Papers, Please!

The Identity Project

Category Archives: Surveillance State

Dec 03 2019

Seattle Port Commission to consider rules for airport facial recognition

We’ll be in Seattle on December 10, 2019, to give public comments (see our detailed written testimony submitted in advance) at a meeting of the Port of Seattle Commission concerning a proposed resolution on use of facial recognition by airlines at the Seattle-Tacoma International Airport (SEA).

This will be the first time that any operator of a US airport has publicly considered any policies to govern use of facial recognition by airlines or on airport property.

The public authorities that operate almost all major US airports have a key role to play in oversight of traveler surveillance systems deployed on their premises by their tenants.

Read More

Aug 28 2019

Public/private partnerships for travel surveillance

In preparation for the annual Future Travel Experience – Global conference next month in Las Vegas, which will include tours of the TSA’s prototype biometric checkpoint and a “Biometrics Summit” featuring joint presentations by the TSA, CBP, and their partners, both the DHS and its airline, airport, and industry partners (Part 1, Part 2) have released new previews of their plans for collaboration in surveillance and control of air travel through automated facial recognition.

As we’ve noted before, one of the more significant lies being told by the US Department of Homeland Security about its plans for increased surveillance and tracking of travelers is  that airlines and airport operators have no commercial interest in retaining or using facial images and other biometric data collected on behalf of DHS components including the TSA and CBP.

In reality, airlines and airport operators are eager to share facial recognition insfrastructure (cameras, kiosks, etc.) and data with the DHS. Airlines, airports, and the DHS all see this collaboration as fundamental to their plans to transform the airline and airport passenger “processing” experience through a panopticon of shared-use biometric ID systems.

According to a  two-part post in the Future Travel Experience conference blog (Part 1, Part 2), “Biometric technology is expected to play a key role in shaping the seamless passenger experience of the future.”

One of the briefings at the FTE Global 2019 Biometric Summit will be given by CBP’s “Director of Entry/Exit Transformation”, who described his mission as “developing U.S. biometric entry/exit system through private sector partnerships”.

Some of the airline and airport executives quoted in the FTE blog post have begun to argue that airline passengers should be allowed to opt out of biometric identification. But there’s no mention of how that would work or how long those who opt out would be delayed.

The FTE blog post also notes that:

[A]s the use of biometrics is becoming more widespread and the technology is advancing quickly, there have been rising concerns around privacy and data security from a civil rights point of view. For instance, San Francisco became the first US city to ban facial recognition technology as part of an anti-surveillance ordinance, though the ban doesn’t affect federal agencies, such as San Francisco International Airport.

This claim that SFO is a Federal agency exempt from San Francisco legislation is wishful thinking on the part of proponents of biometric surveillance and control of air travelers. While SFO is located in unincorporated San Mateo County, the land and buildings are owned by the City and County of San Francisco and operated by an instrumentality of the City and County of SF. The San Francisco ordinance applies to all City and County departments, including SFO.

Most other major airports are, like SFO, operated by state, county, or municipal governments and/or by other public or publicly-chartered entities subject to state and local public records laws and accountable, at least in theory, to state and local elected officials. These entities could, and should, prohibit any use of automated facial recognition on their property or by their lessees or contractors. Only Federal agencies themselves could escape the jurisdiction of such conditions on use of airport property.

Contradicting the public claim that airlines and airports have no interest in using biometric data shared with CBP, the FTE blog says that, “CBP’s view is that we will see further expansion into other aspects of the travel continuum, such as bag drop, international boarding and improved arrival process.” And of course a CBP spokesperson also tells the FTE blog that, “This is not a surveillance programme .”

Meanwhile, the DHS has released a Privacy Impact Assessment for the Travel Document Checker Automation Using Facial Recognition to be tested and first deployed at LAS airport, with its unveiling to attendees of the FTE Global 2019 conference.

The PIA acknowledges, in a footnote, that, “For passengers who are unable to present verifying identity documentation, TSA offers an alternative identity verification process in which passengers answer knowledge-based questions.” But the PIA ignores the fact that this questioning is being conducted illegally, without the required OMB approval, in violation of the Paperwork Reduction Act and other statutes.

In late 2016, the TSA gave notice that it planned to request OMB approval for the form that air travelers without ID or with ID deemed unacceptable are asked to complete. But the TSA received numerous objections, including ours, in response to this notice, and has not yet submitted a request to OMB for approval of the form or the “knowledge-based” questioning of travelers (which is based on commercial data aggregated by the Accurint division of Lexis-Nexis).

