Sep 16 2011

Court hearing in our lawsuit for DHS travel records

A little more than a year after we filed suit on behalf of Edward Hasbrouck against the Customs and Border Protection (CBP) division of DHS to find out what records they are keeping about our international travels, and what they have done with those records, we had our first real day in court yesterday in front of Federal Judge Richard Seeborg in San Francisco.

Judge Seeborg was appointed as a judge of the U.S. District Court by President Obama, after a decade as a Federal magistrate and seven years before that as a Federal prosecutor. On first impression, he seems fair-minded and thoughtful, although — like most judges — inclined to give more “deference” than is warranted to even implausible claims by police and prosecutors, such as some of those made in the declarations submitted by the CBP in opposition to Mr. Hasbrouck’s complaint.

Mr. Hasbrouck was represented by David Greene of Holme Roberts & Owen (formerly executive director and staff counsel of the First Amendment Project), who conducted yesterday’s argument, along with FAP staff attorney Lowell Chow. Former FAP staff attorney Geoffrey King also worked on earlier stages of the case, as did several FAP law school student interns, who we were pleased were able to attend the argument. We are grateful to them all for their contributions.

CBP was represented by Assistant U.S. Attorney Neill Tseng, who conducted the argument, accompanied by an attorney from the CBP.

As we expected, and as is usual, no decision by the court was announced at yesterday’s hearing. In each of the other cases on Judge Seeborg’s motion calendar yesterday, he began by describing how he was “inclined” to rule on the matters before him. In our case, however, Judge Seeborg began — after some comments about how ill-suited the typical summary judgment motion practice is to FOIA or Privacy Act cases like this, where the issues only gradually become clear in the course of the briefing — by saying that after reading the lengthy pleadings he had only the most tentative “impression” as to how he might rule on any of the issues.

In other words, he still had an open mind, and oral argument might actually matter.

With that preface, Judge Seeborg invited Mr. Hasbrouck’s attorney, David Greene, to address whatever issues he thought were most important, and then gave AUSA Neill Tseng an opportunity to respond for the CBP.

If you’re just tuning in, the best places to start are the Identity Project FAQ (for the political issues and significance of the case) and our last reply brief before yesterday’s argument (for the legal issues).

Broadly speaking, the argument focused on what we would group into four main questions:

Read More

Sep 12 2011

Illegal Israeli-style traveler interrogations come to Boston

If you’re going to be flying through Logan Airport in Boston, you might want to have a copy of the Paperwork Reduction Act handy when you go through the TSA checkpoint.

The TSA has celebrated the 10th anniversary of the September 11, 2001, hijackings — two of them of flights that originated at Logan — by rolling out a new program of Israeli-style interrogations of air travelers passing through TSA checkpoints at Logan.

Rafi Ron, a former director of security at Ben-Gurion Airport in Tel Aviv, relocated to the U.S. and hung out his shingle (“New Age Security Systems”) as an airport security consultant just before September 11, 2001. His first post-9/11 U.S. client was MASSPORT, which operates Logan. Ever since, as Ron’s client list has expanded to the Massachusetts State Police (the notorious racists who patrol Logan) and then the TSA, Logan has remained the cutting edge of U.S. testbed for Ron’s Israeli-style gospel of  human profiling, from the TSA’s SPOT “behavior detection” program to the new TSA “chat-downs“.

We’re pleased that Rep. Bennie Thompson (D-MS), the ranking minority member of the House Committee on Homeland Security, has publicly questioned the TSA about the Logan pilot program.

But whether or not it’s a good idea (it’s not), the immediate problem for the TSA is that it’s illegal.

Previous case law on airport checkpoints has authorized administrative searches, but never compelled responses to administrative interrogations.  Responses to police questioning in such circumstances have been presumed by courts to be voluntary.

