May 22 2024

New DHS publicity about REAL-ID

[Portion of airport sign from May 2024 DHS media toolkit.]

A year before the most recently self-imposed “deadline” on which the Department of Homeland Security (DHS) has threatened to start illegally denying passage through Transportation Security Administration (TSA)  checkpoints at airports to would-be travelers without ID it deems sufficiently “compliant” with the REAL-ID Act of 2005,  the DHS has launched a new campaign of advertisements, press releases, and signs in airports to publicize its threat to start restricting the right to fly without ID.

“Starting May 7, 2025, you need a REAL-ID* to board domestic flights,” the TSA says, with a footnote in much smaller print, “or acceptable alternative”.

Is this threat for real? No, no, and no.

No #1: The May 7, 2025 date is entirely arbitrary, not fixed by law, has been extended time and time again for years, and can and likely will be extended again.

This is a threat, not a deadline. As our friend Jim Harper notes in his latest article in The Atlantic, “The Real ID Deadline Will Never Arrive”:

[T]hose airport signs and travel stories have been telling us about a final deadline for more than 15 years. And yet, that deadline has never arrived. If past extensions are any indication, it probably never will….

Fortunately, the threat of being denied boarding without a compliant license is hollow…. Under any likely scenario, the political costs of turning Americans away at airports in May 2025 will be too high. Here’s my prediction: Well before next May, the Real ID compliance deadline will be rolled back again.

No #2: Perhaps in response to our criticism of their previous litany of lies about the REAL-ID Act and ID to fly, the TSA has added a footnote to its latest signage, “or acceptable alternative”.

What’s not obvious is that an “acceptable alternative” to REAL-ID to fly is no ID at all.

As the TSA has admitted, thousands of people fly without ID every year. Nothing in the REAL-ID Act, and no current or proposed legislation or regulations, would change that.

No #3: Imposing a requirement to have, carry, or show ID to travel by common carrier– even if that were  Constitutional, which we don’t think it would be — would require new legislation and/or regulations.

The TSA has twice (in 2016 and again in 2020) given notice that it intended to propose new procedures to require air travelers to show ID. But it never actually submitted those proposals, much less obtained the required regulatory approvals. Numerous procedural steps would be required before any such plan could go into effect.

Travelers can and should say “No” to these DHS/TSA attempts to intimidate us into surrendering our rights.

But while the DHS and TSA aren’t about to follow through on their latest ultimatum — not now, not next year, and probably never — they aren’t going to stop making these baseless threats until Congress and/or the courts  say “No” as well.

States should prepare to litigate to defend their residents’ right to travel. Congress should put an end to this endless shakedown by repealing the REAL-ID Act in its entirety. It was a bad idea when it was enacted in a post-9/11 panic, and it’s still a bad idea today.

May 09 2024

Office of Legal Counsel recognizes the right to travel

In researching the law on the right to travel to obtain an abortion, we were pleased to notice an advisory opinion from the Office of Legal Counsel (OLC) that, although only in passing, explicitly acknowledges the right to travel.

OLC is the division of the US Department of Justice that serves as the office legal advisor to the White House and all Executive Branch agencies of the federal government. OLC publishes only a handful public advisory opinions each year, so each of them is significant.

In late 2022, the General Counsel of the US Postal Service asked OLC for advice on whether existing Federal laws (specifically the Comstock Act of 1873) should be interpreted as prohibiting the Postal Service from accepting packages containing abortion-inducing drugs.

OLC’s opinion on this issue includes the following comment, with footnote:

[Even] if a state prohibits a pregnant person from ingesting mifepristone or misoprostol for the purpose of inducing an abortion, such an individual has a constitutional right to travel to another state that has not prohibited that activity and to ingest the drugs there.

Footnote: See Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring) (“[M]ay a State bar a resident of that State from traveling to another State to obtain an abortion? In my view, the answer is no based on the constitutional right to interstate travel.”); id. (referring to the question as “not especially difficult”); see also Bigelow v. Virginia, 421 U.S. 809, 824 (1975) (explaining that Virginia could not “prevent its residents from traveling to New York to obtain [abortion] services or . . . prosecute them for going there” (citing United States v. Guest, 383 U.S. 745, 757–59 (1966))).

We find this portion of the OLC opinion noteworthy for two reasons:

First, it’s been relatively rare in recent decades for the U.S. government, perhaps especially at the highest levels of overall Federal policy and legal thinking, to explicitly acknowledge the right to travel, much less to acknowledge that it is well established Constitutional law.

