Papers, Please! – Page 37 – The Identity Project

May 18 2015

DHS still playing politics with FOIA requests

The latest response to one of our Freedom of Information Act (FOIA) requests confirms our suspicion that despite sworn testimony to the contrary to Congress by the DHS Chief FOIA Officer, the DHS has resumed, or never abandoned, its illegal practice of political interference and specially disfavored and delayed treatment of FOIA requests from journalists and activist organizations — including the Identity Project.

In 2005, the Associated Press discovered from the response to one of its FOIA requests for FOIA processing records that the DHS Chief FOIA Officer had ordered FOIA officers for the DHS headquarters and all DHS components (TSA, CBP, etc.) to flag all “significant” FOIA requests for special handling. “Significant” FOIA requests were to include, inter alia, any request on a controversial topic; likely to generate news coverage; or from a journalist, news organization, or activist organization (those terms being undefined in the order).

All planned actions on “significant” FOIA requests (acknowledgments of receipt, releases of responsive records, appeals, litigation, etc.) were to be reported in advance to the DHS “front office” for inclusion in a weekly report to the DHS White House liaison. Crucially, both the general order and the memos accompanying the weekly reports when they were circulated to all DHS and component FOIA officers explicitly forbade the release of any records or any other response to a “significant” request without the express prior approval of the DHS “front office”.

Questioned about this before a Congressional oversight committee during the ensuing scandal, DHS Chief FOIA Officer Mary Ellen Callahan swore that these orders didn’t really mean what they appeared to say. This was merely an “awareness” or “notification” system, not really an approval system, Chief FOIA Officer Callahan claimed:

[T]o my knowledge, no information deemed releasable by the FOIA Office or the Office of the General Counsel has at any point been withheld.

The Chief FOIA Officer told Congress, under oath, that the “notification” period had been reduced from indefinite to one day, and the default after one day, in the absence of “front office” action, had been changed from continued indefinite withholding to release of the response:

In fact, we continue to improve the system; DHS has now moved to a one-day awareness review for significant FOIA responses…. Significant FOIA releases are uploaded into a SharePoint system for a limited awareness review period – now one business day – and then automatically released by the relevant component FOIA office back to the requester.

But had anything really changed? We got an answer last week, as we were attempting to find out when we should expect a response to one of our requests for information about the “Federal Security Level” (FSL) that determines the date of applicability of certain REAL-ID Act rules for access to Federal facilities.

We requested information about what, if any, FSL has been assigned to each of a sampling of Federal facilities in the San Francisco Bay Area, including symbolic targets and critical infrastructure (the Golden Gate and Bay Bridges), Federal courthouses and office buildings, and more. We’ll be publishing those responses, and our analysis of them, in a future article.

At its mid-point, the San Francisco-Oakland Bay Bridge passes (in a tunnel between the east and west high-level spans) through Yerba Buena Island, a Federal reservation which constitutes the US Coast Guard Station San Francisco. We asked for records about the FSL for Station San Francisco, including the Bay Bridge, and about the FSL for the (former?) NSA listening post at Two Rock Ranch in Sonoma County, which operates as USCG Training Center (“TRACEN”) Petaluma.

The Coast Guard is a partially military, partially civilian component of both the DHS and the Department of Defense. The DoD also has special rules for “significant” FOIA requests, but they are quite explicitly a notification system, not an approval system like the (former?) DHS system. In any case, it appears that the Coast Guard generally processes FOIA requests in its civilian, DHS capacity.

Our request was submitted to USCG headquarters, but after some run-around was referred to local USCG FOIA Officers in San Francisco and Petaluma for their separate responses directly to us. So far, so good. We had several cordial conversations with Mr. Kevin Fong, the FOIA Officer for USCG Sector San Francisco. So far as we could tell, he seemed to be making a sincere effort to identify any records responsive to our request.

The week before last, Mr. Fong told us that he had been unable to identify any responsive records (which would seem to indicate that the Bay Bridge had never been assigned an FSL). Mr. Fong said that he would be sending us formal notice of his failure to find any responsive records.