If the TSA’s Constitutional case for such interrogation is untested, their lack of statutory authority is clear. The Paperwork Reduction Act, — a Reagan-era Republican anti-bureaucracy law — requires that any Federal “information collection” be justified in advance to, and approved in advance by, the Office of Management and Budget. An “information collection” is defined as any solicitation — even verbally — of answers to identical questions from ten or more people by a Federal agency, which clearly covers what the TSA “Assessors” (interrogators) are doing in Boston.

OMB approval is evidence by an OMB control number provided on the form or to those being questioned. in the absence of an OMB control number, (a) the collection of information is illegal, (b)  nobody can be required to answer the questions or provide the requested information, and (c) no sanctions can be imposed for failure to respond or provide information.

The TSA has never gone through the process of seeking OMB approval, or obtained an OMB control number, for its ID verification form or any of its other information collections from travelers.

So if the TSA’s goons at logan (or anywhere else) ask you, “Who are you?”, “Where are you going?”, “What’s the purpose of your trip?”, or any of their other standard questions, ask them what the OMB control number is for their collection of that information.

If they can’t or won’t provide you with a valid OMB control number (you can look up and verify any valid OMB control number here), politely but firmly decline to answer. If necessary, remind them — it might help to show them a copy of the law — of the provisions of  44 U.S.C. § 3512:

§ 3512. Public protection

(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this subchapter if–

(1) the collection of information does not display a valid control number assigned by the Director in accordance with this subchapter; or

(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.

(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.

Document what happens, so that you can, if necessary, prove that any sanctions such as a more intrusive search, denial of passage through the checkpoint, or denial of access to common-carrier transportation were based on your refusal to provide illegally-request information without having been provided with a valid OMB control number and notice that without it you don’t have to answer.

Sep 07 2011

“Why should I care about PNR?”

Our guest post for European travelers at NoPNR.org:

Why should I care about PNR?

More for our European readers about PNR data and how it is used by governments:

What can Europeans do?

Aug 16 2011

Hearing in our lawsuit against DHS postponed until September 15th

The hearing in our Privacy Act and FOIA lawsuit against the Customs and Border Protection division of DHS, previously scheduled for August 25, has been postponed by the court until Thursday,  September 15, 2011, 1:30 p.m. in Federal court in San Francisco.

The hearing will still be held before Judge Richard Seeborg (Courtroom 3, 17th Floor), U.S. District Court for the Northern District of California, Phillip Burton Federal Building and U.S. Courthouse, 450 Golden Gate Ave. (between Polk and Larkin, near Civic Center), San Francisco, CA.

The public is welcome to attend the oral argument, although the guards at the entrance to the courthouse require visitors to show government-issued ID and submit to search to be admitted to the courthouse. (See also the court’s information for journalists and the local court rules for electronic devices in the courthouse.)

Aug 12 2011

Grassroots European opposition to US access to airline reservations

An almost-unprecedented campaign of pan-European grassroots lobbying and activism has emerged this summer in opposition to US access to PNR (Passenger Name Record) data from European airline reservations.

During the European Parliament’s summer recess, people from throughout the EU have been sending postcards from their holiday travels to the members of the European Parliament’s LIBE (civil liberties) Committee, urging MEPs to vote against the proposed EU-US agreement that would grant immunity from EU data protection law to both European and US companies that give the US Department of Homeland Security access to PNR data collected in Europe.

It’s a clever way of mobilizing grassroots action and popular pressure on a travel-related issue during the peak summer holiday travel period, when Parliament itself is on holiday along with most of the European travelers concerned about US access to airlines’ records of their travels.

Direct popular lobbying of MEPs is rare at any time of year. Each member of the US Congress receives hundreds or thousands of letters and dozens of constituent visitors in their offices each day, but a visit from a constituent is a once-a-month event, if that, for a typical MEP’s office in Brussels.  Despite widespread dislike of many decisions taken by the EU institutions, and growing power of the EU relative to that of individual EU members, grassroots European campaigning remains almost entirely focused on national issues and national legislatures.

An equally-rare demonstration and other networking and activist events on this and related issues are being planned as part of Freedom Not Fear 2011 in Brussels on September 17-19, 2011.

