Oct 21 2009

Softball questions for TSA nominee

President Obama’s much-belated nominee to head the Transportation Security Administration, Erroll Southers, faced only softball questioning at a confirmation hearing last week before the Senate Committee on Commerce, Science, and Transportation. None of the questions we’ve raised for the nominee about TSA policies and procedures, or about the philosophical or practical attitude of the nominee toward the right to travel, were asked by any of the Senators. Nor, despite the nominee’s background as a policeman (L.A. airport police commander and former FBI agent), was there any exploration of the role of the TSA as the Federal police agency that most often interacts directly with people who are accused of no crime — literally the front lines of Federal policing of innocent citizens.

The nomination of Mr. Southers has also been referred to the Committee on Homeland Security, which plans to hold its own confirmation hearing after it receives further background information from Mr. Southers, probably in late November.

If you want to know whether the Obama Administration and its nominee plan to set a new course for the TSA, let your Senators and the members of the Homeland Security Committee know that you want them to ask tough questions (“Do we have a right to travel? Should the obligations of travelers at TSA checkpoints be spelled out in publicly-disclosed regulations? Should no-fly decisions be subject to judicial review? Should we have to show ID to fly? Should the government keep records of our travels?”) before they vote to approve any nominee for TSA Administrator.

Oct 01 2009

Should an invalid ticket make you a criminal?

During today’s markup by the Senate Judiciary Committee of S.1692, the “USA PATRIOT Act Sunset Extension Act of 2009” (note that there is no “USA PATRIOT Repeal Act”),  Senator Jon Kyl (R-AZ) introduced a truly bizarre and obviously ill-considered amendment to criminalize “Fraud and related activity in connection with identification documents, false travel documents, authentication features, and information.”

The amendment would amend 18 U.S.C. 1028 to add tickets and boarding passes for airlines or any form of mass transportation, making it a Federal felony knowingly to “produce”, “transfer”, traffic in, possess with intent to use, etc.:

a document issued for the use of a particular, identified individual and of a type intended or commonly accepted for the purposes of passage on a commercial aircraft or mass transportation vehicle, including a ticket or boarding pass, that —

(A) was not issued by or under the authority of a commercial airline or mass transportation provider, but appears to be issued by or under the authority of a commercial airline or mass transportation provider; or

(B) was issued by or under the authority of a commercial airline or mass transportation provider, and was subsequently altered for purposes of deceit.

The ostensible intent is apparently to stop the use of Photoshopped (or “gimped”?) boarding passes, which would be a pointless exercise anyway. But as written, Kyl’s amendment would sweep in a far wider range of activity, such as mere possession of a ticket issued by a travel agent whose appointment had been revoked by the airline. The main beneficiaries would be airlines and mass transit agencies, who would find what are currently either torts or minor state crimes by their customers converted into serious Federal felonies. A first offense of altering the expiration time on city bus transfers for a family of five people, or possession of five subway-token slugs, for example, would be punishable by up to 15 years in Federal prison.

The best-known of the print-your-own boarding pass generators was published by Christopher Soghoian, who was investigated by the FBI but charged with no crime, and who now works for the Federal Trade Commission’s Bureau of Consumer Protection in its division of privacy and identity protection. Soghoian reports from today’s markup session that presiding Judiciary Committee Chairman Leahy ruled Kyl’s amendment out of order as not germane to the USA PATRIOT Act bill under consideration, after which Kyl said he would introduce it as a separate bill.

Oct 01 2009

Do you need government ID to observe Federal government meetings?

With the public paying more attention to Federal financial policy, more people might be interested in watching government meetings like those of the Federal Reserve Board.

But what if you don’t have government-issued identity credentials, or don’t choose to show them? Are you still entitled to observe your tax dollars at work?

We recently came across this 2002 opinion from the Office of Legal Counsel of the Department of Justice, advising the Federal Reserve Board that notwithstanding the open meeting requirements of the Government in the Sunshine Act, the Fed can prevent people from watching its meetings if they don’t give advance notice of their intent to attend, don’t have or won’t reveal their Social Security Number or various other information, or if they don’t have or won’t show a photo ID.

