Papers, Please!

The Identity Project

Category Archives: Surveillance State

Feb 23 2010

DHS using ICAO again for policy laundering

News reports about recent diplomatic initiatives by the US Department of Homeland Security suggest that the DHS may once again be using the International Civil Aviation Organization (ICAO) as a vehicle for policy laundering.

In the past, ICAO has been the focus of attention for its role in the imposition of RFID passports and the associated systems of automated monitoring and control of international travel.

Now, the DHS appears to be trying to use ICAO as the vehicle through which to impose its ideas of passenger searching (virtual strip-search machines) and passenger surveillance (pre-flight government access to PNR data and its use in conjunction with identity-linked travel histories and personal profiles for control of who is allowed to fly)  as global norms.

Secretary of Homeland Security Napolitano, accompanied by Asst. Secretary for Policy David Heyman (successor to former NSA and DHS attorney Stewart Baker), has been barnstorming the globe in pursuit of this agenda over the last month.  She met with ICAO officials and their airline industry partners at IATA in Geneva, attended a regional European ministerial meeting on aviation security in Spain which issued a joint statement agreeing to “Promote international co-ordination … through ICAO”, followed by a regional ICAO meeting in Mexico for the Americas and the Caribbean (attended by ICAO’s Secretary General) which declared participating goverments’ commitment to “systematically collaborate within ICAO… with a view to convene both international expert and intergovernmental meetings to agree upon actions in the following fields:”

  • Broaden existing cooperation mechanisms among our countries and with other parties to the Chicago Convention, and the civil aviation industry, for information exchange …
  • Share best practices in a range of areas related to civil aviation, such as … screening and inspection techniques, airport security, behavioral detection, passenger targeting analysis…
  • Utilize modern technologies to detect prohibited materials and to prevent the carriage of such materials on board aircraft.
  • Transmit in a timely manner passengers’ information prior to takeoff to effectively support screening … as well as develop and improve compatible systems for the collection and use of advance passenger information (API) and passenger name record (PNR) information.

In a detailed video news release, Napolitano herself described this as “an unprecedented international initiative” centered on “a series of regional meetings around the globe facilitated by ICAO”:

There were four broad areas for discussion: Information sharing, passenger vetting, technology, and international standards…. Look for announcement in each of these four areas in the weeks ahead.

The agenda and the forum could not be more clear: Unless defenders of civil liberties and human rights mobilize effective opposition, the goal of the US and the DHS is for ICAO to put forward “international standards”, effectuated by national laws on “compliance with standards”, which will mandate virtual strip-search machines (“modern technology”), worldwide government access to PNR data, and government “vetting” (identity-based and permission-based control) of international air travelers.  That is perfectly in line with the 10-year plan of ICAO’s working group on Machine-Readable Travel Documents (MRTD), “MRTD Vision 2020,” as laid out in the latest ICAO MRTD Report.

ICAO is a UN-affiliated intergovernmental organizing most of whose decisions are made in invitation-only working groups. The interests of citizens are supposed to be represented in ICAO decision-making by their national governments, but national delegations to ICAO are invariably drawn from security, surveillance, law enforcement, and aviation regulatory agencies, and have never included representatives of data protection, civil liberties, or human rights authorities.

In effect, ICAO’s decisions reflect the desires of the world’s police.  By enacting national laws requiring “compliance” with ICAO “standards”, national governments can effectively outsource national law-making to those police, while justifying repressive measures (which their own representatives have proposed and championed at ICAO) as being the reult of an extenral, international mandate for which they aren’t responsible. Policy laundering.

ICAO’s importance to the DHS (and its counterparts in Europe and elsewhere) is heightened by the likelihood that, in the wake of the precedent set by its rejection of the SWIFT agreement on financial transaction data sharing with the US government, the European Parliament will reject the similar PNR agreement for travel transaction data sharing with the US government. The DHS had been pressuring the Europarl to fast-track approval of the PNR agreement. With the writing on the wall that the PNR agreement is headed for defeat in the Europarl, the DHS is already making it clear that ICAO standards are their back-door “Plan B” for how to impose a global PNR and identity-based travel sureveillance and control regime.  They are losing in Brussels, so they are trying to shift to more “Big Brother friendly” ICAO forums in Geneva and Montreal.

