Papers, Please! – Page 80 – The Identity Project

Mar 18 2009

NPR parrots the government line on RFID passports

Today’s edition of “All Things Considered” includes a puff piece on e-passports with embedded RFID chips, based entirely on propaganda statements by government spokespeople. For the other side of the story that NPR didn’t bother to cover, see the listener comments in NPRs blog, our previous articles on RFID chips in government-issued identity documents, and reports elsewhere on how RFID passports facilitate ID theft, how the globally unique ID numbers on the RFID chips facilitate surveillance, how the encryption used for the rest of the data on the RFID chip has already been cracked, and how space has already been reserved in the data structure on the chip for logs of travelers’ movements.

Mar 11 2009

European court invalidates secret carry-on baggage blacklist

In a judgment announced yesterday, the European Court of Justice has ruled that a secret list promulgated by the European Commission, specifying items to be prohibited from airline carry-on baggage, cannot be enforced against individual airline passengers because it was not made public:

The annex to Commission Regulation (EC) No 622/2003 of 4 April 2003 laying down measures for the implementation of the common basic standards on aviation security, as amended by Commission Regulation (EC) No 68/2004 of 15 January 2004, which was not published in the Official Journal of the European Union, has no binding force in so far as it seeks to impose obligations on individuals.

The decison means that the original plaintiff, Gottfried Heinrich, who was ordered off a plane before it departed from Vienna Airport because he had carried on an item on the secret list (to wit, a tennis racket), is now free to sue the airline and/or the airport operator in an Austrian court for damages.

DHS considering hackable long-range RFID as “alternative” to REAL-ID

Chris Strohm of the National Journal’s CongressDaily reports:

Homeland Security Secretary Janet Napolitano, a former governor of Arizona, said Monday that her office is participating in a working group established by the National Governors Association to review the so-called Real ID law, which Congress passed in 2005 while under Republican control.

“What they’re looking at is whether statutory changes need to be made to Real ID,” Napolitano said after a speech to Homeland Security employees marking the sixth anniversary of the department’s creation.

“They are looking at whether some version of an enhanced driver’s license that perhaps creates options for states would be feasible. They’re looking at what the fiscal impact would be particularly given that states have no money right now,” she added.

“I would expect that over the course of the spring we’ll be rolling something out,” she said.

So-called “enhanced” drivers licenses, already being issued in Washington and Vermont, contain a remotely-readable long-range (“vicinity”) RFID chip, in violation of ICAO international standards for only shorter-range RFID chips in travel documents, with a globally unique identification number to permit anyone within range to track the card or the movements of the person carrying it. Hackers have already demonstrated, in on-camera real-world tests on the streets of San Francisco, that these enhanced drivers licences and the passport cards that use the same type of RFID chips have succeeded in their design goal of being readable from inside or outside a moving car as it passes by.

This is no “solution” to the problems of the REAL-ID Act, and no improvement.

As we’ve argued in our proposals to the administration and Congress, the only solution to REAL-ID is repeal. Until Congress takes that essential action, states and citizens should continue their refusal to comply with REAL-ID.

Feb 20 2009

“Homeland Security USA” shows how to travel without ID

The new “reality” television show Homeland Security USA has prompted a Facebook group calling for it to be taken off the air, and protests against its bigotry outside the ABC-TV / Walt Disney Corp. offices in Burbank, even while ratings and viewership have been falling steadily since the first episode.

This week, though, the show gave us a useful lesson: how to fly (within the U.S.) without showing ID.

You can watch Benjamin fly without showing ID in the first half of Episode 5 here on the ABC.com website. (The player won’t work unless it thinks you are running Windows XP or Vista, but it’s possible — sometimes — to get it to work in Linux by using the Windows version of Firefox in the “wine” environment.) Read More →

Feb 11 2009

ID checks and government logs of hotel guests

Demands for ID credentials from hotel guests are once again in the public eye, with commenters in travel journalist Christopher Elliott’s blog weighing in with opinions on his recent article about an Orlando hotel, Hotel shows customer the door after he refuses to show ID — can it do that?