We congratulate our European colleagues for taking the issue of US travel surveillance to the people and to the streets, and we urge our European supporters to join these campaigns.

Jul 30 2011

Our reply to DHS claims that travel dossiers are exempt from the Privacy Act

Our reply brief and a supporting declaration were filed yesterday in Hasbrouck v. CBP, our Privacy Act and Freedom of Information Act (FOIA) lawsuit seeking records from and about the DHS “Automated Targeting System” of individualized government dossiers about each of the the millions of international travelers to and from the USA, including US citizens.

ATS includes complete copies of airline reservations (“Passenger Name Records” or PNRs), as well as a “risk assessment” for each would-be traveler that is used to decide whether or not to give the airline permission to transport them into, out of, or through the airspace of the USA. As Mr. Hasbrouck’s supplementary declaration supporting our latest reply brief explains:

Tens of thousands of travel agencies, airline offices, and offices of other travel companies around the world, and a million or more individual employees and contractors of these companies, have access through CRSs [Computerized Reservation Systems] or otherwise to PNR databases and the ability to enter data in PNRs. PNRs thus can, and do, contain an unlimited quantity and variety of data originating with numerous third parties around the world, some of it in the form of unstructured free text. CBP requires that, in all cases where a PNR contains a flight between a point in the U.S. and a foreign point, or overflying U.S. airspace, the entirety of the PNR — including the free-text general remarks and whatever other data has been entered by anyone with access to the PNR — must be made available to CBP for import into ATS.

PNRs can contain information about aspects of a journey other than air transportation, such as hotel reservations and other travel services, even in what are considered in travel industry jargon to be “air-only” PNRs. Information about these other travel services can be included in the “OSI” (Other System Information), and “SSR” (Special Service Request) elements of the PNR. For example, in reviewing records from ATS released to another requester by CBP, I have seen a PNR for two people, for whom the airline had reserved a hotel for an involuntary overnight layover, which included an SSR entry with a code showing whether a room with one bed or two had been requested for those two travelers. This is a normal and expected example of standard travel industry practices.

The SORNs [System Of Records Notices, required by the Privacy Act] for ATS specifically mention OSI, SSR, and “General Remarks” 10 among the “Categories of Information in the [ATS] System” and among the types of data derived from PNRs and included in ATS. “OSI” entries can be used by travel agency or airline staff with access to PNRs to enter, and to send to airlines, arbitrary free-text messages. “Remarks” in PNRs are intended to be used for an unlimited range of free-text data entry. This information can — and in some cases does — include remarks about the personal foibles of the traveler (to assist other travel agency or airline staff in dealing with the traveler), and/or derogatory descriptions of interactions with customer service staff. Travelers do not normally see the PNRs that contain information pertaining to them, and do not know or control what information has been entered about them.

Our reply brief also notes that:

Acknowledging the sensitivity of the data in PNRs, Canadian and European Union laws require that private entities that control or host PNRs allow individuals to inspect their own PNRs and obtain information about how they are used. However, U.S. law contains no such requirement.

The focus of our latest arguments is on the government’s claim that — after receiving Mr. Hasbrouck’s Privacy Act request and his appeal of the government’s failure to respond — CBP had the right to issue new regulations retroactively exempting itself from any obligation to respond to the pending request or appeal, to provide Mr. Hasbrouck any of the ATS or other records about him and his travels, to provide him with any accounting of the disclosures of those records to third parties, or to correct inaccurate records or expunge irrelevant ones. As our brief notes:

The retroactive application of the ATS and BCIS exemptions is especially egregious in this case where the processing of Hasbrouck’s Privacy Act requests was completed by CBP’s Office of Intelligence and Operation Coordination on April 2, 2009, but was then sat on for 17 months until after the exemption rules were finalized.

We also contest CBP’s failure to search for Mr. Hasbrouck’s records, in response to his request, in the same way they would if they were searching for records about him as a suspected terrorist. And we contest their refusal to disclose even the records about Mr. Hasbrouck that they admit to having found.

