Are TSA actions subject to judicial review?

December 18th, 2015

The real test of whether the TSA is above the law isn’t whether TSA or DHS officials, flacks, or lobbyists claim that there are legal procedures which (hypothetically) permit judicial oversight of TSA actions. The real test is what happens when real people object to specific conduct by TSA staff and contractors, or private parties such as airlines acting at the behest of the TSA, and ask the courts to review and decide whether the TSA or its minions are breaking the law or violating the US Constitution.

Nobody has done more to test the real-world limits of TSA lawlessness than our friend Sai, who has been waging a one-person, pro se legal crusade against the TSA for its disregard of the Constitution and of a variety of Federal laws providing for transparency, fairness, and due process. Sai’s pending lawsuits against the TSA include one of the most important challenges anyone has made to the TSA’s claims of authority for secret lawmaking, as discussed below.

Remarkably, and unlike most of those aggrieved by TSA general disregard for the law as well as more specific misconduct, Sai has even had some success. But that limited success gives a sense of just how outrageous is the TSA’s disregard for the law, and how far it has to go before the courts will rein it in.

Read the rest of this entry »

No Social Security number? No passport. Why?

December 15th, 2015

When we reported last week on the passport provisions in the new “Fixing America’s Surface Transportation Act”, we focused on the details of the rules for denial or revocation of US passports of citizens alleged to owe more than $50,000 in Federal taxes.

We should, perhaps, have put more emphasis on the other new basis we mentioned for the denial of a passport application: failure to provide a valid Social Security account number on the passport application form. This could affect more people than the linkage of passports to taxes.

While the shorthand title on our blog post referred to people who “don’t have” a Social Security number, the same fate could befall anyone who chooses not to disclose their Social Security number. The new law would authorize but not require the Secretary of State — at her standardless “discretion” — to deny any passport application that doesn’t contain a valid Social Security number.

There are probably more US citizens who don’t have a Social Security number than who owe more than $50,000 in taxes. And there are good reasons for even those citizens who do have a Social Security number not to want to disclose it to the State Department and to all the other government agencies (including the DHS) with which it shares passport data.

Federal law and IRS regulations already imposed a $500 civil penalty for applying for a passport without providing a Social Security number. This was a high price to pay for freedom from travel dataveillance based on Social Security number. But it wasn’t always enforced (more “discretion”), and it was not a basis for denial of a passport. Now it is.

Why would someone who has a Social security number not want to give it to the State Department? The answer is obvious once you reverse the question: Why does the State Department want to record the Social Security number of each passport holder? And how do the State Department, and the other agencies with which it shares this data, plan to use it?

There’s a separate legal requirement and required form, which includes the passport number, for reporting any international transportation of $10,000 or more in cash or “monetary instruments”, either as accompanied baggage or in an unaccompanied shipment. So the State Department doesn’t need Social Security numbers in passport files to know whether large sums of money are being taken in or out of the country by the holder of a particular passport.

The new law doesn’t just require that you show that you have a valid Social Security number before you can receive or renew your passport. You must provide your Social Security number to the State Department, so that it can be entered into the passport records database.

Nor is your Social Security number used only to check with the IRS whether you are suspected of owing back taxes. The principal routine users of this data outside the State Department are the DHS, “for border patrol, screening, and security purposes.” Screening is, of course, a euphemism for algorithmic profiling and profile-based search and control.

In other words, the real point of requiring each US passport applicant to supply their Social Security number is to enable all the financial records linked to that Social Security number to be combined with the travel records linked to the passport number in the DHS “Automated Targeting System” and included in the inputs to the pre-crime “black box” that decides whether to give airlines and other common carriers permission to transport each US citizen, and how intrusively to search and/or interrogate each US citizen who is allowed to travel.

DHS Automated Targeting System records include many identifiers and pointers that can be used to link them to other databases: timestamped IP addresses, cellphone numbers, passport numbers, credit card numbers, names of emergency contacts and traveling companions, etc. But they haven’t yet contained Social Security numbers, so far as we know. Now they will, or will be linked to a related database that does.

