Sep 17 2020

New CBP propaganda on facial recognition and other biometrics

US Customs and Border Ptotection (CBP) has launched an entire new subdomain of its website, biometrics.cbp.gov, devoted to propaganda intended to persuade the traveling public to submit to, and airlines and airport operating authorities to collaborate in, the use of facial recognition and other biometrics to identify and track travelers.

There’s nothing in CBP’s happy-talk sales pitch for facial recognition on this new website that we haven’t seen before. And there are still no answers to any of the questions we’ve asked CBP officials about these practices and the legal basis (not) for them.

Biometrics.cbp.gov features links to the (nonbinding) Privacy Impact Assessments (PIAs) that are supposed to describe how mug shots obtained by CBP or its airport and airline “partners” are to be used. But the new CBP site doesn’t link to the legally binding System Of Records Notices (SORNs) that disclose a much wider range of routine and permitted uses of these images.

If there’s anything noteworthy on this site, it’s under the Resources tab, where you can download  copies of the official CBP signs that are supposedly posted at airports, seaports, and land border crossings, including those for airport arrivals (shown at the top of this blog post), airport departures, cruise ports, and pedestrian lanes at land borders.

Leaving aside questions of the accuracy of the claims on these signs, they provide definitive confirmation that all of these biometric programs are in flagrant violation of Federal law — as we’ve pointed out repeatedly to CBP, but to no avail.

None of these signs contain any Paperwork Reduction Act (PRA) notice or any OMB Control Number. Even if the collection of photos or other biometric information were authorized by law, even if it were voluntary, even if it were limited to non-US persons, and even if none of the images or other data were retained, this collection of information would still have to be approved in advance by OMB, assigned an OMB Control Number confirming the approval, and accompanied by PRA notices including that OMB Control Number.

Some people wonder why we care about OMB approval or PRA notices. OMB approval is often little more than a rubber stamp. It’s not an onerous burden on the agency, and it doesn’t usually involve any meaningful scrutiny of the legal basis claimed by an agency for collecting information from individuals. PRA notices don’t give much information about how the data that’s being collected will be used.  Few people know to look for PRA notices or OMB Control Numbers, how to interpret them, or what they signify.

The significance of CBP’s complete disregard for the PRA — a minimal administrative formality that CBP could easily comply with — is that it is indicative of CBP’s complete disregard for the law in general. It’s not that CBP or its parent agency the US Department of Homeland Security (DHS) are lazy. The choice not to seek OMB approval for their actions, or to post PRA notices, is not an accident. It’s emblematic of the extent to which CBP and the DHS assume that they can disregard any of the substantive or procedural rules that apply to all other agencies, and make their own laws through secret diktats. The real problem is not the violation of the PRA, but that CBP and DHS have no greater respect for human rights treaties or the US Constitution than they do for Federal laws like the PRA.

Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Sep 14 2020

10th Circuit: No qualified immunity for police who demand ID

A panel of the 10th Circuit US Court of Appeals has ruled, in the case of Mglej v. Gardner, that it is “clearly established law” that police in Utah may not require suspects (or anyone else they detain, except operators of motor vehicles) to show ID documents, and therefore that the Garfield County Sheriff who wrongly arrested Matthew T. Mglej for “refusing to identify himself” is not entitled to qualified immunity and can be held liable for damages.

In the summer of 2011, Mr. Mglej, then 21 years old, set out on his motorcycle from his family home in Portland, OR, to visit relatives in Dallas, TX. Mid-way on that road trip, his motorcycle developed problems, and he stopped in Boulder, UT (population around 200), to see if he could get his bike repaired and replace a tire that was threatening to blow.

Read More

Sep 09 2020

Portland bans facial recognition by city agencies or in places of public accommodation

Today the City Council of Portland, Oregon, voted unanimously to ban the use of facial recognition technology by City agencies or by private entities in places of public accommodation within the City limits, including at the Portland International Airport (PDX), effective immediately.