Second, the fact that this opinion was issued in this particular context highlights the truism that most people become concerned about rights only when their own rights, or those of people they identify with, are threatened. In other contexts, the same Federal administration (like its predecessors) has been vigorously defending the authority of Federal agencies to impose arbitrary extrajudicial restrictions on the right to travel.

The reality, of course, is that it could be any one of us whose rights are restricted. Human right should be a concern for each of us, whether or not we are currently being targeted. Each of us could become a target of the government, for reasons we may not be able to anticipate. The only way to effectively defend our rights is to defend everyone’s rights.

Legislators and Federal agency officials shouldn’t wait until their own rights, or the rights of those they can identify with, are threatened. But better late than never.

We are glad that OLC has, in this case, recognized the right to travel. We hope they remember to apply the same principles and act consistently in other cases.

May 06 2024

Facial recognition and “identity verification”

A new effort is being made by some Senators to restrict the use of facial recognition by the Transportation Security Administration (TSA), airlines, and airports in the US.

But the proposed cure may be worse than the disease. The latest version of the proposed legislation, while undoubtedly well intentioned, includes a provision that would, for the first time, provide a basis in Federal law for “identity verification” of airline passengers.

The problem with facial recognition is that it’s a tool for identifying people. Legalizing (unjustified and previously unlawful) demands for travelers to identify ourselves in other ways is not a solution to the problems of either facial recognition or ID demands.

S. 3361, the “Travel Privacy Protection Act of 2023”, was introduced in the Senate in November 2023, and remains pending. But standalone bills like this have very little chance of being considered, especially in the current Congress.

With Congress acting on only a few bills that are considered essential to keep the  government operating, other legislation is likely to be acted on only if it can be attached to one of these “must-pass” bills. So some of the sponsors of S. 3361 have incorporated provisions to restrict the use of facial recognition, plus new provisions for alternative means of “identity verification” of travelers, into an amendment to the pending  bill to authorize continued operations of the Federal Aviation Administration (FAA).

We assume that the new “identity verification” provisions in the proposed amendment to the FAA reauthorization bill were added to the previous version of the legislation to address objections from the TSA, the airline industry, and airport operators, all of whom have invested heavily in shared infrastructure for facial recognition at airports on the assumption that it has already been agreed to as a government and industry standard.

The proposed amendment to the FAA reauthorization bill would explicitly authorize the use of facial recognition at US airports, provided that the TSA “provides each protected individual, at the request of the protected individual, with the option to choose between identity verification with or without facial recognition or facial matching software.”

This would be a major change, since no provision of current law authorizes the TSA to operate, or to require travelers to submit to, any sort of ID verification.

Congress should not be intimidated by the threat of facial recognition into authorizing the TSA, airlines, or airport operators to  require travelers to identify ourselves.

A choice between submitting to facial recognition so that we can be identified, and showing documents so that we can be identified, is not a choice we should have to make.

Regardless of how we are identified, we know how our identity will be used by the TSA and its commercial and governmental partners in the US and around the world.

The TSA will check our identity against the million and a half mostly Muslim names on the TSA’s no-fly blacklist, use our identity as one of the inputs to the algorithmic black box they use to decide whether to send the airline a Boarding Press Printing Result (BPPR) that “permits” the airline to issue a boarding pass for each of our flights, and use it to link its record of our flight to the permanent file it keeps about each of us. None of this is lawful or serves any legitimate purpose. Congress should put a stop to all of this.

The TSA offers the misleading reassurance that unless we are determined to pose a threat, it won’t retain facial images and other information about our travel. But since the threat-assessment algorithms and outcomes are secret, there’s no way to know whether information about us and any particular flight we take has been retained.

Compelled warrantless, suspicionless ID requirements violate the Fourth and Fifth Amendments to the US Constitution and international treaties protecting the right to freedom of movement both internationally and within the US.

If Congress wants to rein in the TSA and its use of facial recognition, Congress can and should explicitly prohibit the TSA from requiring travelers to identify ourselves, regardless of whether that identity verification is conducted by inspection of ID documents, facial recognition, or other means. Unless our right to travel has been restricted by court order, who we are is irrelevant to our right to travel by common carrier.