The next step in the case will be oral arguments on the cross-motions for summary judgment on Thursday, August 25, September 15, 2011, 1:30 p.m., before Judge Richard Seeborg (Courtroom 3, 17th Floor), U.S. District Court for the Northern District of California, Phillip Burton Federal Building and U.S. Courthouse, 450 Golden Gate Ave. (between Polk and Larkin, near Civic Center), San Francisco, CA. [Note revised hearing date of September 15th.]

It’s unlikely that any decision will be announced on the spot at the oral argument. Judge Seeborg will most likely take the written submissions and oral arguments under advisement, and issue an initial decision on the motions for summary judgment some weeks or months later. (There is no mandatory deadline for most Federal judicial decisions.)

The public is welcome to attend the oral argument, although the guards at the entrance to the courthouse require visitors to show government-issued ID. See the specific rules for electronic devices in the courthouse and additional rules and information for journalists.

Jul 18 2011

DHS reply to our arguments for release of travel records

Late last Friday night, lawyers for U.S. Customs and Border Protection (one of the divisionS of the DHS) filed their reply to our motion for summary judgment in Hasbrouck v. CBP, our lawsuit under the Privacy Act and Freedom Of Information Act (FOIA) seeking release of PNR data and other information from and about the CBP “Automated Targeting System” (ATS) and other records of the travel of innocent US citizens neither accused nor suspected of any crime.

We’ve added CBP’s latest pleadings and self-serving (and often false) declarations to our posted documents from the case.

Our legal responses are due to be filed with the court by July 29th, followed by oral argument before Judge Seeborg of the U.S. District Court for the Northern District of California in San Francisco on August 25th.

In the meantime, the government’s latest filings raise disturbing new legal and factual claims:

First, CBP’s main response to our Privacy Act arguments is to claim the authority (a) to delay action indefinitely on Privacy Act requests (“The Privacy Act contains no provisions addressing processing procedures or deadlines”, they say), and (b) to promulgate new Privacy Act exemption rules applicable retroactively to pending requests and appeals, even ones made years earlier.

If these arguments are accepted by the courts, the result would be that the Privacy Act cannot be relied on to provide any guarantee of “rights” with respect to future access to personal information. Whenever an agency receives any request it doesn’t want to fulfill — for access to records about an individual, for an accounting of disclosures of those records, or for correction of inaccurate records — the agency could simply delay acting on the request (without even needing any reason or excuse for the delay) while it promulgates a new rule retroactively exempting the system of records from the requirement to act on the request.  Or the agency could simply delay action indefinitely, effectively denying the request without the need for any formal exemption, denial, or statement of reasons.

Anyone considering relying on the Privacy Act, or on the (current) rules for any particular system of records, should be aware that this is now officially the DHS interpretation of the Privacy Act.

Second, CBP claims (paragraph 11) that the “audit logs” of access to ATS records (including PNR data) were not likely to contain any information responsive to our requests because they are “neither intended nor designed to be used to generate reports to memorialize the terms used [to] search for records.”

CBP thus appears to be admitting that — despite the claims in its Privacy Impact Assessment and reports to the European Union that “ATS retains audit logs for all user access”, those audit logs show only who logged in to the ATS system, not what PNR data they retrieved.

Apparently, once an “authorized” user logs in, they can retrieve any PNR — of a politician, of a celebrity, of their personal enemy, or of anyone else — without any record being kept of which PNRs they have retrieved.

The absence of logs showing which PNR data is retrieved, when, and by whom make a mockery of any reliance on these logs as proving or disproving whether CBP misuses its access to PNR data.

We’ve often said in the past that the absence of access logs for access to PNR data held by commercial computerized reservation systems makes it impossible for those CRSs to comply with EU or Canadian privacy law. But we’ve taken at face value CBP’s claim to maintain logs of access to the copies of PNR data in CBP’s ATS database.

Now we know that there are no meaningful access logs — logs showing which PNRs are retrieved when, and by whom — for ATS either.  There is thus no way for anyone to know who has retrieved your PNR data, when, or from what other countries, and no way for anyone to carry out any meaningful audit of compliance with policy restrictions on access.

