Papers, Please!

The Identity Project

Jan 03 2024

“No-Fly” case to be argued Jan. 8th in the Supreme Court

The U.S. Supreme Court will hear oral argument this Monday, January 8, 2024 on an appeal brought by the FBI challenging a Circuit Court decision in favor of Yonas Fikre. It’s the second case on the Supreme Court’s 10 a.m. EST calendar for oral argument Monday.

You can listen live online, attend a live watch party in DC if you can’t get into the Supreme Court, or listen to recorded audio that should be posted by the end of the day on Monday.

The complete Supreme Court docket and links to the pleadings in FBI v. Fikre are here.

The question presented to the Supreme Court in this case doesn’t directly address what substantive criteria or procedures are Constitutionally required for the government to order common carriers not to transport an otherwise-qualified U.S. citizen. A separate challenge to the entirety of the blacklisting system remains pending in U.S. District Court in Boston.

But this case in the Supreme Court does address one of the government’s standard tactics for evading judicial review of its blacklisting decisions: taking people who sue the government off blacklists to “moot” their cases if it looks like they might have a chance of getting a court to rule on the legality of the government’s procedures or criteria for blacklisting decisions or or the sufficiency of the evidence (if any) against them.

If anyone deserves to have the U.S. government’s decision to put him on its no-fly list reviewed by a judge, it’s Yonas Fikre.

Read More

Dec 26 2023

Congress watches the “watchlists” — but will Congress act?

Earlier this month  CBS News broadcast an in-depth report confirming that more than two million names (up from 1.75 million names in 2019) are now on U.S. government blacklists (euphemistically described as “watchlists”) restricting travel and other rights.

CBS also interviewed some of the U.S. citizens who, without ever being accused of any crime or having their day in court, and for no reason they know or that the government will tell them, have been stopped at gunpoint, delayed, or prevented from flying.

Less than a week later, the Senate Homeland Security and Government  Affairs Committee (HSGAC) released a detailed staff report on the same issue, “Mislabeled as a threat: How the terrorist watchlist & government screening practices impact Americans“.

The Chair of the HSGAC, Sen. Gary Peters (D-MI), also sent a formal request to the Inspectors General of each of the Federal departments that participate in the “Watchlisting Council”,   asking the Inspectors General to “coordinate on an assessment of the full implementation of the Terrorist Screening Dataset.”

“I have heard from my constituents, and in particular my Arab and Muslim American constituents, that they face undue levels of scrutiny and screening atairports, other ports of entry, and in their daily lives, which they believe is the result of their placement on the terrorist watchlist,” Sen. Peters  noted. “Inspectors General have not conducted a coordinated, independent assessment of the full watchlisting enterprise – from the nominations process; to how information is shared, used, and audited; to the redress options available to individuals who may match to the list.”

The same day, five other Senators and eight members of the House of Representatives sent a joint letter about “watchlisting” practices  to the heads of the Department of Justice, FBI, Department of Homeland Security, Transportation Security Administration, U.S. Customs and Border Protection, and several other agencies.

The joint letter asks for answers “no later than January 9, 2024” to a long list of questions about how many people are on U.S. government watchlists, how many have been added and removed, what procedures have been followed, what data has been collected or purchased about these people,  what if any redress is available to them, and what the criteria for adding names are supposed to be. “Beyond the spouses and children of individuals on the watchlist, what other categories of ‘non-terrorists’ may be included as exceptions to the reasonable suspicion standard for placement on the watchlist?”

We’re pleased that members of Congress are asking increasingly pointed questions about the U.S. government’s system of secret, arbitrary, extrajudicial blacklists.

But asking questions isn’t enough. What’s needed from Congress is legislative action.

We hope that members of Congress don’t stop at “making inquiries” or “demanding answers”.  There’s ample evidence already that the watchlisting/blacklisting system is out of control. It’s up to Congress to bring that system under control by enacting legislation restoring the rule of law to decision-making about who is allowed to exercise their rights.

