court to block such a suit on the grounds that any Security Directives issued to the airline were a state secret, that wouldn’t be possible if the lawsuit for refusal to transport were brought in the courts of a foreign country from which the airline refused to transport you to the US.

If an airline tried to file new conditions of carriage incorporating such a provision for denial of transportation, the US Department of Transportation would be duty bound, by Federal statute, to disapprove it.  And if the DOT approved such a filing applicable to an international route, the government of other affected country or countries would be entitled both to disapprove the filing (by treaty, international tariffs typically require approval by both or all countries involved) and to protest its approval by the US as a treaty violation.

We hope that, faced with these choices and risks, airlines will choose to follow Federal law and international aviation and human rights treaties, and will vigorously and publicly litigate their challenges to any US attempt, through secret Security Directives or otherwise, to get them to depart from their duty to the traveling public as common carriers.

Sep 21 2010

ESTA fees: the whole is worse than the sum of its parts

New U.S. Customs and Border Protection (CBP) regulations took effect this month that combine two bad ideas — fees to encourage foreigners to visit the US by charging them more to do so, and fees for the Electronic System for Travel Authorization (ESTA) — in a way that creates new possibilities for travel surveillance and control that are far worse than either component alone.

The Interim Final Rule for ESTA and Travel Promotion Act fees took effect on an emergency basis on September 8, 2010, with public comments and objections being taken only after the fact. In promulgating the new rule, CBP continues to ignore the objections we raised to the fundamental illegality of the ESTA scheme. CBP also continues to ignore the Presidential Directive that it consider in its rulemakings US obligations under international human rights law, and continues to claim, in direct contravention of the applicable law, that it doesn’t need to consider the impact of the rule on individuals because “individuals are not small economic entities”, despite the fact that a sole proprietor, freelancer, or other self-employed individual is the epitome of a small economic entity (as the DHS has itself admitted in response to some of our previous objections to this same false boilerplate claim in other rulemakings). And it remains unclear if and when an ESTA is actually required, or how the “requirement” is supposed to be enforced.

But the most problematic consequences of the new rule result from the new requirement, completely lacking in statutory authority, that the the new “travel promotion” and ESTA fees can be paid only by one of four specified brands of credit or debit cards.  This implies:

  1. Travel control by credit and debit card issuers: If you do not have one of these four types of cards, you cannot travel to the US intending to enter under the Visa Waiver Program (VWP), but may enter the US only if you obtain a visa at a cost of at least US$135 plus a personal interview at a US consulate or embassy (for which there may be a waiting list of several months). Since the regulations impose no obligations whatsoever on the issuers of these cards, this means that collectively the four companies (Visa, MasterCharge, American Express, and Discover) have absolute, secret, standardless commercial veto power over eligibility for VWP entry to the US.
  2. Universal financial surveillance of VWP travellers: Because the credit or debit card details must be provided as part of the same online ESTA application with the would-be visitor’s personal information, it is now illegal to travdel to the US intending to enter under the VWP without having at least one currently valid credit or debit card on file with CBP and linked to your identifying and travel details.  As some news reports have already noted, this creates new possibilities for financial surveillance of travelers. All of the four acceptable types of cards are issued through US-based commercial entities, so all records related to them can be accessed by the US government in secret, without warrant, through “National Security Letters”. Even if you use a different card while in the US, it will in almost all cases be linkable through card application or other banking records (such as those obtainable by the US government from SWIFT or other companies through the “Terrorist Finance Tracking Program”).
  3. Vastly increased potential for identity theft, phishing, and other ESTA-based fraud: Because ESTA requires entry through an easy-to-imitate website of exactly the sort of personal information that’s needed for identity theft, together with travel itinerary information that makes it easy to carry out the attack while the victim is away from home and less likely to notice or be able to respond quickly and effectively, ESTA phishing and fraud are already rampant.  But the addition of current valid credit or debit card data to the online-only ESTA application requirements has put phony ESTA websites in the vanguard of current phishing techniques. Already, most of the top search results for “ESTA application” in the languages of countries in the VWP are fraudulent phishing sites, and the problem is getting steadily worse. We can tell you that the only legitimate ESTA application website is at https://esta.cbp.dhs.gov — but how do you, or anyone else, know to believe us rather than to believe any of the other bogus websites that say otherwise?:Visitor beware!
Sep 05 2010

Former DHS policy director describes “calling the EU bluff”on PNR

We’ve been reading with great interest Skating on Stilts, the political memoir of former DHS Assistant Secretary for Policy and current lobbyist and influence-peddler for the homeland security industrial complex Stewart Baker.

Despite our disgust at Baker’s continued insistence on distorting both facts and law, we recommend it highly to those interested in understanding (from the perspective of a self-serving spin-doctor and self-professed bureaucratic in-fighter) some of the mentality behind DHS policy-making. Substantial portions of the book are available online for free.