Many local and national organizations and individuals testified eloquently in favor of these proposals. We don’t need to repeat all of their general arguments.

But a point of particular concern and particular pleasure for us is that the Port of Portland asked the City Council for an exemption from the ban to allow use of facial recognition “for air carrier passenger processing” — and was turned down.

No member of the City Council mentioned the Port’s request for a carve-out for facial recogntion of air travelers during the City Council discussion, and the proposals were adopted without amendment except for making the ban on private use of facial recognition in places of public accommodation effective immediately, as had already been proposed for the ban on use by city agencies. (The amendment to make the private entity ban effective immediately was made verbally during the City Council meeting, so it isn’t reflected in the advance text of the proposal.)

This is an important precedent , as Portland is only the second jurisdiction in the US to consider local rules related to facial recognition at its airport.

Earlier this year, after behind-the-scenes threats by the US Department of Homeland Security (DHS) to make life difficult for the Port of Seattle if it didn’t collaborate with DHS facial recognition schemes at Sea-Tac International Airport (SEA) and allow airlines and contractors also to do so, the Port of Seattle Commission reneged on the aspirational policy principles it adopted in 2019  and decided to buy and operate common-use facial recognition cameras integrated with DHS and airline databases and operations.

(See our written testimony to the Seattle Port Commission on use of facial recognition at SEA: 1, 2, 3., and articles in our blog here and here.)

The decision by the Port of Seattle was made just before the COVID-19 pandemic drastically reduced traffic at SEA and other airports and delayed the need for the new gates at SEA where the DHS-linked cameras were to be installed. A broad coalition of local and national community and civil liberties organizations has called on the Seattle Port Commission to use the opportunity provided by this delay to reconsider its decision on facial recognition.

Portland did significantly better than Seattle in working to distance itself from and isolate the DHS — not surprisingly in light of the object lesson the DHS has provided in Portland recently with respect to DHS trustworthiness (not), self-restraint (not), commitment to the rule of law (not), and respect for civil and human rights (not). Portlanders don’t trust the DHS to behave any better at PDX Airport than it’s been behaving on the streets of Portland.

PDX airport is located within the City of Portland but operated by the Port of Portland, a special-purpose agency of the state of Oregon governed by a board appointed by the Governor of Oregon. The City of Portland can’t prevent use of facial recognition by the DHS or the Port of Portland, but can regulate or prohibit its use by private entities, including airlines, within the city limits, including at the airport.

The Port of Portland has the authority to enter into contracts, borrow and spend money, manage its employees, and enact rules for activities at PDX Airport. But in addition to the requirements of due process and other Constitutional rights, and the obligations on the airport as a publicly owned and operated place of public accommodations and common-carrier facility, the legislative authority of the Port is limited to the issuance of rules consistent with city ordinances. That appears to mean that the Port may not prohibit that which the city has duly prohibited. (If readers have more expertise on this jurisdictional issue, feel free to leave a comment or drop us a line.)

The Federal government could preempt the Portland ordinances if it enacted valid laws or promulgated valid regulations mandating use of facial recognition by Federally-regulated airlines and/or airports. But no law mandates use of facial recognition for US citizens, even when traveling internatoinally, or for passengers on domestic flights

The DHS has refrained from promulgating any such regulations, preferring to operate outside the law than to establish any legal framework for its use of facial recognition or subject it claim of authority to notice-and-comment rulemaking or judicial review. A petition for rulemaking on use of biometrics for traveler identification submitted to the DHS by the Portland-based World Privacy Forum has been ignored by the DHS for almost two years.

While the DHS has engaged in heavy-handed behind-the-scenes lobbying and threats to “persuade” airlines and airport operating agencies to become its “partners” in biometric surveillance and control of air travelers, as it did in Seattle, the DHS has continued to maintain — correctly — that this “cooperation” is entirely voluntary. In declining to participate, and by exercising its jurisdiction to prohibit airlines or other contractors form doing so within the city limits, the City of Portland is doing only what the DHS has consistently said that local jurisdictions have the authority to do, if they so choose.