Government records indexed by Social Security number aren’t just tax records, but records of your worldwide assets and financial affairs. Records identified by Social Security Number (but not passport number, so they would otherwise be at least somewhat more difficult for DHS to use for this profiling), include not only US bank accounts but also foreign bank accounts (reported by Social Security number on the required annual FBAR form) and other foreign “financial assets” (a partially overlapping category) required to be reported each year on IRS Form 8938.

None of this has anything to do with citizenship, which should be the sole criterion of entitlement (not merely “eligibility” at the government’s “discretion”) to a US passport.

The right to travel and the right to bear arms

December 14th, 2015

Last Thursday, December 3rd, the US Senate rejected a proposal to authorize the Attorney General to deny firearms licenses or permits to anyone the Attorney General suspects to “be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism, or providing material support or resources for terrorism.”

Just three days later, President Obama made a somewhat similar proposal, but based on the no-fly list and thus — under the latest revisions to no-fly listing procedures — on the discretion of the Secretary of Homeland Security rather than the discretion of the Attorney General:

“Congress should act to make sure no one on a no-fly list is able to buy a gun. What could possibly be the argument for allowing a terrorist suspect to buy a semi-automatic weapon?” (Address to the Nation by the President, December 6, 2015)

Since the President asks, we’ll try to answer.

Read the rest of this entry »

More pre-crime profiling of visitors to the US?

December 11th, 2015

President Obama’s televised speech last Sunday included a smorgasbord of proposals (and endorsements for proposals already made by members of Congress) for more control and surveillance of travel.

We’ll look first at the proposals for restrictions on travel by foreign visitors to the US, followed in our next post by some of those that would affect US citizens.

According to the President:

We should put in place stronger screening for those who come to America without a visa so that we can take a hard look at whether they’ve traveled to warzones. And we’re working with members of both parties in Congress to do exactly that.

What does “stronger screening” mean? And what’s a “warzone” [sic] when on the one hand there has been no declaration of war against anyone, anywhere, and on the other hand the government apparently believes that it has the authority to treat the entire planet as a battlefield on which to wage its “War on Terror”?

To understand what the President really means, let’s look at the proposed legislation. The President appears to have been referring to H.R.158, the so-called “Visa Waiver Program Improvement Act of 2015”, which passed the House this week and is pending in the Senate.

The “Visa Waiver Program” (VWP) is a scheme under which citizens of certain preferred countries are given US government permission through the “Electronic System for Travel Authorization” (ESTA) to board flights to the US — provided that they agree in advance that they when they arrive in the US, they can be denied admission for any or no reason, that they will not contest any denial of admission, and that they will bear their own costs of deportation if they aren’t admitted.

This isn’t based on reciprocity. Citizens of all other second-class countries must obtain paper visas, which require a much higher fee and an in-person interview at a US Embassy or Consulate, even for short visits as tourists or to change planes in the US in transit between e.g. Europe or Asia and Latin America.

Most of the countries that the US “allows” to participate in the VWP allow US citizens to enter as tourists, and sometimes for other purposes, without obtaining any permission or submitting any information to the destination government prior to their arrival.

An ESTA walks like a visa and quacks like a visa, except that it is issued electronically rather than stamped in a passport. To obtain an ESTA, a would-be foreign visitor must apply through a cumbersome CBP Web site, providing a variety of personal information to enable the application to be matched with the applicant’s “travel history” and other secret data in the CBP’s Automated Targeting System (the information required on the ESTA application was just increased last month) and pay a fee with a credit card so that the application can also be matched with any US government records about the applicant’s finances.

The travel industry reportedly wants the current euphemistic name of this program changed to the more Orwellian, “Secure Travel Partnership”, which gives a pretty accurate indication of the industry’s willingness to partner with governments in surveillance and control of travelers, as long as doing so doesn’t cost the industry money.

