May 04 2020

Dare County tries to evade court review of its entry controls

Local government controls on travel to the Outer Banks (barrier-beach islands) of North Carolina remain in place, but local officials are making changes to try to head off a court decision on the Constitutionality of their emergency orders restricting free movement.

A month ago, as we reported earlier,  Dare County, North Carolina, set up checkpoints on all three roads leading into or out of the county. Police began denying passage along these public rights-of-way on the basis of  criteria including whether travelers have government-issued ID (even if they are passengers rather than drivers, or traveling on foot or by bicycle,  for which no drivers’ license is needed); what address is shown on their ID (if any —  U.S. passports, for example, show no address); which direction they are traveling; and whether they have been sponsored for an “entry permit” by an entity with a business license issued in Dare County.

County officials represented their emergency orders imposing these restrictions on travel  as health measures in response to the COVID-19 pandemic. But none of the criteria for who is allowed to pass through the checkpoints, or in which direction, have anything to do with whether travelers were believed, suspected, or likely to be infected with the novel coronavirus.

The emergency orders gave no indication of what, if any, procedures were available for administrative or judicial review of decisions to deny passage in or out of the county. But non-resident owners of homes in Dare County quickly brought suit in Federal court against the prohibition on traveling to their own seasonal, rental, or second homes.

Since then, the case has been referred for mediation, and the parties (non-resident property owners and the Dare County government) have requested and been granted a delay on the basis that they are in negotiations towards a possible settlement.

Today Dare County is beginning to allow passage across the bridges and into the county by non-resident owners of real property in Dare County, if and only if they have both an “entry permit” issued by the county and matching government-issued ID.

Read More

Apr 29 2020

No cellphone? Not at address on your ID? Hawaii threatens arrests.

“Aloha!” Passengers arriving at Honolulu International Airport on April 28th are interrogated and their cellphones are tested. Photo provided by the Hawaii Department of Transportation.

We’ve been puzzling over this press release issued April 24th by the Department of Transportation of the State of Hawaii, entitled, “Improved verification process implemented for airline passenger,” which begins as follows:

The Hawaii Department of Transportation (HDOT) has implemented improved measures to verify incoming passenger information before they leave the airport to help ensure people are abiding by the traveler quarantine order. The enhanced process is underway at the Daniel K. Inouye International Airport (HNL) and will begin statewide in the coming days.

We’ve read through the emergency proclamations by the Governor of Hawaii, and can’t find anything in the quarantine orders purporting to give authority to state officials to “verify passenger information.”

The press release threatens that anyone who arrives without  a working cellphone, charged, with service and coverage in the arrival area at the airport, will be arrested:

An airport representative will collect the two forms and begin verifying their information. First, they will call their mobile phone number to confirm it rings right in front of them. If it does not ring, the person may have listed inaccurate information and is asked to verify the number. If the person refuses to provide a phone number that can be answered on the spot, law enforcement is contacted and they are subject to citation and arrest.

We have no idea what the purported basis would be for arresting someone who isn’t carrying a cellphone, whose phone doesn’t have service in Hawaii (especially likely if they are arriving from another country), or whose cellphone battery has run down from watching  videos or playing games in airplane mode during a trans-oceanic flight.

But that’s not all:

Read More

Apr 20 2020

COVID-19, the REAL-ID Act, and ID to fly

A month ago — in what seems like it was long ago and in a galaxy far, far, away, before the COVID-19 pandemic reduced air travel in the US by more than 95% —  the US Department of Homeland Security was stepping up its baseless threats to begin “enforcement” of the REAL-ID Act against airline passengers on October 1, 2020.

There’s been no change (yet) in the REAL-ID Act or the regulations for its implementation, despite proposals that remain pending in Congress.

Over the last month, though, President Trump, Acting Secretary of Homeland Security Chad Wolf, and the Transportation Security Administration have each issued formal or informal notices or statements about their intentions with respect to the REAL-ID Act and ID demands for air travel.

As of now, it appears that the DHS/TSA “ultimatum” to air travelers to obtain “compliant” ID cards or be denied passage through TSA and contractor checkpoints at airports will be postponed yet again, this time for another year, until October 1, 2021.