If members on Congress want to do something about the problem of travel blacklists, not just talk about it, a good way to start would be to reintroduce and bring to a vote the Freedom to Travel Act, which was introduced in 2021 but never got a hearing or a vote.

Nov 30 2023

Senate bill introduced to ban TSA use of facial recognition in airports

Six US Senators led by Sen. Jeff Merkley (D-OR) and Sen. John Kennedy (R-LA) have introduced a bill to prohibit the Transportation Security Administration (TSA) from using automated facial recognition at airports.

S.3361 the “Traveler Privacy Protection Act of 2023”, was introduced on November 29, 2023 by Sens. Merkley, Kennedy,  Edward Markey (D-MA), Roger Marshall (R-KS), Bernie Sanders (I-VT), and Elizabeth Warren (D-MA).

Introduction of this bill comes more than five years after these and other Senators started to raise questions about whether airline passengers can be, should be, or are already being required to submit to automated facial recognition at airports, despite questionable claims by the TSA that passengers can “opt out” of facial recognition.

We find it notable and praiseworthy that this bill (text of bill as introduced), isn’t an attempt to “regulate” TSA use of automated facial recognition or to bolt on controls on how this surveillance technology or facial images or other data (event logs, etc.) collected by such systems. Rather than imposing regulations, the bill would impose a categorical ban on TSA use of automated facial recognition at airports, at least for now. If this bill is enacted, the TSA would be allowed to use facial recognition technology in airports only if that use is explicitly authorized by new legislation enacted after the passage of the “Traveler Privacy Protection Act of 2023”.

The “Traveler Privacy Protection Act of 2023” would close a significant loophole in current and proposed laws. Other proposals for regulation of facial recognition are pending in Congress, but they exempt the TSA and/or fall short of a categorical ban on use of facial recognition. And Federal preemption of regulation of air travel has given the TSA  impunity from state and local attempts to restrict government use of facial recognition.

The “Traveler Privacy Protection Act of 2023” would do nothing about the use of automated facial recognition by US Customs and Border Protection (CBP) at international airports, but it would create a model for legislation that could also be applied to CBP.

Nov 13 2023

Advance Travel Authorization (ATA) and the “CBP One” app

 

As we’ve discussed before in this blog, and as other human rights advocates have noted, asylum requires traveling to a border. Since you can only apply for asylum after you arrive in a country of refuge, freedom to travel from a place where you are subject to persecution to a country of refuge is a prerequisite for asylum.

But as we have also noted, including in comments earlier this year to the U.N. Office of the High Commissioner for Human Rights concerning the rights of migrants, governments including the US government have steadily increased their efforts to undermine the right to asylum by preventing  asylum seekers from traveling to their borders.

The latest step in this direction is the Advance Travel Authorization (ATA) system operated by U.S. Customs and Border Protection (CBP). Under this program, asylum seekers can request permission through the CBP One mobile app to travel to the US. CBP is already operating this system under a temporary “emergency” authorization from the Office of Management and Budget (OMB), but is seeking OMB approval to make it permanent.

As we explain in comments we submitted today to CBP:

Because the US has no jurisdiction and CBP has no statutory authority over travel by non-US citizens within or between other countries or their departure from other countries, and because whether or not a non-US citizen has requested or been granted “permission” from CBP has no bearing on their right to leave any other country or to travel within or between other countries by common carrier or otherwise, this collection of information is of no practical utility for any lawful activity of CBP or any US agency.

Do asylum seekers need permission from the US government to leave other countries where they are being persecuted, or to travel to the US?

No, they do not, as we explain in our comments to CBP: Read More

Oct 16 2023

The TSA wants to put a government tracking app on your smartphone

Today the Identity Project submitted our comments to the Transportation Security Administration (TSA) on the TSA’s proposed rules for “mobile driver’s licenses”.

The term “mobile driver’s license” is highly misleading. The model Electronic Credential Act drafted by the American Association of Motor Vehicle Administrators (AAMVA) to authorize the issuance of these digital credentials and installation (“provisioning”) of government-provided identification and tracking apps on individual’s smartphones provides that, “The Electronic Credential Holder shall be required to have their Physical Credential on their person while operating a motor vehicle.”

