Papers, Please!

The Identity Project

Sep 03 2010

Napolitano outlines US travel control agenda for ICAO

In a speech to the Air Line Pilots Association earlier this week, Secretary of Homeland Security Janet Napolitano made explicit the US government’s intentions to, as we have repeatedly predicted, use the International Civil Aviation Organization (ICAO) as its primary international policy-laundering forum to bypass and override national laws restricting surveillance and control of travel.

ICAO isn’t mentioned in the DHS press release, and the DHS doesn’t seem to have posted the full text of Napolitano’s speech.  But according to reports in Homeland Security Today and elsewhere:

Napolitano will seek a formal resolution from the general assembly of the International Civil Aviation Organization (ICAO) Sept. 28-Oct. 8 in Montreal, Canada, to build upon five regional security declarations obtained by the United States….

Each of the five meetings resulted in a security declaration focusing on vulnerabilities in the international aviation system in four key areas: developing and deploying new security technology, strengthening aviation security measures and standards, enhancing information collection and sharing, and coordinating international technical assistance

ICAO assisted in coordinating the five agreements, which Napolitano hopes to use as a springboard to obtain a declaration covering the international organizations 190 member states in the fall.

“Enhancing information collection and sharing” is of course a euphemism for mandatory airline and national government participation in the compilation of lifetime logs of individuals’ movements, while “developing and deploying new security technology” refers mainly, as of now, to mandatory use on airline passengers of virtual strip-search machines.

With Members of the European Parliament asking new questions about DHS demands for European collaboration in US travel surveillance and control schemes,  DHS and the US government are turning increasingly to ICAO as a less transparent, less publicly accountable “plan B” for internationalization of its travel regime.

It’s unclear whether the resolutions to be proposed for adoption by ICAO at its upcoming general assembly will constitute ICAO “security standards”, or will merely be a step toward their adoption through he slow but inexorable multi-year ICAO decision-making process.  But the goal of the US government is clear: Whatever surveillnace and control measures can be incorporated into ICAO security standards can be backported into national and international laws through innocuous-seeming statutory and treaty mandates for compliance with ICAO security standards, and imposed on recalcitrant countries through denial of landing rights oin the US to flights from countries or on airlines that don’t comply with such surveillance and control standards.

Sep 03 2010

From our mailbag

Thank You, and good luck!

I have come across information on your suit against the US Gov’t and DHS, and the fantastic summary you did. I just felt I should thank You for your effort and bravery.

I just wanted to let You know there are people and organisations all over the world (Poland here, by the way) that see the diffusion of privacy and personal rights and freedoms in America as a very dangerous precedent that might “inspire” other countries (and indeed, often it already does) to follow suit (pun not intended).

I come from a nation that had to fight for independence and freedom many times throughout its history. For 21 years we are finally Free – after almost 200 years of enslavement. I have the distinct privilege to not remember the Polish People’s Republic and the times long gone by (I’m 25), but we all here either remember, or simply know (from history lessons, from relatives, from literature) what Orwellian surveillance was like. We all remember or know about the atmosphere, the Kafka-esque processes of law, the fright… And we remember or know what sacrifices had to be made to be finally Free.

Maybe that’s why ideas like secret lists, internet filtering and similar ideas meet with a decisive public resistance. For now. But if the USA, the country people 15-20 years older than me saw as a symbol of freedom and one of the only allies we had against the USSR, slides down this slippery slope any more, resistance can only become harder.

The more can we admire what You are doing.

Hence, for Your sake, and for the sake of all the people that watch and see what’s going on, I wish you strength and good luck in your fight. In times like these there’s always the need for a single fighter to fight for the principles.

It was like that in the fifties in USA with the McCarthy-ism at its height, when Ed Murrow took a stand.

It was like this in the Big Tobacco suits in early nineties when Brown & Williamson almost destroyed Jeff Wigand’s life when he took a stand.

I’ll be watching, and with me two Polish NGOs.I’ll be watching, and with me two Polish NGOs.

Best regards,

Michal “rysiek” Wozniak

Aug 25 2010

Lawsuit filed against DHS travel surveillance

In the first lawsuit to challenge one of the U.S. government’s largest post-9/11 dragnet surveillance programs, the First Amendment Project (FAP) filed suit today under the Privacy Act and the Freedom of Information Act (FOIA) against U.S. Customs and Border Protection, the DHS division that operates the illegal “Automated Targeting System” of lifetime travel histories and travel surveillance dossiers including complete airline reservations (Passenger Name Records or PNRs).  The Identity Project is part of FAP, and the lawsuit was filed on behalf of Identity Project consultant and travel expert Edward Hasbrouck.

