Papers, Please!

The Identity Project

Sep 28 2023

DHS uses travel as pretext for search of researcher and journalist

According to a report by Zack Whittaker on TechCrunch, security researcher, and blogger Sam Curry “was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a ‘high profile phishing campaign,’ searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.”

How did this happen, and what recourse do you have if you are similarly searched?

Sadly, the used of (entirely unrelated) international travel as a pretext for searches of electronic devices and data, including searches or researchers and journalists, is not new.

A TECS Lookout can be used by the DHS or other Federal agencies to flag, watch for, and intercept any “person of interest” whenever they take an international flight to or from the US, regardless of whether there is probable cause for a search warrant.  A TECS Lookout can be set at the request of any Federal law enforcement agency, for any reason.  It’s also no surprise that this loophole for pretextual searches is being used by IRS agents: As we have noted previously, it’s described in detail in the section of the IRS’s manual on techniques for “Locating Taxpayers and their Assets”.

Mr. Curry reportedly said he was later told that the copies of data seized from his phone by Federal agents had been deleted, and the subpoena was withdrawn. But it also appears that, as a blogger, his data was protected from seizure by the Privacy Protection Act, which provides greater protection for many travelers’ data than most other forms of privilege. If Mr. Curry had known to assert his status and rights under the Privacy Protection Act, he would probably be entitled to damages from the agents who searched and seized his data.

Sep 26 2023

Broader challenge to Federal blacklists filed in Boston

In a nationally-significant lawsuit, the Council on American-Islamic Relations (CAIR) has filed the most comprehensive challenge  to date to the US government’s system of arbitrary and extrajudicial blacklists (“watchlists”) used to stigmatize and impose sanctions on innocent people — almost all of them Muslim — without notice, trial, conviction, or any opportunity, even after the fact, to see or contest the allegations or evidence (if any) against them.

The lawsuit, Khairullah et al. v. Garland et al., was filed last week in Federal District Court in Boston on behalf of twelve Muslims from Massachusetts and other states who have been stopped, prevented from traveling to, from, or within the US by air, harassed, delayed, interrogated, threatened, strip-searched, had all the data on their electronic devices copied, detained at gunpoint, denied permits, and had banking and money-transfer accounts summarily and irrevocably closed, among other adverse consequences:

Plaintiffs, along with over one million other people, have been placed by Defendants on the federal terrorist watchlist. Defendants claim the power to place an unlimited number of people on that list and, as a result, subject them to extensive security screening, impose adverse immigration consequences on them, and distribute their information to thousands of law-enforcement and private entities, which then use it to affect everyday interactions like traffic stops, municipal permit processes, firearm purchases, and licensing applications.

Congress has never statutorily authorized the creation, maintenance, use, or dissemination of the Terrorist Screening Dataset, its subsets like the Selectee List and No Fly List, the Quiet Skies and Silent Partner systems, or any other rules-based terrorist targeting lists.

WHEREFORE, Plaintiffs requests this Honorable Court grant declaratory and injunctive relief….

The complaint includes a depressingly thorough, detailed, and diverse litany of incidents of interference with normal life, especially with normal travel.

One US citizen plaintiff now abroad has been effectively exiled because the US government won’t allow any airline to transport him back to the US from overseas.

The effects of blacklisting can last for life. Because the US government continues to stigmatize “formerly” blacklisted individuals and flag them to its own agents and third parties including foreign governments, some of the plaintiffs continue to suffer these consequences despite having purportedly been “removed” from US “watchlists”.

Because the US government’s blacklisting algorithms incorporate explicit guilt-by-association criteria, some plaintiffs have had their friends, family members, and colleagues targeted for adverse treatment solely on the basis of having “associated” (an act protected by the First Amendment to the Constitution) with a blacklisted person.

As the complaint explains:

[B]ecause Defendants consider being a relative, friend, colleague, or fellow community member of a TSDS [Terrorist Screening Dataset] Listee “derogatory information” supporting placement on the watchlist, Muslim communities are subjected to rapidly-unfolding network effects once one member is watchlisted. One nomination, even if grounded in probable cause or a preexisting criminal conviction, can quickly spiral into Defendants classifying nearly every member of an extended family or community mosque as a suspected terrorist.

