Papers, Please!

The Identity Project

Aug 01 2025

Senate postpones hearing on TSA facial recognition and ID verification

Earlier this week the Senate Committee on Commerce, Science, and Transportation postponed  a scheduled hearing on a bill that would limit some uses of facial recognition by the  Transportation Security Administration (TSA), while authorizing the TSA to carry out “identity verification” of airline passengers and take mug shots of all those air travelers who don’t show an “approved identification document”.

The original version of the “Traveler Privacy Protection Act” as it was introduced in 2023 would have imposed a straightforward prohibition on use of facial recognition by the Transportation Security Administration (TSA) without explicit Congressional authorization: “The Administrator [of the TSA] may not, for any purpose, use facial recognition technology or facial matching software in any airport unless such use is expressly authorized by an Act of Congress enacted after the date of the enactment of this Act.”

It is, of course, a sign of how far beyond its legal authority the TSA has already gone that Congress would need to consider a bill to explicitly prohibit the TSA from exceeding the authority it has been granted by Congress. But that’s the situation we’re in.

The revised version of the bill put forward in 2024 as an amendment to the Federal Aviation Administration reauthorization act and reintroduced as a standalone bill in 2025 would authorize use of facial recognition by the TSA for “confirmation of the identity of a passenger before admittance to the sterile area of the airport,” provided travelers are given notice that being photographed is voluntary and that the TSA “does not subject passengers who choose the opt-out option to discriminatory treatment, additional screening requirements, less favorable screening conditions, or other unfavorable treatment.”

The revised bill would also mandate that the TSA, “for each passenger who chooses the opt-out option, performs identity verification using an approved identification document and without collecting any biometric information from such passenger… The [opt-out] option … does not apply with respect to a passenger— (i) who does not provide an acceptable form of identification at a security checkpoint; and (ii) whose identity the Administrator may need to verify through alternative measures to enter the sterile area.”

This bill would thus impose a new obligation on the TSA to carry out “identity verification”, leaving it ambiguous what (if anything) is required of travelers. But as we noted when this revised language was first introduced last year, despite the ambiguity in the bill,  it would for the first time create at least an arguable statutory basis for the TSA to claim — as it undoubtedly would claim, in a shift from its consistent admission to date in court that no law or regulation requires air travelers to show any ID — that airline passengers are required to identify themselves in some fashion, either through an approved ID document or facial recognition.

Read More

Jul 30 2025

Palantir breaks new ground in algorithmic surveillance and control

One of the biggest beneficiaries of the expansion of the homeland-security industrial complex since the second inauguration of Donald Trump has been Palantir.  Shares of Palantir stock have doubled in value since Trump’s re-election.

Both the Department of Defense and the Department of Homeland Security have expanded their contracts with Palantir for data aggregation, data mining, algorithmic profiling, predictive “pre-crime” policing and preemptive war, and automated decision-making.

But is Palantir just doing more of what it has been doing since at least the first Trump presidency? Or is it (also) doing something new? We think it’s doing both.

Palantir is one of the prime contractors being paid to carry out President Trump’s executive order for the integration, mining, and use for decision-making throughout the Federal government of information about individuals held by any Federal agency, regardless of what agency originally collected it or for what purpose. Trump’s executive order seeks to define “purpose limitation”  — one of the fundamental principles of fair information practices — out of existence, at least as applied to the Federal government.

Working with and for the Department of Government Efficiency, Palantir has been central to this Federal government-wide effort to abolish “data silos”. Palantir is reportedly building aggregated databases and platforms for analysis and decision-making about both immigrants and foreign visitors and US citizens.

The expansion of Palantir’s activities has, unsurprisingly, made Palantir a focus of renewed protest.

Some of Palantir’s expansion is just more of more of what it was already doing. In particular, Palantir pioneered natural-language queries for mining of complex datasets and complex algorithms for identification of patterns in data long before either of those processes came to be labeled “artificial intelligence”. Now it’s applying these tools to a wider range of data and decisions. But the fundamental dangers remain the same. As the algorithms and the volume of data ingested become sufficiently large and complex, it becomes impossible to attribute a decision to any specific item of data or rule, or to exercise human oversight or judicial review of that algorithmic decision.