The July 14, 2020, letter from the Port of Portland to the Portland City Council requesting exemption from the facial recognition ban made numerous false factual claims and specious arguments. Since these bogus arguments are likely to be raised again in other cites despite having failed to persuade any of the members of the Portland City Council, it’s worth noting and debunking them:

Read More

Sep 04 2020

ICAO mandates worldwide government surveillance of air travelers

Playing out the endgame we predicted last year of a two-decade campaign by the US government to establish a global regime of government surveillance of air travelers, the International Civil Aviation Organization (ICAO) has adopted an amendment to the Chicago Convention on Civil Aviation that will require each of the 193 state parties to that treaty — essentially every national government in the world — to require all airlines operating international flights to provide a designated government agency with complete mirror copies of all reservation records (“Passenger Name Records“) in a standard PNRGOV transmission format.

This is an extraordinary and, so far as we can tell, unprecedented globalization and normalization of suspicionless mass surveillance of the innocent exercise of legal rights.

To the best of our knowledge, this is the first time that any industry — much less an industry of common carriers required by law (including by international aviation treaties) to transport all would-be passengers, without discrimination, in the exercise of a right to freedom of movement also recognized by international treaties — has been mandated by international treaty to provide government agencies worldwide with complete copies of its commercial records of each of its transactions with a customer. No such treaty obligation exists, for example, with respect to records of postal, telephone, Internet, or financial transactions.

The exercise of rights should not be deemed per se suspicious or a legitimate grounds for surveillance.

The requirement for PNR-based surveillance of air travelers is included in Amendment 28 to Annex 9 to the Chicago Convention. This amendment was approved by ICAO’s Council — an executive committee of countries elected by ICAO’s members to make decisions between ICAO’s triennial General Assembly of all member states — on June 23, 2020.

Read More

Sep 03 2020

GAO report on DHS use of facial recognition on travelers

The Government Accountability Office (GAO) has released a new report requested by Congressional oversight committee chairs describing and assessing the ways that US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) use facial recognition to identity and track international (CBP) and domestic (TSA) travelers.

Here’s how the GAO says it works  (click flowchart for larger version): The GAO report doesn’t address several of the most significant issues with DHS use of facial recognition to identify travelers, including:

Read More

Sep 01 2020

TSA tries out another (illegal) biometric “ID verification” system

Today the Transportation Security Administration (TSA) announced that it has launched a “pilot” at Washington National Airport (DCA) of yet another scheme for biometric identification and tracking of domestic air travelers.

[Screen capture from TSA video]

The new “touchless ID verification” stations at DCA include a webcam (at top center of photo above) a magnetic-stripe reader (lower left) for drivers licenses and other ID cards, and a photographic scanner for passports (lower right).

Travelers who volunteer to use the new system are directed to insert their drivers license, ID card, or passport into the appropriate reader, stand on a marked spot in front of the webcam, and remove their face mask, so that the image from the ID (or, more likely, from some back-end image database linked to the ID, although that hasn’t been disclosed) and the image from the webcam can be compared by some undisclosed algorithm.

[Traveler being directed by TSA staff to remove her face mask for digital mug shot.]

As we’ve noted previously, it appears to us that (1) the TSA has no general authority to require travelers to show their faces or remove face masks, and (2) in many jurisdictions, orders issued by state or local health authorities currently require all people in public places such as airports to wear masks.

The TSA describes this system as “touchless”. But while TSA staff don’t have to touch travelers’ IDs, each traveler has to touch the same ID card or passport scanner. Then, immediately after touching the scanner, they have to touch their face again to put their mask back on.