A similar lawsuit, also brought by CAIR, led a Federal District Court judge in Virginia to rule in 2019 that the Federal blacklisting system was unconstitutional. But that ruling was overturned in 2021 in a strikingly poorly-reasoned opinion by the 4th Circuit Court of Appeals.

The new lawsuit has been brought in a different circuit (the 1st Circuit), and the new complaint includes more recent information — including the disclosure of the no-fly and “selectee” lists — and arguments to bolster the case and counter the claims made by the 4th Circuit judges.

Lawsuits like this take years to be resolved, but we’ll be watching this one closely.

Sep 04 2023

Transit payment systems and traveler tracking

Last week 404 Media published a report by Joseph Cox on how the New York Metropolitan Transit Agency’s website can be used as a remote stalking tool: anyone who knows a credit card number that was used to purchase or add value to an OMNY transit farecard could view a historical log of the last seven days of trips taken using the card, including the dates, times, and locations where the card was read at subway entrances or boarding buses.

Less than 24 hours after this report was published, this “feature” was removed from the MTA website.

But that doesn’t solve the problem.

The main problem with the MTA payment system — and similar systems in other cities — isn’t that anyone could access your trip history by typing in your credit card number (which every waiter you ever bought a meal from with that credit card has access to,  and every domestic violence abuser in your household also knows).

The real problem is that the MTA transit system is building a permanent database of all your trips, period. The MTA is still logging transit passengers’ movements, and those logs are still available to the MTA itself, police, anyone the MTA chooses to share them with, or anyone who hacks into the TSA’s records.

If the MTA didn’t collect this data in the first place, there would be no way for anyone to abuse it.

Read More

Aug 24 2023

Border and airport searches for “privileged” information

Most people think of communications between attorneys and their clients as being among those having the highest level of legal “privilege” against compelled disclosure to the government.  And it is widely believed that the US lacks a Federal “shield law” protecting journalists against being forced to reveal confidential sources.

The assumptions are, in some situations and with respect to certain information, well founded. But a recent Federal decision by the 5th Circuit Court of Appeals has belied those assumptions and created a situation — at least in the 5th Circuit — in which attorney-client communications have significantly less protection at borders and ports of entry than information in the possession of journalists and others involved in communicating information to the public.

This makes it more important than ever for all travelers — including lawyers who assume that the information in their possession is best protected under the attorney-client privilege, and individuals who don’t think of themselves as journalists — to be familiar with the protections of the Federal Privacy Protection Act of 1980 (42 US Code §2000aa), and to proactively assert their protected status and their rights under this law if their data or devices are searched or seized

Here’s what was decided in this recent case about attorney-client communications, and what protections travelers still have pursuant to the Privacy Protection Act:

Read More

Aug 02 2023

Challenges to mandatory facial recognition for air travel

[US Senator Jeff Merkley films the signage and what happens when he opts out of facial recognition at the TSA checkpoint at Reagan National Airport]

Attempts by airlines, airports, and government agencies to make facial recognition mandatory for air travel, while pretending that it is “optional” or based on “consent”, are being challenged in both the United States and the European Union.

In the US, the Transportation Security Administration continues to tell Congress and the public that it is “testing” facial recognition and that mug shots are optional for air travel.

But Senators continue to question whether, as the TSA claims, this is really a “field demonstration” or actually a phased rollout,  and whether, “Providing this information is voluntary.”

The latest in a series of increasingly skeptical letters to the TSA from groups of US Senators was sent in February of this year, asking questions including these:

  • How are travelers notified of their right to opt-out of facial recognition?
  • What are the effects on a traveler who chooses to opt-out of facial recognition?
  • Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?

If the TSA provided these Senators with any answers, they haven’t been made public. But it seems likely that any response from the TSA was unsatisfactory, since a month after this letter was sent, some of these same Senators and others, along with members of the House of Representatives, reintroduced a bill (S. 681 and H.R. 1404) first introduced in the previous session of Congress that would outlaw use of facial recognition by Federal agencies except with explicit statutory authorization which the TSA lacks.