Meanwhile, Palantir’s expanded work for the US government has broken new ground, or broken through barriers, in several ways:

  • Expansion from the Departments of Defense (DOD) and Homeland Security (DHS) to all components of the Federal government;
  • Expansion from people and activities with some foreigners or foreign travel or trade to all US citizens; and
  • Expansion from decisions about air travel and entry to the US to all types of Federal government decisions about what individuals are or aren’t allowed to do.

The impact of all of these changes is to normalize pervasive suspicionless surveillance — collection, retention, and integration of data about movements, activities, and transactions — and permission-based extrajudicial government control as the defaults.

While this is an expansion of previous government intrusions on individual freedom of movement and action,  it’s also a fundamental conceptual shift from the assumption of an “airport exception” to the US Constitution or a “non-US citizen exception” to Constitutional or human rights, to a permission-based regime of government surveillance and control applied to all individuals and all activities within reach of US government power.

In the conceptual framework that underlies Trump’s executive order on “data silos” and Palantir’s work to build an omniscient and omnipotent “artificial intelligence” platform, there are no limits to the scope of individuals or activities to which it is applied.

The DHS data lake is now a US government-wide data ocean in which we all swim, all the time, and in which Palantir is constantly monitoring and choosing which fish to corral or catch.

Jul 08 2025

The dangers of identity databases

After a white-supremacist hacker got access to digital records of old applications for admission to Columbia College and passed them on to the New York Times, the Times reported that in 2009 Zohran Mamdani checked boxes identifying his national origin and ancestry as African-American (he is a US citizen — an American — and was born in Uganda — the country in Africa where his paternal ancestors had lived for generations) and Asian (his mother was born in India, where her ancestors had lived for generations).

Questions have since been raised by Liam Scott in the Columbia Journalism Review and others as to the use in a news story of data obtained illegally by an unnamed third party with an unmentioned political bias, and by Dan Froomkin at Presswatchers.org and others as to whether these truthful factual 2009 statements by Mr. Mamdani are newsworthy. The Times has responded to some of these questions in a follow-up article.

But we have other questions that we haven’t seen asked elsewhere. These are questions not for Mr. Mamdani or the Times but for Columbia University:

  1. Why does Columbia still have this information about an unsucessful 2009 applicant for admission in its records?
  2. Even if there was some reason to retain these records, why were they accessible online, with or without whatever passwords or access restrictions were circumvented by a hacker to obtain them?
  3. Now that this incident has made the potential for misuse of records like this apparent, what are Columbia and other institutions and entities with similarly dangerous data doing to expunge it?

At a time when naturalized US citizens, including but not limited to Mr. Mamdani, are being threatened with denaturalization followed by detention and/or expulsion to overseas death camps,  and when pogroms are being carried out by masked armed gangs snatching people off the streets on the basis of perceptions of national origin, these are questions for anyone in charge of a database with a field for citizenship, race, or national origin.

Mr. Mamdani had good reason to apply to Columbia, even if his application may have been a long shot, since as the child of a tenured Columbia professor he would have been entitled to free tuition if admitted. But whatever purpose Columbia may have had in 2009 for asking applicants for admission to its colleges to categorize their national origin by continent, that purpose was completed when Mr. Mandani’s application was rejected.

The lesson of this teachable moment is that personally identified information, even information about attributes and activities that were lawful at the time and that were collected for innocent purposes, has the inherent potential for weaponization against innocent individuals — sometimes by unforseen actors in unforseen ways — as long as it is retained. It’s happened before in the US, as when census data on national origin was used to round up Japanese-Americans and send them to concentration camps, and could happen again as long as data like this is collected and retained.

Columbia may claim that it retained this data in case it might have needed it to defend agaisnt potential litigation by unsuccessful applicants. But the statute of limitations for any such litigation related to 2009 admission decisions would have passed years ago.

Columbia may claim that, having collected this data, it retained it for research purposes. But there’s been no indication that it made any attempt to even semi-anonymize this data. And would possible future research use justify retention of information that could endanger past applicants for admission?

Under Canadian or European data privacy law, retaining this data when it was no longer needed for the purposes for which it was collected would be illegal.

This data was collected for the purpose of making admissions decisions in 2009. If there was some adequate justification for retaining this data for possible future use when it was unquestionably no longer useful for that original purpose — which we doubt there was — it could have  been stored on an air-gapped device or media, such as a backup tape or disk locked in an archival vault.

But even that would pose the danger of government-compelled disclosure.