Since no responsive records had been found, there were no legal or interpretive issues that might have required higher-level consultation or decision-making regarding whether any of those records might be exempt from disclosure. No further “processing” of records was required, since there were no records to process. The statutory deadline for the Coast Guard’s response to our FOIA request had long since passed, and a response could and should have been provided immediately.

Instead, we got radio silence for another week. When we called Mr. Fong at the end of last week to find out what was holding up his response, he told us that our request had been designated as “significant”. No surprise there. We’re an educational and activist organization that takes an interest in controversial and newsworthy topics. So far as we know, all of our requests are designated as “significant” and included in the weekly reports to the DHS White House liaison.

Mr. Fong continued, however, that because our request was “significant” he had been required to submit his proposed response to national headquarters (whether of the USCG or of DHS wasn’t clear), and had been forbidden to provide his formal written response until he received approval from headquarters. He had been waiting a week for that approval.

Assuming what Mr. Fong told us is true, this is exactly the practice that the DHS Chief FOIA Officer swore under oath before Congress had been ended five years ago.

We’ve called the attention both of Mr. Fong and of the USCG headquarters FOIA office to the discrepancy between the way our current request is being handled and the previous DHS claims about the alleged reform of the process for “significant” FOIA requests.

DHS responses to others of our pending FOIA requests may be similarly blocked, but we can’t tell for sure. An otherwise-complete response to another of our FOIA requests, two years overdue, is also being held up pending “final review”. For this request, however — unlike the request referred to the Coast Guard discussed above — we don’t know whether the review that is delaying the response the additional review and approval by the DHS “front office” required because =our request was deemed “significant”, or some other review.

We’re still waiting for any comment, or any official response to our original FOIA request.

May 01 2015

“Secondary inspection” used as pretext for airport drug searches

Air travelers are expected to identify themselves truthfully to law enforcement officers and “screening” personnel at checkpoints and in “secure” areas of airports. But the reverse isn’t true, apparently, for the police and other personnel carrying out airport “screening”.

Members of drug interdiction “Task Force Groups” (TFGs) comprised of state and local police and agents of the federal Drug Enforcement Agency (DEA) have been representing themselves to air travelers in “secure” areas of airports (beyond the TSA checkpoints) as conducting “secondary inspections”. In fact, these TFGs were conducting warrantless, suspicionless searches for illegal drugs that can be seized and generate forfeiture revenue for the agencies participating in the TFGs.

When these searches were reported (sometimes no records were kept), they were represented as having been “consensual”, even though the use of the term, “secondary inspection” could reasonably have been interpreted by travelers as implying that the TFG members were conducting airport security “screening” to which travelers were required to submit. Similar misrepresentations may have been made at train and bus stations and other transportation facilities where TFGs operate as part of the DEA’s “Jetway” drug interdiction program.

The misrepresentations by DEA agents and other law enforcement officers were revealed in a report by the DEA Office of Inspector General (OIG), which has the role within the DEA that an “internal affairs” office might play in a local police department.

Apr 28 2015

Toll payment devices used to track vehicles on toll-free roads

Public records obtained by the ACLU from New York City and State agencies have confirmed the extensive use of RFID readers to track RFID toll payment devices on streets and roads where there are no tolls.

The ACLU’s report on the responses to its public records requests speaks for itself, but raises more questions about where else, by which government agencies, and for what purposes motor vehicle movements are being tracked, and whether vehicles without these RFID toll payment devices are also being tracked.

In New York, toll-tag RFID readers were systematically deployed on toll-free city streets for traffic monitoring. By logging the time and a unique vehicle identifier (broadcast by the RFID toll tag) for each vehicle passing each set of sensors, the system can calculate the most recent travel times between any tow sets of sensors. That’s what’s used (at least in New York City) to generate the travel times displayed on road signs, and for other traffic management and traffic signal control optimization purposes.