The last time we tried to attend a government-industry lovefest like FTE Global, we were ordered to leave and our registration fee and, eventually, our travel expenses were refunded. We’d welcome reports from our readers, workers at the conference venue, or other whistleblowers or leakers as to what gets said at FTE Global 2019.

Aug 27 2019

Guilt by social media and cellphone association

Ismail B. Ajjawi, a Palestinian freshman admitted to Harvard College, arrived at Logan Airport in Boston last Friday, Lebanese passport and US student visa in hand.

But after Mr. Ajjawai complied with demands by US customs and immigration officers at the airport to unlock his cellphone and laptop, the officers read what his “friends” had posted on social media. Five hours later, after questioning Mr. Ajjawai about his religious beliefs and his friends’ political statements, the officers revoked Mr. Ajjawi’s visa on the spot, denied him entry to the US, and deported him back to Lebanon — at his own expense, of course, using the return ticket he was required to have before being allowed to board a flight to the US.

According to a report in the Harvard Crimson, which broke the story today:

“After the 5 hours ended, she called me into a room , and she started screaming at me. She said that she found people posting political points of view that oppose the US on my friend[s] list.” Ajjawi wrote that he told the officer he had not made any political posts and that he should not be held responsible for others’ posts. “I responded that I have no business with such posts and that I didn’t like, [s]hare or comment on them and told her that I shouldn’t be held responsible for what others post,” he wrote. “I have no single post on my timeline discussing politics.”

Harvard’s lawyers are working to get Mr. Ajjawi’s visa reinstated and get him admitted to the US. Most people turned away at US borders don’t have Harvard at their back, and are unlikely ever to be admitted to the US once they are branded as undesirable.

In a 2017 notice of intent to expand DHS surveillance of immigrants’ and visitors’ expressive activities on social media, the DHS claimed that “consular officers are directed not to request user passwords [and] not to violate or attempt to violate individual privacy settings or controls.” But that’s belied by what Mr. Ajjawi says happened to him at Logan Airport, according to the Crimson: “The … officer then asked him to unlock his phone and laptop, and left to search them for roughly five hours, Ajjawi alleges.”

It’s hard to imagine anyone from a place as politicized as Palestine (or Kashmir, or many other places) who doesn’t have any social-media “friends” who mention political opinions. The answer to social-media surveillance shouldn’t be that immigrants or visitors have to  try to isolate themselves from politics or ostracize their political associates.

Rather, the lessons reinforced by this incident are that:

  1. Nothing good can come of consenting to any search by law enforcement officers, including searches of your digital devices. Border guards and customs and immigration officers are police, not your friends. Their job is to find reasons to suspect you or bar your entry. No matter how “innocent” you think you are, anything you or your “friends” say, or have ever said, can and will be used against you.
  2. If government officials have access to social-media networks of “friends”, associations, and messages, they will use this information invidiously. The way to prevent misuse of information about how travelers exercise their First Amendment rights of expression and association is not to allow police access to this information in the first place. Just say no to requests for your passwords or data.
Aug 12 2019

CBP databases for travel surveillance and profiling

An advance notice posted last week by US Customs and Border Protection (CBP) of a forthcoming request for bids by IT contractors includes one of the most detailed inventories made public to date of the databases and interfaces used by CBP and its government and commercial partners (some of which are shown in the illustration above from the notice) for tracking, profiling, and control of travelers’ and our movements.

According to the 5-year plan in the draft Request For Quotations (RFQ), CBP’s Passenger Systems Program Directorate (PSPD) already outsources some of these databases to Saleforce.com, but plans to migrate them all to commercial cloud “Software-As-A-Service” contractors in 2020. According to the draft RFQ:

CBP’s vision for primary inspection processing of the future is to transform the way travelers are processed…  The paradigm will evolve from biographic data focused to biometric data centric. CBP will identify travelers biometrically based on information already in CBP holdings as an alternative to having the traveler present their travel document. A biometric-based approach allows threats to be pushed-out further beyond our borders before travelers arrive to the U.S…. Integration of facial recognition technologies is intended throughout all passenger applications.

Throughout the draft RFQ, facial recognition is described as a substitute for document checks, rather than as an (optional) alternative. “GE [Global Entry] kiosks are expected to be replaced with a facial recognition solution to identify GE members,” for example. There’s no mention of any provision in user interfaces for opt-out from facial recognition.