After that date, it appears that the TSA intends to continue to allow people to fly even if they don’t show ID at checkpoints, but only if it the TSA or its contractors thinks that they have been issued some compliant ID (even though they don’t have it with them).

Is this legal? No. Does this make any sense? No. But it’s what the TSA seems to saying it plans to propose. The TSA  is asking for comments on this proposal from the public through May 19, 2020.

Read More

Apr 14 2020

Dare County wants to see your papers

Providing the rest of the USA with an object lesson in how not to react to a pandemic,  Dare County, North Carolina, has established checkpoints on all roads crossing the county borders, at which travelers must show their papers to enter the county.

Pursuant to a series of emergency declarations issued by the Dare County Board of Commissioners, law enforcement officers are demanding that each person seeking to enter the county show either a government-issued ID card with an address in Dare County, or both some other government-issued photo ID and a county-issued entry permit.

A Federal lawsuit has been filed, seeking to have this enjoined as unconstitutional (at least as applied to the named plaintiffs). But as discussed below, the lawsuit barely scratches the surface of the issues this raises.

Why is Dare County doing this? What’s wrong with this ID requirement? Is it legal?

Read More

Apr 09 2020

The Port of Seattle shouldn’t collaborate in Federal surveillance of travelers

The Identity Project is one of thirty organizations that have issued a joint open letter  calling on the Port of Seattle Commission to reverse its decision to purchase and deploy facial recognition systems, in collaboration and sharing data with US Customs and Border Protection (and through CBP with an unknown  variety of other Federal, foreign, and private entities), to track travelers passing through the  Seattle-Tacoma International Airport:

We, the undersigned organizations dedicated to protecting people’s rights and civil liberties urge the Commission to reverse the decision authorizing the Port to work collaboratively with U.S. Customs and Border Protection (CBP) to procure and implement facial recognition technology at SeaTac International Airport.

The Port of Seattle Commission:

  1. Has a choice to not collaborate with CBP.
  2. Should not facilitate the infrastructural expansion of powerful face surveillance technology.
  3. Should not facilitate CBP’s unauthorized surveillance of US citizens.
  4. Should abide by its professed principles by rejecting collaboration with CBP.

On March 10, 2020, Port Commissioners voted unanimously to collaborate with CBP in rolling out its facial recognition program, ignoring the many privacy, civil liberties, and community organizations that urged the Port to reject participation.

Instead of taking into account the serious constituent concerns about the Port participating in CBP’s unlawful mass collection of biometric data, Commissioners voted to authorize a $5.7 million Request for Proposal (RFP) to procure and implement a facial recognition system at SeaTac International Airport….

We urge you to reject collaboration in CBP’s face surveillance program and reverse the decision to
authorize the procurement of facial recognition systems.

The real motives of the members of the Port Commission in reneging on their professed principles and spending $5 million in Port funds to build an infrastructure of facial recognition surveillance into the new international terminal at Sea-Tac remain unclear.

But the reduction in demand for air travel during the COVID-19 pandemic, which will delay any need for a new terminal for many months, gives the members of the Port Commission time to reconsider and reverse the hasty decision they made last month under CBP pressure.

Do you live, work, or travel in the Seattle area? Do you care about the right to travel? The Port of Seattle Commission needs to hear from you.

The Port Commission has suspended in-person meetings. It’s not clear when the Commission’s next public meeting will take place, or what means of public input or participation will be available. So if you want to be heard by the Commissioners, it’s best to e-mail them now.

If you’d like to join us and the other 29 allied organizations in this call for action, the ACLU of Washington state has a form on their Web site to send a customizable message to each of the members of the Port of Seattle Commission.

Apr 06 2020

Airline passenger data and COVID-19

The New York Times published a lengthy but deeply flawed report last week,  “Airlines Refused to Collect Passenger Data That Could Aid Coronavirus Fight.” Here’s the lede:

For 15 years, the U.S. government has been pressing airlines to prepare for a possible pandemic by collecting passengers’ contact information so that public-health authorities could track down people exposed to a contagious virus.