The problem is that measuring the time required for an individual vehicle to travel between any two points in the road network requires uniquely identifying each vehicle and logging the time it passes each sensor. It’s unclear from the documents obtained by the ACLU how long these logs are retained, to whom they are accessible, or how they are used.

The E-ZPass toll tags used in New York and other states in the Northeast and Midwest use the same long-range RFID technology, with the same potential for surveillance use, as FasTrak in California, SunPass in Florida, and RFID toll payment systems in many other states including (we are not making this up) Freedom Pass for toll roads in Alabama.

The RFID transponders in these toll payment devices are designed, of course, to be read from above or alongside the road, even when the device is inside the vehicle. These RFID transponders are promiscuous: they will respond with their unique ID number to a query from any RFID reader. In general, no license, permit, or consent is required to operate an RFID reader. Anyone can legally buy an off-the-shelf RFID reader, install it wherever they want — near a road, or in a vehicle — and start logging the time, location, and unique ID of each toll tag that comes within range. They can use or sell these logs without restriction.

Most motorists, of course, have no idea how the travel times on highway signs are estimated, and these vary from place to place. The state of Washington, for example, has experimented with a homebrewed system for tracking vehicles through the unique MAC addresses broadcast by in-vehicle Bluetooth systems.

Most toll-collection agencies provide foil bags in which RFID toll tags can be kept when they aren’t in use. But it’s a nuisance at best, and potentially dangerous for someone driving alone, to remove the toll tag from the foil bag while driving, and replace it in the bag after passing each toll payment point. Most people leave these ID-broadcasting devices permanently mounted and exposed on the sun visor, windshield, or dashboard of their vehicle.

What about those motorists who don’t carry these RFID-based toll payment and tracking devices in their vehicles? Many toll roads are moving to “all electronic tolling” (AET) in order to eliminate toll booths and any possibility of on-the-spot payment of tolls. At least as currently being deployed in the US, most if not all of these AET systems use automated license plate readers in each lane to identify each motor vehicle without an RFID toll payment device. A bill for the toll is then mailed to the registered owner of the vehicle. One way or another, either by RFID tag serial number or license plate number, every vehicle is uniquely identified and the time, location, and direction of its passage is logged by the toll agency or its contractors. These all electronic tolling and vehicle tracking systems are already in use on bridges, tunnels, and toll roads from the Mystic/Tobin Bridge in Boston to the Golden Gate Bridge in San Francisco.

License plate readers are increasingly widely deployed, but RFID readers are a cheaper and more versatile technology for vehicle tracking than LPRs, at least at present. A separate, properly positioned LPR camera is typically required for each lane, and optical character recognition software is needed to extract license plate numbers from raw imagery. A single, cheaper, RFID reader can cover multiple lanes, from a wider range of placement locations.

Vehicles without toll payment devices have other promiscuous RFID chips that broadcast unencrypted unique identifiers. New motor vehicles sold in the US are required to have automated tire pressure monitoring systems (TPMS), most of which rely on sensors and transponders attached to, or embedded in, new tires. There are no legal controls on tracking or logging of vehicle movements by means of these tire tags, and no way for ordinary motorists to know when, where, or by whom their position has been recorded, who has logs of past vehicle movements, or how those logs might be used in the future. Similar (and similarly uncontrolled) but shorter-range unique-numbered RFID chips are used as stored-value transit fare payment devices in many major metropolitan areas, so even non-drivers are at risk of being covertly tracked.

Apr 24 2015

Feds pay $40K to settle claim for false arrest at airport

The US government has paid $40,000 as part of the settlement of a lawsuit by a traveler who was falsely arrested by Federal agents and local police when a Frontier Airlines flight she was on arrived at the Detroit airport in 2011, arrive, taken off the plane in handcuffs, locked in a cell for four hours, and strip searched (in a cell with a video camera).

All of this happened without probable cause for an arrest, before any attempt was made to question her, and before any attempt was made by any of the police, airline, airport, or TSA staff to determine whether there was any basis for any of their actions. No criminal or administrative charges were ever filed against her.