Moreover, “The vision for Global Entry of the Future (GE Next Gen) is a kiosk-less solution that uses facial recognition to identify GE members…. GE-Face aligns with CBP’s Biometric Entry-Exit strategy of identifying travelers with biometrics.”

A “kiosk-less solution” suggests that travelers will be identified by cameras that surveil them as they walk through, with neither the need to “present” themselves at a kiosk nor any way to pass through the airport or checkpoint without being photographed and identified — and having one’s presence at that place and time entered into a permanent ID-based government surveillance log.

Capturing photos of all US citizens — including those who currently opt out — so that their movements can be accurately logged is an explicit goal of the planned systems:

Simplified Arrival (SA) is a new and innovative approach that incorporates advanced facial recognition technologies into the primary inspection…. The new Simplified Arrival application will eventually replace TPAC and TPAC-Face. Simplified Arrival leverages facial recognition technologies in … the processing of arriving passengers and airline crew…. Capturing facial biometrics of all passengers adds additional security, as currently there is no biometric verification of U.S. Citizens, most Canadians, citizens of a few other countries and travelers who are exempted for other reasons such as age and class of admission. Using facial matching as the primary biometric verification modality provides a previously unavailable method to verify and facilitate travel for almost everyone, not just those travelers for whom DHS has fingerprints…. The Simplified Arrival process for air travel … Replaces document scan with facial recognition.

Not all CBP databases or systems and interfaces for populating and accessing them are included in the draft RFQ. These include the “Secure Flight”pre-crime program for profiling and tracking air travelers, which is used by both CBP and the TSA but “owned” by the TSA.

Also not mentioned in the draft RFQ is CBP’s Silent Partner pre-crime program for algorithmic profiling, scoring, and targeting of travelers for more intrusive searches and surveillance, and the associated rule-sets and blacklists of targeted travelers.

Silent Partner was first mentioned publicly in DHS testimony to Congress in 2011 as “an aviation security screening program…. the details of this program are classified.” Quiet Skies, a TSA program which uses a subset of the Silent Partner database to target domestic air travelers within the US, was made public by DHS whistleblowers in 2018.

More information about Silent Partner and Quiet Skies was released in Sai v. Pekoske (a pro se challenge to TSA “orders” originally filed as Sai v. Neffenger) and  Elhady v. Kable (a challenge by CAIR to DHS blacklisting originally filed as Elhady v. Piehota).

Only then did the DHS publish a years-belated Privacy Impact Assessment for Silent Partner and Quiet Skies. The PIA makes clear that these are pre-crime programs based on algorithmic profiling, not on suspicion of having committed any criminal or civil violation of law. But the profiling and scoring rules remain a secret to those against whom action is taken.

Jul 25 2019

Can you “opt out” of TSA groping or virtual strip-searches?

Two recent decisions — one an administrative decision by the TSA,  and the other a judicial decision by the 11th Circuit Court of Appeals —  have dealt with, but failed to resolve, the question of whether, in the face of unpredictable demands for more intrusive searches, an airline passenger can “opt out” if they decide they would rather abandon their attempt to board a flight than submit to whatever search TSA or contractor checkpoint staff demand.

The TSA has withdrawn its proposed administrative fine against Jonathan Cobb, a passenger who, when selected for a pat-down (manual groping of his body, including his genitals, by which he had previously been traumatized), chose to abandon his attempt to fly and left the airport. That’s good, but sets no legally binding precedent.

Meanwhile, the 11th Circuit Court of Appeals has dismissed a petition filed by Jonathan Corbett seeking judicial review of the TSA’s policy of requiring selected passengers to submit to imaging of their bodies by virtual strip-search machines. That’s bad, but at least the decision was based solely on whether Mr. Corbett could expect to be selected for this sort of search, and left undecided whether these searches are Constitutional.

These decisions leave the law unclear in practice — even if the Constitution seems clear — as to whether or when an airline passenger can opt out of which sorts of searches.

How far can the TSA and its contractors legally go? How can tell if they are going too far? And when, if ever, can you “opt out” or say no to an escalated search?

Read More

Jul 10 2019

Automated DHS searches of state drivers’ license photos

State agencies that issue drivers’ licenses are conducting warrantless searches of their databases of license photos, using automated face recognition software, at the request of  law enforcement agencies including the Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security.

The use of automated facial recognition to search databases of drivers’ license mug shots was revealed in responses to requests made under the Freedom Of Information Act and  state public records laws by the Georgetown University Center on Privacy & Technology.  It was reported in recent days in the Washington Post, New York Times, and in two stories on NPR, and was discussed in a Congressional hearing today on the use of automated facial recognition by Federal agencies. (Earlier Congressional hearings on automated facial recognition were held on May 22nd and June 4th.)

