Jan 31 2018

DHS threatens to harass American Samoan travelers

In the latest installment of the game of chicken between the Department of Homeland Security and US states and territories over the REAL-ID Act of 2005, the DHS has announced that driver’s licenses and IDs issued by American Samoa won’t be accepted at TSA checkpoints for “domestic” flights beginning next Monday, February 5, 2018 — unless the DHS, in its standardless discretion, backs down again as it has so many times before, and gives American Samoan travelers a last-minute reprieve.

Why American Samoa? And what will this actually mean?


Jan 30 2018

Government and industry collaborate in travel surveillance

Senior officials of US Customs and Border Protection (CBP) came to San Francisco last week to meet with representatives of the Identity Project and other civil liberties and human rights organizations regarding CBP “biometric entry/exit” schemes. These CBP programs, some of which are already in operation, involve taking digital mug shots of international travelers — including US citizens — as they enter and leave the US. The meeting in San Francisco was a follow-up to one in Washington, DC, in August 2017.

Debra Danisek, CBP Privacy Officer, and John Wagner, Deputy Executive Assistant Commissioner in charge of the CBP “Office of Field Operations”, were accompanied to the meeting by CBP national, regional, and SF Bay Area local CBP policy and operations staff.

We welcomed the opportunity to point out to the CBP officials in charge of these programs that — especially as they apply to US citizens — they violate multiple Federal laws, involve unconstitutional warrantless, suspicionless dragnet surveillance of how we exercise our right to assemble as protected by the First Amendment, and should be abandoned.

It was an infuriating meeting, however. Rather than offering explanations for many of the CBP’s practices, the CBP officials across the table flatly denied much of what is happening at airports throughout the US, even in the face of first-person testimony to the contrary from many of the civil liberties advocates in attendance.

Since they wouldn’t admit that some of the most abusive CBP practices — the ones we thought the meeting had been called to discuss — are actually happening, the CBP officials wouldn’t talk about what, if any, legal basis these practices might have. Meanwhile, these unlawful practices by CBP and other DHS components continue and expand.

Here are some of the counter-factual claims made by CBP in our meeting, and some of the issues left unaddressed:

Jan 21 2018

Kudos to Lufthansa. Coals to the DHS.

A redacted version of the report of an internal review by the DHS Office of the Inspector General (OIG) of DHS implementation of President Trump’s January 2017 “Muslim Ban” Executive Order has been made public several months after the report was prepared.

Both the manner in which the OIG report was eventually released and the contents of the report are worthy of note, as discussed below.

Federal law requires every Cabinet-level Federal department, including the DHS, to have  an Inspector General. The DHS Inspector General is part of the DHS, but is appointed by the President, operates with considerable autonomy, and comes closer to the role of an “independent counsel” than does any other officer or office within the DHS.

The existence of the OIG report on DHS actions under the first “Muslim Ban” Executive Order (EO) was revealed in a November 2017 letter to Congress from IG John Roth. In this letter, IG Roth said that his office had delivered a draft of the Muslim Ban EO report to DHS “leadership” (presumably meaning the office of the Secretary of Homeland Security) in early October 2017, but that DHS leadership was taking an unusually long time to approve release of the report and had requested unusually extensive redactions. Days later, Roth took early retirement.

Open The Government (OTG) requested a copy of the report under the Freedom Of Information Act, but that request was denied on highly questionable grounds.  However, two days after Open The Government and the Project on Government Oversight (POGO) appealed that FOIA denial, the DHS posted a redacted version of the report.

OTG and POGO are continuing to appeal the redactions, but even the expurgated version of the report is a damning indictment of DHS operational divisions, particularly US Customs and Border Protection (CBP), for illegal defiance of Federal court orders.

In our analysis of the Muslim Ban Executive Orders, we focused on DHS efforts to induce airlines to (illegally) deny boarding at foreign airports to blacklisted individuals and citizens of blacklisted countries, preventing refugees from reaching the US and thus preventing them from even applying for asylum.