ICAO draws on invited technical experts from the aviation industry, but unfortunately their interests in surveillance for commercial purposes coincide with those of the police in the same surveillance for political purposes. Airlines and other travel companies are happy to help governments monitor travelers, as long as they get get paid for collecting the data and are allowed to use it themselves too. We’ve heard them tell ICAO so in so many words.

ICAO’s dual secretariats in Montreal and Geneva, and its process in which most decisions have effectively been made before they are presented to rubber-stamp plenaries, makes effective civil society participation difficult without long-term commitment and international cooperation.  A useful model is provided by environmental activists, who have formed a single-issue international NGO coalition for the sole purpose of obtaining accreditation and observer status with ICAO. Despite previous joint appeals to ICAO by an ad hoc international civil liberties coalition, human rights groups haven’t yet formalized their coalition or sought observer status with ICAO, and have had no presence at ICAO meetings or working groups.

If you are interested in working with the Identity Project to get our voices heard at ICAO, please get in touch — before its too late.

Feb 19 2010

Travelport becomes first CRS to claim it complies with EU privacy law

This week Travelport — the holding company that owns two of the big four Computerized Reservation Systems (CRSs) or Global Distribution Systems (GDSs) — announced that it has “certified” that it complies with “Safe Harbor” privacy and data protection principles for companies that want to be eligible to receive transfers to the US of personal data collected in the EU or Switzerland.

As travel industry technology news site Tnooz reports, quoting Identity Project consultant Edward Hasbrouck:

Travelport’s headline on its press release about the issue, “Travelport is First GDS Provider to be Safe Harbor Certified,’ may be true, but can easily be misconstrued because Safe Harbor is a self-certification process.

Privacy expert Edward Hasbrouck, who has written extensively about the issue, notes that what Travelport’s Safe Harbor designation “means is that Travelport has made a formal claim … that Travelport complies with certain Safe Harbor principles. That claim has not been vetted, audited or verified by anyone.”…

“None of the GDS companies comply with EU data protection law, or have made any effort even to pay lip service to it until now,” Hasbrouck says. … Read More

Feb 11 2010

European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data

Today the European Parliament voted 378 to 196 to reject an “agreement” negotiated between the Council of the European Union and the US Department of Homeland Security which would have created a new extrajudicial basis for the DHS to obtain records of bank transfers and payments made via the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Understanding today’s EP vote and its significance requires first an explanation of the EU decision-making process for US readers, and then an explanation of some of the parallels between SWIFT and US-based Computerized Reservation Systems (CRSs):

Read More

Feb 08 2010

DHS exempts dossiers used for “targeting” from the Privacy Act

In a final rule published last week at 75 Federal Register 5487-5481, the Customs and Border Protection (CBP) division of the Department of Homeland Security has exempted most of the data used by the illegal “Automated Targeting System – Passenger” (ATS-P) from the various requirements of the Privacy Act that information used to make decisions about individuals must be accessible to them on request, accurate, relevant, collected directly from the data subjects whenever possible, and so forth.

The proposal to exempt ATS records from the Privacy Act has been pending for more than two years. In the final rule, the Obama administration adopts, with no changes whatsoever, all of the exemptions proposed by the DHS under the previous administration.  The analysis accompanying the final rule acknowledges, but dismisses more or less out of hand, our comments from two years ago objecting to the proposed exemptions as illegal.  (These followed two sets of comments we filed in 2006, when the ATS itself was first disclosed, objecting to the entire system as illegal.)

On the same day last week, the DHS published a separate final rule similarly exempting from the Privacy Act portions of the “Border Crossing Information” (BCI) system, a log of each person’s entries to and exits from the U.S. which was first disclosed as a part of ATS before being declared a separate system of records. The final BCI exemption rule similarly adopted all of the proposals the previous administration has proposed in 2008, and dismissed our objections to its illegality out of hand.

You can still request your own ATS and other travel records from the DHS.  Even if the newly-promulgated exemptions are upheld, they leave you entitled to substantial portions of your ATS dossier.  We are continuing to pursue our own pending Privacy Act requests and appeals, some of which are themselves more than two years old and all of which were made before the new exemptions were finalized and thus are not subject to the “exemptions”.