So the purpose of “mobile driver’s licenses” isn’t actually licensing of motor vehicle operators, as one might naively assume from the name. Rather, the purpose of the “mobile drivers license” scheme is to create a national digital ID, according to standards controlled by the TSA, AAMVA, and other private parties, to be issued by state motor vehicle agencies but intended for use as an all-purpose government identifier linked to a smartphone and used for purposes unrelated to motor vehicles.

We’ve seen the ways that government-mandated tracking apps on citizens’ smartphones are used by the government of China, and that’s not an example we want the US to follow.

AAMVA’s website is more honest about the purpose and planned scope of the scheme: “The mobile driver’s license (mDL) is the future of licensing and proof of identity.”

As we note in our comments:

The fact that the TSA seeks to require the installation of a government app on a mobile device of a certain type suggests that the government has other purposes than mere “identification”, such as the ability to track devices as well as people. But we don’t know, because we haven’t been able to inspect the source code for any of these apps.

Most of the details of the TSA proposal remain secret, despite our efforts to learn them. So our comments focus on the unanswered questions about the proposal, the deficiencies in the TSA’s “notice”, and the TSA’s failure to comply with the procedural requirements for consideration of proposed regulations and for approval of collections of information from members of the public — which the TSA is already carrying out illegally, without notice or approval, with digital ID apps that state agencies are already installing on smartphones:

By this Notice of Proposed Rulemaking (NPRM), the Transportation Security Administration (TSA) proposes to establish “standards” (which are not included in the NPRM and not available to the public) for a national digital ID to be used by Federal agencies in an unknown range of circumstances for unknown purposes (also not specified in the NPRM, and for which the notices and approvals required by law have not been provided or obtained).

The NPRM, which includes a proposal to incorporate by reference numerous documents which are not included in the NPRM and have not been made available to would-be commenters who have requested them, fails to provide adequate notice of the proposed rule or opportunity to comment on the undisclosed documents proposed to be incorporated by reference. It violates the regulatory requirements for incorporation by reference of unpublished material….

The proposed rule would also implicitly incorporate the Master Specification for State Pointer Exchange Services (SPEXS) published by the American Association of Motor Vehicle Administrators (AAMVA), which is not included or mentioned in the NPRM or publicly available and which AAMVA has actively attempted to remove from public availability….

The NPRM purports to include an analysis, pursuant to the Paperwork Reduction Act (PRA), of “the information collection burdens imposed on the public,” and claims to have requested approval for these information collection from the the Office of Management and Budget (OMB). But both the NPRM and the request for OMB approval omit any mention of the collection of information from individuals that occurs each time a “mobile ID” is “presented” and an app on a mobile device interacts with TSA or other Federal agency devices or servers….

What data fields will be collected when a TSA or other Federal agency device interacts with a mobile ID app on an individual’s device? We don’t know. What code will an individual be required to allow to run on their device, and with what privileges? We don’t know, although this could be critical to the risks and potential costs to individuals if, for example, they are required to allow closed-source code to run on their devices with root privileges.

From which people, how many of them, in what circumstances, and for what purposes, will this information be collected? We don’t know, although all of this is required to be included in an application for OMB approval of a collection of information….

What will individuals be told about whether these collections of information are required? We don’t know this either, although this is a required element of each PRA notice, because the TSA provides no PRA notices to any of those individuals from whom it collects information at its checkpoints, including information collected from mobile IDs.

As the TSA itself has argued in litigation, no Federal statute or regulation requires airline passengers to show ID. And hundreds of people pass through TSA checkpoints and board flights without showing ID every day. An accurate submission to OMB, and an accurate PRA notice (if approved by OMB), would inform all individuals passing through TSA checkpoints that ID is not required for passage. But instead of providing OMB-approved PRA notices at its checkpoints in airports, the TSA has posted or caused to be posted knowingly false signage claiming that all airline passengers are “required” to show government-issued ID credentials. Individuals incur substantial costs as a result of these false notices, particularly when individuals without ID forego valuable travel in reliance on deliberately misleading signs that ID is required.