Jul 14 2011

TSA plans yet another “trusted traveler” scheme

Bowing to ongoing lobbying from the “fascism’s fine with us if it makes the planes run on time” segment of the travel industry, the TSA announced today that it plans a new “trusted traveler” (“less mistrusted traveler”?) pilot program beginning this fall.

The pilot program will be by invitation only, for certain frequent flyers on certain airlines. In exchange for “volunteering” additional, as yet unspecified information about themselves, these travelers “may be eligible for expedited screening” at certain airports.

This pilot program has all the same security defects as the various previous “trusted traveler” schemes. The TSA continues to describe it as “risk-based”, but there’s still no evidence that the TSA has any profile of what the personal data or airline reservations of a “risky” person would look like, or has any authority as a “pre-crime” police agency to substitute its judgment in such matters for that of the courts.

The pilot program will involve a partnership with the DHS Customs and Border Protection division, suggesting that it may involve the use of PNR data and international travel histories from CBP’s Automated Targeting System as part of the basis for decisions about domestic flights.

In addition, there’s no indication in today’s announcement that the selection of those invited to have a chance at less-intrusive search will be based on any publicly-disclosed criteria or due process.

The TSA’s goal, of course, is to make its virtual strip-searches and/or genital groping so invasive that travelers will “volunteer more information about themselves prior to flying” in the words of today’s TSA announcement) for even a chance to be subjected to a slightly less-intrusive warrantless search.

In the end game, the treatment of mistrusted travelers who don’t “volunteer” to submit to additional surveillance and interrogation will get steadily worse, and the lines for their checkpoints longer, while any of us who object will be told that we’ve brought this treatment on ourselves, and that all we have to do to avoid it is to “consent” to lifetime “identity-based” (the TSA’s own term) tracking and logging of our movements.

Jun 30 2011

Our arguments for disclosure of DHS travel surveillance records

Our main briefs were filed last Friday in the Privacy Act and Freedom of Information Act (FOIA) case of Hasbrouck v. CBP.

In this case, we are seeking to compel U.S. Customs and Border Protection (one of the components of the DHS) to disclose:

  1. The CBP/DHS “travel history” dossier  about Mr. Hasbrouck, compiled from airline reservations (PNRs) and other commercial and government data and contained in the (illegal) CBP “Automated Targeting System” (ATS), including “risk assessments” of Mr. Hasbrouck and the rules used to determine those risk assessments;
  2. An “accounting of disclosures”, as required by the Privacy Act, showing which other government agencies or other third parties have been given access to which of this data, and when; and
  3. General information about how ATS data is indexed and retrieved.

Our main argument for summary judgment in our favor (and in opposition to CBP’s cross-motion) is contained in our proposed order, supporting brief, and Mr. Hasbrouck’s supporting declaration. Additional supporting declarations and exhibits are linked here.  Following reply briefs to be filed next month by each side, oral argument is scheduled for August 25th in Federal District Court in San Francisco.

Jun 07 2011

DHS moves to dismiss our Privacy Act lawsuit

Late last Friday, June 3rd, the U.S. government filed a motion for summary judgment against us in our Privacy Act and FOIA lawsuit for records from the government’s files of records of our international travels.  The government’s motion and supporting affidavits and exhibits are posted here.

We won’t try to give a detailed response right now. Our answer to the government’s motion, and our own motion for summary judgment, are due to be filed with the court by June 24th. Reply briefs for each side will follow, and then oral argument is scheduled for August 25, 2011 [note change from originally scheduled date], in San Francisco.

We’ve posted the government’s pleadings for informational purposes, but they should not be accepted as accurately representing either the facts or the law. As we expected, the government’s argument is a mix of lies about the facts and claims that nobody — not even a U.S. citizen — has any rights under the Privacy Act to see what’s in the DHS dossier about their travels, or how it is used.

We look forward to seeing the DHS in court on August 25th.