The “Facial Recognition and Biometric Technology Moratorium Act of 2023” has yet to be considered by either the House or the Senate. But in the meantime, Senator Jeff Merkley (D-OR)has been opting out of facial recognition when he flies home to Portland, filming what happens at the TSA checkpoint, and posting the videos on YouTube.

TSA policies are expressed in “standard operating procedures” (SOPs) for checkpoint staff that the TSA refuses to make public. So except to the extent that the SOPs have been leaked or inadvertently released by the TSA itself, this sort of observation-based reverse engineering is the best available evidence of de facto TSA policies and procedures.

On his first tests of TSA signage and practices, Sen. Merkley found that there were no signs at the TSA checkpoint at Reagan National Airport telling travelers that mug shots were optional.   After he posted video of the lack of signage, some signs were added — but with notices about facial recognition buried in fine print and not next to the mug shot cameras.

TSA staff told Sen. Merkley that opting out of TSA mug shots would result in “significant delay” in his passage through the TSA checkpoint, and detained him (although seemingly only briefly), contrary to what the TSA claims is supposed to happen.

In his latest video posted this week, Sen. Merkley encourages air travelers to film the signage or lack of signage at TSA checkpoints and what happens when they opt out of facial recognition:

Know that you can refuse to use facial recognition technology at the airport and you should be easily accommodated by an agent checking your physical ID….

You ARE allowed to take photos and videos at a security checkpoint.

The Algorithmic Justice League is also collecting reports from travelers about facial recognition at TSA checkpoints, including signage and consent (or the lack thereof).

It’s a sad day when a member of the US Senate has to enlist the help of members of the public to find out whether a Federal agency is lying to Congress and the public about its practices.  But the TSA has earned our mistrust and that of Congress. We commend Sen. Merkley for his skepticism and for judging the agency by what it does and not what it says.

Meanwhile, in the European Union, a complaint has been brought against the airline Ryanair for requiring either facial images or earlier check-in from certain passengers.

While this complaint has been made under EU law, it’s significant as the first complaint against an airline anywhere in the world, so far as we know,  for requiring for requiring passengers to provide mug shots or imposing additional burdens on those who opt out.

As we’ve noted before, there’s a malign convergence of interest between airlines, airport operators (public or private), and law enforcement agencies in tracking and control of air travelers. In practice, it’s often impossible to tell whether cameras — including those used for automated facial recognition — are being operated by the airline, the airport, or the police, or are part of a common-use shared surveillance-as-a-service infrastructure. In such cases, there’s no meaningful distinction between a requirement for passenger mug shots imposed by a common carrier that shares photos with the government and a mug shot requirement imposed and carried out directly by a government agency.

The complaint against Ryanair under EU law also has implications for US travelers and US airlines. Most major US and international airlines operate flights, sell tickets, and/or collect personal information in the EU and are thus subject, in at least some of their operations, to EU data protection laws. If they can respect their European customers’ rights, they could — and should — afford their US customers those same rights.

Jun 26 2023

9th Circuit rejects TSA claim of impunity for checkpoint staff who rape travelers

Last December, we attended and reported on oral argument before the 9th Circuit Court of Appeals in a case in which the Transportation Security Administration (TSA) argued that TSA checkpoint staff have absolute immunity from lawsuits for assault, even sexual assault or rape, committed against travelers they are “screening”.

We’re pleased to report that today the 9th Circuit panel of judges rejected the TSA’s claim of impunity. The three judges found unanimously that the Federal Tort Clams Act (FTCA) allows lawsuits against the TSA for damages caused by checkpoint staff who assault travelers. The 9th Circuit thus joins every other Circuit Court of Appeals (the 3rd, 4th, and 8th) to have addressed this issue in a published opinion.

The case decided today by the 9th Circuit will now return to the U.S. District Court in Las Vegas for much-belated consideration of the claim against the TSA and its officers. The precedent set by today’s decision will apply throughout the 9th Circuit, the largest of the Federal judicial circuits, including all of the states on the West Coast.