Read More

Oct 09 2023

The difference between stating your name and showing ID

The 11th Circuit Court of appeals has ruled that it is clearly established law that even in a state with a “stop-and-identify” law, and even if police reasonably suspect you of a crime, police may not require you to show ID or arrest you if you refuse to do so.

We don’t think people should be required to identify themselves. Self-identification can amount to self-incrimination, and compelling individuals to answer any question from police or other government agents would violate the Constitutional right not to be compelled to give evidence against oneself. You have the same right to remain silent if police ask, “What is your name?” as you have if you are asked any other question.

Despite this bedrock principle, some states have passed “stop and identify” laws of dubious Constitutionality that purport to require people to identify themselves on demand to any law enforcement officer who reasonably suspects them of a crime.

Even in those states, however, there’s a fundamental difference between being required to state your name verbally and being required to have, to carry, or to show ID credentials.

That distinction was central to the decision of the US Supreme Court in Hiibel v. Nevada, in which the court didn’t reach the question of whether a law requiring suspects to “show” ID would be Constitutional because it found that Mr. Hiibel could have satisfied the Nevada “stop and identify” law by verbally stating, “My name is Dudley Hiibel.”

Other cases in the lower courts since Hiibel have touched on this issue, but until now, none that we are aware of has depended squarely on this distinction between stating your name and showing ID.

The clarity and significance of the 11th Circuit panel’s opinion in Edger v. McCabe makes it worth quoting at length:

The facts of this case are not in dispute, as the entirety of the encounter between Mr. Edger and the police was captured on the police officers’ body-worn and dash cameras….

Mr. Edger is a mechanic in Huntsville, Alabama….. One of Mr. Edger’s longtime clients is Kajal Ghosh, who owns a red Toyota Camry. The Camry is primarily driven by Mr. Ghosh’s wife, who works as a teacher at Progressive Union Missionary Baptist Church. One or
two days before June 10, 2019, Mr. Ghosh called Mr. Edger and reported that the Camry had broken down while his wife was working at the Church. He asked Mr. Edger to fix the car and told him the keys would be waiting for him at the Church’s front office.

On June 10, around 2 p.m., Mr. Edger went to the Church to pick up the keys and to inspect the Camry. He determined something was wrong with either the car’s steering or its tires, and he concluded he would need to come back later with tools to fix the car. That evening, he returned to the Church with his stepson, Justin Nuby, in tow, intending to either fix the Camry on-site or to take it back to the shop for further repairs. Mr. Edger and Mr. Nuby drove a black hatchback to the Church.

After Mr. Edger and his stepson entered the Church’s lot, the Church’s security guard observed them and grew concerned…. At about 8:05 p.m., the security guard called 911 and told dispatch: “I have two Hispanic males, messing with an employee’s car that was left on the lot.”

Police arrived, and the court describes what the video evidence showed as follows:

Mr. Edger continued to work, and the following conversation began:

Officer McCabe: What are y’all doing?

Mr. Edger: Getting the car fixed.

Officer McCabe: Is this your car?

Mr. Edger: Yeah, well, it is one of my customer’s.

Officer McCabe: One of your customer’s?

Mr. Edger: Ghosh Patel, yep. I was over here earlier….

From here, the interaction rapidly escalated:

Officer McCabe:  Alright. Take a break for me real fast and do y’all have driver’s license or IDs on you?

Mr. Edger: I ain’t going to submit to no ID. Listen, you call the lady right now. Listen I don’t have time for this. I don’t mean to be rude, or ugly, but …

Officer McCabe: Okay. No, you need to—

Mr. Edger: I don’t mean to be—

Officer McCabe: —give me your ID or driver’s license.

Mr. Edger: No. I don’t. Listen, I don’t want you to run me in for nothing.

Officer McCabe: Are you refusing me—are you refusing to give me your ID or driver’s license?

