Archive for the ‘Papers, Please’ Category

The human rights of migrants in transit

Monday, November 16th, 2015

Last year the UN Office of the High Commissioner for Human Rights (OHCHR) developed and promulgated a set of “Recommended Principles and Guidelines on Human Rights at International Borders”, including respect for the right to freedom of movement, on which we made recommendations at the invitation of the OHCHR.

As a follow-up, and in response to ongoing refugee crises in Europe and elsewhere, the OHCHR has been tasked by the UN Human Rights Council with preparing further recommendations in relation to the rights of migrants in transit, including, “[e]xit restrictions … and the externalisation of border controls which could have an impact on the human rights of migrants in transit.”

Our latest recommendations to the OHCHR focus on the human rights implications of restrictions on travel by common carrier:

As we discussed in our previous submission to the OHCHR concerning the human rights of migrants, refugees, and asylum seekers, the right to leave any country is routinely and systematically violated – even where there is no explicit requirement for an “exit permit” – through (1) requirements for identity credentials or other travel documents as a condition of travel by common carrier, without respect for the right to leave any country and to return to the country of one’s citizenship regardless of what, if any, credentials or documents one possesses, (2) requirements for “screening” and approval of common carrier passengers that amount to de facto exit visa, transit visa, and/or entry visa requirements, (3) sanctions imposed on common carriers to induce carriers not to transport certain would-be passengers, on the basis of decisions not made, and not subject to appeal, through effective judicial procedures, and (4) failure by governments to enforce the duties of common carriers to transport all would-be passengers, regardless of their legal status or possession of documents.

Some of the most important decision-makers for asylum seekers, refugees, and other migrants are airline and other common carrier ticket sellers and check-in staff. Many eligible asylum seekers are unable to reach places of refuge, and others die trying, as a direct result of improper denial of transportation by common carrier staff.

Many eligible asylum seekers could afford to purchase airline tickets or tickets on other common carriers (ferries, trains, buses, etc.) to travel to countries where, on arrival, they would be eligible for asylum. They risk their lives as “boat people”, and some of them die, not for financial reasons, but because airlines or other government-licensed common carriers improperly refuse to sell them tickets or deny them boarding.

When airlines or other common carriers deny passage, they often claim that they are doing so in compliance with government mandates or government-authorized carrier “discretion”. But decisions about these “mandates” and how to apply them, and about the scope of common carrier “discretion”, are enforced not by judicial or police personnel but by airline or other common carrier staff, or by contractors, at the points of ticket sales, check-in, or boarding. As a result, it is almost impossible for would-be passengers to obtain judicial review of carrier decisions to refuse ticket sales, check-in, or boarding.

Asylum seekers who are trying to leave a country where they are subject to persecution, and who are denied transport, are unlikely to have access to effective judicial review and redress through the courts of the country that is persecuting them. Airlines know that they can violate the rights of asylum seekers with de facto impunity.

Respect for the right to freedom of movement requires significant changes in the practices of carrier staff. To fulfill their human rights obligations, governments need to ensure that common carriers are aware of, and respect, the right to freedom of movement.


Accurint exposed as data broker behind TSA “ID verification”

Monday, November 9th, 2015

The most recent documents released in response to one of our Freedom of Information Act (FOIA) requests may have identified the data broker powering the TSA’s “ID verification” system as Accurint — the current incarnation of a component of the discredited and supposedly disbanded Total Information Awareness program — rather than Acxiom as we had speculated (and as had powered other TSA passenger-profiling schemes).

We found this clue to the company behind the curtain in the daily reports on the operation of the TSA Identity Verification Call Center (IVCC) that gets the call whenever someone tries to fly without having, or without being willing to show,  government-issued ID satisfactory to the TSA or contractor staff at an airport checkpoint:

Over the past 48 hours the IVCC experienced on-going internet connectivity issues that caused IVCC operations to be disconnected from Accurint and WebEOC databases…. The interrupted service resulted in extended call times when either database conductivity was abruptly discontinued or unavailable. At approximately 1430, TSOC IT contacted the Accurint Customer Support who indicated the issue was internal to Accurint. At approximately 1615, service appeared to be restored. At 1900, the connectivity issue resurfaced but with limited impact to operations. The TSOC Network Engineer is monitoring the Accurint situation and EMOC Security is working to identify and resolve those issues separate to Accurint.