The complaint filed today in Hasbrouck v. CBP asks the court to declare that CBP violated the Privacy Act and FOIA, and order CBP to turn over the travel records about himself that Hasbrouck has requested, as well as an accounting of who else CBP has disclosed these records to, what happened to Hasbrouck’s previous unanswered Privacy Act and FOIA requests and appeals (some of which have been pending and ignored by CBP for almost three years, and may have been among those recently revealed to have been improperly held up for “political review” by higher-ups in DHS and/or the White House), and how these records in the CBP “Automated Targeting System” are indexed, searched, and retrieved.

The case is important in part because it shows that, despite DHS claims that everyone who has asked for their travel records has received them, and that no one has complained about DHS misuse of PNR data, DHS has entirely ignored many such requests and complaints, even when they have come from U.S. citizens like Mr. Hasbrouck.

There’s more about the case and its significance in our FAQ: Edward Hasbrouck v. U.S. Customs and Border Protection.

Aug 18 2010

DHS scrambles to cover up FOIA scandal

Within weeks after documents released by the DHS to the Associated Press revealed that FOIA (“Freedom Of Information Act”) requests had been systematically referred for “political review” at higher levels of the executive branch of the government, and responses illegally delayed while those reviews were pending, the DHS published new rules in the Federal Register today purporting to exempt itself from any obligation to disclose records of the processing of FOIA or Privacy Act requests, or any accounting of disclosures of those requests to other agencies or departments (such as White House political commissars).

Presumably, the new Privacy Act exemption rules promulgated today by DHS are intended to keep us, or anyone else, from finding out which FOIA requests were interfered with or vetted, by whom, or for what political reasons.  It’s a shameful attempt at a cover-up, and we hope that these new exemption rules will be overturned as lacking any statutory basis.

Fortunately, even if they are upheld, the rules published today won’t apply to requests that have already been made, including the request we made a few weeks ago, as soon as we learned of the confirmation of political interference with FOIA requests, for all records related to the processing of our previous FOIA requests and appeals.

We strongly suspect that our requests were among those interfered with, and that our request for an accounting of what had happened to them was part of what prompted the DHS to issue today’s new rules to preclude any more such requests from others.   Having gotten confirmation that our request was received by DHS before the new rules were promulgated, we intend to pursue it diligently.

Aug 10 2010

DHS designates point of contact for human rights complaints

Apparently in response to repeated inquiries from the Identity Project about what has happened to our most recent complaint to the DHS and TSA that their procedures violate the right to freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights (ICCPR), the TSA has officially informed us that “the Department has designated the Officer for Civil Rights and Civil Liberties as the point of contact for Executive Order 13107” on implementation of human rights treaties.

Executive Order 13107 requires that, “The head of each agency shall designate a single contact officer who will be responsible for overall coordination of the implementation of this order” including “responding to … complaints about violations of human rights obligations that fall within its areas of responsibility or, if the matter does not fall within its areas of responsibility, referring it to the appropriate agency for response.”

Despite that clear requirement, none of our previous complaints of violations of the ICCPR have been acknowledged or answered. So far as we can determine, the July 22, 2010 letter we received from the TSA is the first public indication by any Federal agency, ever, of the designation of the point of contact for human rights complaints required of each agency by Executive Order 13107.

Since the TSA has, at the same time, said that they will take no action to investigate complaints unless the complaint is received while the violation is ongoing — which in most cases is impossible — we have forwarded our latest complaint and our previous unanswered complaints of violations of the ICCPR by the DHS and DHS component agencies to the DHS Officer for Civil Rights and Civil Liberties for Departmental action.  Our letter to the OCRCL: with attachments (2 MB), without attachments

[Immediate response the same day from Margo Schlanger, DHS Officer for Civil Rights and Civil Liberties: “I have received your email and, as requested, we will examine your complaints. ”  But that was followed not by an acknowledgement letter  but by a “request for clarification” from the OCRCL. We responded but only in February 2011 did we finally receive confirmation that our complaints had docketed. Further correspondence with the DHS Office for Civil Rights and Civil Liberties (CRCL): Letter from CRCL to IDP, Jan. 18, 2011; email from IDP to CRCL, Jan. 31, 2011; email from CRCL to IDP, Feb. 2, 2011; email from IDP to CRCL, Feb. 2, 2011; email from CRCL to IDP, April 1, 2011]

Aug 07 2010

Public says “No” to national cyberspace ID proposal

In June, the Department of Homeland Security and the President’s Cybersecurity Coordinator published a proposal and request for comments on a for a “National Strategy for Trusted Identities in Cyberspace” (NSTIC).

It’s hard to belive that such a system implemented from the top down at the behest of DHS and the White House would remain, as its proponents claim it would be, truly “voluntary”.