Mr. Edger: I’m telling you that if you will call this lady that owns this car—

In the middle of Mr. Edger’s sentence, as he was attempting to explain the situation to Officer McCabe, Officer Perillat seized Mr. Edger from behind. He led Mr. Edger to the side of the Camry and started handcuffing him. As Mr. Edger protested, Officer Perillat told Mr. Edger: “We don’t have time for this,” and, “You don’t understand the law.” During this time, the video shows that Mr. Edger offered his driver’s license at least three times before the officers could finish handcuffing him. Eventually, the officers managed to handcuff and search Mr. Edger, and then detain him in a squad car. Throughout this process, the officers never asked Mr. Edger or his stepson for their names or addresses….

Mr. Edger was charged with obstructing governmental operations in violation of Alabama Code § 13A-10-2(a)(1). The City of Huntsville dropped all charges relating to this incident. After the dismissal of the charges, Mr. Edger filed a § 1983 civil rights lawsuit, alleging a false arrest in violation of his Fourth Amendment rights against unlawful searches and seizures, as well as a state law false arrest claim….

Turning now to the defendant’s theory that probable cause existed to support Mr. Edger’s arrest because he violated Alabama’s Stop-and-Identify statute, Alabama Code § 15-5-30. The Stop-and-Identify statute allows an Alabama police officer who “reasonably suspects” a crime is being, has been, or is about to be committed to stop a person in public and “demand of him his name, address and an explanation of his actions.” Id.

Mr. Edger argues that he cannot possibly have violated § 15-5-30, because it clearly delineates three things the police may ask him for: his name, his address, and an explanation of his actions. He argues nothing in the statute requires him to produce physical identification, and that Officer McCabe’s question, “Do y’all have driver’s license or IDs on you?” and repeated references to “IDs” were clearly demands for him to produce physical identification of some kind. He notes that physical identification is not one of the three enumerated things that the police may ask for under Alabama law, and that he was never asked for his name or address.

We agree with the district court’s assessment that Mr. Edger did not actually violate § 15-5-30… Section 15-5-30 does not require anyone to produce an “ID” or “driver’s license” as Officer McCabe demanded. Indeed, it does not require anyone to produce anything. Instead, it grants Alabama police the authority to request three specific pieces of information. Here, the video evidence is clear that neither Officer McCabe nor Officer Perillat asked for Mr. Edger’s name or address. Additionally, Mr. Edger’s objection was clearly related to the unlawful demand that he produce physical identification…. Because the Alabama statute, by its plain text, does not permit the police to demand physical identification, the officers lacked probable cause and thus violated Mr. Edger’s Fourth Amendment rights by arresting him….

We hold that the plain text of the Alabama statute is so clear that no reasonable officer could have believed they could arrest Mr. Edger for failing to produce his “ID” or “driver’s license” under § 15-5-30….

[T]he broad background rule is that the police may ask members of the public questions and make consensual requests of them, Florida v. Bostick, 501 U.S. 429, 434–35 (1991) (collecting cases and examples), “as long as the police do not convey a message that compliance . . . is required.” Id. at 435. But the person “need not answer any question put to him; indeed, he may decline to listen to questions at all and may go on his way.” Florida v. Royer, 460 U.S. 491, 497–98 (1983)….

[T]he Alabama statute is clear. It lists only three things that the police may ask about. This is not an issue of “magic words” that must be uttered. There is a difference between asking for specific information: “What is your name? Where do you live?” and demanding a physical license or ID. The information contained in a driver’s license goes beyond the information required to be revealed under § 15-5-30. Compare Ala. Code § 32-6-6 (“Each driver license . . . shall contain a distinguishing number assigned to the licensee and a color photograph of the licensee, the name, birthdate, address, and a description of the licensee . . . .”), and Ala. Code § 22-19-72 (requiring that there be “a space on each driver’s license . . . to indicate in appropriate language that the [licensee] desires to be an organ donor”), with Ala. Code § 15-5-30 (“A [police officer] may stop any person abroad in a public place whom he reasonably suspects is committing . . . a [crime] and may demand of him his name, address and an explanation of his actions.”).