Imagine that you were the director of a business or institution in Germany in 1933. Imgaine that — at a time when it when German Jews still had all the rights of German citizens — you had compiled information about your employees’, students’, customers’, or suppliers’ “nationality” or “race” as indicated on their ID cards, including which Germans were identified as Jewish.

When the government began to redefine German Jews as not German citizens, deny them rights, and exclude them from more and more categories of employment, wouldn’t it have been your moral duty to expunge those records identifying Jews? Then you could truthfully say, if the government demanded to know which of your employees were (under Nazi laws) illegally employed non-citizens, that you had no records of who was a Jew.

The best way to avoid misuse of personal data is not to collect it. If it has been collected, and especially if it is no longer needed for the purpose for which it was collected, the best way to mitigate the risk to the individuals to whom it pertains is to expunge it.

Columbia has no excuse. Nor do other institutions in the same position. No law required Columbia to collect this information about Mr. Mamdani and an untold number of others. No law requires Columbia to retain it. Now Columbia knows, as it should have known all along, how this information can be weaponized.

Columbia and its peers in both the public and private sector should expunge these records — now, before even more damage is done to Mr. Mamdanai and millions of other naturalized US citizens and other immigrants.

Jun 27 2025

Supreme Court upholds Texas demand for ID for Web browsing

In its worst decision ever on demands for ID, the Supreme Court today upheld a Texas law that requires all visitors to some websites to provide the site operator with evidence of their identity and age.

In an opinion by Justice Thomas, six Justices found that requiring ID for age verification as a condition of viewing certain websites only “incidentally” burdens the rights of adults.

The majority reasons backward from the presumed legitimacy of ID requirements in other contexts, such as buying tobacco, that (A) weren’t at issue in this case, and (B) more importantly, don’t involve the exercise of First Amendment or any other rights:

Requiring proof of age is an ordinary and appropriate means of enforcing an age-based limit on obscenity to minors. Age verification is common when laws draw age-based lines, e.g., obtaining alcohol, a firearm, or a driver’s license…. Applying the more demanding standard of strict scrutiny would call into question all age-verification requirements, even longstanding in-person requirements.

As the dissent by Justice Kagan (on behalf of herself and Justices Sotomayor and Jackson) points out, this amounts to deciding on the desired outcome, and then adapting the criteria (in this case, the level of scrutiny applied to the law) to produce that result.

In rebuttal to the dissent on this point, the majority opinion wrongly claims that in-person demands for ID are “uncontroversial” and have never been challenged in court:

Finally, the dissent claims that we engage in “backwards,” results-oriented reasoning because we are unwilling to adopt a position that would call into question the constitutionality of longstanding in-person age-verification requirements. Not so. We appeal to these requirements because they embody a constitutional judgment—made by generations of legislators and by the American people as a whole—that commands our respect. A decision “contrary to long and unchallenged practice… should be approached with great caution,” “no less than an explicit overruling” of a precedent. Payne v. Tennessee, 501 U. S. 808, 835 (1991) (Scalia, J., concurring). It would be perverse if we showed less regard for in-person age-verification requirements simply because their legitimacy is so uncontroversial that the need for a judicial decision upholding them has never arisen.

But that’s not all that’s wrong with this law and this decision upholding it.

The decision and the dissent concern themselves primarily with what level of scrutiny should apply to age-verification laws. They don’t mention the distinction between “age” and “identity”, or the impact of the law on people who don’t have ID — a crucial issue raised in a friend-of-the-court brief by the Electronic Frontier Foundation and others.

For those without government-issued ID or a sufficiently detailed profile with a commercial data broker, “age-verification” amounts to a categorical bar to access to certain Web content.

As we’ve noted previously, “Regardless of whether it would be possible to set up a system by which individuals could provide evidence of age without individually identifying themselves, that’s not how any of the schemes currently being legislated or implemented will work in practice. In order to verify their age, each Internet user will be required to provide a unique digital personal identifier…. Age verification for adult content is a stalking horse for comprehensive content-based and personalized government control of Internet access.”

The Texas law applies to any “commercial entity that knowingly and intentionally publishes or distributes material on an Internet website”, which appears to include both the publisher and the hosting provider.

There’s no way for the publisher or provider of hosting services for a website to know which visitors to the site are located in Texas. To satisfy the Texas law, web publishers and hosting providers worldwide will either have to require ID from all visitors regardless of their location, or try to identify which visitors to the site are located in Texas, and block them or selectively require them to provide ID.