Most notable, of course, is the complete absence of any consideration for human rights.  It’s impossible to tell whether the idea that freedom of movement is a right, much less one guaranteed by international treaty, is literally incomprehensible to someone like Baker, or whether he regards it as so obviously impropoer as not to need any rebuttal. Whatever the reason, and despite considerable introspection about the implications of the policies he advocates, Baker never even considers the idea of “rights”, preferring to cast a more nebulous concept of “privacy” as his bogeyman.

The central story of the book is Baker’s negotiation for DHS of a (non-treaty, and therefore non-binding) “agreement” with the European Union to give a fig-leaf of legality to DHS access to airline reservation (PNR) data collected in the EU.  And the climactic event in this episode comes at the end of September 2006, when a decision of the European Court of Justice invalidating the first DHS-EU agreeement of PNR data transfers took effect.

Baker describes, with great pride, the brinkmanship with which — with the support of his boss Michael Chertoff and his deputy Paul Rosenzweig — he maneuvered to get the US to allow the ECJ decision to take effect without any successor agreement in place. It was, indeed, a dramatic moment for those following the issue: Would airlines chose to comply with EU data protection and international human rights law, or with extra-judicial DHS data demands? And if airlines went along with DHS demands for continued root access to their reservation systems, would the EU and its members actually enforce their laws against those airlines?

Baker claims to have believed that any risk of EU enforcement action againt airlines was hollow because, even without any specific agreement on PNR data transfers, airlines were required by the Chicago Convention on civil aviation to demand from passengers and pass on to the DHS complete identifying, itinerary, and other PNR data.  And it was Baker, presumably, who was behind Secretary Chertoff’s making that same false claim before the European Parliament a few months later.  But both Baker and Chertoff are far too skillful lawyers to have possibly believed that claim if they had actually read the Chicago Convention, as Baker at least almost certainly had.

There is, however, an important truth to Baker’s portrayal of himself as having called the EU bluff on PNR:

Despite talk of an “interim” PNR agreement, there really is no such entity in place with any binding validity under EU law. From 1 October 2006 to today, DHS has been accessing EU PNR data in violation of EU law, and it has been the duty of EU data  protection authorities to enforce their laws against airlines that take part in this illegal data transfer.

But to date, so far as I can tell, neither any EU national data protection authority (exercising jurisdiction over airlines and other travel companies, of whatever nationality or place of incorporation, that do business or collect data in the EU), nor the European Commission (exercising its authority to enforce the EU Code of Conduct for Computerised Reservation Systems), has taken any enforcement action or imposed any sanctions on any travel company for illegally transferring travel records to both the US government and unregulated commercial entities in the USA.

It seems that Baker was, unfortunately, correct in the assessment, described in detail in his book, that airlines and the US government could get away with ignoring EU law by passing travel data to the US, and that EU authorities would not actually enforce their laws against them.

As time has passed, it has become clear that EU authorities will take no enforcement action on their own initiative. The only way to get the law enforced will be for EU citizens to request their records from both the DHS and travel companies, and to complain to their data protection authorities if they don’t receive full responses from both that demonstrate compliance with both the DHS undertakings to the EU and the laws of the EU and its members.

Sep 03 2010

Napolitano outlines US travel control agenda for ICAO

In a speech to the Air Line Pilots Association earlier this week, Secretary of Homeland Security Janet Napolitano made explicit the US government’s intentions to, as we have repeatedly predicted, use the International Civil Aviation Organization (ICAO) as its primary international policy-laundering forum to bypass and override national laws restricting surveillance and control of travel.

ICAO isn’t mentioned in the DHS press release, and the DHS doesn’t seem to have posted the full text of Napolitano’s speech.  But according to reports in Homeland Security Today and elsewhere:

Napolitano will seek a formal resolution from the general assembly of the International Civil Aviation Organization (ICAO) Sept. 28-Oct. 8 in Montreal, Canada, to build upon five regional security declarations obtained by the United States….

Each of the five meetings resulted in a security declaration focusing on vulnerabilities in the international aviation system in four key areas: developing and deploying new security technology, strengthening aviation security measures and standards, enhancing information collection and sharing, and coordinating international technical assistance

ICAO assisted in coordinating the five agreements, which Napolitano hopes to use as a springboard to obtain a declaration covering the international organizations 190 member states in the fall.

“Enhancing information collection and sharing” is of course a euphemism for mandatory airline and national government participation in the compilation of lifetime logs of individuals’ movements, while “developing and deploying new security technology” refers mainly, as of now, to mandatory use on airline passengers of virtual strip-search machines.