We are struck that the OIG report assessing the legality of DHS actions focused on exactly the same issue we had highlighted: DHS efforts to induce airlines not to board citizens of the countries subject to the Muslim Ban EO on flights to the US from foreign airports, even after Federal courts in Boston and later elsewhere in the US had enjoined DHS to admit these people to the US.

The OIG concluded that, “It is our considered view that the issuance of no-board instructions violated the Louhghalam and Mohammed [U.S. District Court] orders.”

The OIG report includes examples such as the following:

Jan 20 2018

All the fake news that’s fit to print about REAL-ID and ID to fly

We’ve been spending a lot of our time lately writing letters to the editor pointing out errors and requesting corrections of news stories reporting DHS propaganda as fact.

Earlier this month, the DHS postponed from January 22, 2018, to October 10, 2018, the date on which it had threatened to have the TSA begin (illegally) interfering with air travel by residents of certain states.  Since neither the January 22, 2018, date nor the choice of which states to threaten was set by law or regulation, but solely by DHS press release, the DHS could and did withdraw its threat merely by issuing another press release.

The DHS had little choice, after its bluff was called by reality (compliance with the REAL-ID Act would require more money, more time, and changes to state laws and, in some states including California, changes to state constitutions) and the likelihood of resistance by the flying public (any attempt to prevent residents of certain states from flying without ID would lead to protests at airports and lawsuits that the TSA and DHS would likely lose).

But we are not surprised, given the long history of DHS lies about the REAL-ID Act and ID to fly, that the DHS press release withdrawing the threat of a January 22, 2018, crackdown on air travel without ID by residents of certain states was immediately followed by a renewed DHS public relations campaign of lies about the law and the facts.

DHS press releases should no more be published as “facts” without fact-checking or acknowledgment that they contain contested (and readily refuted) factual and legal claims than should President Trump’s,  President Obama’s, or anyone else’s Tweets.

The New York Times is the latest news outlet to have been taken in, yet again, by this DHS “fake news” campaign, with an article this week on the Times’ website and in the travel section, “Is Your ID Approved for Travel? These Are the Latest Rules”. Many of the DHS falsehoods in this article were reported as facts in an earlier story in the Times in November, 2017, by the same reporter, Shivani Vora. We wrote to Ms. Vora at that time to correct the errors in that story, but received no reply.

To be clear, DHS claims are worthy of reporting as news. It is newsworthy that the DHS has engaged in a decade-long campaign, through both Democratic and Republican Administrations,  of brazen public lies about the REAL-ID Act and ID to fly.

It is equally newsworthy, however, that a “newspaper of record” appears to have made no attempt to fact-check the claims made by DHS spokespeople or to include any other points of view, and repeats demonstrably false DHS claims as undisputed facts even after their falsehood was pointed out to the reporter on the story.

Specifically, the latest article in the New York Times reports the following DHS “fake news” as fact:

Jan 15 2018

Citizens: Just say “No” to requests for your passwords

Our article last week on the new DHS policy on demands for passwords to travelers’ electronic devices has prompted extensive discussion on Hacker News and elsewhere.

One theme in the comments is that travelers who are not US citizens could be turned away at the US border or sent back when they arrive at a US airport if they decline to disclose the passwords to their electronic devices, and might also be blacklisted from the US for life.

That’s a legitimate concern for non-US citizens.

We would argue that denial of entry or blacklisting and denial of future entry on the basis of declining to provide passwords would be illegal, but the DHS might well do it anyway, and it could be hard for non-US persons to challenge in court.

It’s not clear that a non-US citizen would have no means of redress in court. As we noted in our earlier article, the Paperwork Reduction Act (44 US Code, Section 3512) provides that:

(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this chapter if—
(1) the collection of information does not display a valid control number assigned by the Director in accordance with this chapter; or
(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.
(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.

Denial of entry to the US would certainly seem to be a “penalty” proscribed by the PRA. However, we are unaware of any case law on whether “person” as used in the PRA is limited to US citizens.

More pragmatically, the DHS might claim that the denial of entry was for some other reason, rather than admitting that it was as retaliation for declining to disclose passwords.

Arbitrary or baseless denial of entry to non-US citizens often evades US judicial review.