Because the law applies to both publishers and “distributors” (web hosting providers), hosting providers will be not only allowed but required to pass on identifying and location-tracking information about all visitors to site publishers, with no restrictions on how publishers or hosting providers can use, disclose, or or sell this data. The law could, but doesn’t, restrict use of this data to age verification, or restrict its disclosure or sale. Nor does the law restrict the ability of these companies to share this data with governments or to keep secret from individuals how or with whom data about them has been shared.

Some companies will welcome this as a pretext for commercial surveillance they already carry out and would love an excuse to universalize. If anyone objects to publishers’ or hosting providers’ commercial exploitation of visitor identity and location information, they now have the perfect excuses: “Everybody does it” and “The government made us do it.”

Jun 26 2025

Asymmetric demands for ID

Recent events have focused attention on the asymmetry of police demands for ID:

Government agents demand that ordinary citizens provide evidence of our identity, even when we are exercising rights — such as traveling by common carrier — that don’t depend on our identity. But those same government agents typically refuse to provide the same sort of evidence of their identity, even when they are asserting claims to authority that depend on their identity and status as law enforcement officers.

Masked, armed gangs dressed in the mismatched assortment of military-surplus clothing that characterizes “militias” in failed states are snatching people off the streets of US cities and towns and taking them away in unmarked vehicles, some with no license plates.

Meanwhile, elected politicians and their family members were recently assassinated in their homes by a masked individual in a police-like costume who arrived in a police-like vehicle with flashing blue lights.

The law doesn’t require us to obey the orders, or refrain from defending ourselves or others against, anyone who claims to be an officer of the law. But as the law stands, whether we submit or resist, we do so at our own peril.

Any kidnapper or home invader could, and some do, stencil “POLICE” on their body armor and  shout “Police!” before breaking down doors or dragging people away. Rent-a-cops often dress and carry gear designed to make them appear as much like police as possible. Convincing movie-prop badges are available online or in costume and fetish shops.

In these circumstances, verifying the identity and claim to authority of people who might or might not be police can be a matter of life or death. If they aren’t police, and we go along, we could lose our chance at self-defense or escape. But if they are police, they might shoot us if we try to resist, escape, or help others to do so. If we survive the initial encounter, we might be charged with assaulting an officer — a charge that often leads to beatings or worse by police and jailers, even before a defendant makes it to trial.

18 US Code § 111 makes it a Federal felony to “forcibly assault, resist, oppose, impede, intimidate, or interfere with” any Federal law enforcement officer. But what if you can’t tell if an apparent kidnapper or home invader is a Federal law enforcement officer? And what evidence of their identity and status is sufficient to establish their authority and your duty not to resist or impede them?

Read More

Jun 18 2025

Closing the escape route from the USA to Canada

The governments of both Canada and the US are threatening or testing measures to further close off the Canadian border as the escape route of last resort for those fleeing the US.

Representatives of a coalition of more than 300 refugee rights, civil liberties, gender justice, and migrant advocacy groups came to Parliament Hill in Ottawa today to speak out against Bill C-2, the “Strong Borders Act” introduced by the new Liberal government of Canada. They called for withdrawal of Bill C-2 as a “dangerous shift toward Trump-style anti-immigrant policies and attacks on the rights and freedoms of all residents” of Canada.

Despite its name, Bill C-2 is predominantly a surveillance bill, not a border bill. It would authorize a wide range of seizures of digital devices and data, location tracking, compelled assistance of communications and cloud services providers in extracting and providing the government with data from and about their customers and users, and conversion of requests from the US and other foreign governments into orders legally enforceable in Canada, among a wide range of other Big Brother tactics. Bill C-2 appears to be inspired by, but goes well beyond, the most invasive surveillance practices of the US government.

Bill C-2 is first and foremost a threat to Canadians’ freedom and an attack on the Canadian Charter of Rights and Freedoms. But it’s also a dire threat to the right to leave the US and to the ability of people in the US to exercise, if need be, their right to asylum.

As it pertains to the border, the most significant changes that Bill C-2 would make in Canadian law would be to close most of the few remaining legal pathways for refugees or asylum seekers, especially those fleeing the US, to enter or remain in Canada.