The airlines have repeatedly refused, even this month as the coronavirus proliferated across the United States. Now the country is paying a price.

The implication of both the headline and the article is that airlines “could” have collected and provided the government with the (additional) information it wants. But that isn’t true.

While the Times’ reporters interviewed multiple government sources, they failed to fact-check this allegation with any sources independent of airlines or the government. And they failed to mention — if they even realized, which they may not have — that this isn’t an isolated dispute, but part of a continuing saga that has been going on since 9/11.

The supposed basis for the government’s demands for airlines to collect and pass on more information about travelers has shifted from “security” to “health.” But what’s happening is just another chapter in a long-running story.

Understanding that story requires a deep dive into twenty years of history of airline and government collaboration and conflict over collection and use of data about travelers.

Here’s some of the factual and historical context that the Times overlooked:

Read More

Mar 30 2020

“Known Traveler Digital Identity” (KTDI)

On March 26, 2020, the World Economic Forum published specifications  and launched a new website for a project it has christened “Known Travel Digital Identity” (KTDI):

KTDI is a “surveillance-by-design” vision for tracking and control of travelers more dystopian than anything we have seen before.

KTDI would use a blockchain-based distributed ledger to bind together, through an app on a traveler’s mobile device, all of the following data:

  • Biometrics (initially facial images, possibly also fingerprints, etc.)
  • Government-issued ID credentials (passport number, etc.)
  • Travel history including logs of border crossings, hotel stays, and possibly also car rentals and/or other events
  • Purchase logs and possibly bank account information and/or other financial and transaction records
  • Pre-crime predictive “risk assessment” and profiling scores generated at each “intervention” point before and during each trip or transaction

Read More

Mar 24 2020

How drivers license photos are aggregated and shared

During a press conference yesterday, President Trump announced a postponement of the “deadline” previously announced by the Department of Homeland Security for “enforcement” of the REAL-ID Act of 2005 at TSA checkpoints:

I’m also announcing that we’re postponing the deadline for compliance with REAL ID requirements…. We will be announcing the new deadline very soon. It’s going to be announced in a very short moment.

The REAL-ID Act “deadline” was set by DHS press release, not by law or regulation. It’s unclear if a new date will be announced by decree of the Secretary of Homeland Security, or by promulgation of regulations. There has been no further announcement by the DHS, and there is no notice of rulemaking in the Federal Register today.

As we noted yesterday, neither a postponement nor any of the other proposed amendments to the REAL-ID Act would address the central problems in this law: the requirement for states that want to be deemed “compliant” to share their drivers’ license and state-ID databases with all other states.

Read More

Mar 23 2020

In a pandemic, freedom is the first casualty

We’ve seen before — notably after September 11, 2001 — how a crisis can result in damage to rights and freedoms that persists long after the initial cause of public panic.

Some advocates for restrictions on individuals and our movements and activities will exploit any crisis to ratchet the mechanisms of surveillance and control tighter.

Other officials, including many who mean well but are too traumatized to recognize the long-term consequences of their short-term actions, will advocate “temporary” restrictions on individual rights and freedoms that almost inevitably become permanent.

We don’t yet know what the cost in lost lives of the coronavirus pandemic will be. But we can already see the outlines of some of its potential cost in lost civil liberties.

Earlier in the pandemic, we reminded our readers of the risks of abuse of overbroad quarantine powers. But that’s only one aspect of the problem.

The basic methodology of control of travel and movement is that compulsory identification of travelers enables surveillance (tracking and logging) of travel and movement histories, and control of future movements based on individuals’ identities and the histories and other databases of personal information linked to those identities.

Already, changes to policies and practices related to (1) identification, (2) surveillance, and (3) control of travelers have all been proposed in response to the coronavirus pandemic: Read More

Mar 10 2020

Seattle Port Commission reneges on its “principles” for facial recognition

[CBP sign at biometric boarding gate at Newark Liberty International Airport. Note the absence of the OMB Control Number and other notices required by the Paperwork Reduction Act.]