May 01 2024

Combining radio and visual tracking of road vehicles

[Jenoptik “Trafficatch” wireless detection device and the data it collects ]

In the latest escalation of surveillance of travelers, data from automated license plate readers (APLRs) is being merged with data from devices that record the unique identifiers of passing WiFi, Bluetooth, and Bluetooth Low Energy (BLE) devices, including always-on devices intended for in-vehicle communications, entertainment, and network access.

Most new cars, SUVs, and light trucks have built-in WiFi access points and Bluetooth and/or BLE connectivity. Each of these wireless access points transmits a unique identifier — usually fixed or not readily changeable by the vehicle owner or operator — to enable devices in the vehicle — cellphones, wireless earbuds, etc. — to establish and maintain connections. Each of those devices broadcasts its own unique and often fixed identifier.

Once the unique identifying numbers of the in-vehicle wireless access points are linked to a vehicle and the vehicle’s registration record and owner by matching the time and location of device detection with an ALPR scan of the vehicle’s license plate, they can be used to track those devices and log their movements in a permanent file associated with the registered owner, even when those devices leave the vehicle.

So if you use your Bluetooth or BLE earbuds to listen to music or make a phone call in a car, even as a passenger, police can and possibly will continue to track your earbuds’ movements and associate them with that car.

According to a report by Byron Tau for NOTUS  (a new nonprofit newsroom founded and funded by Robert Allbritton, the former publisher of POLITICO), wireless “device detectors” and the back-end systems to link ALPR and wireless device tracking data have been purchased by local police departments in border communities in Texas using grant money from the US Department of Homeland Security (DHS) and the  state of Texas.

According to responses to requests for information about bids for government contracts from Jenoptik, the supplier of this system of detectors and databases:

Jenoptik’s Trafficatch wireless device detection is a value add addition to its Vector fixed ALPR solution. Trafficatch records wireless device Wifi, Bluetooth, and Bluetooth Low Energy (BLE) signal identifiers that come within range of the device to record gathered information coupled with plate recognition in the area. This can provide additional information to investigators trying to locate persons of interest related to recorded
crimes in the area.

This should be illegal without a warrant, but current case law leaves enough uncertainty that police may feel that they can get away with this sort of tracking without a warrant.

According to the report by NOTUS, this vehicle and device tracking data is being shared through NLETS (the National Law Enforcement Telecommunications Network). The unusual status of NLETS makes it almost impossible to tell how this data is being used. It could be used to track people and vehicles across state lines or other jurisdictional boundaries, including to identify and track people traveling to obtain abortions.

Like AAMVA, NLETS is nominally a nongovernmental nonprofit organizations, but its members are government agencies.  AAMVA members are the heads of state driver and motor vehicle licensing agencies; NLETS members are Federal, state, and local law enforcement agencies for which NLETS has long served as a private police network in parallel with public communications networks. Once the operator of a dedicated police telex network (like the parallel special-purpose networks operated for airlines and banks)  NLETS is today the hub of the “police Internet“, providing both communications and database hosting services. Because NLETS is nominally “private” and nongovernmental, it itsn’t directly subject to any Federal, state, or local FOIA, public records,  or open meeting laws.

Apr 23 2024

10th Circuit: Demand for ID requires suspicion of a crime

Narrowing the damage done by its 2015 ruling in the Identity Project case of Mocek v. Albuquerque, the 10th Circuit Court of Appeals has ruled that it is clearly established law that, even in a state such as New Mexico that requires individuals suspected of crimes to identify themselves to police on demand, a valid demand for ID must be predicated on “reasonable suspicion” that an individual has committed some other predicate crime.

The plaintiff in the latest 10th Circuit case, Albert Jerome Bustillos, is an independent journalist and YouTuber. He was wrongly arrested for video and audio recording from a public street outside an oil refinery in Artesia, NM, on September 11, 2018.

Like Mr. Mocek, who was falsely arrested for recording TSA checkpoint staff at the Albuquerque airport, Mr. Bustillos was wrongly charged under a New Mexico law that makes it a crime to “conceal” your identity if you are lawfully stopped by police.

The Supreme Court has — wrongly, we believe — upheld state laws that require individuals to identify themselves verbally by name to police, but only if police already have an objectively reasonable, articulable basis to suspect them of some specific crime.

We think these laws are facially unconstitutional because they violate the Fifth Amendment right to remain silent. If you aren’t lawfully detained by police on reasonable suspicion of having committed a crime, you can (and generally should) entirely ignore any questions from police. If you are suspected of a crime, that is all the more reason why you can (and generally should) assert your Fifth Amendment right to remain silent.