Further, neither the parties nor our own research can identify any Alabama law that generally requires the public to carry physical identification—much less an Alabama law requiring them to produce it upon demand of a police officer. There simply is no state
law foundation for Officer McCabe’s demand that Mr. Edger produce physical identification

So to summarize, it has been clearly established for decades prior to Mr. Edger’s arrest that the police are free to ask questions, and the public is free to ignore them. It has been clearly established prior to Mr. Edger’s arrest that any legal obligation to speak to the
police and answer their questions arises as a matter of state law. And the state statute itself in this case is clear and requires no additional construction: police are empowered to demand from an individual three things: “name, address and an explanation of his actions.” Ala. Code § 15-5-30. It was thus clearly established at the time of Mr. Edger’s arrest that she could not demand he produce physical identification. And because Officer McCabe’s demands for an “ID” or a “driver’s license” went beyond what the statute and state law required of Mr. Edger, she violated clearly established law. Under this set of facts and these precedents, no reasonable officer could have believed there was probable cause to arrest Mr. Edger for obstructing governmental operations by violating § 15-5-30. And this theory cannot support the grant of qualified immunity to the officers.

We welcome this decision and commend it to the attention of other courts and other cops.

Sep 28 2023

DHS uses travel as pretext for search of researcher and journalist

According to a report by Zack Whittaker on TechCrunch, security researcher, and blogger Sam Curry “was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a ‘high profile phishing campaign,’ searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.”

How did this happen, and what recourse do you have if you are similarly searched?

Sadly, the used of (entirely unrelated) international travel as a pretext for searches of electronic devices and data, including searches or researchers and journalists, is not new.

A TECS Lookout can be used by the DHS or other Federal agencies to flag, watch for, and intercept any “person of interest” whenever they take an international flight to or from the US, regardless of whether there is probable cause for a search warrant.  A TECS Lookout can be set at the request of any Federal law enforcement agency, for any reason.  It’s also no surprise that this loophole for pretextual searches is being used by IRS agents: As we have noted previously, it’s described in detail in the section of the IRS’s manual on techniques for “Locating Taxpayers and their Assets”.

Mr. Curry reportedly said he was later told that the copies of data seized from his phone by Federal agents had been deleted, and the subpoena was withdrawn. But it also appears that, as a blogger, his data was protected from seizure by the Privacy Protection Act, which provides greater protection for many travelers’ data than most other forms of privilege. If Mr. Curry had known to assert his status and rights under the Privacy Protection Act, he would probably be entitled to damages from the agents who searched and seized his data.

Sep 26 2023

Broader challenge to Federal blacklists filed in Boston

In a nationally-significant lawsuit, the Council on American-Islamic Relations (CAIR) has filed the most comprehensive challenge  to date to the US government’s system of arbitrary and extrajudicial blacklists (“watchlists”) used to stigmatize and impose sanctions on innocent people — almost all of them Muslim — without notice, trial, conviction, or any opportunity, even after the fact, to see or contest the allegations or evidence (if any) against them.

The lawsuit, Khairullah et al. v. Garland et al., was filed last week in Federal District Court in Boston on behalf of twelve Muslims from Massachusetts and other states who have been stopped, prevented from traveling to, from, or within the US by air, harassed, delayed, interrogated, threatened, strip-searched, had all the data on their electronic devices copied, detained at gunpoint, denied permits, and had banking and money-transfer accounts summarily and irrevocably closed, among other adverse consequences:

Plaintiffs, along with over one million other people, have been placed by Defendants on the federal terrorist watchlist. Defendants claim the power to place an unlimited number of people on that list and, as a result, subject them to extensive security screening, impose adverse immigration consequences on them, and distribute their information to thousands of law-enforcement and private entities, which then use it to affect everyday interactions like traffic stops, municipal permit processes, firearm purchases, and licensing applications.

Congress has never statutorily authorized the creation, maintenance, use, or dissemination of the Terrorist Screening Dataset, its subsets like the Selectee List and No Fly List, the Quiet Skies and Silent Partner systems, or any other rules-based terrorist targeting lists.