This sort of thing doesn’t happen only in the land of Disney World, though. Coincidentally, one of the final public acts of the outgoing Chief Privacy Officer of the DHS last month was to release a lengthy analysis of European laws and practices for requiring hotel guests to identify themselves, and for government access to those records: Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data. Read More →

Feb 09 2009

Exit permits, ESTA, APIS, and asylum seekers

According to a recently-released European Commission staff working document, the U.S. Electronic System for Travel Authorization (ESTA) is not “tantamount to the … visa … process” required for admission to the European “Schengen Zone”, and therefore does not give cause for the imposition of reciprocal visa requirements for US citizens seeking to enter Schengen countries.

That’s may be correct. But the EC appears to have asked the wrong question: the ESTA is not an entry permit but an exit permit scheme — which is a much more fundamental violation of human rights, U.S. treaty obligations, and the sovereignty of European and other countries from which people might wish to travel to the U.S.

The same is true of other U.S. travel control schemes (including the APIS and Secure Flight regulations), the proposed European PNR regulations, and the “carrier responsibility” rules in both the U.S. and the E.U. Regardless of whether it is referred to as “travel authorization”, “pre-departure clearance”, or “permission to transport”, the only meaningful way to construe a “travel authorization” that isn’t an entry visa is as a de facto exit visa. Read More →

Feb 04 2009

Amtrak police arrest participant in Amtrak photo contest

On December 21, 2008, Amtrak police arrested a photographer taking pictures on a public platform at Penn Station in New York … in response to an Amtrak photo contest calling for the public to submit photos of Amtrak trains.

We had heard about this story before, but now the Colbert Report has the story including an interview with the photographer, Duane Kerzic, and a reenactment of the incident, in the form of a great parody of the new Homeland Security USA “reality” show. Kerzic’s own Web site includes his own description of what happened and actual photos before and after his arrest (including his injuries from the police).

Full episodes of the “real” Homeland Security USA are available in a peculiar streaming video format on the ABC television Web site. (The player will only work if it thinks you are running Windows XP or Vista, but you can get it to work in Linux by using Firefox for Windows in the Wine environment.)

Episodes of the show broadcast to date, and available online, include such incidents as the warrantlesss “dump” of the data in a cell phone carried by a person trying to enter the U.S. from Canada, and their (and their companions’) being refused entry to the US based on a phone number in the cell phone believed to match a number associated with an entry for a different person on the no-fly list. All without any hearing or involvement by a judge, of course, and without their being told anything about the data in the no-fly list entry used as the basis for refusing to allow them into the U.S.

Feb 03 2009

Drive-by reader for RFID drivers licenses and passport cards

Hacker and researcher Chris Paget has demonstrated the ability to read the globally unique serial numbers on RFID chips in passport cards and electronic drivers licenses in the purses and pockets of pedestians on the street from a passing car, at least 30 feet (9 m) away, and to make cloned copies that broadcast the same ID numbers, using a laptop computer and commercial surplus hardware bought on eBay for $250.

Recent developments in the USA in travel data

(Comments of the Identity Project at a workshop on “What’s on the agenda in the USA and Canada?” at the annual conference on Computers, Privacy, and Data Protection, Brussels, 16-17 January 2009)

Two major issues have emerged in the last year in relation to personal data about travel: (1) The overall goal of the government of the USA in its various policy initiatives on “travel security” has become increasingly clear. The USA is seeking to establish a global norm that:

Government-issued identity credentials should be required for all forms of travel, domestic and international.
All travel transactions should be recorded in a lifetime “travel history”.
Pre-departure government permission should be required for all travel (based on the identity credential and the associated historical dossier), particularly for air travel or international travel.

“We Will Not Be Silent” on JetBlue Airlines

Showing that they haven’t lost their ability to waste their stockholders’ and the taxpayers money by violating travelers’ rights, JetBlue Airlines and two TSA officials have paid $240,000 to a JetBlue passenger who they forced to cover up the message on his t-shirt as a condition of allowing him to fly home from New York to California.

Raed Jarrar, an Iraqi-American who works for the Nobel Peace prize-winning American Friends Service Committee, was prevented by both JetBlue and the TSA from boarding the plane until he covered up his shirt, which said “We will not be silent” in both English and Arabic.

JetBlue previously had to apologize to its customers for turning over its entire historical PNR database of records about everyone who had ever taken a JetBlue flight to a military contractor working on a profiling scheme linked to the Total Information Awareness program, prompting lawsuits by several groups of passengers.

Perhaps now that the TSA has settled with Mr. Jarrar, we can once again safely wear the “Suspected Terrorist” buttons that got John Gilmore and his traveling companion kicked off a British Airways flight in San Francisco.