Any foreign citizen who “intends” to enter the US under the VWP is required to obtain an ESTA before CBP will give an airline permission to issue a boarding pass for a flight to the U S.

After operating the VWP/ESTA scheme for seven years under an “interim” rule, the DHS finalized the VWP/ESTA regulations and made them permanent earlier this year, dismissing our objections that the rules are unconstitutional, violate US obligations under international human rights treaties, and exceed the authority of CBP or the DHS.

How would any of this change if the bill endorsed by the President, H.R.158, becomes law?

Aside from reporting requirements, the only substantive change that would be made by the House bill would be to require that the secret pre-crime prediction algorithm incorporated into the ESTA approval/denial decision-making black box must consider “terrorism risk” in addition to, as is already required, “security risk”. We have no idea what this means. What sort of “terrorism risk” wouldn’t also constitute a “security risk”? But we can only assume that the proponents of this bill, including the President, want more secret rules added to the algorithm, to keep away even more visitors.

The White House has also talked about denying ESTA approvals and entry under the VWP on the basis of which other countries travelers have previously visited. A European citizen who has visited friends or family in Syria, for example, might find themselves barred from the US for the next five years unless they go through the drawn-out and expensive process of applying for a full US visa. A provision to this effect is part of both the Democratic (S. 2337) and Republican (S. 2362) versions of Visa Waiver Program bills pending in the Senate, but wasn’t included in the version approved by the House.

No passports for US citizens who haven’t paid taxes or don’t have a Social Security number

December 9th, 2015

Buried in the Fixing America’s Surface Transportation Act (“FAST Act”) signed into law last week is an unrelated rider to provide for revocation of the passport and/or refusal to issue a passport to anyone against whom the IRS has assessed a lien or levy for $50,000 or more in tax debt, or who doesn’t provide a valid Social Security number.

Since a change in Federal regulations in 2009 eliminated the last exception for crossing land borders to or from Canada and Mexico, it is a violation of Federal law “for any citizen of the United States to depart from or enter, or attempt to depart from or enter, the United States unless he bears a valid United States passport.”

This requirement for a passport can be “waived” at the “discretion” of the Department of State. But there is no right to a waiver, no formal procedures or standards for requesting such a waiver, and no apparent mechanism for judicial review of denial of a waiver.

So denying or revoking a US passport amounts to closing the US borders to that US citizen.

A US citizen who is denied a passport, or whose passport is revoked, is still a US citizen even if they are unable to exercise the rights of a citizen. As a citizen, they are still liable for US taxes on their worldwide income and assets, even if they are living outside the US. So any tax debt will continue and is likely to increase with interest, penalties, and new taxes.

It’s not clear at whom, or at what conduct, this new provision in US law is directed.

Are Congress and the President concerned that suspected criminal violators of the tax laws might flee the country before they can be charged or arrested? So much for the presumption of innocence, the distinction between tax debts and crimes, and the Constitutional prohibition on imprisonment for debt.

Is the intent to prevent tax debtors from spiriting their untaxed assets out of the country before they can be seized? If so, restrictions on personal movement are both overbroad and likely to be ineffectual. Most international transfers of wealth occur electronically, and most cross-border shipments of tangible goods are in the form of unaccompanied freight, not accompanied luggage.

Is the goal to exile tax debtors from US territory? Many of the US citizens who might be assessed large tax debts are already living outside the US. Under international human rights treaty law, the right to enter the country of one’s citizenship is the most absolute of the rights of freedom of movement: “There are few, if any, circumstances in which deprivation of the right to enter one’s own country could be reasonable.”

Denial or revocation of a US passport under this new law is an elaborate five-step process, although most of the steps are purely clerical:

  1. The IRS “assesses” a tax liability of at least $50,000 in 2016, or the equivalent amount adjusted according to the cost of living index in future years.
  2. The IRS issues a lien or levy for the tax assessment (again, for at least $50,000 or the latest adjusted equivalent).
  3. The Commissioner of Internal Revenue certifies the existence of this assessment and lien or levy to the Secretary of the Treasury (the head of the parent department of the IRS), and notifies the citizen of this certification and of their right to challenge it in court.
  4. The Secretary of the Treasury transmits the IRS certification to the Secretary of State
  5. Once the State Department receives this certification, it must not issue a new passport to the citizen, and may (apparently at the standardless discretion of the Secretary of State) revoke any current passport.