Questions are being asked by members of Congress, state officials, and civil libertarians: What is the legal basis, if any, for these dragnet searches of drivers’ license photo databases? How have they have evaded judicial oversight?  Warrants or court orders were neither requested by DHS or other law enforcement agencies, nor demanded by the state agencies that carried out the searches in response to extrajudicial administrative requests.

A letter sent this week by a coalition of civil liberties organizations calls on Congress to suspend the use of facial recognition technology by the DHS. While that is appropriate, it doesn’t address how, from what sources, or on what legal basis databases of ID-linked mug shots of innocent individuals are being created and obtained by the DHS.

Additional questions ought to be asked about the implications of the latest revelations for the REAL-ID Act and the use of facial recognition by airlines, airport operators, and DHS officers and agents at airports and borders:

Read More

Jul 01 2019

PCLOB to review use of PNR (airline reservation) data

Following its most recent meeting on May 31, 2019, the Privacy and Civil Liberties Oversight Board (PCLOB) announced last week that “The Board has voted to conduct an oversight project related to the use of airline Passenger Name Records.”

We welcome this announcement by the PCLOB, and look forward to whatever opportunities may be presented to assist the PCLOB and its staff in this project.

Mass surveillance and permission-based predictive control of movement and travel, which in practice has relied on compelled identification of travelers and government access to PNR data (commercial airline reservations), was one of three issues we recommended as priorities for investigation by the PCLOB once enough members were appointed and confirmed for the Board to again have a quorum able to make decisions after a hiatus of several years.

PNR data is used to target searches and seizures and to make predictive decisions about who is, and who is not, “allowed” to exercise their right to travel by common carrier.

Government access to and use of PNR data needs to be recognized, and denounced, both as suspicionless, warrantless, and unconstitutional mass surveillance (through dragnet collection of personally identified travel metadata about the exercise of rights of freedom of movement and travel by common carrier) and as the most pervasive current program of unconstitutional predictive “pre-crime” control of the exercise of rights protected by the First Amendment (“the right of the people… peaceably to assemble”) and international human rights treaties.

The PCLOB is one of the most important advisory bodies within the Federal government. Although it lacks any enforcement power, the PCLOB has more autonomy and more ability to investigate and publicly criticize the practices of Federal agencies than agency “Privacy Officers” who serve at the pleasure of, take orders from, and whose public statements are subject to control by the heads of Federal agencies and by the President.

Members of the PCLOB are appointed by the President and confirmed by the Senate. Unlike most Federal advisory bodies, the PCLOB can set its own agenda and choose which issues to investigate. The PCLOB is considered an independent Federal agency. The PCLOB has the authority to review records of all Federal agencies, and to request that the Attorney General subpoena records held by third parties. But despite its name, the PCLOB has no “oversight” authority  other than the authority to issue reports that the President, Congress, Federal prosecutors, and Federal agencies are free to ignore.

Jun 25 2019

DHS continues to target traveling journalists for illegal searches

A new report by Seth Harp in The Intercept confirms that, despite by ongoing litigation challenging warrantless, suspicionless searches of travelers’ electronic devices, the US Customs and Border Protection (CBP) division of the DHS is continuing to target journalists for these illegal searches and for interrogation about their journalistic travel and other activities.

Mr. Harp’s experience shows yet again why the lawsuit brought in Federal District Court in Boston by the ACLU, ACLU of Massachusetts, and EFF is so important. CBP officials have admitted in deposition testimony and documents produced in response to the lawsuit that they use — and claim the authority to use — warrantless searches at borders and international airports to search travelers’ electronic devices (smartphone, laptops, memory sticks, etc.) for  “general law enforcement purposes” unrelated to customs or immigration laws, for pre-crime predictions (“risk assessments”), and on behalf of other government agencies including state and local police, the IRS, etc.

Several of the plaintiffs in the lawsuit are journalists who have been subjected to warrantless searches of their electronic devices when they traveled internationally.

As of now, the court is considering the plaintiffs’ motion for a finding that searches of electronic devices at  international borders or airports require a warrant approved by a judge and based on probable cause for suspicion of a crime. But CBP has made clear that will continue its suspicionless searches unless and until it is ordered to stop.