Repudiating the principles for assessment of biometric identification of travelers  it adopted in December 2019, and effectively mooting the policy development process it had begun since then, the Port of Seattle Commission voted unanimously today to authorize a $5 million, ten-year contract to purchase and install Port-owned common-use cameras and facial recognition stations at all 30 departure gates of a new international terminal.

The Port issued a detailed, self-congratulatory press release within minutes after the vote, which strongly suggests that Port staff knew how the Commissioners would vote before today’s charade by the Commissioners of taking comments from the public and “debating” the issue even began.

Behind the scenes, US Customs and Border Protection (CBP) appears to have been playing hardball, using the typical law enforcement line of, “We’re going to do this to you anyway. You can either choose to make it easy for us, or we’ll make it hard on you.” The Seattle Times reported after the Port Commission vote that CBP recently began fingerprinting non-U.S. citizens boarding some international flights at Sea-Tac Airport. It seems likely that the implicit or explicit threat by CBP was that if the airport didn’t install and deploy automated facial recognition to track passengers, CBP would use a more humiliating form of biometric tracking, fingerprinting departing non-U.S. citizens the way it already fingerprints non-U.S. citizens when they arrive in the U.S.

The choice for the airport and its governing board was whether to collaborate with CBP. Port Commissioners seemed to want to reign in CBP. But at the end of the day, they proved unwilling to assert their authority as an elected public oversight  board against the malign convergence of interest between government agencies, airlines, and Port staff who identify with the police and the airline industry more than with the public. The Port Commissioners  chose to have the airport actively collaborate with and front for CBP, at the airport’s expense, rather than dissociating itself from CBPs flagrantly illegal activities, making CBP do its own dirty work at its own expense, or trying to mitigate the damage through signage informing travelers of their rights.

The Port press release claims that “the Commission’s goal is to replace CBP”, but that’s clearly false and appears intended to mislead the public. In fact, the sole purpose of the cameras and software to be purchased by the Port is to augment, not replace, the ability of CBP to use, retain, and share photos as its sees fit. Every photo of a traveler taken by the Port cameras will immediately be sent to CBP. There’s no plan to replace CBP, deny it access to any photos, or expose its secret algorithms and secret biometric databases.

All of the comments from the public to the Port Commission on this issue, as members of the Commission acknowledged, were opposed to the Port collaborating with CBP on facial recognition or spending Port money to do so. Members of the public, including experts in cybersecurity and threat modeling, pointed out that many key questions about the Port’s proposal and CBP’s and airline’s practices, plans, and policies remain unanswered. Most urged the Commission to reject the proposal outright and withdraw its request for bids for facial recognition equipment. All commenters agreed that approval of the procurement contract would be premature until more information is made available to the public and the current policy development process is completed.

In our latest written comments to the Port Commission today, which we summarized in person at today’s meeting (see also our previous submissions to the Port Commission on December 10, 2019, and February 25, 2020), we pointed out that:

The proposed procurement and deployment would violate Federal law, the norms of Fair Information Practices (FIPPs), and the professed “principles”, including FIPPs, of both the Port and US Customs and Border Protection (CBP). It should be rejected, and the RFP for this project should be withdrawn or, at a minimum, postponed….

It isn’t just that CBP is violating the Privacy Act, or that collecting facial images and sending them to CBP would make the Port complicit in this violation of Federal law. The violation of the Privacy Act by CBP lies specifically in CBP’s outsourcing the collection of this personal data to the Port, airlines, or any other non-Federal entities.

This provision was and is included in the Privacy Act for good reason. The Port should heed it, and make CBP comply with Federal law by collecting any personal data it uses for making decisions about individuals, including facial images of travelers, directly from those individuals. CBP could collect this data itself at Sea-Tac, as it does at some other airports. It doesn’t want to, but it has clearly demonstrated that it could do so.

If there is one lane at a departure gate, or on arrival, where a uniformed CBP agent is photographing travelers, and one lane without a Federal law enforcement officer with a camera, travelers will have a much clearer and more informed choice – and one that, unlike the proposal before the Port Commission, might comply with the Privacy Act.

