Archive for the ‘Secure Flight’ Category

TSA proposes arbitrarily individualized surveillance-based searches

Thursday, October 10th, 2013


In the latest version of TSA’s endless series of “trusted traveler” (or “less mistrusted traveler”) schemes, the agency is currently proposing to impose more intrusive searches on any traveler who doesn’t “voluntarily” enroll in the TSA Pre-Check program and authorize the TSA to create a new permanent file with everything from your fingerprints to any “other information provided by … government agencies or other entities”.

These files would be exempted from the normal requirements of the Privacy Act that records used as the basis for decisions about individuals’ exercise of our rights be made available to us and be limited to information that is sufficiently accurate, complete, and relevant to form a legitimate basis for such decisions.

The proposal is contained in a package of three regulatory filings (one new and one revised “System of Records Notice” and a “Notice of Proposed Rulemaking” proposing Privacy Act exemptions) published last month in the Federal Register.  All three have to be read in combination to appreciate their full implications.

The deadline for public comments on two of these proposals is today, and for the third is tomorrow. We filed consolidated comments today objecting to all three of these proposals:

Read in combination, this new and revised SORN and these proposed regulations describe a system in which an essentially unlimited range of personal information collected from an essentially unlimited range of sources, and known to include inaccurate and irrelevant information, would be (or perhaps already is being) compiled into the “TSA Pre-Check Application Program” system of records.

These records would be used – either according to criteria which are illegally being kept secret, or in an entirely arbitrary manner at the “discretion” of the TSA – to determine who is and who is not deemed “eligible” to exercise the right to travel without being subject to unreasonable searches.

The results of that decision-making would be incorporated into the “Secure Flight” system of records, and used as part of the basis (also either pursuant to secret rules or entirely arbitrarily) for deciding to issue or withhold the issuance of individualized “boarding pass printing results”, including instructions to TSA staff and contractors as to the degree of intrusiveness of the search to which each would-be traveler is to be subjected as a condition of exercising our right to travel.

Maintenance and use of these systems of records in the manner contemplated by these SORNs and the proposed exemptions would violate the 1st, 4th, and 5th Amendments to the U.S. Constitution, the presumption of innocence, due process, the Freedom Of Information Act (FOIA), the Privacy Act, and Article 12 (Freedom of Movement) of the International Covenant on Civil and Political Rights (ICCPR.

These records should be expunged, and the proposed regulations should be withdrawn….

We also point out that the TSA is only pretending to give the required consideration to public comments:

According to the “TSA Pre-Check Application Program” SORN published on September 10, 2013, “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act because it may contain records or information related to law enforcement or national security purposes.”

This claim was, and is, false. As of the date of the SORN, no such exemption had even been proposed: the NPRM proposing such an exemption, and requesting public comments (such as this one) concerning that proposed exemption for consideration by the DHS, was not published until a day later, on September 11, 2013. Even now, the Secretary has promulgated no final rule for such an exemption. Nor could he or she promulgate any such final rule, consistent with the Administrative Procedure Act, unless and until the current period for public comment on the proposed exemption rule has concluded and the comments submitted (including these comments) have been considered by the DHS.

The false claim that “The Secretary of Homeland Security has exempted certain records from this system from the notification, access, and amendment procedures of the Privacy Act”, when in fact the Secretary has not done so, appears to be intended to mislead individuals about what rights we have, and to dissuade us from attempting to exercise our rights.  In addition, by stating the outcome of the current exemption rulemaking as a fait accompli, it constitutes prima facie evidence of bad faith in the consideration of public comments. It is not enough for an agency to accept submissions of comments from the public to the circular file, after making a decision. An agency must give genuine consideration to public comments before deciding whether to finalize, modify, or withdraw a proposed rule.

You can read our complete comments here. You can submit comments at Regulations gov (here, here , and here) but your comments won’t be processed or visible online until after the DHS Privacy Office re-opens.

[TSA Pre-Crime graphic from Leaksource]

“Travel Surveillance, Traveler Intrusion” at the Cato Institute

Saturday, March 30th, 2013

Edward Hasbrouck of the Identity Project will be speaking at a free, public forum on Travel Surveillance, Traveler Intrusion from noon-1 p.m. EDT next Tuesday, 2 April 2013, at the Cato Institute in Washington DC (with a live webcast):

Travel Surveillance, Traveler Intrusion

[photo by kind permission of Jeramie D. Scott]

Video from the Cato Institute (recommended)

Video from C-SPAN

C-SPAN video on Youtube

Audio podcast (listen while viewing the slides)

Slides and notes (PDF)

Featuring Edward Hasbrouck, Journalist, Consumer Advocate, Travel Expert, and Consultant, The Identity Project (, Author of the book and blog, The Practical Nomad; and Ginger McCall, Director, Open Government Program, Electronic Privacy Information Center; moderated by Jim Harper, Director of Information Policy Studies, Cato Institute.

The United States government practices surprisingly comprehensive surveillance of air travel, amassing data about the comings and goings of all Americans who fly. Travel expert Edward Hasbrouck has been researching travel surveillance for many years. His findings reveal a stunning level of government surveillance, control of the traveler, and intrusion into commercial travel IT systems.