Footnote 4 of the 2002 opinion points out a 1977 DoJ letter that states, “[o]f course, any person may attend a meeting without indicating his identity and/or the person, if any, whom he represents and no requirement of prior notification of intent to observe a meeting may be required.” However, the OLC “disagrees with” that letter.

This took place, of course, at a time when the OLC was also advising Federal agencies on the legality of torture, “extraordinary rendition”, and so forth. But we can find no record of any action by the Obama Administration to rescind or update this advice.

All of which begs the Catch-22 question of what happens to people who want to enter government buildings where ID is required for entry — such as passport offices located in Federal office buildings — in order to apply for the ID credentials they don’t yet have.

Oct 01 2009

Congress, investors won’t let “Trusted Traveler” die

At a hearing yesterday before the Subcommittee on Transportation of the House Homeland Security Committee, Republicans and Democrats joined in urging a re-start of the all-but-bankrupt “Registered Traveler” or “Trusted Traveler” scheme that shut down this June. Subcommittee members even went so far as to criticize the TSA for having planned — until members of Congress and a temporary injunction in a customer lawsuit for refunds prevailed on them to hold off — to delete the fingerprints, iris scans, and other personal data collected for use by the TSA and the Registered/Trusted Traveler vendors. If you think this data should be purged from government files sooner rather than later, let your representative know what you think.

Amazingly, there are even private equity investors who showed up at the hearing to proclaim their readiness to buy some of the assets (including the personal data bank, of course, but not the liability for refunds to no-longer-trusted travelers who now want out) of the largest of the former registered-traveler operators, “Clear” Verified Identity Pass, and to try to bring it back to life.

But the would-be investors made clear that their business model would depend on government support.  The TSA has admitted that the Registered Traveler program has no security value, and stopped conducting, or charging for, background checks on applicants.  That leaves the program as nothing more than a way for members to pay extra to go through a dedicated line at the TSA checkpoint, which is possible only if the TSA allows these private companies to control access to the government checkpoint people have to pass through to travel by common carrier.  Sort of like a government-facilitated scheme to allow you to bribe your way to the front of the line.  Except that it’s more like extortion than bribery, since the point is not to receive government services but to avoid (in part) government restrictions and costs imposed on the exercise of rights.

The government has no business collaborating with this racket, or helping private businesses shake down members of the public who can’t afford the delays imposed by TSA security theater.  “Trusted Traveler” is dead, and the government should leave it in its grave.

Sep 28 2009

Now that Ted Kennedy’s dead, the TSA’s found somebody else in Congress to harass

Senator Edward M. Kennedy (D-MA) used to have constant trouble at airports because a name similar to his was on the TSA’s “no-fly” list.  Even as a senior Senator he couldn’t find out why, and couldn’t get the harassment stopped (which he eventually mentioned publicly during a Senate hearing) for more than three weeks.  For ordinary mortals, “redress” takes months or years, if it ever happens at all.

Now it’s Representative Jason Chaffetz (R-UT) — sponsor of the amendment passed overwhelmingly by the House in June, despite opposition from the leadership of both major parties, to restrict the TSA’s use of virtual strip search (“Whole Body Imaging”) machines at checkpoints in airports — who’s gotten on the TSA’s VIP list for special treatment.

According to reports in the Salt Lake Tribune and Deseret News, frequent-flyer freshman Congressman Chaffetz — who has refused to move to Washington, sleeps on a cot in a back room of his Congressional office during the week, and flies home to Utah to be with his family every weekend — got into trouble at SLC last week after he (1) refused to “consent” to a virtual strip search (“Chaffetz had told the House, “You don’t have to look at my wife and 8-year-old daughter naked to secure an airplane.” He says he didn’t want the TSA looking at him naked either. He told the Deseret News the TSA has not lived up to promises to post signs about what the whole-body imaging machine does”) and then (2) tried to read the name on a TSA agent’s badge (which the agent only showed him after Chaffetz identified himself as a member of Congress, although the TSA agents said they already knew who he was).

Of course, Chaffetz was then “randomly” selected for extra groping (“secondary screening”).  But we’re sure that had nothing to do with his political opinions or attempts to hold the TSA accountable to the laws he helps make.

Sep 28 2009

FBI wants records from travel data aggregators

Ryan Singel of Wired News has reported that documents (see the links to some of them at the end of the Wired story) provided in response to requests under the Freedom of Information Act show that the FBI’s National Security Branch “National Security Analysis Center” (NSAC) has obtained a variety of commercial travel records from hotel chains and franchisers, car rental companies, and the operator of the financial clearinghouse for most airline tickets (and some other travel services) issued or sold by travel agents in the USA.

The numbers of these records that Wired reports the FBI has already obtained are small compared to the numbers of customers these companies have, but Wired also reports that the FBI documents it obtained show that the FBI is seeking, as part of a lengthy “wish list” of data types and sources, to get greater and perhaps routine and comprehensive access to these travel records.

Given the lax rules for inter-agency data sharing, and the FBI’s lead role in the inter-agency “Terrorist Screening Center” where no-fly decisions enforced by the TSA are made, it’s less important which specific federal agency has or is seeking this data than what information they are after, and from whom.

Sep 09 2009

More travel records, more exemptions from the Privacy Act

An anonymous traveler has posted the records of their international travel that were provided by the Customs and Border Protection (CBP) division of the Department of Homeland Security, in response to a request under the Privacy Act using these forms updated from those used by the Identity Project in our original investigation of the CBP “Automated Targeting System” (ATS). As noted by philosecurity.org, which published the latest example of the government’s travel data vacuum cleaner, as provided by one of the site’s readers,

The document reveals that the DHS is storing the reader’s:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

There are also the details of a reservation at a hotel the person didn’t end up staying at, but which they had a reservation for when the CBP pulled a snapshot of their PNR from the airline or CRS. Sadly, all this is typical of what’s in a PNR and what we found in our continuing investigation of CBP/DHS travel records.

Meanwhile, even as more travelers are finally getting portions of their travel records, the DHS published a new final rule on August 31, 2009 (74 Federal Register 45070-45072) exempting portions of those records from the Privacy Act.

Aug 27 2009

Of course it’s not a national ID card

Whenever questions are raised about national ID schemes like REAL-ID or PASS-ID, their more public-relations savvy proponents are always quick to say, “But of course this isn’t a national ID card”.  The same goes for L-1 Identity Solutions, the prime drivers license, ID card, and ID and biometric database contractor, aggregator, and data miner for California and the majority of other states (and keynote presenter at ICAO’s upcoming Symposium on Machine Readable Travel Documents next month in Montreal).

So we were interested to see how L-1 describes its products to its customers in this full-page ad on the back cover of the latest issue of ICAO’s Machine Readable Travel Document Report:

But of course, this isn’t a national ID card.

Aug 24 2009

Travelers more worried about TSA than airline safety

Travelers are more concerned about TSA screening than airline safety, according to the results of the first poll conducted by the Consumer Travel Alliance.

“TSA screening” ranked sixth in the survey, with 44.1 percent of respondents saying it was of the highest priority among all possible travel issues (not limited to airlines). “Airline safety” was seventh, with 41.1 percent rating it among the “most important” consumer travel issues.

Congress, are you listening?

Aug 20 2009

“Clear” data temporarily enjoined from sale, but not yet safe

According to news reports today, Verified Identity Pass, Inc. (“VIP”), which operated the defunct Clear traveler registration scheme, has been temporarily enjoined by a Federal court from selling or transferring to any third party any data about its (former) customers.

That doesn’t mean that the personal data about “VIP” travelers — including fingerprints, iris scans, and data about their passage through “Clear” lanes at airports — is safe.  The injunction is only preliminary, and was issued in a case in which Clear customers have sued for refunds.  More importantly, VIP is not (yet) bankrupt and hasn’t yet been sold, although since the shutdown of the Clear service it has no revenue and no way to avoid bankruptcy except through a sale of all or part of its business or assets.

The terms of service and privacy policy for the Clear program contained an explicit provision authorizing the sale or transfer of customer data to another company providing a similar service, as part of a sale of the entire line of business. And if VIP goes bankrupt, the bankruptcy court would still be required to auction the personal data to the highest bidder, unless in the meantime Congress enacts new privacy protection for personal data in bankruptcy cases.