The clearest precedent for this threat is the case of Dr. Rahinah Ibrahim, whose name was added to the no-fly list by an FBI agent who checked the wrong boxes on a “nomination” form. Ten years of litigation culminated in the first (and to date only) trial in a no-fly case, and a court decision  in Dr. Ibrahim’s favor. The government took Dr. Ibrahim’s name off the no-fly list — but not before putting her name on a different blacklist, for reasons that remain secret, and denying her a visa to return to the US.

So it’s reasonable for non-US persons to fear that even if they have a “right” not to be penalized for refusing to tell the US government their passwords, they could be blacklisted and denied entry to the US then or in the future, without legal recourse.

What this means, of course, is that it’s up to US citizens to stand up for the rights of all, including the rights of those more likely to be kept out of the US and out of US courts.

US citizens have a clear legal right, explicitly recognized by international human rights treaty,  to leave or return to the US. US citizens can’t be denied the right to enter or leave the US for exercising their right to remain silent once they have completed the approved customs declaration form. And US citizens have a much better chance of being able to challenge any denial of entry or exit or other adverse action in court. It’s up to us.

If travelers submit to these demands — even if they do so “under protest” — their acquiescence will be deemed to have been “voluntary”. Only those who decline to provide passwords are likely to have legal standing to challenge the legality of these demands.

If US citizens don’t resist, nobody will. Even if foreigners complain about the actions of US border guards, they may have no way to get their complaints considered by US courts.

If you are a US citizen and US government agents ask for your passwords, just say “No”.

Jan 08 2018

DHS postpones threats of REAL-ID Act enforcement

Again postponing its threats to interfere with air travel by residents of “noncompliant” states, the Department of Homeland Security announced today that it has given the last three remaining states either certifications of “compliance” with the REAL-ID Act of 2005, or extensions of time to comply until at least October 10, 2018.

Travelers in all 50 states can continue to ignore the false signs at airports, the false claims being made by state authorities collaborating with the Feds in the national ID scheme, and the blizzard of confused  and error-filled news stories (largely based on unverified and misleading DHS and state government press releases) claiming that U.S. citizens will need to obtain, carry, or show passports or other government-issued ID in order to travel by air.

This does not mean that all or most states have actually complied with the REAL-ID Act or are planning to do so. At most 14 states are arguably compliant with the Federal law.

The plain language of the Federal law requires that, “To meet the requirements of this section, a State shall … Provide electronic access to all other States to information contained in the motor vehicle database of the State.”  Only 14 states are participating in the outsourced SPEXS national ID database set up to enable this nationwide data access:

In addition to the 14 current SPEXS participants, the contractor managing the national ID database optimistically lists 4 other states as “actively working on implementation.” But none of these states are listed as having signed letters of intent to join the SPEXS national ID database.

The other 32 states are not compliant with the data-sharing provision of the REAL-ID Act, and have given no indication of intent to comply.

What will happen next?


Jan 05 2018

New DHS policy on demands for passwords to travelers’ electronic devices

US Customs and Border Protection, a component of the Department of Homeland Security, today posted a revised policy on Border Searches of Electronic Devices and a Privacy Impact Assessment of some of the changes made by the new policy.

CBP has received (and largely ignored) numerous complaints by travelers who have been detained and told they wouldn’t be allowed to go unless they told CBP the passwords to their smartphones, laptop computers, or other electronic devices. Electronic devices have been seized and copied, and in some cases returned only long afterward and/or in altered or damaged condition. A lawsuit challenging suspicionless searches and seizures of data stored on travelers’ electronic devices, brought by EFF and the ACLU, is pending in Boston.

Federal courts have generally been overly deferential to government claims to the existence of a general exception to the Fourth Amendment making it per se “reasonable” to search or seize anything at or “near” a border or at an international airport, regardless of whether there is any basis to suspect a traveler of anything except international travel.

But the new CBP policy stretches the government’s claim of authority for warrantless, suspicionless, searches and seizures of electronic devices and data even further than its 2009 predecessor.

As the new PIA correctly notes, “The 2009 policy was silent regarding CBP’s handling of passcode-protected or encrypted information.”