Kudos to Jonathan Corbett, Esq., who has represented the plaintiffs in each of these cases.  Coals for Christmas to the TSA for continuing to argue for impunity for its staff to one Circuit Court after another, despite the growing weight of precedent against the agency and, perhaps more importantly, the moral repugnance of arguing that any agents of the government should be entitled to assault or rape members of the public with impunity.

Jun 13 2023

98% of names on U.S. travel blacklist are Muslim

98% of the names on the U.S. government’s travel blacklists, including all of the top 50 names that appear most frequently on those lists, appear to be Muslim, according to a statistical analysis commissioned by the Council on American Islamic Relations (CAIR).

This analysis of the so-called “watchlist” (a euphemism for “blacklist”) is included in a report released this week in conjunction with the annual Muslim Advocacy Day on Capitol Hill organized by the US Council of Muslim Organizations (USCMO).

When the U.S. government’s “No-Fly list” and “Selectee list” were made public earlier this year, we were the first to point out that more than 10% of the entries on the No-Fly list (174,202 of 1,566,062) contain “MUHAMMAD” in either the first or last name fields, in addition to those entries with other spellings of Muhammad.

CAIR’s latest report goes into more detail:

CAIR has studied more than 1.5 million entries on a 2019 version of the FBI’s list, provided to us by a Swiss hacker who found them online after a regional air carrier accidentally posted them to the public internet. One scroll through it reveals a list almost completely comprised of Muslim names. In fact, more than 350,000 entries alone include some transliteration of Mohamed or Ali or Mahmoud and the top 50 most frequently occurring names are all Muslim names….

CAIR shared the leaked list with statistical experts for review to determine what percentage of the list is Muslim. The expert analysis of the people on the list—approximately 1.5 million entries—indicates that more than 98% of all records in the watchlist identify Muslims.

In its report and at the press conference announcing its findings, CAIR called out the lack of any legislative basis for secret blacklists, the difficulty of challenging secret decisions in court, and the failure of Congress to exercise its oversight responsibilities:

Congress did not give the FBI this authority. There is no law that made the watchlist…. But neither the FBI nor any other government agency should have a secret list. They’ve abused the one that they have now, and there is no such thing as a good, lawful kind of secret government list made available to hundreds of thousands of government actors. It is time to bring this practice to a close.

CAIR and other advocates for the civil rights of Muslim Americans are making this issue a priority in their meetings with members of Congress this week. We hope that their efforts will help prompt members of Congress to reintroduce and enact the Freedom To Travel Act or include it in other omnibus legislation.

Jun 12 2023

TSA misstates the case law on ID to fly

During an online panel last week hosted by the Cato Institute, TSA Privacy Officer Peter Pietra made some bold but false claims (starting at 18:05) about the case law on ID to fly:

Patrick Eddington, Cato Institute: I’m trying to understand if there is in fact a statutory basis for TSA to essentially say, “If you don’t show us an ID, you’re not getting on that airplane.”

Peter Pietra, TSA Privacy Officer: … I know that there was a case… where John Gilmore — Gilmore vs. Gonzales, I think was the case — did challenge ID requirements, and the 9th Circuit upheld them…. The one … case that I’m aware of being brought resulted  in upholding TSA’s ability to require ID.

But as Mr. Pietra and the TSA should know, that’s not what was decided in Gilmore v. Gonzales.

Based on pleadings submitted to the court ex parte and under seal by the TSA, the 9th Circuit found that the TSA’s “identification policy” did not require passengers to show ID credentials in order to fly, but provided an alternative of a more intrusive search:

The identification policy requires airline passengers to present identification to airline personnel before boarding or be subjected to a search that is more exacting than the routine search that passengers who present identification encounter….

Gilmore had a meaningful choice. He could have presented identification, submitted to a search, or left the airport. That he chose the latter does not detract from the fact that he could have boarded the airplane had he chosen one of the other two options.

Neither Mr. Gilmore nor his lawyers saw or had any chance to rebut the claims made to the 9th Circuit judges by the TSA in its secret submissions. But the court’s description of the TSA’s identification policy as not requiring passengers to show ID, but allowing a more intrusive search as an alternative, was based entirely on the TSA’s own claims.