Read More

May 14 2019

Government access to airline PNR data challenged in German courts

Complaints filed today in German courts and administrative complaints to data protection authorities in Austria challenge government access to and use and retention of Passenger Name Record data (commercial airline reservation records) as a violation of fundamental rights guaranteed  by European Union, German, and Austrian law:

We’ve made (unsuccessful) administrative complaints regarding PNR data to data protection authorities in EU member states incluidng the Netherlands, France, and Germany, and challenged  some aspects of the US governmet’s PNR-based travel surveillaace system in US court under the Privacy Act. But so far as we know, the lawsuits filed today se are the first court cases outside the US to challenge the legality of government demands for access to PNR data or other travel records.

The European legal campaign against PNR-based mass surveillance of travelers is a project of the Gesellschaft für Freiheitsrechte (GFF) in Germany and epicenter.works – Plattform Grundrechtspolitik in Austria, funded in part by one of the first grants from Digital Freedom Fund (DFF) for impact litigation.

The lead plaintiff in the case filed in German administrative court in Wiesbaden, Emilio De Capitani, is a retired former director of the staff of the LIBE (civil liberties) committee of the European Parliament. Mr. De Capitani and the plaintiffs in additional cases filed in other German local courts are represented by Prof. Dr. Remo Klinger and his colleagues at the law firm of Geulen and Klinger in Berlin. The plaintiffs in the Austrian cases are represented by attorney Ronald Frühwirth in Graz.

Mr. De Capitani plans to fly from  Brussels to Berlin for a meeting of GFF in November 2019. He has purchased tickets and informed the airline that he does not want PNR data pertaining to his travel to be made available to government agencies

In response, the airline has told Mr. De Capitani that regardless of his preferences, the airline will provide government agencies in Germany (and possibly also Belgium, although it is not clear if Belgium already has or will have established a “Passenger Information Unit” to receive and process PNR data) with complete copies of the PNRs pertaining to his travel.

This action by the airline is required by German law. Germany and each other member state of the European Union is required to establish a Passenger Information [surveillance] Unit within the government and to have such a law mandating airlines to provide PNR data to the government to comply with the EU PNR Directive adopted in 2016.

The legal analysis in the complaint is conducted primarily under the legal standard of “proportionality” of intrusions on rights to legitimate government purposes. It focuses on the suspicionless, dragnet character of the  surveillance and retention of data concerning  travelers carried out through government access to PNR data, and the use of PNR data not merely for carrying out judicial orders against identified individuals, but also for pre-crime predictive profiling of innocent individuals based on algorithms and “patterns”.

Mr. De Capitani has asked the German court to find that the German PNR law violates fundamental rights recognized by German law, a decision that would ultimately be made by the German Constitutional Court. Because national courts of EU member states do not have jurisdiction to invalidate EU legislation, Mr. De Capitani has asked the German court to refer the question of whether the EU PNR Directive violates fundamental rights recognized by EU law to the European Court of Justice for a binding determination. And Mr. De Capitani has asked for a temporary preventive injunction prohibiting the government from accessing or requiring the airline to give the government access to PNR data pertaining to him and his travel to government agencies while the case is pending.

Mr. De Capitani’s legal complaint is directed against the German government. Others of the lawsuits filed today name airlines including Lufthansa as defendants.

[This article has been updated with additional information and links.]

May 07 2019

Air travelers question use of facial recognition

A Tweet that went viral from an airline passenger questioning JetBlue Airlines about its use of automated facial recognition at departure gates has called new attention to the growing use of automated facial recognition to identify and track travelers.

Our friends at the Electronic Frontier Foundation have an excellent analysis in their Deeplinks blog of some of the unanswered questions raised by this practice. We’ve talked about these before, in our blog and in meetings with DHS officials:

  • What is the relationship between the government and its airline and airport “partners” for the use of mug shots of travelers and related identifying information?
  • Can travelers really opt out of airport mug shots, and if so how, especially if — as with ceiling-mounted cameras or other new airport designs for “touchless” passenger processing — facial images are automatically captured before travelers reach the point where they could ask to opt out
  • What, if any, restrictions apply to use or “sharing” of the images and tracking data by airlines, airport operators (which are often local government agencies or other parastatal entities), or DHS components or other government agencies?

We agree completely with EFF that travelers should “Skip the surveillance by opting out of face recognition at airports” and that both members of the public and members of Congress should question what is happening , why, and whether it is legally justified.

But we also want to call attention to two additional aspects of this problem that have been overlooked or misinterpreted in much of the recent discussion: retention of facial images and accuracy of automated facial recognition.

Read More