CBP now says as follows, without citing any basis for this assertion:

Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents… Passcodes or other means of entry may be requested and retained as needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device. If an Officer is unable to complete an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may… detain the device pending a determination as to its admissibility, exclusion, or other disposition.

In other words, CBP is now claiming the authority to confiscate your cellphones, laptops, memory cards, and any other electronic devices if you won’t tell CBP your passwords, and to retain the passwords you give them as well as the contents of those devices.

Yes, this applies to U.S. citizens and permanent residents as well as visitors.


Jan 05 2018

A REAL-ID Christmas present from the California DMV

On the Friday before Christmas Monday, when state officials hoped that everyone who might object would be sleeping, the California Department of Motor Vehicles finalized its regulations for partial compliance by the state with the Federal REAL-ID Act of 2005.

The final regulations and a statement of responses to public testimony and comments were posted on the DMV website on December 22, 2017, and went into effect the same day.

The final regulations are essentially unchanged from those the DMV proposed in September 2017, and that we objected to in written comments and in-person testimony at the DMV’s one hearing on the proposal in Sacramento in October.

The DMV’s response to public testimony and comments brushes off our objections, and the objections by other commenters and witnesses, on the basis of repeated invocation of patently false and/or irrelevant and unresponsive legal and factual claims.


Dec 19 2017

“Border control” as pretext for drug dragnet

The latest so-called “Privacy Impact Assessment” (PIA) made public by the US Department of Homeland Security, “CBP License Plate Reader Technology”, provides unsurprising but disturbing details about how the US government’s phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA.

The main reason for the publication of the CBP License Plate Reader Technology PIA is to provide the public with “notice that CBP is partnering with the Drug Enforcement Administration (DEA) to leverage each other’s .. LPR [License Plate Reader] systems.”

Since at least 2007, US Customs and Border Protection (CBP) has had a network of license plate readers continuously monitoring and recording the license plate numbers and locations of vehicles near US borders. “Near” and “border” in this context are euphemisms: Federal regulations define the “border” zone for purposes of CBP authority as including anywhere within 100 miles of any US border or seacoast,  which puts roughly two-thirds of the US population within “border” regions.

Meanwhile, the DEA has compiled an aggregated database of geotagged and timestamped license plate records purchased from commercial sources, including records of vehicle locations far from what even the DHS considers the “border zone”.

CBP and DEA are already able to query and retrieve data from each other’s LPR databases. A DEA agent can also set a “TECS alert” flag in the DHS database for a specific license plate number, the same way they  can for a specific passport number, so that they will be notified automatically whenever that plate is spotted by a DHS camera.

What’s changing is that instead of providing LPR information to each other only in response to specific targeting requests, CBP and DEA plan to “stream” all of the data from their LPR networks to each other in real time. “CBP intends to provide DEA access to CBP LPR information… through a real-time streaming service.”  Each agency will have a complete copy of the data collected by the other, so that they can merge and mine it and use it for “pre-crime” profiling.

As is the trend with all DHS surveillance systems, the goal is to convert a targeted system for investigating suspects into a dragnet system that treats everyone as a suspect subject to continuous surveillance and “continuous screening” or “continuous vetting”.


Dec 18 2017

Canada puts U.S. Customs and Border Protection officers above the law

A Canadian law which received final approval last week, Bill C-23, gives officers of U.S. Customs and Border Protection (CBP) staffing “preclearance” facilities within Canada police powers to detain, interrogate, and search travelers, while granting these agents of the U.S. government absolute and unconditional immunity from any civil lawsuit or liability under Canadian law, and immunity from criminal liability except in limited cases of death, injury, or property damage.

This immunity from civil lawsuits or liability in Canada extends to violations by US CBP officers at preclearance sites of fundamental rights, including the Canadian Charter of Rights and Freedoms, that are protected by law everywhere else in Canada. Bill C-23 places CBP officers above Canadian law, as though they were diplomats enjoying immunity from local law inside extraterritorial enclaves, while giving them police-like powers to use force against ordinary people seeking to travel between the US and Canada.

Travelers passing through US preclearance facilities at Canadian airports, train stations, and ferry terminals are now required by Canadian law to: