Papers, Please! – Page 72 – The Identity Project

May 20 2010

Is “SPOT” a reasonable basis for suspicion or surveillance?

Today the Government Accountability Office released a detailed report on the TSA’s “Screening Passengers by Observation Techniques” (SPOT) program, providing considerably more detail than the TSA itself has ever provided, confirming the lack of any evidence that the program has spotted any terrorists, and suggesting implicitly that the DHS has been keeping yet another set of illegal records about innocent travelers.

We’ve followed the SPOT program since its existence was first revealed in 2004, and we’ve been detained, interrogated, and subjected to more intrusive search ourselves after being picked out by SPOT “Behavior Detection Officers”. (Fancy language for, “They didn’t like our looks, so they harassed us and gave us a thorough shakedown.”)

The SPOT program is the TSA’s attempt to adopt Israeli-style passenger profiling based on appearance and behavior (isn’t that supposed to be un-American, or at least illegal?), and now has a budget of more than $200 million a year. As shown in the diagram above from the GAO report, more than 150,000 people have been subjected to more intrusive search or interrogation as a result of being fingered by BDOs as “suspicious” or allegedly fitting the (secret, of course, this being the TSA) SPOT appearance and behavior profile. In 14,000 cases, police were called and passengers detained for “investigation”, typically including a police demand for, and logging of, their ID.

The GAO report serves mainly to confirm the obvious: There is no scientific evidence that the SPOT program has identified any actual would-be terrorists, or provides any legitimate basis for suspicion of those it singles out: Read More →

May 20 2010

Statistics on UK travel surveillance and control

It’s tempting to think that ID and PNR-based travel control systems don’t “work” as anti-terrorist measures (they obviously work as surveillance measures and as general law enforcement dragnets, as do house-to-house searches) solely because of the incompetence of the TSA and DHS. Could they be more effective elsewhere, if better implemented? That seems to be the view of some sectors of center-right opinion in Europe, where the EU continues to consider a mandate for members states to set up their own “Passenger Analysis Units” to decide who to allow to fly, even while the the European Parliament has defined strict standards that they would have to meet.

Newly-reported data from the UK, however, suggests the UK PNR scheme — the most developed and extensive in the EU to date — has all the same problems as the US one. This suggests that the defcst are in the concept, not the details of its execution, and calls in question whether any PNR scheme is likely to likely to be able to meet the Europarl’s criteria for acceptability.

USA presses travel surveillance and control agenda at ICAO

The International Civil Aviation Organization (ICAO) has been holding another round of meetings this week at its headquarters in Montreal. As we predicted, the US delegation has been pressing its vision of an integrated and standardized global system of surveillance and control of air travel, in which government access would be built into airline reservation systems (think, “CALEA for CRSs and PNR data”, worldwide) and government permission would be a prerequisite to boarding any flight on what used to be considered a “common carrier” required to transport all comers.

It’s hard to know what’s going on at ICAO meetings if you aren’t there (think of other international bodies like the WTO and WIPO), and no privacy or civil liberties group was in attendance. But outsiders can get some sense what’s in ICAO’s pipeline from its own recently-published Vision 2020 10-year plan and from the working papers submitted by participants in last week’s sessions of the facilitation panel, including these:
Read More →

May 18 2010

TSA still has no answers to key questions about “Secure Flight”

The procedures and timeline for implementation of the TSA’s Secure Flight scheme for identity-based surveillance and control of airline passengers are spelled out not in laws or published regulations but in secret Security Directives to airlines. So we noted with considerable interest this report today by travel journalist Charlie Leocha of a relatively rare public appearance by the head of the Secure Flight program (emphasis added below):

Paul Leyh, TSA Director Secure Flight Program, claimed that all U.S. airlines will be enrolled in Secure Flight within a month and that all foreign carriers will be working in the program by the end of 2010.

Speaking at U.S. Travel Association’s Pow Wow conference to encourage foreign tourism, Leyh noted that TSA is about to complete their mission of … performing the [watchlist] matches prior to allowing passengers to board….

The system sounds simple, however, there were significant IT hurdles to be overcome. Expanded data field requirements for online travel agents such as Expedia, Travelocity, Orbitz and Priceline were more complex than originally thought. The new data collection by brick and mortar travel agents meant internal profile systems to accommodate the storage of this very valuable and confidential information had to be developed…

Foreign journalists attending the press conference asked whether there is a judicial process to use should the normal DHS TRIP process not result in having your name cleared. Leyh didn’t have an answer for that question….

Leyh didn’t have an answer about privacy issues regarding the GDS [Global Distribution Systems, also known as Computerized Reservation Systems], airline reservation systems or travel agents who are allowed to keep all passenger information indefinitely and who fall under no privacy legislation.

Leyh may not have had answers today, but the TSA can’t avoid those questions forever, especially when they are being raised from abroad. Last month, the European Parliament voted to include both judicial review of no-fly orders and a review of US government access to CRS/GDS data in its conditions for any agreement to give the DHS access to data about passengers on flights between the EU and the US.

May 17 2010

Three Strikes?

Having been passed over for appointment to head the Drug Enforcement Administration, Deputy FBI Director John S. Pistole today got the booby prize as President Obama’s third-choice nominee to head the Transportation Security Administration.

For those who haven’t been keeping score, retired spymaster and Army General Robert A. Harding withdrew his name from nomination in response to questions about overbilling and cronyism in contracts between his security consulting firm and his former military comrades. Obama’s first choice, former Las Angeles airport cop Erroll Southers, withdrew earlier after apparently lying to Congress about his having used his police connections improperly to get derogatory information from supposedly restricted police files about his estranged wife’s lover.

We have the same questions for Mr. Pistole as we’ve had for the previous nominees for TSA administrator.

As of now, the TSA is still being run on auto-pilot by caretakers from the previous administration. Unfortunately, we don’t see anything in Mr. Pistole’s official biography as a career cop, or the President’s statement about his nomination (which mentions only a desire to “stengthen” screening at airports, and says nothing about strengthening civil liberties or human rights) to suggest any likelihood of improvement in TSA policies.

May 17 2010

What happens when you “show” ID?

It’s tempting to think that when you show a business or government agency your identity credentials, all that happens is an ID “check”. They verify that your ID is genuine, and that it shows that you are in a category of people who are authorized to cross a border, buy alcohol, operate a motor vehicle, or whatever. And then you’re on your way.

What’s wrong with this? Demands for ID are wrong, but what’s also wrong with this picture is that, increasingly often, this isn’t all that’s happening.

A new product announcement shows how much more than “verification” is sometimes going on behind the scenes. A press release from Uveritech announces their new North American franchise to distribute a document authenticator made by L-1 Identity Solutions, the prime contractor for producing US drivers licenses as well as many countries’ passports.

L-1’s website describes the desktop device as, “A combined hardware and software product that automatically authenticates a wide range of documents, including passports, visas, immigration cards, driver’s licenses and military ID cards.” But the product description shows that it performs much more than mere “authentication”, including scanning, optical character recognition (conversion of the image of the document to text), and reading of RFID chips in passports, enhanced drivers’ licenses, and other documents, as well as:

“Automatically Cross Reference Smartchip data in the MRZ [Machine Readable Zone].
“Collect and organize data and images from document transactions through the configurable options in the embedded relational database….
“Print and/or send … executable files with the images….
“Seamlessly integrate with any existing government or commercial network infrastructure, (i.e. Australian Customs, ABN AMRO, Brazilian Border Police.)”

So what’s being advertised under the rubric of “authentication” is actually automated capture of information about you (not just the visible data but also the machine-readable data in the magnetic stripe, lines of OCR type, and/or RFID chip, using L-1’s expertise in document and data formats derived from its role as government contractor ), conversion of this information about you to standardized digital format, loading of this data into an embedded relational databases, and “seamless[] integrat[ion]” of that database “with any existing government or commercial network infrastructure”.

Still feeling sanguine that it’s “just a quick check” of your ID, after which you can be on your way without further concern for future repercussions as long as you’ve been allowed to pass?

Canadian privacy office questions US surveillance of Canadian travelers

In testimony before a Canadian parliamentary hearing last week by Assistant Commissioner Chantal Bernier, the office of the Privacy Commissioner of Canada raised questions (previously asked in the Canadian press) about the implications for Canadian travelers of the US Secure Flight program — questions that travelers in the US and other countries should share.

Asst. Privacy Commissioner Bernier noted that despite Canadian objections, the US continues to insist on applying the Secure Flight requirements (transmission of passenger data to the DHS, and receipt by the airline of affirmative DHS permission before each prospective passenger is allowed to board a flight) to flights that pass through US airspace to and from Canada, even if they never land in the USA. This includes most flights between Canada and Central America, South America, and the Caribbean. As Bernier pointed out to Members of Parliament, “This means that DHS will collect personal information of Canadian travelers. This is not without risk.”

It’s worth noting, although it wasn’t reported to have been mentioned at the hearing, that Canada imposes no comparable requirement for the vastly larger number of flights to and form the USA that pass through Canadian airspace. These include virtually all transatlantic flights to and from the USA, and transpacific flights to and from all points in the USA east of the West Coast. Nor does any other country through which flights routinely pass en route to and from the USA. Most flights between Miami and Latin America, for example, pass over Cuba. But American Airlines is required neither to provide the Cuban government with detailed information about each passenger on those flights, nor to obtain Cuban government permission before allowing them to board.