The traveler, Ms. Shoshana Hebshi, sued the Federal government, the airline, and named and unknown Federal law enforcement agents, TSA employees, and Wayne County Airport Authority police.

Ms. Hebshi’s lawsuit was dismissed earlier this week on the basis of a settlement, after the Federal judge hearing the case rejected the defendants’ claims of “qualified immunity” with respect to Ms. Hebshi’s complaints of both discrimination and false arrest. “There is no ‘suspected terrorist activity exception’ to the probable cause requirement of the Fourth Amendment,” the judge had ruled.

The details of the settlement were not included in court filings, but the ACLU, which represented Ms. Hebshi, disclosed the $40K payment by the Feds in a public statement about the settlement.

No specific Federal agency or individual took responsibility. The lawsuit named “the United States of America” as a defendant, rather than any specific Federal agency or agencies, and multiple Federal agencies (TSA, FBI, ICE, CBP, etc.) were named in the complaint as having been involved in mistreating Ms. Hebshi. We don’t know whether others of the defendants (the airport, the airline, or any of the individual defendants) paid money to Ms. Hebshi as part of the settlement, in additional to the $40K from the US Treasury.

The dollar value of the settlement is obviously inadequate to deter similar misconduct by government, airline, and airport personnel in the future. But we are pleased by several aspects of the preliminary rulings by US District Court Judge Terrence G. Berg which led to the settlement.

First, Judge Berg was willing to let the case against the airline, airport, and Federal government, and their employees, go to trial. We’ve talked before about how difficult it can be to overcome claims of “qualified immunity” if the court’s sympathies lean toward the defendants in a case like this — or, to put it another way, how easy it is for a judge to let government defendants and their private accomplices off the hook.

Apr 23 2015

Amtrak formats for passenger ID data dumps to governments

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

Apr 22 2015

DHS expands mining of travel data while reducing logging and controls

The US Department of Homeland Security has announced plans to expand its data mining and “sharing”of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections” on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.

Apr 20 2015

Does an airline have the “right” to refuse service to anyone?

This week cyber-security and threat modeling expert Chris Roberts of One World Labs was detained and interrogated for four hours and had his laptop and other electronic devices seized without warrant by the FBI, and later was denied boarding by United Airlines for a flight on which he had a valid ticket, for posting this Tweet questioning the security of IP-based networks on aircraft that commingle in-flight entertainment (IFE) data with data from navigation flight control sensors and avionics systems such as Engine Indication and Crew Alerting System (EICAS) data.

The incident raises important questions about the legality of Mr. Roberts’ detention, the search and seizure of his electronic devices, and the decision by United Airlines to refuse to transport him.

Apr 17 2015

Bill C-51 would match Canadian no-fly scheme to the US — and go further

This week is Stop C-51 Week, marked by events throughout Canada and elsewhere in opposition to Bill C-51, currently under consideration by the Parliament of Canada, “An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts.”

We’ve joined a who’s who of civil liberties and human rights organizations, activists, and experts from Canada and around the world who have co-signed a letter to Prime Minister Stephen Harper opposing Bill C-51.

It’s only a slight oversimplification to say that Bill C-51 is Canada’s version of the USA Patriot Act, 13 years later but on steroids. It appears to violate the Canadian Charter of Rights and Freedoms and Canadian obligations pursuant to several human rights treaties including the International Covenant on Civil and Political Rights (ICCPR). But if enacted, and if not voided on constitutional grounds by Canadian courts, it would purport to authorize a wide range of government spying, “pre-crime” policing (profiling), and preemptive interference with the exercise of fundamental rights.

Apr 16 2015

Feds change no-fly procedures to evade judicial review

In updates filed with Federal courts in at least two pending challenges to US government “no-fly” orders, lawyers for the government have revealed plans for changes to the internal procedures administrative agencies use in deciding who they “allow” to fly — and who they don’t.