Not all states have “stop and identify” laws. California, among others, does not. Even in states that have such laws, they require only verbal self-identification. They do not require anyone to possess, carry, or show ID credentials or any other evidence of their identity.

All of this is, we think, clearly established Constitutional law. But courts more eager to protect police against accountability than to protect the rights of their victims have sometimes strained, after the fact, to come up with reasons that police might reasonably have suspected those they stop of crimes — even if in fact the police had no such suspicion.

Like Mr. Mocek, Mr. Bustillos was eventually found not guilty of all of the charges against him, and like Mr. Mocek he then sued the police for violating his civil rights.

Read More

Apr 01 2024

Tracking vehicles across state lines

As the number of women traveling across state lines to obtain abortions continues to grow (analysis of trends, statistics and map), recent reports have confirmed the reality of some of the ways we feared that motorists traveling for these or other purposes can be identified and tracked.

The ACLU of Northern California and Bob Egelko of the San Francisco Chronicle have reported that, despite a directive from the California Attorney General forbidding California state and local government agencies from sharing automated license plate recognition (ALPR) data with out-of-state entities, police in some California cities are continuing to share this location data with out-of-state police and/or interstate data brokers.

The order from the Attorney General was specifically intended to prevent other states from using ALPR data from California to identity or take action against abortion travelers.

Even if California police bring their practices into compliance with state law and the state Attorney General’s directive, that won’t stop police in other states from buying ALPR data collected by private entities in California — the owner or operator of a parking garage across from an abortion clinic, for example — and aggregated and resold by commercial data brokerages.

Meanwhile, in the New York Times, Kashmir Hill reveals that automobile manufacturers have been selling motor vehicle telemetry information, collected by onboard sensors and control systems and transmitted by cellular data transceivers embedded in euphemistically-named “infotainment” systems, to data brokers including Lexis-Nexis.

While the focus of Hill’s article is on the use of this data by auto insurance companies, law enforcement agencies including the TSA are customers of Lexis-Nexis.

Hill says the data sold in bulk by vehicle manufacturers and disclosed to vehicle owners by Lexis-Nexis in response to requests pursuant to the Fair Credit Reporting Act didn’t explicitly include vehicle location data.  But that doesn’t mean that location data isn’t available to vehicle manufacturers or police.

Most vehicles with embedded cellular data transceivers also have embedded GPS receivers. Enabling those systems to send GPS location pings to the manufacturer, if that isn’t being done already, would require only a remote software “upgrade”. As long as the manufacturer has the ability to push out software turning on location reporting, the manufactuerer could be compelled to do so by a court order such as has been used to force other companies to spy on and report travelers’ movements.

The only way to prevent this is not to build this capability into vehicles. But most vehicle purchasers or drivers don’t know that their car has a built-in self-surveillance system with its own wireless data transmitter that “phones home” to the manufacturer, much less what data it transmits or could be silently and remotely enabled to transmit.

That’s not the only threat model inherent in having an embedded SIM  and wireless data connectivity built into your vehicle. Because the telemetry system connects to the Internet over the wireless cellular data network, the network operator knows which cell tower the unique SIM in the vehicle is registered with whenever the telemetry system is active, which is generally whenever the vehicle is in operation — and could be switched to be always on.

Law enforcement agencies already use fishing-expedition “geofence” warrants to identify all cellphones in the vicinity of times and places of interest. As the percentage of new vehicles with embedded SIMs and always-on cellular modems continues to increase, they are likely to use similar warrants directed to wireless network operators to identify all the “connected cards”  that were registered on those networks in specific locations and times.

We’d welcome reports from anyone who has obtained a complete report of the data collected by either (a) the manufacturer of their vehicle or (b) the  operator of the mobile network uses by the vehicle telemetry system. (It may be easier for vehicle owners in Canada than in the USA to obtain this data through access requests under the Canadian PIPEDA law, which has no US counterpart.) We’d also welcome reports from anyone who has tried to opt your vehicle out of manufacturer telemetry or have the telemetry system removed, disabled, or placed under driver control.

Mar 25 2024

City ID and the right to travel

In recent overviews, we’ve discussed the barriers to getting a passport or state-issued driver’s license or ID card (especially in states that have chosen to participate in the national REAL-ID system and database) and the difficulties faced by travelers without ID.