With Members of the European Parliament asking new questions about DHS demands for European collaboration in US travel surveillance and control schemes,  DHS and the US government are turning increasingly to ICAO as a less transparent, less publicly accountable “plan B” for internationalization of its travel regime.

It’s unclear whether the resolutions to be proposed for adoption by ICAO at its upcoming general assembly will constitute ICAO “security standards”, or will merely be a step toward their adoption through he slow but inexorable multi-year ICAO decision-making process.  But the goal of the US government is clear: Whatever surveillnace and control measures can be incorporated into ICAO security standards can be backported into national and international laws through innocuous-seeming statutory and treaty mandates for compliance with ICAO security standards, and imposed on recalcitrant countries through denial of landing rights oin the US to flights from countries or on airlines that don’t comply with such surveillance and control standards.

Sep 03 2010

From our mailbag

Thank You, and good luck!

I have come across information on your suit against the US Gov’t and DHS, and the fantastic summary you did. I just felt I should thank You for your effort and bravery.

I just wanted to let You know there are people and organisations all over the world (Poland here, by the way) that see the diffusion of privacy and personal rights and freedoms in America as a very dangerous precedent that might “inspire” other countries (and indeed, often it already does) to follow suit (pun not intended).

I come from a nation that had to fight for independence and freedom many times throughout its history. For 21 years we are finally Free – after almost 200 years of enslavement. I have the distinct privilege to not remember the Polish People’s Republic and the times long gone by (I’m 25), but we all here either remember, or simply know (from history lessons, from relatives, from literature) what Orwellian surveillance was like. We all remember or know about the atmosphere, the Kafka-esque processes of law, the fright… And we remember or know what sacrifices had to be made to be finally Free.

Maybe that’s why ideas like secret lists, internet filtering and similar ideas meet with a decisive public resistance. For now. But if the USA, the country people 15-20 years older than me saw as a symbol of freedom and one of the only allies we had against the USSR, slides down this slippery slope any more, resistance can only become harder.

The more can we admire what You are doing.

Hence, for Your sake, and for the sake of all the people that watch and see what’s going on, I wish you strength and good luck in your fight. In times like these there’s always the need for a single fighter to fight for the principles.

It was like that in the fifties in USA with the McCarthy-ism at its height, when Ed Murrow took a stand.

It was like this in the Big Tobacco suits in early nineties when Brown & Williamson almost destroyed Jeff Wigand’s life when he took a stand.

I’ll be watching, and with me two Polish NGOs.I’ll be watching, and with me two Polish NGOs.

Best regards,

Michal “rysiek” Wozniak

Aug 25 2010

Lawsuit filed against DHS travel surveillance

In the first lawsuit to challenge one of the U.S. government’s largest post-9/11 dragnet surveillance programs, the First Amendment Project (FAP) filed suit today under the Privacy Act and the Freedom of Information Act (FOIA) against U.S. Customs and Border Protection, the DHS division that operates the illegal “Automated Targeting System” of lifetime travel histories and travel surveillance dossiers including complete airline reservations (Passenger Name Records or PNRs).  The Identity Project is part of FAP, and the lawsuit was filed on behalf of Identity Project consultant and travel expert Edward Hasbrouck.

The complaint filed today in Hasbrouck v. CBP asks the court to declare that CBP violated the Privacy Act and FOIA, and order CBP to turn over the travel records about himself that Hasbrouck has requested, as well as an accounting of who else CBP has disclosed these records to, what happened to Hasbrouck’s previous unanswered Privacy Act and FOIA requests and appeals (some of which have been pending and ignored by CBP for almost three years, and may have been among those recently revealed to have been improperly held up for “political review” by higher-ups in DHS and/or the White House), and how these records in the CBP “Automated Targeting System” are indexed, searched, and retrieved.

The case is important in part because it shows that, despite DHS claims that everyone who has asked for their travel records has received them, and that no one has complained about DHS misuse of PNR data, DHS has entirely ignored many such requests and complaints, even when they have come from U.S. citizens like Mr. Hasbrouck.

There’s more about the case and its significance in our FAQ: Edward Hasbrouck v. U.S. Customs and Border Protection.

Jul 30 2010

Washington Post: “Secure Flight may be making your privacy less secure”

We’re quoted today in the Washington Post in a story by Christopher Elliott about how airlines are able to use personal information — collected under government duress for the TSA’s Secure Flight passenger surveillance and control scheme — for the airlines’ own marketing and other purposes.

“Could it be that the information we give airlines doesn’t belong to anyone or, worse, isn’t regulated by anyone?” Elliott asks.

A good question — and “privacy” may be the least of the problems with Secure Flight, as discussed in our testimony (quoted from, in part, in the Post story) at the TSA’s only public hearing on Secure Flight, our more detailed written comments submitted to the TSA, and our FAQ about Secure Flight.