Having gotten the court to uphold its policy by representing that policy to the court as not requiring passengers to show ID, the TSA can’t now claim that the court’s decision “upheld” a policy requiring passengers to show ID — a policy the TSA specifically disclaimed in that litigation. The TSA told the 9th Circuit in its sealed, ex parte filings that pursuant to its policy Mr. Gilmore could have flown without ID if he had submitted to a more intrusive search, and the 9th Circuit decided the case on that basis.

Neither the 9th Circuit panel in Gilmore v. Gonzales, nor any other court, has reached the question of whether a requirement for airline passengers to show ID to fly has any statutory basis or would be Constitutional, much less upheld such a requirement

Mr. Pietra went on to suggest that, if the Constitutionality or statutory basis for requiring airline passengers to show ID were in question, the issue would have been litigated. But that ignores the fact that, when Mr. Gilmore tried to litigate exactly this issue, the TSA evaded the issue by denying to the court that it had a policy requiring ID to fly.

We continue to believe that both the TSA’s de facto efforts to require ID to fly, and any TSA policy to require ID to fly, lack a statutory basis and are unconstitutional. We hope that passage of the Freedom To Travel Act will clarify this issue and make it possible for those who are prevented from flying without ID to obtain redress through the courts.

May 12 2023

IDP input to UN report on human rights of migrants

At the invitation  of the U.N. Office of the High Commissioner for Human Rights (OHCHR), the Identity Project has submitted our input for a forthcoming report by the U.N. Secretary-General to the General Assembly on “The Human Rights of Migrants”.

Our previous submissions on this issue (2014, 2015) have been cited favorably in reports and recommendations of the OHCHR. But as we note in our latest submission to the OHCHR, the rights of migrants, especially asylum seekers, continue to be violated:

The pattern of violations of the rights of migrants, particularly asylum seekers, by states and common carriers (the latter often both encouraged and given de facto impunity by states) discussed in our our previous submissions to the OHCHR has continued and has become more pervasive and globally normalized.

As we discussed in our previous submissions to the OHCHR, the right to leave any country is routinely and systematically violated through (1) requirements for identity credentials or other documents or information as a condition of travel by common carrier, without respect for the right to leave any country and to return to the country of one’s citizenship regardless of what, if any, credentials or documents one possesses, (2) requirements for “pre-screening” and approval by destination states of common carrier passengers, prior to departure from origin states, that amount to de facto foreign-imposed exit visa requirements, (3) sanctions imposed by states on common carriers to induce carriers not to transport certain passengers on vessels departing from origin states, on the basis of necessarily unreliable predictions of admissibility to, or asylum in, destination states, and (4) failure by states to enforce the duties of common carriers (pursuant to common carrier laws and aviation treaties) to transport all would-be passengers, including asylum seekers, regardless of their legal status or possession of documents.

All of these actions involve the assertion of extraterritorial authority by a State X over individuals seeking to depart from the territory of a State Y, on the basis of potential inadmissibility of those individuals to State X, if and when they were to arrive in State X.

These are all, essentially, attempts to conflate exit, entry, and movement, and to convert the requirements established by State X for entry to State X into extraterritorial requirements for exit from State Y and for travel between State Y and State X, including travel by common carrier through international airspace or international waters.

There are (at least) three reasons why any such assertion of extraterritorial authority is fundamentally contrary to international law, including human rights law:

First, the right of State X to control entry to its territory does not imply any right to control exit from State Y or movement between State Y and State X. With respect to international air travel, Article 13 of the Chicago Convention on Civil Aviation provides that entry requirements of a state party apply only “upon entrance into or departure from, or while within the territory of that State”. Extraterritorial authority by a destination state over departure from other states or movement through international airspace or waters would be fundamentally contrary to the freedom of navigation by air and sea.

Second, the right to leave any country, as recognized by Article 12, Paragraph 2 of the International Covenant on Civil and Political Rights, is not contingent on admissibility to any other country. If a claim for asylum is denied, an asylum seeker may be deported, subject to the prohibition on refoulement. But the possibility that they might be denied admission or have their claim for asylum rejected on arrival is not a lawful basis for denial of their right to leave any other country, including by common carrier.