Some cities, notably including New York and San Francisco, have attempted to mitigate the discrimination against their residents who are unable to get Federal or state ID by issuing municipal ID cards.

How useful are these city IDs for travelers without other ID? Do they solve the problem of demands by common carriers for ID to travel by bus, train, or plane?

The short answer is that these city ID cards succeed in mitigating the damage that results from demands for ID to travel, but they aren’t a real solution to the problem.

Here’s what happens if you want to travel with a city ID: Read More

Mar 21 2024

US Department of Transportation to investigate airline data privacy

Today the U.S. Department of Transportation (DOT) announced plans for a “a privacy review of the nation’s ten largest airlines regarding their collection, handling, maintenance, and use of passengers’ personal information.”

The review will include airlines’ compliance (or not) with the so-called Privacy Shield framework for transfers of personal data from the European Union to the US. As DOT notes on its website, “DOT is the enforcement authority for airlines participating in Privacy Shield. DOT shares jurisdiction with the FTC regarding ticket agents participating in Privacy Shield.”

This is a positive step, but we’re reserving judgment until we see what DOT actually does.

The review is to be conducted by DOT’s Office of Aviation Consumer Protection, which has demonstrated little expertise or interest in privacy issues despite its enforcement authority with respect to airline privacy practices. DOT’s Advisory Committee on Aviation Consumer Protection raised these issues a decade ago, but there’s been little visible change or enforcement activity. And the terms of reference for the review, as described in DOT’s press release today, make it unclear whether DOT will be looking into how personal information in airline reservations is made available to US and foreign governments, or whether DOT’s review will be limited to commercial use of airline data.

Stay tuned.

Mar 20 2024

It’s not a crime not to show ID

In September of 2023, in a case that originated in Huntsville, Alabama, the 11th Circuit Court of Appeals ruled that “It was… clearly established at the time of Mr. Edgar’s arrest that [a police officer] could not demand he produce physical identification. And because Officer McCabe’s demands for an ‘ID’ or a ‘driver’s license’ went beyond what the statute and state law required of Mr. Edger, she violated clearly established law. Under this set of facts and these precedents, no reasonable officer could have believed there was probable cause to arrest Mr. Edger for obstructing governmental operations by violating [Alabama Code]  § 15-5-30.”

Apparently, the police in Andalusia, Alabama didn’t understand this already clearly-established state and Federal law, and didn’t get any training about this decision.

On February 23, 2024, a police officer in Andalusia arrested Ms. Twyla Stallworth in the doorway of her own house for declining to show ID and (correctly) telling the officer that she wasn’t required to show ID, least of all in her own home. “Provide ID or go to jail,” arresting officer John G. Barton of the Andalusia Police told Ms. Stallworth.

Toward the end of this cellphone video recorded by Ms. Stallworth’s son, Officer Barton specifically cites Alabama Code § 15-5-30 — the law the 11th Circuit found was already clearly established not to require showing ID or to provide a basis for such an arrest — as his basis for arresting Ms. Stallworth.

Officer Barton took Ms. Barton away in handcuffs even after he read the text of this law to her son, who pointed out to the officer (correctly, and as the 11th Circuit had recently found was already well established) that the law does not require anyone to show ID.

The charges against Ms. Stallworth were dismissed, and after she got a lawyer the Mayor of Andalusia publicly apologized to her. The Mayor described the arrest as a “mistake”, said that Officer Barton “has been disciplined” in an unspecified manner, and promised that “the entire [Andalusia Police] department will receive additional training on Constitutional law, the laws of the State of Alabama, and the City of Andalusia’s ordinances.”

One lesson of this incident, of course, is of the importance of recording the police. We doubt Ms. Stallworth would have gotten an apology without video of what happened.

But as it relates to demands for ID, here’s the takeaway:

The law is clear: Stating your name is not the same as showing ID.

There are some states in which state law requires you to (verbally) identify yourself to a police officer (who has identified themself as a police officer), by stating your name, if and only if there is probable cause to suspect you of some other crime. There are some activities such as driving a motor vehicle that require a license.

There is no US state in which — as a pedestrian, a passenger in a car driven by someone else, or in your own home — you are required to have, carry, or show ID, even if you are stopped and questioned and there is probable cause to suspect you of some other crime.

If police ask to see your ID, and you aren’t driving or doing something else that requires a specific license, you have the right to just say “No”.