There are some options, but they are entirely at the discretion of the Secretary of State:

If the Secretary of State decides to revoke a passport…, the Secretary of State, before revocation, may — (i) limit a previously issued passport only for return travel to the United States; or (ii) issue a limited passport that only permits return travel to the United States.

The law also permits (although it does not require — more standardless discretion for the Secretary of State) the denial of any application for a US passport that doesn’t include a valid Social Security number.

There’s an impunity clause in the law, although it’s unclear to what if any extent it is Constitutional, that attempts to protect government agents from liability for violating US citizens’ right to travel:

The Secretary of the Treasury, the Secretary of State, and any of their designees shall not be liable to an individual for any action with respect to a certification by the Commissioner of Internal Revenue.

There is a procedure for judicial review, but only of the certification of a tax assessment and lien or levy:

After the Commissioner notifies an individual … , the taxpayer may bring a civil action against the United States in a district court of the United States or the Tax Court to determine whether the certification was erroneous or whether the Commissioner [of Internal Revenue] has failed to reverse the certification. If the court determines that such certification was erroneous, then the court may order the Secretary [of the Treasury] to notify the Secretary of State that such certification was erroneous.

The new law is silent on what, if any, redress is available, or through what procedures, for a US citizen whose right to travel is violated when they are denied a passport, their passport is revoked or restricted, or they are subsequently prevented from entering or leaving the US. Responsibility for the deprivation of rights is divided among three Departments: Treasury certifying a tax debt, State denying or revoking a US passport, and DHS enforcing the passport requirement at airports and borders.

A citizen could bring an action for a writ of mandamus ordering the State Department to issue a passport, which in some other cases has prompted the State Department to issue a passport before the case could be decided.

Or a citizen could bring an action for an injunction prohibiting the DHS from interfering with their entry or exit to or from the US.

In either case, we look forward to a declaratory judgement that this law is unconstitutional, and violates US obligations as a party to the International Covenant on Civil and Political Rights.

The human rights of migrants in transit

November 16th, 2015

Last year the UN Office of the High Commissioner for Human Rights (OHCHR) developed and promulgated a set of “Recommended Principles and Guidelines on Human Rights at International Borders”, including respect for the right to freedom of movement, on which we made recommendations at the invitation of the OHCHR.

As a follow-up, and in response to ongoing refugee crises in Europe and elsewhere, the OHCHR has been tasked by the UN Human Rights Council with preparing further recommendations in relation to the rights of migrants in transit, including, “[e]xit restrictions … and the externalisation of border controls which could have an impact on the human rights of migrants in transit.”

Our latest recommendations to the OHCHR focus on the human rights implications of restrictions on travel by common carrier:

As we discussed in our previous submission to the OHCHR concerning the human rights of migrants, refugees, and asylum seekers, the right to leave any country is routinely and systematically violated – even where there is no explicit requirement for an “exit permit” – through (1) requirements for identity credentials or other travel documents as a condition of travel by common carrier, without respect for the right to leave any country and to return to the country of one’s citizenship regardless of what, if any, credentials or documents one possesses, (2) requirements for “screening” and approval of common carrier passengers that amount to de facto exit visa, transit visa, and/or entry visa requirements, (3) sanctions imposed on common carriers to induce carriers not to transport certain would-be passengers, on the basis of decisions not made, and not subject to appeal, through effective judicial procedures, and (4) failure by governments to enforce the duties of common carriers to transport all would-be passengers, regardless of their legal status or possession of documents.