Read More

Jun 05 2025

New travel blacklist aims to expand US travel surveillance

Late yesterday President Trump proclaimed a new ban on entry to the US or issuance of new US visas to citizens of twelve countries, and ordered drastic restrictions on entry or issuance of visas to citizens of seven others.

The US has long sought to globalize its surveillance and control of travelers.

In the past, the US has held out the carrot of possible admission to the US Visa Waiver Program (VWP) to induce governments of favored countries to share information about their citizens with the US. Citizens of countries in the VWP are eligible to enter the US for limited stays and purposes with a simpler, cheaper ESTA rather than a full US visa.

Now the US is using the stick of a travel ban to induce governments of disfavored countries similarly to cooperate, under duress, with US demands that they serve as foreign agents of the US government in identifying, tracking, and collecting and sharing information about their citizens. The countries subject to this new form of transactional, sanctions-based “diplomacy” are those which are unlikely ever be admitted to the VWP.

This latest US travel ban isn’t exclusively limited to countries with mostly-Muslim populations like the series of travel bans proclaimed by  President Trump during his first administration, but was immediately denounced as “transparently racist”.

In addition to its direct effects on the right to travel, freedom of association, and the rights of asylum seekers, the new travel ban appears to be intended as a tool to pressure foreign governments to collaborate with the US in surveillance of their citizens, thereby weaponizing US travel controls to expand extraterritorial US surveillance outsourced to foreign governments.

Read More

May 30 2025

US State Dept. says silence or anonymity on social media is suspicious

A cable yesterday from Secretary of State Marco Rubio, first reported by  Nahal Toosi and Eric Bazail-Eimil of Politico, directs US embassies and consulates to “conduct a complete screening of the online presence of any nonimmigrant visa applicant seeking to travel to Harvard University for any purpose.”

The cable implies that the main although not the exclusive focus of this special scrutiny of each Harvard-associated visa applicant’s “online presence” will be the content of their social media accounts.

In the cable, Rubio told US consular officers who decide whether to grant or deny visa applications that “the lack of any online presence, or having social media accounts restricted to ‘private’ or with limited visibility, may be reflective of evasiveness and call into question the applicant’s credibility.” In such cases, consular officers are instructed to:

Inform the applicant that his case is subject to review of his online presence, request that the applicant set all of his social media accounts to “public,” and remind him that limited access to or visibility of social media activity could be construed as an effort to evade or hide certain activity. Consular officers must then refer the cases to the Fraud Prevention Unit (FPU).

Neither silence on social media, nor choosing to speak and associate anonymously, pseudonymously, or privately on social media, can Constitutionally or consistent with international human rights treaties be considered “suspicious” or “evasive”.

This directive was issued by Secretary of State Rubio without completing the ongoing process  to obtain approval for the collection of social media account information on visa application forms, as required by the Paperwork Reduction Act. That multi-step approval process was initiated  in early March of this year with a Federal Register notice announcing a 60-day public comment period that closed in early May.

The Identity Project, joined by Privacy Times and Government Information Watch, was among more than a thousand organizations and individuals who submitted comments, almost all of which opposed the proposed collection of social media identifiers.

The government has not yet completed its review of these comments, or taken the next step of submitting its request for approval of the collection of social media identifiers to the Office of Management and Budget (OMB).

In our comments, we noted some of the reasons visa applicants might reasonably fear that revealing acts of speech and association on social media that are legally protected in the US might place them in grave jeopardy in the countries in which they reside:

We cannot overstate the significance of anonymity or pseudonymity as a potentially life-or-death matter for social media users, most especially for dissidents, victims of discrimination, and those living under the jurisdiction of repressive regimes or otherwise in fear of persecution. Anonymous or pseudonymous speech, publication, and assembly are the only forms of dissident speech, publication, or assembly that are possible under some repressive regimes.

Activities which are protected by the First Amendment, including some which advance U.S. interests in freedom and democracy, are subject to legal sanctions in many other countries.

Capital crimes in Saudi Arabia, for example, include blasphemy against the state religion, disparagement of members of the royal family or the institution of hereditary absolute monarchy, trafficking in prohibited mind-altering substances including alcoholic beverages, and private sexual activity between consenting adults of the same gender in their home.