By April 2, the Transportation Security Administration will have begun a public comment process on its policy of putting travelers through imaging machines that can see under their clothes. Ginger McCall of the Electronic Privacy Information Center has been handling the litigation that prompted the D.C. Circuit Court of Appeals ruling requiring it to do so, and she will assess the proposed regulation and her renewed efforts to bring the TSA within the law.

If you can’t make it to the Cato Institute, watch this event live online at

The Cato Institute asks that you pre-register if you plan to attend in person, but that’s just so they have an estimate of the expected attendance.

Hasbrouck will be presenting examples of what he found in his files when he sued the DHS for its records of his travels, what other travelers have found in theirs, and how the DHS obtains and uses this information to track us and to control who is allowed to travel.

As part of the same program, Ginger McCall of EPIC will be discussing the TSA’s proposed “rules” to require all air travelers to submit to virtual strip-searches. You have 90 days, until 24 June 2013, to tell them what you think of their proposal. (On the form to submit comments to the TSA, note that all of the fields except your comment itself are optional.) You can find some ideas for what to say in our previous article about the rulemaking.

There will be a live webcast, for those who aren’t in DC.

If you’d like to follow along, you can download the slides from Hasbrouck’s presentation as a PDF file.

[Update: C-SPAN broadcast the event live. Streaming video is available from the Cato Institute event archives (recommended), the C-SPAN archives, or on Youtube. The C-SPAN and Youtube camera angles don't show the slides which illustrate Hasbrouck's talk, so we recommend watching the Cato version and/or downloading the slides to follow along with the talk on C-SPAN. If you want to find out what's in the file about you in the DHS "Automated Targeting System", you can use the forms here. We would welcome a chance to review the government's response, if you get one, and help you interpret it.]

Travel blogger kicked off plane by pilot for taking photo of… seatback?

Saturday, March 2nd, 2013

Frequent flyer and travel blogger Matthew Klint was recently kicked off a United Airlines flight from Newark to Istanbul after a flight attendant saw him take a picture of the back of the seat in front of him, and reported him to the pilot. The pilot told Mr. Klint, “You are not flying on this flight…. We’ll call the police if we have to.”

Perhaps unfortunately, Mr. Klint didn’t insist that the police be called, or call them himself, leaving him dealing with United Airlines’ public relations department rather than with legal authorities.

As a frequent flyer and blogger, Mr. Klint at least able to get  the airline to talk to him, after the fact. But what can an ordinary traveler do in such a situation?

We talked about this last year in articles on Does an airline pilot have the right to refuse to let you fly? and  What can you do if an airline pilot won’t let you fly? But it bears repeating:

Under Federal law, as common carriers, airlines must transport all would-be passengers willing to pay the applicable fare in their published tariff and comply with their published conditions of carriage. Not to do so is a serious violation of their duties.

If an airline refuses to allow you to fly, for any reason other than a violation of published laws, regulations, or conditions of carriage, you can and should make a formal complaint against the airline to the Department of Transportation.

A pilot can order you off the plane only if the pilot genuinely believes that you pose a hazard to the safe operation of the flight, in which case the pilot is required to log and report this safety incident.

If a pilot orders you off the flight for some other reason, or without logging and reporting his or her action as a safety incident, you can and should report the pilot to the FAA.

We’ve offered our support to Mr. Klint, should he wish to pursue a legal challenge to the actions of the airline and pilot against him.

TSA updates its “notice” of Secure Flight records

Sunday, December 2nd, 2012

The TSA published a revised System of Records Notice in the Federal Register on November 19th, updating its disclosures of what information about our “travel histories” it collects, retains, and uses through its Secure Flight program for airline passenger surveillance and control.

The new notice is both better and worse than it might appear at first glance. The new “Secure Flight” SORN describes some disturbing TSA practices that were not explicitly disclosed in the previous “Secure Flight” SORN published in 2008.

In particular, the new SORN discloses that if you are turned down or predetermined to be ineligible for the TSA’s “Pre-Check” or other “Registered Traveler” (a/k/a “Possibly Slightly Less Mistrusted Traveler”) programs, you can be placed on a new watchlist, as a result of which logs of your air travel will be retained by the TSA for 99 years. That’s especially problematic because applicants for the Pre-Check program aren’t told that being turned down could leave them worse off than if they had never applied, and subject to lifetime TSA air travel monitoring and itinerary logging.

Bad as this is, however, it isn’t really a change in what data TSA claims the right to collect, or how long it claims the right to retain and use it. These practices were already covered under “catch-all” clauses of the prior SORN, which are retained in the revised SORN, and that actually purport to authorize a much wider range of even worse practices.