This report strongly suggests that it’s Accurint that provides the database and “verification” algorithms used by the IVCC, the TSA, and TSA contractors to decide who to allow to fly, and who not to allow to fly.  There’s no other apparent reason why the IVCC would need connectivity to Accurint, or why an outage in IVCC connectivity would would be significant.

Who are these guys? It’s a shell game of acronyms, acquisitions, and corporate restructuring.

Accurint is a service of the LexisNexis brand of the UK-incorporated RELX Group plc, which until June 2015 was named Reed Elsevier.  The aggregated “garbage in, garbage out” database and pre-crime profiling algorithms used by Accurint for “ID verification” were developed by a company called Seisint, under contracts (brokered in part by Rudy Giuliani’s influence-peddling consultancy) to the DHS and Department of Justice, for the MATRIX (Multistate Anti-Terrorism Information Exchange) component of Total Information Awareness (TIA).

In the midst of public controversy over MATRIX, TIA, and other aspects of Seisint and its operations, Seisint was acquired by Reed Elsevier for $775 million in 2004.  Seisint’s Accurint service was folded into LexisNexis, part of what is now RELX Group plc.

“Matrix reloaded”?

Here’s what Megan Kaushik of the Brennan Center for Justice found when she tried to find out what’s in Accurint’s files about herself:

After an exhaustive search, I ultimately received records from … LexisNexis’s Accurint…. The report[] listed every phone number and address I had ever been associated with, from my college mailbox to the relative’s home where I’d forwarded mail while abroad. Accurint listed the apartment I rented while interning in DC, along with the names and phone numbers of its current occupants. It even provided the sale price and mortgage on each home I’d lived in.

Surprisingly, much of the information was also inaccurate….

Accurint listed someone named Florinda as “Associated with Subject’s SSN” though it assured me this “doesn’t usually indicate fraud.”

Obtaining my data … was difficult. Amending incorrect information was impossible. Unlike Canada or the UK where data brokers must allow individuals to access and amend their data, American law lacks such requirements. Accurint’s report stated it “may not contain all personally identifiable information in our databases” and they “do not verify data, nor is it possible to change incorrect data.”

In addition, “LexisNexis does not suppress personal information from databases used by law enforcement customers,” regardless of whether LexisNexis knows it to be inaccurate or misleading. As we said earlier,  “garbage in, garbage out”. All the garbage, no matter how much it stinks.

Since its latest latest corporate restructuring in June 2015, Accurint has been operated by a UK corporation, RLEX Group plc. Stock in RLEX Group plc is owned partly by a UK-based and partly by a Netherlands-based parent corporation. But there’s no US-incorporated subsidiary to shield RLEX Group plc, as a UK corporation, from its obligation to comply with UK law in its worldwide operations, whether in the US or anywhere else.

Many of Accurint’s policies and practices with respect to its services for the TSA and other law enforcement agencies appear to violate both the LexisNexis privacy policy and, more importantly, the obligations of RLEX Group plc pursuant to UK and European Union data protection law. The governing factor under UK and EU law appears to be that the data controller for Accurint, RLEX Group plc, is legally domiciled in the UK.

It doesn’t help rescue RELX Group plc from liability under UK and EU law that it has relied on self-certification that it complies with the “safe harbor” framework, which has now been ruled legally inadequate, as the basis for transferring personal data to entities in the US such as the TSA.

Accurint also integrates social media data from “Twitter, Tumblr, Disqus, Foursquare, WordPress, Instagram, Facebook, Google+, YouTube and more,”  monitored and mined by Digital Stakeout, Inc. This confirms what we have long feared: that (privatized but government-funded) surveillance of social media and other Internet activity is being used as one of the inputs to the black box that decides whether to allow us to exercise our rights. As we said five years ago in conjunction with the first “Social Network Users’ Bill of Rights”:

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to to know the “correct” answer.  And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

We’ll be posting more details and statistics as the TSA releases more of its records about what happens to people who try to fly without ID. But the records we’ve received to date show that people are already being prevented from traveling by air, despite having valid tickets on common carrier airlines, because the private data broker(s) consulted by the TSA don’t have enough data to profile them, or their answers don’t correspond to the garbage in the aggregators’ data warehouses about things such as who Accurint thinks they live with or thinks who their neighbors are.

Airline and TSA insecurity

Friday, October 9th, 2015

Recent news stories have called new attention to longstanding vulnerabilities in the security of travelers’ luggage and personal information created by TSA and airline practices.