Some of the most important decision-makers for asylum seekers, refugees, and other migrants are airline and other common carrier ticket sellers and check-in staff. Many eligible asylum seekers are unable to reach places of refuge, and others die trying, as a direct result of improper denial of transportation by common carrier staff.

Many eligible asylum seekers could afford to purchase airline tickets or tickets on other common carriers (ferries, trains, buses, etc.) to travel to countries where, on arrival, they would be eligible for asylum. They risk their lives as “boat people”, and some of them die, not for financial reasons, but because airlines or other government-licensed common carriers improperly refuse to sell them tickets or deny them boarding.

When airlines or other common carriers deny passage, they often claim that they are doing so in compliance with government mandates or government-authorized carrier “discretion”. But decisions about these “mandates” and how to apply them, and about the scope of common carrier “discretion”, are enforced not by judicial or police personnel but by airline or other common carrier staff, or by contractors, at the points of ticket sales, check-in, or boarding. As a result, it is almost impossible for would-be passengers to obtain judicial review of carrier decisions to refuse ticket sales, check-in, or boarding.

Asylum seekers who are trying to leave a country where they are subject to persecution, and who are denied transport, are unlikely to have access to effective judicial review and redress through the courts of the country that is persecuting them. Airlines know that they can violate the rights of asylum seekers with de facto impunity.

Respect for the right to freedom of movement requires significant changes in the practices of carrier staff. To fulfill their human rights obligations, governments need to ensure that common carriers are aware of, and respect, the right to freedom of movement.

[More.]

Accurint exposed as data broker behind TSA “ID verification”

November 9th, 2015

The most recent documents released in response to one of our Freedom of Information Act (FOIA) requests may have identified the data broker powering the TSA’s “ID verification” system as Accurint — the current incarnation of a component of the discredited and supposedly disbanded Total Information Awareness program — rather than Acxiom as we had speculated (and as had powered other TSA passenger-profiling schemes).

We found this clue to the company behind the curtain in the daily reports on the operation of the TSA Identity Verification Call Center (IVCC) that gets the call whenever someone tries to fly without having, or without being willing to show,  government-issued ID satisfactory to the TSA or contractor staff at an airport checkpoint:

Over the past 48 hours the IVCC experienced on-going internet connectivity issues that caused IVCC operations to be disconnected from Accurint and WebEOC databases…. The interrupted service resulted in extended call times when either database conductivity was abruptly discontinued or unavailable. At approximately 1430, TSOC IT contacted the Accurint Customer Support who indicated the issue was internal to Accurint. At approximately 1615, service appeared to be restored. At 1900, the connectivity issue resurfaced but with limited impact to operations. The TSOC Network Engineer is monitoring the Accurint situation and EMOC Security is working to identify and resolve those issues separate to Accurint.

This report strongly suggests that it’s Accurint that provides the database and “verification” algorithms used by the IVCC, the TSA, and TSA contractors to decide who to allow to fly, and who not to allow to fly.  There’s no other apparent reason why the IVCC would need connectivity to Accurint, or why an outage in IVCC connectivity would would be significant.

Who are these guys? It’s a shell game of acronyms, acquisitions, and corporate restructuring.

Accurint is a service of the LexisNexis brand of the UK-incorporated RELX Group plc, which until June 2015 was named Reed Elsevier.  The aggregated “garbage in, garbage out” database and pre-crime profiling algorithms used by Accurint for “ID verification” were developed by a company called Seisint, under contracts (brokered in part by Rudy Giuliani’s influence-peddling consultancy) to the DHS and Department of Justice, for the MATRIX (Multistate Anti-Terrorism Information Exchange) component of Total Information Awareness (TIA).

In the midst of public controversy over MATRIX, TIA, and other aspects of Seisint and its operations, Seisint was acquired by Reed Elsevier for $775 million in 2004.  Seisint’s Accurint service was folded into LexisNexis, part of what is now RELX Group plc.

“Matrix reloaded”?