The Privacy Act gives agencies the authority to exempt certain types of information, by rulemaking, from certain of the requirements of the Privacy Act.  The rules published last week are, however, the first time that the DHS has attempted to  exercise this authority with request to ATS records.

In the meantime, the CBP has simply ignored the Privacy Act and its lack of exemptions entirely: Every response we have seen to a request pursuant to the Privacy Act for PNR or other ATS data has been processed by the CBP under the Freedom of Information Act (FOIA) instead of the Privacy Act.  Information exempt from disclosure under FOIA has been withheld or redacted, citing specific FOIA exemptions, even when that same information was required by the Privacy Act to be disclosed. This has been in flagrant violation of the Privacy Act, which has different disclosure requirements and exemptions which only partially overlap with those of FOIA. So far as we know, however, CBP and DHS have never responded to a Privacy Act appeal of these wihtholdings and redactions at all — some of our Privacy Act appeals are more than two years old — and while there have been several lawsuits under FOIA concerning ATS data, there have been none yet under the Privacy Act.

Our primary objection is to the very existence of a system under which the government requires common carriers to identify each would-be traveler and get the government’s permission (“clearance”) before they can travel.  Such a scheme is made far worse, however, when those “fly/no-fly” or “cleared/inhibited/not cleared” decisions are made not only in secret by unknown bureaucrats, not judges, and on the basis of secret files about each citizen.

The new exemptions, applicable to future requests for ATS records, are sweeping.  But we are particularly disturbed that the exemption rules purport to authorize the DHS to collect and use an entirely undefined and open-ended category of commercial data obtained from airlines as part of their Passenger Name Records (PNR), and withhold that commercial data, on grounds of “business confidentiality”, from the would-be travelers against whom it is used.

That exemption for commercial data in PNRs creates a limitless loophole through which the DHS could secretly make use, in passenger profiling and “targeting” decisions, of commercial data of any sort.  As long as it is channeled to the DHS through inclusion in PNRs (which as commercial records are themselves subject to no U.S. privacy or disclosure requirements at all), the DHS could base passenger “targeting” decisions on derogatory free-text remarks by customer service representatives, commercial blacklists, credit scores, or records or ratings by data aggregators.  But those are not legal grounds to prevent travel by common carrier.

Feb 01 2010

TSA budget: 1000 more strip-search machines

The Obama Administration announced their fiscal year 2010 budget proposal today. Under the administration’s proposal for DHS appropriations, the TSA’s annual budget would increase by more than a billion dollars from 2009 to 2011, with most of that going toward the purchase of “up to 1,000” new virtual strip-search (“Whole Body Imaging” or, in the latest euphemistic language of the budget, “Advanced Imaging Technology”) machines.

Up to a point, it was possible to argue that the TSA was still being operated on auto-pilot by holdovers from the previous administration — as indeed it still is.  But the President has had plenty of time in the year since his inauguration to clean house, to put someone new in charge, or simply to give the legacy administrators new marching orders (for which we gave his transition team an explicit itemized blueprint to bring the TSA within the rule of law).

The President’s budget makes clear his deliberate choice to identify his Administration with, and to perpetuate and expand, the TSA’s culture of disregard for civil liberties, human rights, or judicial accountability.  It also makes clear the need for Americans who oppose that march toward the abyss to let their members of Congress and the Senate know how they feel about being inspected by virtual voyeurs who themselves are protected from public view in a private back room, and then being groped, if they are wearing a sanitary napkin or a padded bra or anything else underneath their clothes, every time they want to exercise their right to move about the country.

Jan 13 2010

TSA lies again about what the strip-search machines see

Already this week the TSA was caught in a lie about what it likes to call whole body imaging (virtual strip search) machines, when the Electronic Privacy Information Center (EPIC) obtained documents showing that, despite TSA claims that “this state-of-the-art technology cannot store, print, transmit or save the image,” the TSA actually requires all of these capabilities — image storage, printing, and transmission — as part of the contract specifications for the body scanners.

But the TSA can’t seem to keep their nose from growing: the post in their official propaganda blog responding to EPIC’s analysis of TSA documents contains even more lies about what they see when they look under your clothes with these machines.

According to the TSA blog, “Below, you will see accurate examples of what our officers see while using advanced imaging technology. Anything else you see is inaccurate.”

Above, we’ve linked directly to the images on the TSA website, exactly as sized and posted by them.

In fact, it’s the images posted by the TSA that are inaccurate and misleading. The actual images seen by the people in the back room (they watch you through your clothes, but you can’t watch them) are: (1) full-screen, not thumbnail-sized like those the TSA posted in their blog, (2) higher-resolution than those on the TSA blog, and (3) capable of being zoomed even larger, on the actual TSA displays, using the magnifying-glass tool in the lower right corner of the TSA-provided thumbnails.

Accurate images are visible in the video below (although even if you click through to the full-screen version the video doesn’t have as high resolution as the displays used by the TSA, especially when they zoom in on areas of the body that attract their interest):

Note also that the video clearly demonstrates that the TSA policy for pat-down searches to be performed by a person of the same gender won’t be applied to the virtual strip-searchers.

The TSA website says that, “Multiple signs informing passengers about the technology, including sample images, are displayed in plain sight at the security checkpoints, in front of the advanced imaging units.” When the signs are displayed, however, the “sample images” — like the ones above from the TSA website — are only a small fraction of the size and resolution of those the scanner operator sees.

EPIC has now filed another FOIA lawsuit against the TSA for failing to disclose what the images look like. Notably, the EPIC complaint filed in court today confirms that our experience with the ongoing TSA FOIA black hole wasn’t an isolated incident. EPIC’s request for expedited FOIA processing was made on July 2, 2009 — more than six months ago — and referred to the TSA by the DHS on July 16, 2009. On July 31, 2009, EPIC filed an administrative appeal of the constructive denial of its request. An expedited request should have been acted on within 10 days, and an appeal within twenty days. But to date, according to the complaint, the TSA has made no response whatsoever to either the request or the appeal. In our experience, this is typical of the TSA’S complete contempt for the FOIA law.

We aren’t reassured by the TSA’s further claim in the same blog post that, “These machines are not networked, so they cannot be hacked.” Apparently they’ve never heard of an inside job, or anyone hacking a computer from the keyboard. (Security hint to the TSA: The keyboard is the easy way, compared to having to carry out an attack over a network.) That just reconfirms that the TSA’s threat model is grossly deficient and that they aren’t really even trying to rein in the temptations (can you say, “naked celebrity pix”?) that the virtual strip-searchers inevitably will face.

Finally, the TSA is still saying that “Use of advanced imaging technology is optional to all passengers.” What they don’t say is that your other “option” will be to submit to a full manual pat-down, regardless of whether you would have set off the metal detector. So if the alternative to a virtual strip-search is a non-virtual strip search, can someone explain to us how that’s a “choice” that should make us more willing to submit to either option?

If we have to be exposed to the TSA, maybe we should just expose ourselves when we get to the airport.

P.S. We forgot to mention the TSA’s claim that no 8-year-old is on the no-fly list, debunked today in the New York Times. Maybe 8-year-old Mikey Hicks isn’t on a watch list, but his name is, and the effect is the same: He can’t fly without getting the 3rd degree. What did that entail? We can’t show you. The TSA demands the right to look (and feel) under your clothes, but they wouldn’t let Mikey’s mother take pictures of how he was frisked.

Jan 12 2010

“Fleshmob” against virtual strip-search machines at Berlin airport

Don’t like being stripped naked by “whole body imaging” machines or “body scanners”, and then groped to determine whether what they see under your underwear is a padded bra, a mastectomy prosthesis, a menstrual pad, an adult diaper, … or plastic explosives?  You could sign this petition …  and/or you could organize your own “fleshmob” like this one (video) at Tegel Airport in Berlin. (More links including videos of similar fleshmobs at other airports here.)

We invite you to compare what’s exposed by the Pirate Party fleshmob video with what’s exposed to the TSA agents in the little room hidden behind the strip-search machines in the video below:

Jan 08 2010

Lessons from the case of the man who set his underpants on fire

We’ve been having a hard time keeping up with events over the last few weeks. Every time we think the keystone cops from the Department of Homeland Security can’t come up with anything dumber to do, they prove us wrong. At this point we’re not sure who is most deserving of derision: (1) the would-be terrorist who tried but failed to explode his underpants, and succeeded only in burning his balls, (2) the goons the TSA sent to intimidate bloggers who tried to tell travelers what to expect when they got to the airport, and find out who had “leaked” the TSA’s secrets, but who left their own notebook of “secret” notes about their investigation of this and other cases behind in a public place, or (3) the TSA agents who felt so ill at the smell of honey they found in checked luggage that they checked themselves into a hospital and shut down the airport. It’s a tough call. Leave your votes, or other nominations, in the comments.

What’s most striking about the government’s response to this unsuccessful bombing attempt is the complete lack of any rational relationship between the actions that have been taken and are being proposed, any analysis of which of these and similar tactics did or did not contribute to the success or failure of the Christmas Day attack on Northwest Airlines flight 253, and any likelihood that they would make future attempts at terrorism less likely to succeed.

Now that the dust has settled a bit, perhaps it’s time to survey the security, security theater, surveillance, and travel control techniques at issue: Read More

Dec 16 2009

He’s got a little list (and we’re on it)

TSA Acting Administrator Gail Rossides testified today before the Subcommittee on Transportation and Infrastructure of the House Homeland Security Committee.  You can watch the archived video from the public portion of the hearing yourself; a closed subcommittee “executive session” with Acting Administrator Rossides followed. In addition to the anticipated spat over the TSA’s refusal to show the SOP to the members of the Congressional Committee, as the law requires, here are some things we thought were noteworthy:

  • Rossides claimed that the unredacted version of the TSA’s Screening Management Standard Operating Procedures was “removed within hours” after the TSA learned last Sunday, December 6th, that it had been posted on a federal website at fbo.gov. That’s not true: it was available on the same site, although at a slightly more obscure URL, for several more days.
  • Rossides mentioned that the TSA has “12 other SOPs”.  We’ve already filed a FOIA request for the two other SOPs whose names we now know (the “Checkpoint Screening SOP” and the “Checked Baggage Screening SOP”).  We’re following up with a FOIA request for all TSA SOPs regardless of what they are called. We’ll ask for the other ten by name as soon as we learn their names.  If you know, and you’d like to play, “Name that SOP”, leave a comment or send us a message.
  • Rossides claimed that there had been “6 updates that had very significant changes” to the Screening Management SOP since the version that was posted.  But she wasn’t asked about, and didn’t repeat under oath, the TSA’s earlier claims that the version they posted (which matched the version number, date, and text of the redacted excerpts they sent us in response to our earlier FOIA request) “was neither implemented nor issued to the workforce”, or if that was true, why it posted or provided to us. We’re currently waiting for the TSA to act on our appeal of their stonewalling of our FOIA request for the most recent version of the Screening Management SOP, so that we can compare it.
  • Rossides said she had “asked that we not release any other SOPs until we’ve completed a review.”  It wasn’t clear who she was referring to, but the only current effort to have any SOPs released are our and others’ similar FOIA requests.  In that context, Rossides appears to have been describing a directive, from the top, to stonewall those requests — which is exactly what seems to have been happening.  Rossides’ testimony could come back to haunt her, and the TSA, if the “good faith” and/or “diligence” of the TSA’s processing of FOIA requests for the SOPs becomes an issue in FOIA litigation.  If Rossides’ legal advisors know what’s good for the agency, they’ll have her issue a prompt, public disavowal of this statement, and a public overriding directive to the TSA FOIA office to process requests for the SOPs, like all other requests, in accordance with the law.
  • The blatant discrimination in the SOP wasn’t mentioned by anyone.
  • In response to a specific question about whether any effort was being made to identify who had downloaded the documents posted by the TSA, Rossides said that, “I believe that is part of what the [DHS] Inspector General is looking at…. The Inspector General has a list of those who have downloaded it and have it on their websites. We do know that.”  Rossides wasn’t asked, and didn’t say, what, if anything, the TSA or IG might do with that list.  But since we’re on that list — in good company with many others, of course — we’d love to know.

There’s more about the hearing on Flyertalk, where the unredacted SOP first came to light, and from a Flyertalk regular and blogger who spread the news further afield, and attended today’s hearing.