Third, because eligibility for asylum can only be determined after an asylum seeker arrives in a destination country, it is per se impossible for anyone – even government authorities, much less common carrier staff – to determine prior to departure from a country of origin whether an asylum seeker will be found eligible for asylum if and when they reach a particular destination country and apply for asylum. Any attempt to determine eligibility for asylum prior to departure from a country where an individual is in fear of persecution is necessarily premature and unreliable, and must be rejected as categorically impermissible and a violation of the right to seek asylum on arrival.

The right to leave any country and the right to travel by common carrier must be recognized as essential to the human rights of asylum seekers, including their right to life.

Today there is no practical, affordable, or safe alternative to air travel as a way to leave many countries. Denial of access to travel by common carrier amounts to denial of the right to leave the country and of the possibility to seek asylum anywhere else.

Restrictions on the right to leave any country, including restrictions on departure by common carrier, can endanger the lives of persecuted individuals by trapping them in situations of persecution or by forcing them to resort to irregular and dangerous means of transport as the only way to flee a country where they are suffering persecution.

Restrictions on travel by common carrier force asylum seekers – desperate to escape persecution – to risk their lives to travel by irregular means. Many of them die.

Many eligible asylum seekers could afford to purchase airline tickets or tickets on other common carriers (ferries, trains, buses, etc.) to travel to countries where, on arrival, they would be eligible for asylum. They risk their lives as “boat people” or walking across mountains and deserts, and some of them die, solely because airlines or other common carriers improperly refuse to sell them tickets or deny them boarding.

Many, perhaps most, deaths of asylum seekers in transit are directly attributable to “carrier sanctions” that incentivize common carriers to deny passage to asylum seekers.

Carrier sanctions kill, and they must be strongly and unequivocally condemned.

[Full submission of the Identity Project to the OHCHR, May 12, 2023]

We look forward to the forthcoming report and to the discussion in the General Assembly.

Apr 18 2023

4th Circuit agrees that TSA checkpoint staff are liable for assault

In a decision published today, the 4th Circuit Court of Appeals has joined the 3rd Circuit and the 8th Circuit in finding that staff of the Transportation Security Administration (TSA) who search travelers at airport checkpoints are liable for damages if they commit assault or battery in the course of performing their official “screening” duties.

This shouldn’t be a difficult or surprising decision, as a matter of either fairness or law. But despite the TSA’s complete lack of success in any published appellate decision on this question to date, the agency continues to argue — as it did in another case on the same issue pending in the 9th Circuit — that checkpoint staff should have absolute impunity, even if they rape travelers at checkpoints or in back rooms during “secondary” searches.

Jonathan Corbett, who has argued all of these cases on behalf of abused air travelers, says that, “I am ecstatic to open the courthouse doors for all injured by abusive feds [and] I am thrilled to bring my client closer to getting some justice for this brazen misconduct.”

We’re thrilled too at this common-sense ruling, and we hope the 9th Circuit will follow the lead of its sister circuits in its pending case.

The most common situation in which Federal agents lay their hands on innocent citizens is the TSA checkpoint at the airport. Checkpoint staff have far too much power, with far too much temptation and opportunity for abuse, to be allowed to grope travelers with impunity.

The 4th Circuit panel summarized the facts of the case it decided today as follows:

As all commercial air travelers must, plaintiff Erin Osmon passed through security at Asheville Regional Airport before a scheduled flight. A TSA screener told Osmon “the body scanner alarmed on her and that she would need to submit to a ‘groin search.’ ” JA 9. During the resulting interaction, Osmon alleges the screener forced her to spread her legs wider than necessary and fondled her genitals twice.

Osmon sued the federal government under the FTCA [Federal Tort Claims Act], alleging one count of battery.

A magistrate judge recommended dismissing Osmon’s suit for lack of subject matter jurisdiction in a detailed memorandum devoted solely to whether the FTCA waives sovereign immunity for the type of claim Osmon brought. The district court adopted the magistrate judge’s recommendation.

That District Court decision has now been reversed by the Court of Appeals, and the case will be remanded for Ms. Osmon to get a chance to prove her claims and obtain damages.