Exhibit A: TSA-mandated “key escrow” for luggage locks:

Before the creation of the TSA, airline passengers were encouraged by airlines to secure their suitcases with locks against pilferage in transit. Some airlines’ rules provided that unless passengers locked their luggage, they would not be reimbursed for items that went missing from their luggage.

The TSA, in its infinite wisdom, initially decided that everyone would be more secure if travelers were forbidden to lock our luggage, so as to make it as easy as possible for anyone (especially, of course, TSA staff and baggage handlers) to introduce dangerous items into luggage, or remove valuables from luggage.

The predictable result was a wave of organized theft from checked luggage by groups of TSA staff and baggage handlers at airports throughout the country who used “security” x-rays of luggage to identify which bags contained things worth stealing.  400 TSA employees have been fired for stealing from luggage since 2003.  As for airline and airport staff, 37 have been arrested in multiple cases of organized luggage theft at the Miami airport alone just since 2012.

In response, the TSA proposed a fig leaf of pseudo-security: Starting in 2003, air travelers were once again allowed to lock our bags — but only with TSA-approved “Travel Sentry” locks which could all be opened with one of a small set of master keys provided to all TSA baggage screeners.

That makes no sense, of course, in terms of any rational threat model: Almost the only people who have access to checked luggage in transit are airline, airport, and TSA staff. Unsurprisingly, allowing the use of locks to which all of the likely thieves were given master keys did little or nothing to deter or decrease theft.

But that’s not all.  Any “key escrow” system is only as secure as the controls on access to the master keys or the information needed to replicate them. The other shoe has now dropped: Specifications for the TSA master keys (obtained from photos accurate enough to make working keys) have been made public. Anyone with a 3D printer can use these files to make their own complete set of keys to open any Travel Sentry lock.

For what it’s worth, while you aren’t allowed to use physical measures to secure your luggage, you still have some legal protection, at least in theory. Up to a liability limit fixed by law, the airline is strictly liable for loss, theft, or damage to luggage or contents between the time the passenger is given a claim check and the time the passenger reclaims their luggage. The TSA and the airlines both want to divert passengers into an arduous claims process against the TSA, but it’s actually the airline that is liable to the passenger for any damage to luggage while it is checked, even if the damage is caused by the TSA or any other third party.  You can sue the airline in small claims court for any damage between check-in and baggage claim. The airline can pursue a claim against the TSA, but that’s not your problem and has no affect on the liability of the airline to the passenger. If airlines have to absorb some of these losses, maybe they’ll get motivated to rein in TSA thievery.

Exhibit B: Airlines’ use of non-secrets printed on boarding pass stubs and checked-baggage tags as “passwords” for access to the details of airline reservations and personal profiles:

Airlines store “passenger name records” (PNRs) in “computerized reservation systems” (CRSs) that were developed for purely internal use by airline and travel agency staff. Access to reservations and passenger profiles was controlled by physical controls on access to networked terminals, and by user IDs and passwords for system access. Once a CRS user was logged in, they could retrieve any PNR by “record locator”.  There’s never been an individual password in the CRS for each PNR or each passenger profile.

Record locators and passenger names were and are printed on boarding passes, baggage tags and claim checks, and itineraries.  At first they were machine-printed in text. More recently they have also been incorporated into barcodes with standard and publicly-disclosed encoding.

Nothing changed when CRSs were connected to Web gateways for self-service booking, ticketing, itinerary review, check-in, and so forth.  Once a user is “signed in” to a CRS, all they need is a record locator and name to retrieve all or part of the data in a PNR of interest. But now every Web user in the world is, in effect, already signed in to the CRSs through these Web gateways provided by airlines and directly by each major CRS. Not all of these sites display the same subset of data, but even the most basic information available at any itinerary-viewing or check-in site (Where is this passenger going? When are they coming back?) can pose a major threat in the hands of house-burglars, stalkers, domestic abusers, or kidnappers.

Airlines and CRSs have been alerted and aware for years of the vulnerability created by the lack of passwords for access to PNR data, but have chosen to do nothing.  Do they think it wouldn’t be worth the cost?  Or do they think that if travelers had to remember and use a password to check in online, they would check in at the airport instead, taking up more airline staff time? Your guess is as good as ours.

The latest report this week from IT security expert Brian Krebs is that some airlines have expanded the information accessible with only the data on a discarded boarding pass (or, we suspect, a baggage tag) from the PNR for a single journey to the passenger’s entire travel history and profile from their frequent flyer record.  Krebs found that he could even hijack the password on a frequent flyer account using the information encoded using a public algorithm on a boarding pass barcode. That, in turn, would allow ID thieves to have “free” tickets issued for themselves or other criminals, using the target’s mileage points.