In practice, it will be required for online interactions with government agencies as well as private compnaies, rendering it “voluntary” the way it’s “voluntary” to show ID to travel: you don’t have have government ID credentials as long as you are prepared to walk (or walk on water or paddle a sea kayak if you want to get between, say, Hawaii and the U.S. mainland).

Although the official public comment period lasted only 30 days, many others have pointed out key problems with the NSIC concept. The NSTIC proposal places no value on anonymity; indeed, it evinces an apparent lack of understanding of what anonymity really means. It takes for granted the need for authentication (if we pay in cash, why does a merchant, much less a common carrier or government agency, need to know anything about us other than that our money isn’t counterfeit?) and confuses a policy that purportedly restricts disclosure  of our identity with actual non-knowledge of our identity.  The former protects us from those who comply with their own policies, while the latter protects us from bad actors as well.  But in reality, many of the threats to our freedom come from those who can’t be counted on not to cross the boundaries of privacy “policy”, including those within governments. Actual anonymity, non-linkability of transactions and identities, and the ability of the system (and our anonymity) to survive capture of the “identity provider” and/or the government by malign interests should be key design criteria, but weren’t even considered.

The question now is what the White House and DHS will do with the response to their request for public comment on the NSTIC draft. In the online forum where the public could submit and vote on feedback and ideas for NSTIC, the single most popular suggestion was an anonymous one (no, we didn’t submit it, and we don’t know who did), “Decentralize further, don’t centralize”:

A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure. Once that identity has been compromised – which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain – an individual’s entire life will be open for hijacking…. This effort will be counterproductive at best and has the potential to cause problems that are orders of magnitude worse than current identity theft issues. And this is before even considering aspects that potentially compromise privacy, anonymous speech, free access to the devices that an individual has purchased, etc.

Instead of attempting to centralize identity, simply ensuring that current best practices are followed would vastly improve online security. Making authentication services responsible for all outcomes of a data theft would be a good first step, as well as outlawing EULA language that forfeits a user’s ability to hold such services responsible for technology failure that result in theft, downtime, and data loss. Providing incentives such as these, combined with increased enforcement, will force corporations large and small to work toward increasing security. There should also be an enforced decoupling of identity data; if one of a user’s accounts is compromised, it should not contain personal identity information like SSNs which would allow another of the user’s accounts to be compromised. Web-based authentication has no need to have access to such information and it should be kept in separate, firewall-divided databases as a matter of law, not just habit.

There was more in this vein from other commenters, such as this on “Multiple roles, multiple identities”:

I play many roles in life. Some associated with my work, some associated with a sports league, others associated with my hobbies. If I can easily get several identities, I can use a different one for each role that I play and the issue of a national identity becomes less of a problem. I don’t have to worry about my employer having a problem with views I have shared as an individual person.

There were also numerous calls for a lengthier public comment period and more explanation of the details of any plan before it is adopted.

We urge the White House and DHS to heed the public comments on the NSTIC draft and scrap this scheme for a single, centralized scheme for de facto mandatory online credentialing and identification.

Aug 02 2010

TSA says all their Standard Operating Procedures are secret

The TSA is still stonewalling our FOIA requests for their Standard Operating Procedures (SOPs), which we presume are among those that have been (illegally) sidetracked and delayed for review by DHS and other administration political commissars.

But after the Associated Press pried loose internal DHS e-mail messages confirming the delays in processing “politically sensitive” FOIA requests and the DHS Inpector General started asking questions, the TSA has responded to a request from Phil Mocek (some months older than ours) for the TSA Screening Management SOP.

Not, of course, that the TSA has actually disclosed any more information about its standard operating procedures. The TSA’s response to Mr. Mocek’s request consists of a blanket claim that the entirety of the Screening Management SOP is exempt from disclosure because it would “benefit those attempting to violate the law” (by exercising their rights?) and “be detrimental to the security of transportation” if disclosed.  Despite having released excerpts from an earlier version of the same document in response to one of our previous FOIA requests, and despite an unredacted copy of the entire document having been posted on a public Federal government website, the TSA now claims that no portion of the current version can be released.

Mr. Mocek’s request had been pending for more than a year before he received even this categorical denisal. In response to his periodic requests for information concerning the status of his request, he was told by the same TSA FOIA office staff who are handling our requests that  “processing” of his request was completed in January 2010, but that the response (i.e. informing Mr. Mocek that his request had been denied in its entirety) was delayed until July for “management review”. According to one e-mail message from the TSA to Mr. Mocek in February, “Your FOIA has been processed and is currently being reviewed by TSA management before a response can be sent to you.” This seems to indicate that Mr. Moceks’s request — and, we presume, our still-pending request for the same document — was subjected to the process of political review and illegal delay described in the documents released to the AP.