Here’s what Megan Kaushik of the Brennan Center for Justice found when she tried to find out what’s in Accurint’s files about herself:

After an exhaustive search, I ultimately received records from … LexisNexis’s Accurint…. The report[] listed every phone number and address I had ever been associated with, from my college mailbox to the relative’s home where I’d forwarded mail while abroad. Accurint listed the apartment I rented while interning in DC, along with the names and phone numbers of its current occupants. It even provided the sale price and mortgage on each home I’d lived in.

Surprisingly, much of the information was also inaccurate….

Accurint listed someone named Florinda as “Associated with Subject’s SSN” though it assured me this “doesn’t usually indicate fraud.”

Obtaining my data … was difficult. Amending incorrect information was impossible. Unlike Canada or the UK where data brokers must allow individuals to access and amend their data, American law lacks such requirements. Accurint’s report stated it “may not contain all personally identifiable information in our databases” and they “do not verify data, nor is it possible to change incorrect data.”

In addition, “LexisNexis does not suppress personal information from databases used by law enforcement customers,” regardless of whether LexisNexis knows it to be inaccurate or misleading. As we said earlier,  “garbage in, garbage out”. All the garbage, no matter how much it stinks.

Since its latest latest corporate restructuring in June 2015, Accurint has been operated by a UK corporation, RLEX Group plc. Stock in RLEX Group plc is owned partly by a UK-based and partly by a Netherlands-based parent corporation. But there’s no US-incorporated subsidiary to shield RLEX Group plc, as a UK corporation, from its obligation to comply with UK law in its worldwide operations, whether in the US or anywhere else.

Many of Accurint’s policies and practices with respect to its services for the TSA and other law enforcement agencies appear to violate both the LexisNexis privacy policy and, more importantly, the obligations of RLEX Group plc pursuant to UK and European Union data protection law. The governing factor under UK and EU law appears to be that the data controller for Accurint, RLEX Group plc, is legally domiciled in the UK.

It doesn’t help rescue RELX Group plc from liability under UK and EU law that it has relied on self-certification that it complies with the “safe harbor” framework, which has now been ruled legally inadequate, as the basis for transferring personal data to entities in the US such as the TSA.

Accurint also integrates social media data from “Twitter, Tumblr, Disqus, Foursquare, WordPress, Instagram, Facebook, Google+, YouTube and more,”  monitored and mined by Digital Stakeout, Inc. This confirms what we have long feared: that (privatized but government-funded) surveillance of social media and other Internet activity is being used as one of the inputs to the black box that decides whether to allow us to exercise our rights. As we said five years ago in conjunction with the first “Social Network Users’ Bill of Rights”:

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to to know the “correct” answer.  And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

We’ll be posting more details and statistics as the TSA releases more of its records about what happens to people who try to fly without ID. But the records we’ve received to date show that people are already being prevented from traveling by air, despite having valid tickets on common carrier airlines, because the private data broker(s) consulted by the TSA don’t have enough data to profile them, or their answers don’t correspond to the garbage in the aggregators’ data warehouses about things such as who Accurint thinks they live with or thinks who their neighbors are.

Most Federal agencies still ignore human rights complaints

November 6th, 2015

Despite a recent decision by the European Court of Justice based in part on the inability of US courts to enforce US obligations under human rights treaties to which the US is a party, and despite a direct order from the President, most Federal agencies have still done nothing to create even administrative channels or points of contact for handling complaints of human rights violations.

Last April, we joined a broad coalition of civil liberties and human rights organizations in a public letter to some of the Federal departments engaged in the most egregious human rights violations — torture, extrajudicial killings, mass surveillance, denial of freedom movement, etc. — calling on them to carry out the President’s longstanding orders to designate points of contact responsible for responding to complaints that they have violated human rights treaties.

Six months later, there’s been no response to our letter and no publicly-disclosed indication that any of the agencies and departments to which it was sent has taken any action to fulfill its duties under Executive Order 13107, which was issued by President Clinton in 1998 and has remained in effect ever since.

