Surveillance State – Page 38

May 26 2009

Add your name to the campaign against TSA “Virtual Strip Searches”

The Identity Project has joined with the Privacy Coalition in a campaign to stop “Whole Body Imaging” in U.S. airports.

The TSA is in the process of substituing these “Virtual Strip Search” machines as a replacement for, or an addiiton to, metal detectors for primary screening of all travelers. You’ll be able (at least at first) to opt out of the virtual strip search “Whole Body Imaging”, but then you’ll automatically get the full secondary screening pat-down, as though you had set off the metal detector. The “Whole Body Imaging” machines use microwaves that go through your clothes and reflect off your skin to display a detailed picture of your naked body to a TSA operator, in a back room where you can’t see who they are or what they are doing while they ogle your as-though-naked image.

Individual travelers as well as organizations can sign up until May 31, 2009 (Sunday) to endorse a joint letter (scroll ot the bottom of this page for the sign-on form) calling for on Secretary of Homeland Security Napolitano to suspend the use of “Whole Body Imaging” for primary screening. Read More →

May 16 2009

Air France passenger data and “no-fly” orders

Follow-up reports have provided more details but also raised more questions about the incident last month in which the US government refused to allow an Air France flight en route from Paris to Mexico City to follow its normal route through US airspace, because the passengers included a journalist on the US “no-fly” list. The orders from the US authorities, coming while the plane was already in flight, resulted in a lengthy detour to avoid overflying US territory, and an unscheduled refueling stop in Martinique. (Air France’s Paris-Mexico flights used to stop in Houston, but these days they are scheduled to operate nonstop, in significant part to spare through passengers the need for US transit visas and US-VISIT processing including fingerprinting and photgraphing, now required even for foreign passengers merely transiting a US airport.)

As with previous incidents of blacklisted passengers and delayed, diverted, or canceled flights, this episode should be a reminder that the problems with the “no-fly” list are not limited to mistaken for other people on the watchlist. The problem, in this case, is that one of the passengers actually was on the list of people administratively banned from the US, without any way of knowing why, confronting his accusers or the evidence (if any) against him, or obtaining judicial review of their decision to deny him the right of passage by common carrier through US airspace (a right guaranteed by international treaties to which the US is a party).

Also at issue has been how, when, and through what intermediaries or data pathways US authorities learned who was on the plane, espcially since it wasn’t scheduled to touch US soil. Read More →

May 14 2009

California DMV plans crackdown on “look-alikes”

Has anyone ever looked at your face and mistaken you for someone else?

If so, and if you live in California, you could be a victim of a proposal by the California Department of Motor Vehicles which is now under consideration in the state legislature.

At a hearing yesterday (May 13, 2009) before the Assembly Budget Subcommittee No. 5 on Information Technology/Transportation, the Director and Chief Information Officer of the DMV pleaded for more money (in spite of the desperate state budget crisis) to hire a contractor to digitize and store the photographs taken for every California drivers license or state ID, and then use “biometric” facial recognition and matching software to compare each new photo of an applicant for a license or ID with every photo in the database. (The DMV proposal next goes before the Senate Budget Subcommittee No. 2 on Resources, Environmental Protection, Energy and Transportation on Wednesday, March 20th.)

If the computer thinks your picture looks like any other picture in the database, both you and the other person whose photo the robot thinks looks like yours would be placed under suspicion of fraud, identity theft, or worse. Read More →

May 03 2009

EU Council renews push for government access to PNR data

The Council of the European Union has put forward its new version of the “Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes” originally made by the European Commission. (More background on the proposal is available from Statewatch.)

The latest Council version of the proposal is essentially the same as the original Commision proposal, with only trivial changes in repsonse to input from Council members. Like the original version introduced by the European Commission, the new Council version of the PNR proposal would require each member state to establish a new surveillance agency (a government “Passenger Information Unit” or PIU), and would require each airline operating flights to, from, or within the EU to make PNR data available to the PIU of each origin or destination state.

The Council appears to have entirely ignored the criticisms raised by the European Parliament in its consideration of the PNR proposal, as detailed in its most recent November 2008 resolution withholding Europarl approval. As the Europarl rapporteur said in the plenary session preceeding the vote:

I think the European Parliament is a serious partner, fully available to give input in this process. However, we will only issue a formal position once there are full, satisfactory and detailed answers to all the concerns and objections that were raised on several occasions by the European Parliament, the European Data Protection Supervisor, the national data protection authorities, the fundamental rights agencies and the airlines, because I think they are entitled to a real answer.

The latest Europarl vote in favor of this resolution (and against approval of the PNR proposal) was overwhelming: 512 to 5, with 19 abstentions. Under the “codecision” procedure, Europarl approval is required in order for the PNR proposal to be adopted. But neither the Commission nor the Council have responded in any meaningful way to their critics, or provided any evidence that any benefit of the PNR scheme would be proportionate to the grave damage it would do to funadamental freedoms.

Europeans should encourage their MEPs to continue to demand answers before they approve any scheme with such profound implications for justice and civil liberties, and not to allow the EU to repeat the mistakes made by the U.S. in establishing PNR-based systems of travel surveillance and control.

Mar 21 2009

DHS releases (censored) documents on Automated Targeting System

As part of its celebration of “Sunshine Week”, The Electronic Frontier Foundation has posted more than a thousand pages of documents about the Automated Targeting System (ATS) for archiving and data-mining airline reservations to asisgn risk scores to all international travelers, released by the Department of Homeland Security over the last two years in response to Freedom of Informaiton Act requests and a FOIA lawsuit by EFF’s FOIA Litigation for Accountable Government (FLAG) project.

DHS claims still to be searching for and “processing” yet more documents responsive to the original requests, the documents that have been released are heavily redacted, and the lawsuit is ongoing. Recently, EFF has asked the Court hearing the case to stay further proceedings while DHS decisions under the Bush Administration to withhold and redact documents at issue in the case are reviewed in light of the Obama Administration’s new instructions to Federal agencies on transparecncy and the processing of FOIA requests.

We’re still making our way through the newly-published documents for the first time, but they include extensive internal DHS discussion on how to respond to our criticisms, when the DHS first published the official notice (we’re still not exactly sure how many years after the fact) that was supposed to precede the deployment of any such system of Federal records about individuals, that the ATS was being used for a purpose specifically forbidden by Congress. The documents also seem to confirm, even through the redactions, the lack of understanding by DHS of what information is included in the Passenger Name Records (PNRs) being sucked into government databases by the ATS dragnet, or how to interpret it. Briefing memos prepared by operational staff for senior policy officials and public relations spokespeople refer to what PNRs “seem” to contain, and appear to be based on guesses and reverse engineering rather than on any expertise in industry standards, messaging protocols (such as the AIRIMP), or business practices.

Mar 18 2009

Air France puts digital fingerprints in RFID boarding passes

Yesterday (just in time for tomorrow’s planned strike by French air traffic controllers, which is expected to force the cancellation of many of their flights), Air France began a public beta test of what they are calling a “smartboarding” card, as depicted in this video (and third-party videos in English and another in French) and photos and as described in this press release:

This new system is a world first. With a personal card which contains the latest biometric technology (encrypted fingerprints), RFID (radio frequency identification) and thermal printing (the back of the card can be reused up to 500 times), these passengers will be able to board through a dedicated portal whenever they choose.

Developed together with Citizengate, the smartboarding® service has 4 stages:

1. In a special office at the airport (Paris-Charles de Gaulle Terminal 2F), customers can obtain their personal smartboarding® card in just a few minutes which is immediately operational. During registration, all the customer’s identity information (surname, first name, Flying Blue membership number), as well as their encrypted fingerprints is transmitted to the smart card. This registration stage is only carried out once and no files are kept by Air France. Read More →

Mar 18 2009

NPR parrots the government line on RFID passports

Today’s edition of “All Things Considered” includes a puff piece on e-passports with embedded RFID chips, based entirely on propaganda statements by government spokespeople. For the other side of the story that NPR didn’t bother to cover, see the listener comments in NPRs blog, our previous articles on RFID chips in government-issued identity documents, and reports elsewhere on how RFID passports facilitate ID theft, how the globally unique ID numbers on the RFID chips facilitate surveillance, how the encryption used for the rest of the data on the RFID chip has already been cracked, and how space has already been reserved in the data structure on the chip for logs of travelers’ movements.

Feb 11 2009

ID checks and government logs of hotel guests

Demands for ID credentials from hotel guests are once again in the public eye, with commenters in travel journalist Christopher Elliott’s blog weighing in with opinions on his recent article about an Orlando hotel, Hotel shows customer the door after he refuses to show ID — can it do that?

This sort of thing doesn’t happen only in the land of Disney World, though. Coincidentally, one of the final public acts of the outgoing Chief Privacy Officer of the DHS last month was to release a lengthy analysis of European laws and practices for requiring hotel guests to identify themselves, and for government access to those records: Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data. Read More →

Feb 03 2009

Drive-by reader for RFID drivers licenses and passport cards

Hacker and researcher Chris Paget has demonstrated the ability to read the globally unique serial numbers on RFID chips in passport cards and electronic drivers licenses in the purses and pockets of pedestians on the street from a passing car, at least 30 feet (9 m) away, and to make cloned copies that broadcast the same ID numbers, using a laptop computer and commercial surplus hardware bought on eBay for $250.

Recent developments in the USA in travel data

(Comments of the Identity Project at a workshop on “What’s on the agenda in the USA and Canada?” at the annual conference on Computers, Privacy, and Data Protection, Brussels, 16-17 January 2009)

Two major issues have emerged in the last year in relation to personal data about travel: (1) The overall goal of the government of the USA in its various policy initiatives on “travel security” has become increasingly clear. The USA is seeking to establish a global norm that:

Government-issued identity credentials should be required for all forms of travel, domestic and international.
All travel transactions should be recorded in a lifetime “travel history”.
Pre-departure government permission should be required for all travel (based on the identity credential and the associated historical dossier), particularly for air travel or international travel.

Papers, Please!

The Identity Project