Important as they are, however, the concerns raised in last week’s testimony suggest that even the Office of the Privacy Commissioner of Canada still doesn’t fully appreciate the scope of the problem or of the violations of Canadian law.

Asst. Comm. Bernier’s statement was limited to flights to, from, or overflying the USA. We suspect that her office is unaware that the DHS already has ways to get access — without the knowledge or consent of anyone in Canada, including airlines and travel agencies — to information about passengers and reservations for flights within Canada and between Canada and other countries, regardless of whether they pass though US airspace.

Two-faced Biden speech on “privacy” and surveillance

US Vice President Joe Biden gave a remarkable speech today at the European Parliament, devoting substantial time to professions of personal and institutional US commitment to “privacy” while focusing his policy agenda on lobbying the EP to approve warrantless, suspicious US government access to European financial (SWIFT/TFTP) and travel (PNR) data. If you don’t have time to watch it all, the discussion of privacy and surveillance starts at around 21:15.

Swedish libertarian blogger Hendrik Alexandersson’s comments about Biden’s tightrope act are, perhaps, indicative of the lack of persuasive power of such obviously hypocritical arguments for those genuinely committed to civil liberties.

Biden’s speech was a day late, following Europarl votes yesterday not to approve proposed SWIFT and PNR agreements with the DHS, but instead to set strict new condiitions any such agreements will have to meet.

Biden’s focus on “privacy” also indicates a lack of appreciation for what the EP resolution on PNR data actually says. It’s not limited to privacy or data protection, but makes explicit that the fundamental rights at stake include the right to travel, as guaranteed by Article 12 of the International Covenant on Civil and Political Rights. The new terms of reference for any PNR agreement that will be acceptable to the EP are the criteria established by the U.N. Human Rights Committee for evaluating whether measures that implicate freedom of movement are consistent with that treaty. That right to freedom of movement, and those standards for it — entirely ignored by V.P. Biden and, to date, by the DHS, which has entirely ignored our formal complaint that their use of PNR data violates the ICCPR as well as the Privacy Act — are what both US and EU negotiators should be studying closely as the starting point for new negotiations on PNR data.

May 05 2010

European Parliament hands DHS a setback on access to PNR data

Today the Department of Homeland Security received its most significant rebuff from any democratically elected body since the DHS was created after September 11, 2001.

In response to a recommendation from the Council of the European Union (the EU member national governments) for approval of the “interim” agreement under which the DHS obtains all airline reservations (PNRs) for flights between the USA and the EU, the European Parliament instead voted to send the European Commission back to the negotiating table, and set strict conditions (which the DHS will likely be in part unable and in part unwilling to meet) that must be satisfied before Parliament will approve any such agreement in the future.

The motion for a resolution was jointly sponsored by representatives of all seven political groups in the Parliament. The votes by show of hands — including votes in favor of several amendment to strengthen the resolution — were overwhelming, with insufficient opposition to necessitate recorded votes. And that was in spite of what our sources in the Parliament tell us was an unprecedented and heavy-handed US government lobbying campaign.

The vote today in Brussels follows a Parliamentary hearing (at which we testified) and a debate last month in Strasbourg on travel surveillance and control, the likes of either of which the US Congress has yet to hold — despite the leading role of the US since September 11, 2001 (and even before then) in implementing a system of mandatory retention of travel data, using it as the basis for a permission-based travel control regime, and attempting to get these schemes adopted as global norms.

The ability of the Parliament to dictate conditions for negotiations to be conducted by the European Commission, with the implicit threat to veto any agreement that fails to meet those conditions, is one of the first expressions (the first was Europarl rejection of DHS access to European inter-bank wire transfer data) of the new veto power that the Parliament acquired in December 2009 when the Lisbon Treaty came into effect.

What has the European Parliament done? What happens next? And what else remains to be done, outside the negotiating room? Read More →

Apr 30 2010

Arizona radio call-in discussion on S.B. 1070

We’ll be on the Jay Lawrence Show on KTAR (92.3 FM) in Phoenix this Sunday, May 2nd, from 7-8 p.m. Arizona time (7-8 p.m. PDT, 10-11 p.m. EDT) to discuss and take calls on the new Arizona “immigration enforcement” law, S.B. 1070, its implications for ID demands, and the amendments to the new law already being proposed in Arizona H.B. 2162.

KTAR-FM (live audio stream) has the largest listenership of any talk-radio station in the state. Last week in this same time slot they interviewed the sponsor of S.B. 1070, and we’re happy to have a chance to represent the other side of the debate.

[Update: Our appearance on KTAR has been preempted by an interview with a Congressional candidate. “This issue isn’t going to go away,” though, says Jay Lawrence, and we are working to reschedule.]