This week, we joined in a follow-up letter, pointing out the failure to act and the heightened importance of showing a US government commitment to human rights, including the right to privacy, if the US wants to persuade other countries and their citizens that personal information transferred to via the US will be adequately protected against unwarranted mass surveillance.

The real lesson, of course, is that neither US citizens nor foreigners can rely on merely administrative mechanisms  for the protection of fundamental rights. If direct orders from the President aren’t enough to get Federal department heads even to receive and log human rights complaints, what could be?

As the UN Human Rights Committee recommended last year at the conclusion of its latest review of US (non)implementation of its human rights treaty obligations, what’s really needed is for Congress to enact effectuating legislation for human rights treaties to grant US courts — not the agencies that are the subjects of the complaints — the jurisdiction to hear and rule on complaints of violations of rights guaranteed by those treaties that the US has ratified and promised to honor and implement.

Can the US be a “safe harbor” for travel surveillance?

October 29th, 2015

At its plenary session today in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”.

As part of that resolution, the European Parliament, “Calls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”

We’re pleased, of course, to see such a democratically and popularly elected body as the European Parliament coming to Mr. Snowden’s defense and joining the calls for recognition of his claim for asylum. But while the Snowden clause is getting most of the attention, it’s not all that’s included in today’s Europarl resolution.

The resolution adopted today by the European Parliament discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr. Snowden has helped to expose. Notably, the resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

We have long argued, and we suspect Mr. Snowden would agree, that warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to PNRs stored in airlines’ Computerized Reservation Systems, warrantless, suspicionless dragnet collection of metadata about the movements of money through government access to electronic funds transfer intemediaries like SWIFT, and warrantless, suspicionless dragnet collection of metadata about the movements of messages through government root access to telecom and Internet backbone networks are all part of the same overarching surveillance program that raises issues common to all of these types of movement metadata.  That point of view is implicitly endorsed by today’s Europarl resolution.

Today’s action by the European Parliament was prompted in part by the decision earlier this month by the European Court of Justice (sometimes abbreviated “ECJ”, sometimes “CJEU”) in Schrems v. Facebook.  In that case, an Austrian user of Facebook, Max Schrems, asked the data protection authority in Ireland, where Facebook’s European subsidiary is based, to prohibit the transfer of personal data about him to Facebook servers in the USA where it would be subject to uncontrolled and secret access by the NSA and possibly by other US government agencies. The Irish authorities refused to investigate Facebook’s practices and dismissed Mr. Schrems’ complaint on the grounds that the European Commission had already determined that the so-called “Safe Harbor framework” for self-regulation assured adequate protection for personal data transferred from the EU to the US by participating companies.

The ECJ found that, “without there being any need to examine the content of the safe harbour principles,”  the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” of Fundamental Rights and Freedoms of the European Union.

Too bad that US courts haven’t yet recognized, as of course they should, that these US laws and government practices also violate fundamental rights guaranteed by the US Constitution.

The European Commission has previously brushed off questions — including questions from Members of the European Parliament and in a more recent expert report commissioned by the Council of Europe — about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs.

Now, however, the European Commission and European DPA’s have an explicit mandate to investigate complaints like that of Mr. Schrems against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved today that it:

Urges the Commission to assess the legal impact and implications of the Court of Justice ruling of 6 October 2015 in the Schrems case (C-362/14) vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, passenger name record (PNR) agreements, the EU-US umbrella agreement and other instruments under EU law which involve the collection and processing of personal data.

What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalize a panopticon of travel dataveillance as a new norm?

Read the rest of this entry »

6th Circuit Court of Appeals rules for right to trial over no-fly order

October 28th, 2015

On October 26th, by a 2-1 vote, a  panel of judges of the 6th Circuit Court of Appeals has overruled a District Court’s decision that it lacked jurisdiction to hear a substantive challenge to the order by the “Terrorist Screening Center” (TSC) placing a US citizen on the “No-fly” list.