What’s the takeaway? Neither the TSA nor the airlines have paid the least attention to rational risk assessment, risk-based security, or even the most elementary norms of physical and data security. Yet these are the entities to which the government wants to compel us to turn over even more personal information.

Does CBP have access to domestic Amtrak reservations?

Wednesday, September 23rd, 2015

Documents released to us by Amtrak suggest that since 2012, US Customs and Border Protection (CBP) has had direct access to Amtrak’s reservation system, possibly including access to reservations for Amtrak passengers traveling entirely within the USA.

What do these documents show? And why would an immigration and border patrol agency want access to records of travel by US citizens and other residents within the borders of the US?


California Dreamin’

Tuesday, September 15th, 2015

Stumbling into the embrace of the homeland-security state, California’s state legislature has sent to Governor Jerry Brown a bill which, unless the Governor vetoes it by October 11th, will require that:

[T]he Department [of Motor Vehicles] shall require an applicant for an original driver’s license or identification card to submit satisfactory proof of California residency and that the applicant’s presence in the United States is authorized under federal law.

A.B. 1465 is unnecessary, would create severe problems for many Californians, and would discourage both immigrants to the US and residents of other states from moving to California.

As our friend Jim Harper of the Cato Institute has noted, the intent of  A.B. 1465 appears to be to make it easier for the DHS to claim that California is making “progress” toward compliance with the REAL-ID Act.

Why would Californians want that?

The DHS has repeatedly threatened that if states don’t comply with the REAL-ID Act, including connecting their state drivers license and ID databases to the outsourced REAL-ID “hub” operated by the AAMVA, residents of those states won’t be allowed through Federal checkpoints at airports and at entrances to Federal facilities.

But as we discussed here and here and in this presentation at Cato earlier this year, these threats are hollow.

The TSA allows people to fly without ID every day, despite false notices in airports that ID is required.

As for access to federal buildings, the DHS says that “REAL-ID does not apply to … applying for or receiving Federal benefits, … accessing hospitals and health clinics…, or constitutionally protected activities.”

We’re not sure why else ordinary people would want to access most Federal facilities.


Supreme Court finds L.A. hotel guest surveillance law unconstitutional

Tuesday, June 23rd, 2015

The Supreme Court has found unconstitutional on its face a Los Angeles ordinance requiring operators of hotels and motels to demand specified personal information from and about each guest and their behavior (date and time of arrival and departure, license plate number of the vehicle in which they arrived, etc.), log this travel metadata, and make this log (”guest register”) available for warrantless, suspicionless inspection by police at any time, under penalty of immediate arrest and imprisonment of the hotelier, without possibility of judicial review before complying with a demand for inspection.

The Supreme Court rejected the contention that hotels are so instrinsically dangerous as to justify their treatment as a “closely regulated industry” subject to inspection (i.e. search) without probable cause: “[N]othing inherent in the operation of hotels poses a clear and significant risk to the public welfare.”  By implication, this is a significant rebuff to post-9/11 (and pre-9/11) arguments that travel or travelers are per se suspicious, and to claims that there is or should be some sort of travel (or travel industry) exception to the Fourth Amendment.

And lest anyone be tempted to say that travel services providers with legally-imposed duties to accommodate the public are somehow different when it comes to the applicability of the Fourth Amendment, the Supreme Court also found that, “laws obligating inns to provide suitable lodging to all paying guests are not the same as laws subjecting inns to warrantless searches.”  The same logic, of course, would appear to apply to common carriers, who are obligated by law to provide transportation to all paying passengers.

The ruling by the Supreme Court in Los Angeles v. Patel upholds an en banc decision last year by the 9th Circuit Court of Appeals in a lawsuit first brought seven years ago by hotel owners Naranjibhai Patel and Ramilaben Patel and by the Los Angeles Lodging Association, an association of Indian-American proprietors of the sort of budget hotels that might, if allowed to do so by the government, provide accommodations of last resort to people without government-issued ID credentials who would otherwise have to sleep on the streets or under bridges.

We again commend Messrs. Patel and the LA Lodging Association for doing the right thing and standing up for their customers, even as small business owners highly vulnerable to police harassment and retaliation for questioning authority.