[We eventually received a response identical to that sent to Mr. Mocek, denying our request in its entirety.  We have appealed that denial.  To confirm whether our requests were among those improperly delayed or subjected to political scrutiny, we’ve filed new FOIA requests for the documents released to the AP and for all records of the processing of our previous FOIA requests and appeals.]

Jul 30 2010

Washington Post: “Secure Flight may be making your privacy less secure”

We’re quoted today in the Washington Post in a story by Christopher Elliott about how airlines are able to use personal information — collected under government duress for the TSA’s Secure Flight passenger surveillance and control scheme — for the airlines’ own marketing and other purposes.

“Could it be that the information we give airlines doesn’t belong to anyone or, worse, isn’t regulated by anyone?” Elliott asks.

A good question — and “privacy” may be the least of the problems with Secure Flight, as discussed in our testimony (quoted from, in part, in the Post story) at the TSA’s only public hearing on Secure Flight, our more detailed written comments submitted to the TSA, and our FAQ about Secure Flight.

Jul 30 2010

DHS plays politics with FOIA requests

The Associated Press reports that the Department of Homeland Security has been delaying responses to Freedom of Information Act (FOIA) requests — possibly including ours — while they are “reviewed’ by top political advisors:

[T]he Homeland Security Department detoured hundreds of requests for federal records to senior political advisers for highly unusual scrutiny, probing for information about the requesters and delaying disclosures deemed too politically sensitive….

The special reviews at times delayed the release of information to Congress, watchdog groups and the news media for weeks beyond the usual wait….

Political staffers reviewed information requests submitted by reporters and other citizens as a way to anticipate troublesome scrutiny. Days after the nearly catastrophic Christmas Day bombing attempt aboard a Detroit-bound airliner, they asked whether news media or other organizations had filed records requests about the attack.

[To confirm whether our requests were among those improperly delayed or subjected to political scrutiny, we’ve filed new FOIA requests for the documents released to the AP and for all records of the processing of our previous FOIA requests and appeals.]

Jul 27 2010

US but not UK gives travel “permission” for Iroquois lacrosse team

The good news: In one of the first tests of US rules purporting to forbid US citizens from crossing US borders without first obtaining US passports (issued at the government’s apparently standardless discretion), the US Department of State issued “one-time waivers” authorizing the “Iroquois Nationals” lacrosse team to leave the US (and presumably to return, although that’s not entirely clear from news reports) without carrying US passports.

The dispute arose because some Iroquois, like other Native Americans, have for many years used passports issued by their own tribes or nations.  Whether those passports were “passports” within the meaning of US law was largely irrelevant as long as passports were merely a convenience, not a requirement, for international travel.  Lacrosse was an Iroquois invention (for an introduction to the sport, see John McPhee’s essay last year in the New Yorker, “Spin Right and Shoot Left”, included in his latest anthology, “Silk Parachute”), and travel on Iroquois passports was and is especially significant for the Iroquois Nationals team, who compete on behalf of their own nation in international lacrosse tournaments.

While it was framed as a dispute over the sovereignty of the iroquois Confederations and/or the validity of Iroquois-issued passports, the US appears to have seen it purely as a question of whether native Americans who are also US citizens may leave or return to the US without US passports.

At first, the US had threatened to prevent the team from boarding flights to the UK for the international lacrosse championships. But without admitting either the “validity” of Iroquois passports (i.e. not whether they are genuine but whether they satisfy US requirement for exit or entry permits), or the invalidity of the passport requirements for US citizens, the US effectively backed down by granting the team “waivers” and, more importantly, saying that they would not interfere with their departure from the US.

This continues the pattern we have sen to date: We have yet to hear of a case in which the US government has actually prevented a US citizen from leaving or returning to the country on the basis of their not having, or declining to carry or display, a US passport. In every incident that has been brought to our attention, the US government has eventually indicated its willingness to stand aside from interference with departure from or return to the country without passports — although travel has sometimes been frustrated in other ways, such as refusal to give airlines permission to transport them. Presumably, the US government realizes that preventing its own citizens form leaving or returning to the country would be such a flagrant violation of international human rights law as to lead to diplomatic complications, even if it would be difficult to challenge on those grounds in US courts.

The bad news: After finally obtaining “permission” to leave the US without US passports, the Iroquois Nationals lacrosse team was denied visas by the UK — not on the grounds that their passports were invalid, or weren’t issued by a sovereign entity, but on the grounds that their passports don’t contain ICAO-standard “security” features required by the UK for visitors from the US.  It is, again, unclear from news reports what absent “features” were at issue, but they might have included machine-readability (OCR or RFID) or other aspects of formatting or data content.