Read More

Aug 31 2020

8th Circuit finds TSA agents can be liable for assault

A panel of the 8th Circuit Court of Appeals decided today, over a dissent, that TSA checkpoint staff at airports (“Transportation Security Officers”) are “officer[s] of the United States … empowered by law to execute searches… for violations of Federal law”, making TSOs liable for damages if they commit assault, battery, or certain other torts against travelers.

With today’s decision in Iverson v. TSA the 8th Circuit joins the 3rd Circuit (en banc) in what is now a 2-1 split with the 11th Circuit, which ruled in 2014 that TSOs, despite their title and the fact that their primary job is to carry out searches, are not “officer[s] of the United States … empowered by law to execute searches… for violations of Federal law” and thus are completely immune from liability for even intentional assaults on travelers.

Most people unfamiliar with the law assume that the government is generally liable for damages if its agents attack innocent citizens. While the law is complex, the general principle is just the reverse: The US government generally enjoys “sovereign immunity” — a despicably undemocratic vestige of the idea that the king is above the law — and private individuals can sue the government only with the government’s permission.

There are exceptions to this principle, in the form of laws that “waive sovereign immunity” for certain offenses, as well as exceptions to the exceptions. The dispute with respect to liability or impunity for violent or negligent TSOs revolves around the interpretation of the language in Federal law defining one of those exceptions to an exception.

Read More

Aug 11 2020

TSA considers new system for flyers without ID

According to a solicitation to potential contractors published last week, the Transportation Security Administration (TSA) wants to outsource its current questioning of airline passengers without ID, and its decisions about which travelers without ID to allow to travel and which to prevent from flying, to a fee-based system operated through a cellphone app provided by a private contractor and based on (secret) commercial databases.

There’s some good news and some bad news in the TSA’s posting of this Request for Information.

First, the good news:

1. The TSA admits that people can and do fly without ID.

According to the TSA’s Request for Information:

Prior to the COVID-19 National Emergency, TSA encountered over 2.5 million passengers a day and, on average, 600 instances of passengers without acceptable ID. These individuals are able to verify their identity via telephone through our National Transportation Vetting Center (NTVC).

That’s almost three times the average daily number of airline travelers without ID disclosed in the most recent of the TSA’s belated and still-incomplete responses to our Freedom of Information Act (FOIA) requests for records of travelers without ID.

2. You will still be able to fly without ID, even after the TSA “implements” and “enforces” the REAL-ID Act.

In their most recent notice of postponement of their REAL-ID threats, the TSA and the Department of Homeland Security (DHS) have said that they plan to fully implement and enforce the REAL-ID Act, with respect to airline travel, beginning October 1, 2021.

The TSA and DHS have repeatedly claimed that after that date, all air travelers will “need” to show ID that the DHS deems compliant with the REAL-ID Act in order to fly. And the TSA has previously indicated — in 2016 and again in May of 2020 —  that it intended to modify its current ID verification procedures to (illegally) deny passage through TSA checkpoints to would-be travelers who don’t present REAL-ID Act compliant ID cards.

But the TSA is now soliciting information preparatory to soliciting bids for a contract to provide outsourced “identity verification” services for air travelers without ID.

The TSA wouldn’t be preparing to solicit bids for a system to deal with air travelers without ID if the TSA planned, in a little more than a year, to stop allowing those people to fly at all.

And the TSA says that the contractor’s ID verification system for flyers without ID must “be able to process thousands of transactions per hour per day [sic] distributed across the TSA enterprise of airports.”  Whether the TSA means “thousands per hour” or “thousands per day”, that’s several times more than the current number of travelers without acceptable ID.

The only plausible explanation for the expected many-fold increase in the number of travelers without acceptable ID is that the TSA’s implementation of the REAL-ACT will result in many more air travelers’ ID’s being deemed unacceptable, and that the outsourced system is the one the TSA plans to use for travelers without REAL-ID compliant ID.

The TSA is looking for a new system for dealing with travelers without ID only because it has been forced to abandon its original plan to prevent all such people from flying.