Port Commissioners claimed, quite implausibly, to think that having the Port install and operate the cameras would give the Port some control of how CBP uses the photos after the Port sends them on, or at least more control over signage. But CBPs “Biometric Air Exit Business Requirements” for its airline and airport “partners”, which were finally disclosed only two days ago in response to our request, and were never provided to or reviewed by the Port’s “Biometrics External Advisory Group” (BEAG), tell a different story about who’s in control. As we explained in our comments:

Some Port staff, in their proposals to the BEAG and the Port Commission, have suggested that by owning and operating facial recognition systems the Port would have more control over signage and other notices provided to the public to enable more informed consent and mitigate the harm to the public of CBP’s (illegal) activities.

But in fact, the proposed procurement would have exactly the opposite effect. By agreeing to comply with CBP’s “Requirements” – which are explicitly incorporated by reference in the RFP and the proposal for action by the Port Commission – the Port would be tieing its own hands and committing itself to display CBP’s signs – regardless of their truth or falsehood or their compliance with the law – and not to display any signage, make any announcements, or provide any information not approved by CBP.

Item 8 of CBP’s “Requirements” would prohibit the Port from posting any signs or distributing any communications pertaining to CBP’s use of biometrics without CBP’s prior approval.

Item 13 of CBP’s “Requirements” would obligate the Port to post whatever signage CBP demands, regardless of whether the Port considers it inaccurate, misleading, or incomplete.

In effect, these provisions would amount to a (self-imposed) gag order not to criticize CBP, and a (self-imposed) agreement to serve as a mouthpiece for CBP propaganda, regardless of its truth or falsehood. Rather than enabling the Port to mitigate the harms of CBP’s (illegal) practices through more or better signs or announcements, the proposed action by the Port Commission would prevent the Port from doing so.

If CBP fails – as it has failed to date at Sea-Tac and all other airports with biometric departure gates – to post the notices required by the Paperwork Reduction Act, informing individuals, regardless of citizenship or immigration status, of their right not to respond to any Federal collection of information that does not display a valid OMB Control Number and PRA notice, the Port itself should post such notices at all gates. But the Port won’t be able to do so without CBP approval (which wouldn’t be likely to be granted) if the Port Commission approves the proposal on your agenda for action today.

Port Commissioners approved a motion declaring that CBP’s uses of facial recognition at airports are “lawful”, while simultaneously and hypocritically dismissing our objections to CBP’s flagrant violations of Federal law by saying that, “We’re not judges. If a court says it’s illegal, we won’t do it.” This ignores the fact that, as we also noted in our comments, CBP and DHS have promulgated regulations exempting the databases in which they store facial images from the rights otherwise available to individuals under the Privacy Act to access, accounting of disclosures, and civil remedies for violations. This makes it all but impossible to have CBP’s practices reviewed by the courts.

Today’s decision by the Port of Seattle Commission sets the worst possible national precedent. But it doesn’t render the Port’s ongoing  process of developing policies for use of biometrics at Sea-Tac entirely irrelevant. We will continue to monitor the process and engage with the Port Commission as it considers use of facial recognition (in collaboration with, and sending passenger photos to, CBP and perhaps in the future the TSA) by airlines and other commercial entities for their own purposes.

As we noted in response to the first draft of a Port of Seattle policy for “non-Federally mandated” uses of biometrics:

Missing from that draft is any explanation of the purpose or justification for airlines to identify passengers, independent of any Federal mandate.

Airlines could, and did, operate for decades without requesting ID from passengers. Airlines began asking (but not requiring) passengers to identify themselves only when they were ordered to do so by the FAA (the predecessor of the TSA). The only lawful reason for airlines to ask passengers for ID is to satisfy a government mandate.

As common carriers, airlines are required to transport all passengers, regardless of who they are, and are required to sell tickets at prices determined by a public tariff.

An airline cannot lawfully “reserve the right to refuse service”. It cannot lawfully personalize prices or charge different prices based on passengers’ identities.

So why do airlines think they “need” to identify passengers at all, by any means?

One cannot assess the justification (or lack thereof) for biometric identification of travelers for non-Federally mandated purposes without first assessing the justification (or lack thereof) for identification of travelers generally for such purposes.

This assessment is entirely absent from the draft recommendations for Port policy, but is essential.