The Supreme Court ruling addresses only the rights of hotel owners, not those of hotel guests, and does noting in itself to establish a right to obtain lodging without having or showing government-issued permission papers. Nor does it address the requirement for hotels to monitor and log their guests’ identities and activities — only the requirement to make those logs available to the government without any possibility of prior judicial review of government demands for access.

As others have noted, and as we discussed in relation to the 9th Circuit’s decision and the Supreme Court’s decision to review it, much of the logic of this decision is equally applicable to other dragnet travel surveillance schemes involving compelled compilation, retention, and government access to travel metadata held by third parties (in this case, hotels) rather than by travelers themselves.

But as we have also noted before, this remains the only case we are aware of in which any of those travel companies — not just hotels but also airlines and other types of travel companies– have gone to court to challenge government demands for information about their customers.

Especially in light of this decision by the Supreme Court, it should be apparent that there’s an Achilles heel for the government to the “third-party” doctrine that individuals have no standing to challenge government demands for information  provided to and held by third parties, because that information is owned by those third parties and not by the individuals to whom it pertains:  As this case makes clear, those third parties — not just hotels but also airlines and others — do have standing to challenge these demands, and have a good chance of success if they persevere.

The shame is on larger travel companies with deeper pockets for going along with government surveillance of their customers and guests without question, and leaving it to highly vulnerable small businesses with fewer resources to challenge this dragnet travel surveillance scheme.

In the wake of the Supreme Court’s decision in L.A. vs. Patel, there’s more reason than ever for travelers to demand that all travel companies make public, contractually binding commitments, in their tariffs or terms of service, not to disclose information about their customers to the government without challenging those demands and without seeking to notify their customers of those demands.

Will the REAL-ID Act deny you access to Federal facilities?

Monday, June 22nd, 2015

As we’ve noted in our previous commentaries on the REAL-ACT in this blog and in our recent presentation at the Cato Institute, there are two components to the threats against individual residents of “noncompliant” states (and territories and the District of Columbia) that are being used by the DHS to try to induce reluctant state governments to incorporate their state drivers license and ID databases to the distributed national REAL-ID database by connecting them to the contractor-operated REAL-ID hub:

  1. Threatened denial of common carrier airline transportation to individuals who present drivers licenses or other ID credentials issued by noncompliant states; and
  2. Threatened denial of access to (certain) Federal facilities to these individuals.

The first of these threats appears to be hollow. The TSA has consistently argued, when demands for ID from air travelers have been challenged in court, that no ID credentials at all are required to fly.

The TSA claims the right to subject any traveler to more intrusive search and interrogation, without probable cause, and may use this arbitrary power against residents of states that don’t comply with the REAL-ID Act. But the TSA appears to realize that it has no legal authority for outright denial of air travel to people who don’t have, or decline to carry or show to the TSA or its contractors, government-issued ID credentials, REAL-ID Act compliant or not.

With respect to its threat to deny access to Federal facilities, the DHS (in its usual fashion of rulemaking by press release) has posted an announcement on its website that this will be implemented in phases determined by the “Federal Security Level” (FSL) assigned to individual facilities.

But what are the facilities, if any, to which these levels have been assigned, and to which individuals with ID from noncompliant states will therefore be denied access? We’ve filed a series of Freedom of Information Act requests to find out.

The responses to our FOIA requests suggest that this prong of the REAL-ID Act enforcement cattle prod is, to mix metaphors, a paper tiger. We’ve been unable to find any Federal facility to which such an FSL has actually been assigned.


More on Amtrak passenger data requirements

Sunday, June 21st, 2015

Amtrak has released a third batch of records (1st interim response, 2nd interim response) in response to our Freedom of Information Act (FOIA) request for information about Amtrak’s collection and “sharing” with the US and Canadian governments of information about Amtrak travelers on international routes between the US and Canada:

  1. Amtrak-FOIA-29OCT2014-signed.pdf (note that this file is actually in .doc format, and is not a copy of our request, as the filename might imply, but a collection of responsive records)
  2. date of birthAM.doc
  3. Function summary.doc
  4. IDPFOIARequest.pdf (another collection of responsive records, beginning with a list of all of Amtrak’s cross-border routes including both trains and Amtrak feeder buses)
  5. Regression User testing 9222305 (4).doc
  6. TheIdentityProject_InterimResponse3.pdf (cover letter from Amtrak’s FOIA office accompanying the interim response)
  7. wspBORDER.doc

The files with “.doc” filenames all appear to be from Amtrak’s IT department, and relate to the implementation by Amtrak of requirements for inclusion of passenger ID data desired by the US government in each Amtrak reservation for travel across the US-Canada border. As we have noted previously, this “requirement” was imposed internally and “voluntarily” by Amtrak, and was not a requirement of any law, regulation, or order from any other US or Canadian government agency.  It remains unclear from the records released to date whether anyone in Amtrak’s IT department was aware that this was solely an Amtrak requirement and not an externally imposed obligation.