The most important takeaway from the TSA’s latest notice is that the TSA is (still) lying about what REAL-ID Act enforcement and implementation will mean. You will not need a compliant ID to fly. The procedures may change, but you will still be able to fly without ID.

This is a major victory for our legal objections and for the potential of popular resistance.

The TSA has implicitly acknowledged that — either because it lacks legal authority to prevent everyone without “acceptable” or REAL-ID Act compliant ID from flying, or because doing so would cause riots at airports or other forms of popular resistance, or both — it  won’t be able to stop travelers without ID or without compliant ID from flying.

The bad news is the nature of the TSA’s contemplated new procedures for flyers without ID (or without “acceptable” ID).

Currently, the TSA leaves the final decision on whether or not to allow airline passengers without ID to pass through TSA or contractor-operated checkpoints to the discretion of the Federal Security Director (FSD) or their designee on duty at the individual airport.

That decision can be based on what the FSD thinks of the traveler’s looks, the nature of any “unacceptable” ID they present, whether they are willing to complete and sign the illegal TSA Form 415, and their responses to questions relayed via the TSA’s Identity Verification Call Center (IVCC) from the TSA National Transportation Vetting Center (NTVC) based on information in records about the traveler held by the commercial data broker Accurint.

The new process apparently being considered by the TSA would outsource the questioning of travelers without ID or with unacceptable ID to a private for-profit contractor, with that questioning to be administered through a smartphone app. The questions would be based on some aggregation of government and commercial data, and the answers would be assessed according to some secret algorithm to generate a binary pass or fail result.

An identity thief (or ‘bot) with access to the commercial database used as the basis for “pass/fail” determinations would be better able to answer questions about the information in that database than would a real person who is unprepared for this questioning and who has no way to know (or to correct) what misinformation is contained in the database.

A traveler who shows up at a TSA checkpoint would, it appears, be told they have to install the mobile app, pay a fee through the app (which presumably would require a credit or debit card or bank account),  complete the in-app questioning, and show a “pass” result from the app to the TSA staff or contractors in order to “complete screening” and proceed through the checkpoint.

  • No cellphone? No fly. (We’ve seen this already in Hawaii.)
  • Your cellphone isn’t a smartphone? No fly.
  • Your smartphone has a different OS that can’t run the contractor’s app? No fly.
  • No charge in your cellphone battery? No fly.
  • No signal in the airport? No fly.
  • No credit or debit card? No fly.
  • Don’t know what misinformation is in data brokers’ records about you? No fly.
  • Your record fits a “fail” profile in the contractor’s secret algorithms? No fly.

Read More

Jul 28 2020

Senate bill would exempt REAL-ID from due process and oversight

Rather than responding to our comments on the latest proposal by the Department of Homeland Security to require ID for airline travel, the DHS has quietly gone to Congress to try to get the law changed so that it doesn’t have to answer us, and to preclude potential litigation to challenge an ID requirement or defend people who try to fly without ID.

A bill introduced earlier this month in the Senate, and already approved in committee, would exempt the implementation and administration of the REAL-ID Act from normal administrative requirements for due process in rulemaking and oversight and transparency in demands by Federal agencies for information.

Included in S. 4133, both as introduced and as amended and reported by the committee, are provisions that would allow the Secretary of Homeland Security, at his or her “discretion”, to issue regulations and administer the REAL-ID Act without regard for the Paperwork Reduction Act (PRA) or the notice-and-comment requirements of the Administrative Procedure Act (APA).

As of now, no comparable bill has been introduced in the House. (Several bills to amend the REAL ID Act are pending in the House, but none of them contain PRA or APA exemptions.) It’s unclear what effect these provisions would have if enacted. All Federal agencies are, of course, still subject to Constitutional requirements for due process. But these provisions of S. 4133  appear to be a direct response to the objections we raised in May 2020 to the latest DHS proposal to impose an ID requirement for airline travel without complying with the PRA or the APA.

Read More