While the decision was based on arcane-seeming jurisdictional issues, and the government is already maneuvering to evade it and some other similar court decisions, it is a significant victory for the fundamental right to a trial in cases of challenges to no-fly orders.

The decision sends the lawsuit brought by Mr. Saeb Mokdad, represented by the Arab-American Civil Rights League,  back to the US District Court in Michigan where it was first filed more than two years ago.

The TSC is an inter-agency and inter-departmental entity, but the government has assigned nominal “ownership” of the TSC and its decisions — including, until recently, final authority for no-fly orders — to the FBI (a component of the Department of Justice).

At the same time, the government has argued that any challenges to the TSC’s no-fly orders must be made first through the kangaroo-court DHS TRIP administrative process, and then in a Court of Appeals that is allowed to consider only the “administrative record” of the TSA’s decision, as supplied to the court by the TSA itself.

Unlike some other people who have tried to challenge the government’s interference with their right to travel, Mr. Mokdad didn’t sue the TSA or DHS for implementing the TSC’s decision to put him on the no-fly list. Instead, he sued the TSC, FBI, and DOJ for ordering the TSA and DHS to put him on the no-fly list.

The government’s position is that no challenge to a no-fly order can be made with the agency that made the decision (the TSC/FBI/DOJ), and that any court review of the TSC decision must be based solely on TSA records (which will show, at most, that the TSA relied on a no-fly order from the TSC, and may not show anything about the factual basis, if any, or the criteria or procedures relied on by the TSC in its decision).

In its decision this week, the 6th Circuit rejected that duplicitous government position:

To the extent that Mokdad brings a direct challenge to his placement by TSC on the No Fly List, … he is challenging a TSC order, not a TSA order….  TSA does not determine who is placed on the No Fly List; TSC does. Notwithstanding the government’s attempts to characterize his claim as a challenge to TSA’s decision to deny him boarding, Mokdad makes clear that he is “challeng[ing] his actual placement on the No Fly List by the TSC.” R. 17, Appellant Br., 11. TSC is administered by the FBI. The fact that TSC is an inter-agency center that is staffed by officials from multiple agencies, including the FBI, DHS, Department of State, Customs and Border Protection, and also TSA, does not transform TSC’s order placing an individual on the No Fly List into an order of the TSA.

The 6th Circuit panel correctly held that the law assigning exclusive jurisdiction over challenges to TSA orders to Circuit Courts of Appeal, based on TSA administrative records, does not apply to challenges to TSC or other FBI orders — including no-fly listing orders.

The FBI’s hypocrisy in Mr. Mokdad’s case hasn’t been limited to its arguments in court.  The FBI has told Mr. Mokdad that it can’t tell him anything about why it put him on the no-fly list, and can’t even confirm or deny that he is barred from flying (although that’s obvious from the fact that he is denied boarding whenever he tries to fly). At the same time that the FBI officially declined to comment or give any information to Mr. Moktad, the FBI was happy to disclose derogatory alleagations about him to the local newspaper of record, the Detroit Free Press, in the form of leaks by “sources familiar with Mokdad” about what “the FBI suspects”.

Unfortunately, the next move in this legal chess game was already played by the government between the time that Mr. Mokdad’s case was argued a little over a year ago and when it was decided this week. While the Court of Appeals was contemplating its decision, the government shifted nominal final responsibility for no-fly decisions from the TSC/FBI/DOJ to the TSA/DHS, to try to bring them back within the scope of the jurisdiction-stripping statute, 49 USC §46110 (the Constitutionality of which is already being challenged in another no-fly case).

It’s unclear, in light of this evasive move by the government, what will happen to Mr. Mokdad’s case on remand. The next step will be discovery, and likely an assertion by the government in response that everything about no-fly decisions is a “state secret”.  Even if Mr. Mokdad eventually puts the FBI on trial, as has happened in only one no-fly case to date, he might win only a Pyrrhic victory, overturning the TSC’s no-fly order but then having to start from scratch, in a different court, with a new challenge to a new TSA no-fly order. Stay tuned.