According to these records, Amtrak began requiring a date of birth in the reservation, before a ticket could be issued, for each passenger on any international route, including infant passengers, beginning in November or December of 2000. (There are some inconsistencies in the dates in different records.)  Beginning in July or August 2005, Amtrak began also requiring a nationality and passport or other ID number in each such reservation, as part of Amtrak’s “voluntary” participation in the DHS “Advanced Passenger Information System” (APIS) also used by airlines.

These records include the formats used by Amtrak sales agents working directly in Amtrak’s own “ARROW” reservation system, as well as the formats used by travel agents making Amtrak reservations through each of the four major CRSs/GDSs: Amadeus, Galileo, Sabre, and Worldspan.  Amtrak’s software testing staff noted the complexity of these formats (which is indicative of how burdensome they are for the travel agents who have to learn and use them) and the likelihood of errors by travel agents. The Amtrak records include information provided to travel agents and travelers, describing these “requirements” but giving no clue that these requirements were voluntarily self-imposed by Amtrak itself.

The files linked above are posted here exactly as we received them by email from Amtrak’s FOIA office. The filenames are not indicative of the actual file contents, and some of the filename extensions don’t correspond to the file formats. One of the “.pdf” files, for example, is actually in MS-Word “.doc” format (also readable in Libre Office among other programs) rather than in PDF format.

We requested that all records found in digital form be released as bitwise copies of the files as found in Amtrak’s filesystems, but some of the files we received appear to be derivative, modified versions of copies of the original files, in some cases in completely different formats.

Most of the the records responsive to our request that we believe are likely to exist have not yet been released. Amtrak is continuing to process our request, and we expect further responses.

Amtrak formats for passenger ID data dumps to governments

Thursday, April 23rd, 2015

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (”passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

Why did the TSA prevent these people from flying?

Thursday, April 9th, 2015

Documents newly released to us by the TSA strongly suggest that the TSA has been lying about whether people are “allowed” by the TSA to fly without showing ID, and that decisions about whether to allow travelers to fly without ID are being made arbitrarily, on the basis of irrelevant and unreliable commercial data and/or at the “discretion” of individual field-level TSA staff.  The TSA documents also show that, at least for the limited sample of data initially released, the “false-positive” rate of watch-list matches is 100%.

The TSA has for many years been contradicting itself, both in word and in deed, as to whether travelers are required show government-issued (or any other) ID credentials in order to fly, or whether it is possible to fly without ID.

TSA signs at airports say that passengers are “required” to show ID. But the TSA has repeatedly told courts at all levels — from in camera (secret) submissions to the 9th Circuit Court of Appeals in Gilmore v. Gonzales in 2006 to public testimony of the TSA’s witness in the (unsuccessful) state court frame-up of Phil Mocek in Albuquerque in 2011 — that these and other official TSA notices to passengers are false, that ID is not required to fly, and that the TSA does have (secret) “procedures” that allow people to fly without having or showing ID.

The TSA’s actions are equally bipolar.  People who say they have lost their ID cards or had them stolen are “allowed” to fly every day.  But people who the TSA deems (for secret or not-so-secret reasons, or completely arbitrarily) to  be”suspicious” or “uncooperative” are routinely subjected to retaliation and summary sanctions including denial of  their right to travel.  Mr. Mocek, for example, was both prevented from boarding the flight for which he had a valid ticket, and falsely arrested by local police at the behest of TSA staff, when he tried to fly without ID and to document the process that the TSA claimed would have allowed him to do so.

What’s the real story? From our close reading of the available evidence, it appears that:

  1. There are no publicly-disclosed “rules” (and probably not even any unambiguous secret rules) defining what is or is not permitted or required of travelers at TSA checkpoints, or what conditions the TSA imposes on the exercise of the right to travel by air.
  2. The TSA claims to have the legal authority, and in practice exercises actual power, to determine who to allow to fly, and who not to allow to fly, in an entirely secret, standardless, and arbitrary manner, at its sole discretion, which discretion is often delegated to front-line TSA staff.

How does this work in practice? We are just beginning to find out.