While these changes look like cosmetic but inadequate improvements, they actually include an obscure but much more significant change designed to make it harder for people on the no-fly list to get the factual basis (if any) for the decision to put them on the list reviewed by a judge.

By shifting official responsibility for administrative no-fly decisions from the FBI to the TSA, the government hopes to bring those decisions fully within the scope of a special Federal jurisdictional law, 49 U.S.C. § 46110, which is designed to preclude any effective judicial review of TSA decisions — but which doesn’t apply to decisions (nominally) made by the FBI or other agencies outside the DHS.

This law allows TSA administrative orders to be reviewed only by Courts of Appeal (which have no ability to conduct trials or fact-finding), on the basis of the “administrative record” supplied to the Court of Appeals by the TSA itself. The Court of Appeals is forbidden to second-guess the TSA’s fact-finding, even if it was made through a secret and one-sided internal process: “Findings of fact by the Secretary, Under Secretary, or Administrator, if supported by substantial evidence, are conclusive.” As long as there is substantial evidence in the record constructed by the TSA to justify its actions, the Court of Appeals is forbidden to consider the weight of contrary evidence, even if it is also in the record. And the TSA is free to decide that evidence submitted by anyone on the no-fly list is, for that very reason, not credible.

No-fly cases have been considered by District Courts, and one of them has gone to trial, only because the FBI (as the agency nominally responsible for the inter-agency Terrorist Screening Center) has been declared by both TSA and FBI to be the agency officially responsible for no-fly decisions. When FBI decisions are challenged by people who claim their rights have been violated, those decisions are reviewed in the normal manner by District Courts that can conduct trials, hear testimony, receive evidence, and make their own findings of fact — without being required to rely exclusively on self-serving submissions by the FBI itself.

Apr 09 2015

Why did the TSA prevent these people from flying?

Documents newly released to us by the TSA strongly suggest that the TSA has been lying about whether people are “allowed” by the TSA to fly without showing ID, and that decisions about whether to allow travelers to fly without ID are being made arbitrarily, on the basis of irrelevant and unreliable commercial data and/or at the “discretion” of individual field-level TSA staff. The TSA documents also show that, at least for the limited sample of data initially released, the “false-positive” rate of watch-list matches is 100%.

The TSA has for many years been contradicting itself, both in word and in deed, as to whether travelers are required show government-issued (or any other) ID credentials in order to fly, or whether it is possible to fly without ID.

TSA signs at airports say that passengers are “required” to show ID. But the TSA has repeatedly told courts at all levels — from in camera (secret) submissions to the 9th Circuit Court of Appeals in Gilmore v. Gonzales in 2006 to public testimony of the TSA’s witness in the (unsuccessful) state court frame-up of Phil Mocek in Albuquerque in 2011 — that these and other official TSA notices to passengers are false, that ID is not required to fly, and that the TSA does have (secret) “procedures” that allow people to fly without having or showing ID.

The TSA’s actions are equally bipolar. People who say they have lost their ID cards or had them stolen are “allowed” to fly every day. But people who the TSA deems (for secret or not-so-secret reasons, or completely arbitrarily) to be”suspicious” or “uncooperative” are routinely subjected to retaliation and summary sanctions including denial of their right to travel. Mr. Mocek, for example, was both prevented from boarding the flight for which he had a valid ticket, and falsely arrested by local police at the behest of TSA staff, when he tried to fly without ID and to document the process that the TSA claimed would have allowed him to do so.

What’s the real story? From our close reading of the available evidence, it appears that:

There are no publicly-disclosed “rules” (and probably not even any unambiguous secret rules) defining what is or is not permitted or required of travelers at TSA checkpoints, or what conditions the TSA imposes on the exercise of the right to travel by air.
The TSA claims to have the legal authority, and in practice exercises actual power, to determine who to allow to fly, and who not to allow to fly, in an entirely secret, standardless, and arbitrary manner, at its sole discretion, which discretion is often delegated to front-line TSA staff.

How does this work in practice? We are just beginning to find out.