Saudi Arabia is a U.S. ally with which… U.S. agencies might be expected to share information obtained through this collection of information – including information that could identity Saudi Arabian citizens or residents who have perpetrated these “crimes”. As a result, this collection of information could subject these individuals, including pro-democracy activists, to sanctions in Saudi Arabia ranging from public whipping to beheading.

Even if this compelled disclosure of information were lawful – which we believe it isn’t – it would be bad public policy. The possibility of anonymous and pseudonymous discourse is an essential element of an open marketplace of ideas, and plays a particularly important role in the places where identifiable speakers and speech are subject to the greatest repression.

Anonymous and pseudonymous speech and publication have a long and honorable tradition in the U.S., going back to the anonymous authors and publishers of anti-monarchist handbills in the British colonies of North America and the pseudonymous authors of the Federalist Papers. Today, these works would probably be published on social media, and “Publius” – the pseudonym used by the authors of the Federalist – would probably be a social media identifier rather than a name printed on the title pages of a series of pamphlets.

Anonymity and pseudonymity are especially critical for social media users, whose speech can be, and sometimes is, held not only against themselves but against any or all of their social media “friends”, friends-of-friends, associates, contacts, and/or commenters.

The “special vetting” of visa applicants identified as intending to visit Harvard — students, faculty, staff, guest speakers, patients coming to the US for treatment at Harvard hospitals, attendees at Harvard conferences and symposia, etc. — is described as “a pilot for expanded screening and vetting of visa applicants. This pilot will be expanded over time.”

Rather than being expanded, this directive should be rescinded and the “pilot” ended.

May 28 2025

200,000 people a day fly without REAL-ID

The real story of REAL-ID is that more people than ever are flying in the US without REAL-ID, with ID the TSA considers “unacceptable”, or with no ID at all.

In a show of massive passive resistance to baseless threats by the Transportation Security Administration (TSA) to prevent people without REAL-ID from traveling by air, more than 200,000 flyers without REAL-ID passed through TSA checkpoints and boarded scheduled airline flights in the US last Friday, setting a new record for people flying with no ID or with ID the TSA deems “unacceptable” because it isn’t considered compliant with the REAL-ID Act of 2005.

Despite twenty years of false claims that airline passengers without REAL-ID would be  turned away at TSA checkpoints after the REAL-ID deadline, we’ve been unable to confirm any report of a traveler blocked by the TSA for lack of REAL-ID in the three weeks since the TSA claimed that it would start enforcing the REAL-ID Act at airports.

The continued flow of millions of air travelers without REAL-ID through TSA checkpoints since the TSA’s self-imposed enforcement deadline confirms what we’ve said all along: no law requires airline passengers on domestic flights in the US to have or show any ID, and the REAL-ID Act hasn’t changed that. You can still fly without ID, and you shouldn’t be worried that you won’t be able to fly without REAL-ID.

The TSA says that since the REAL-ID enforcement deadline on May 7, 2025, 93% of travelers arriving at TSA checkpoints have shown REAL-IDs. That leaves 7% who have not. Last Friday, the busiest air travel day of the Memorial Day weekend at the start of the summer vacation season, the TSA screened more than three million air travelers. That means more than 200,000 flyers passed through TSA checkpoints without REAL-ID on Friday.

Despite the record number of travelers passing through TSA checkpoints over the holiday weekend, there were few if any delays, and none attributable to REAL-ID noncompliance. Travelers without REAL-ID reported little or no additional questioning, search, or delay.

So far as we can tell, none of the TSA’s procedures for travelers without ID or with “unacceptable” ID, including calls to the TSA’s ID Verification Call Center or demands for travelers to fill out and sign the illegal TSA Form 415 (“Certification of Identity”), have been applied to  those with “noncompliant” driver’s licenses or state IDs.

The bottom line, at least for now, is that TSA hasn’t tried to enforce a nonexistent requirement for ID to fly. We’re pleased that so many travelers have seen through the TSA’s lies and ignored its false threats.

These threats continue, and many people continue to struggle to obtain the compliant ID they’ve been told they will “need” to fly or for other purposes. See for example, this poignant story of the travails  of elders in Alaska who need to fly to get to medical care. Women who’ve changed their name through marriage or divorce, and trans or non-binary people who’ve changed the gender marker on some or all of their documents, are also among those having particular trouble assembling the documentation needed for REAL-ID. Congress still needs to repeal the REAL-ID Act. That’s most likely if the public continues to resist or simply to ignore both the REAL-ID Act and the TSA’s empty threats.