WHEREFORE, Plaintiffs requests this Honorable Court grant declaratory and injunctive relief….

The complaint includes a depressingly thorough, detailed, and diverse litany of incidents of interference with normal life, especially with normal travel.

One US citizen plaintiff now abroad has been effectively exiled because the US government won’t allow any airline to transport him back to the US from overseas.

The effects of blacklisting can last for life. Because the US government continues to stigmatize “formerly” blacklisted individuals and flag them to its own agents and third parties including foreign governments, some of the plaintiffs continue to suffer these consequences despite having purportedly been “removed” from US “watchlists”.

Because the US government’s blacklisting algorithms incorporate explicit guilt-by-association criteria, some plaintiffs have had their friends, family members, and colleagues targeted for adverse treatment solely on the basis of having “associated” (an act protected by the First Amendment to the Constitution) with a blacklisted person.

As the complaint explains:

[B]ecause Defendants consider being a relative, friend, colleague, or fellow community member of a TSDS [Terrorist Screening Dataset] Listee “derogatory information” supporting placement on the watchlist, Muslim communities are subjected to rapidly-unfolding network effects once one member is watchlisted. One nomination, even if grounded in probable cause or a preexisting criminal conviction, can quickly spiral into Defendants classifying nearly every member of an extended family or community mosque as a suspected terrorist.

A similar lawsuit, also brought by CAIR, led a Federal District Court judge in Virginia to rule in 2019 that the Federal blacklisting system was unconstitutional. But that ruling was overturned in 2021 in a strikingly poorly-reasoned opinion by the 4th Circuit Court of Appeals.

The new lawsuit has been brought in a different circuit (the 1st Circuit), and the new complaint includes more recent information — including the disclosure of the no-fly and “selectee” lists — and arguments to bolster the case and counter the claims made by the 4th Circuit judges.

Lawsuits like this take years to be resolved, but we’ll be watching this one closely.

Sep 04 2023

Transit payment systems and traveler tracking

Last week 404 Media published a report by Joseph Cox on how the New York Metropolitan Transit Agency’s website can be used as a remote stalking tool: anyone who knows a credit card number that was used to purchase or add value to an OMNY transit farecard could view a historical log of the last seven days of trips taken using the card, including the dates, times, and locations where the card was read at subway entrances or boarding buses.

Less than 24 hours after this report was published, this “feature” was removed from the MTA website.

But that doesn’t solve the problem.

The main problem with the MTA payment system — and similar systems in other cities — isn’t that anyone could access your trip history by typing in your credit card number (which every waiter you ever bought a meal from with that credit card has access to,  and every domestic violence abuser in your household also knows).

The real problem is that the MTA transit system is building a permanent database of all your trips, period. The MTA is still logging transit passengers’ movements, and those logs are still available to the MTA itself, police, anyone the MTA chooses to share them with, or anyone who hacks into the TSA’s records.

If the MTA didn’t collect this data in the first place, there would be no way for anyone to abuse it.

Read More

Aug 24 2023

Border and airport searches for “privileged” information

Most people think of communications between attorneys and their clients as being among those having the highest level of legal “privilege” against compelled disclosure to the government.  And it is widely believed that the US lacks a Federal “shield law” protecting journalists against being forced to reveal confidential sources.

The assumptions are, in some situations and with respect to certain information, well founded. But a recent Federal decision by the 5th Circuit Court of Appeals has belied those assumptions and created a situation — at least in the 5th Circuit — in which attorney-client communications have significantly less protection at borders and ports of entry than information in the possession of journalists and others involved in communicating information to the public.

This makes it more important than ever for all travelers — including lawyers who assume that the information in their possession is best protected under the attorney-client privilege, and individuals who don’t think of themselves as journalists — to be familiar with the protections of the Federal Privacy Protection Act of 1980 (42 US Code §2000aa), and to proactively assert their protected status and their rights under this law if their data or devices are searched or seized

Here’s what was decided in this recent case about attorney-client communications, and what protections travelers still have pursuant to the Privacy Protection Act:

Read More