We’ll continue to monitor the situation. We welcome your firsthand reports. Have you flown since May 7th without REAL-ID, or with no ID? How did it go?

May 08 2025

ARC sells airline ticket records to ICE and others

Contracts by Federal agencies with the Airlines Reporting Corporation for access to reports of airline tickets issued by US travel agencies, from USAspending.gov.

A company you’ve probably never heard of is selling copies of every airline ticket issued by a travel agency in the US to the US Department of Homeland Security (DHS) and a plethora of other Federal law enforcement and immigration agencies — and who knows who else.

Records of all airline tickets issued by travel agencies in the US are being sold to US Immigration and Customs Enforcement (ICE) and other Federal law enforcement agencies, according to an ICE procurement document posted yesterday on a US government contract website and uncovered in a major scoop today by Katya Schwenk of Lever News.

According to the document found by Ms. Schwenk on SAM.gov, ICE is entering into a no-bid contract with the Airlines Reporting Corporation (ARC) “to procure, on a sole source basis, licenses for Travel Intelligence Program (TIP)… The vendor listed is the only company that can provide the required software licenses.”

ARC is the financial clearinghouse through which travel agencies in the US (from mom-and-pop agencies to online mega-agencies like Expedia) pay airlines (including both US and foreign airlines) for the tickets those agencies have sold. Its role is similar to that of VISA and MasterCard for credit card merchant  transactions, except that VISA and MasterCard compete with each other, while ARC has no competitor in  the US. A few travel agencies have special arrangements to pay certain airlines directly, bypassing ARC for tickets those agencies issue on those airlines only, but that’s the exception.

Ticket sales by travel agencies in the US are reported daily to ARC through links to computerized reservation systems. Every week, each travel agency in the US submits a report to ARC with a copy of every ticket it has issued, the amount paid, the fare calculation and tax breakdown, and the form of payment. ARC takes the total for the week’s sales on all airlines out of the agency’s bank account, and pays each airline a weekly total for its tickets issued by all agencies accredited through ARC. (The amount transferred to or from the agency is the net total, taking into account ticket sales, refunds, any commissions to the agency from airlines, “debit memos” when an airline disputes the fare originally collected by the agency, and whether credit card charges have been processed by the agency or the airline as the merchant.) Copies of tickets are included with agencies’ reports to ARC so that airlines can audit that agents have charged the correct fare. ARC is a joint venture owned by just a few airlines, but provides settlement services to more than 200 other airlines.

(ARC only handles payments from travel agencies in the US. Payments and credits to airlines from travel agencies in countries other than the US are settled through other regional financial clearinghouses under IATA’s Billing and Settlement Plan, BSP.)

The amounts paid to ARC by Federal agencies aren’t large enough to make selling data to the Feds a significant line of business for ARC.  But the amounts are large enough to indicate that Federal law enforcement and immigration agencies are using information about airline tickets obtained from ARC in a significant and growing number of cases, for unknown purposes and on an unknown legal basis.

We’ve never heard of the “Travel Intelligence Portal” through which ARC offers access to ticket records before now. TIP isn’t mentioned anywhere on ARC’s website, in ARC’s privacy policy, or in the privacy policy of any airline or travel agency we’ve reviewed.  Travelers and ticket purchasers who don’t know that ARC exists aren’t likely to ask what it has done with their data. We don’t know whether TIP is a service offered by ARC exclusively to Federal agencies, or if it has other government or commercial users in the US and/or abroad.

The previously unnoticed ARC contracts with ICE and other US government agencies also raise substantial doubt as to whether travel agencies or airlines — including foreign airlines that process payments for their ticket sales in the US through ARC, and travel agencies that act as their agents in the US — are complying with foreign laws including PIPEDA in Canada and the GDPR in Europe.

If ARC is selling ticket data to the US government without reporting those disclosures to the travel agencies and airlines involved, those agencies and airlines  will be unable to provide data subjects with an accurate or complete accounting of the disclosures of their personal data, as required by PIPEDA and the GDPR.

On the other hand, if travel agencies and/or airlines have authorized ARC to make this data available to the US government, or have continued to transmit data to ARC after learning that ARC was making it available to the US government, those travel agencies and/or airlines have likely violated their duty not to transmit personal data to entities that can’t not assure adequate protection of that data against onward disclosure.

Read More