Specifically, the “Secure Flight” SORN already disclosed that “Secure Flight” records might contain:

Records obtained from the TSC [Terrorist Screening Center] of known or suspected terrorists in the TSDB [Terrorist Screening Database] and records regarding individuals identified on classified and unclassified governmental watch lists

There’s no definition or limitation on the sources or purposes of these additional “watch lists”. But it’s clear from the description quoted above that these are watch lists other than those of suspected terrorists: lists of people who are to be watched, and whose air travel itineraries are to be logged for life, for (secret, unrestricted) reasons other than that they are suspected of terrorism. (more…)

How Australia profiles travelers: A look inside the “black box”

Tuesday, November 13th, 2012

At a “Big Data” conference in Sydney earlier this month, the head of Australia’s traveler tracking and profiling office (his actual title — we are not making this up — is “Director Intent Management & Analytics“) gave an  unusually revealing presentation (PDF) [also here] about the nature of the government’s travel data warehouse and how it is used to predict the “intent” of travelers to and from Australia.

Klaus Felsche of the Australian Department of Immigration and Citizenship (DIAC) didn’t mince words, referring explicitly to “data mining”, “risk scoring”, and “profiling” systems and algorithms, although lamenting that DIAC doesn’t (yet) have access to social media profiles or some data from other Australian  government agencies.

The US government has rarely used the words “scoring, “profiling”, or “data mining” with respect to its warehousing and use of Passenger Name Records (PNRs) and other travel data.  Most of the architecture, as well as all of the rules and algorithms, have been withheld from public disclosure, even when we have requested this information under the Privacy Act, FOIA, and/or through foreign governments and airlines that have allowed PNR data subject to their jurisdiction to be fed into these data warehouses and data-mining systems.

The “threat analysis” component of US travel control systems like Secure Flight has remained an unexplained “black box” whose operations are part of the magical secret sauce that justifies the government in enforcing  whatever its oracle decrees.  In this diagram — the most detailed yet provided by the TSA — it’s the red box at right center.

So we are grateful to Mr. Felsche of the Australian DIAC for providing a clearer picture of what data governments are archiving about us and our travels, and how they are using it.  Just remember, as you study his presentation, that:

  1. “Targeting” — the one euphemism that still permeates Mr. Felshe’s presentation — means search, seizure, interrogation, and prohibition of travel. In other words, deprivation of fundamental rights, to a greater or lesser degree depending on whether it means mere delay and intrusion or whether it means being confined by a no-fly order to the island of Australia for the remainder of one’s natural life.
  2. Australia is a relatively small country in population and (as his presentation makes clear) computing resources available to this component of the government.  Presumably, what’s being done with travel data by DIAC is only a subset of what is being done by the DHS, and perhaps in the European Union.

DHS Scrooge says U.S. citizen can’t come home for the holidays to see his ailing mother

Tuesday, November 6th, 2012

In the latest episode in the increasingly bizarre but all too real saga of standardless secret administrative no-fly orders from the DHS to airlines, prohibiting the transportation back to their home country of US citizens,  Oklahoma native Saadiq Long is being prevented from returning home to the US to spend the holiday season with his terminally ill mother.

Long is a US citizen and an honorably discharged veteran of the US Air Force, never charged with any crime in the US or any other country, who has been living and working as an English teacher in Qatar for the last several years.  He’s also a convert to Islam, which shouldn’t be relevant but probably is.

When he learned of his mother’s illness back home in Oklahoma, he made reservations and bought tickets from KLM for flights from Qatar to the US for what might be a last visit with his mother.

Less than 24 hours before his scheduled departure from Qatar in May, KLM told Mr. Long that the airline (and all others serving the US) had been forbidden from allowing him to board any flight to the US.

Mr. Long has been trying ever since to find out why the government of his country has forbidden all airlines from transporting him, or to find a way to get those orders rescinded. But to date, the DHS has maintained its position that it will neither confirm nor deny whether it has issued any no-fly orders with respect to any specific person, much less the basis (if any) for such orders.

KLM explicitly informed Mr. Long that it had received a no-fly order from the DHS. So in theory, KLM would be required by Dutch data protection law to disclose that order to Mr. Long on request. That wouldn’t tell Mr. Long why he had been banned form returning to his country (the DHS probably didn’t share the reasons for its order with the airline), but would prevent the DHS from claiming in court that whether Mr. Long has been prohibited form flying is a state secret.

Given KLM’s poor track record when individuals have requested KLM’s records of its communications with governments, and the Dutch data protection authority’s poor track record of enforcing the law, it’s hard to predict whether KLM would comply with a request from Mr. Long for all orders or communications pertaining to him between KLM and the US government.

Mr. Long is being assisted by the Council on American-Islamic Relations (CAIR), which has led the struggle for judicial review of no-fly orders. CAIR staff attorney Gadeir Abbas, the leading advocate for US citizens exiled by no-fly orders, told Glenn Greenwald that, “Every few weeks I hear of another Muslim citizen who cannot return to the country of which he is a citizen.”

[Update: Mr. Long was again denied boarding by KLM in Qatar on November 8, 2012.]

Government Surveillance of Travelers

Wednesday, October 3rd, 2012

For those attending today’s discussion of Government Survelliance of Travellers and the DHS “Automated Targeting System” (ATS) at the Brennan Center for Justice at NYU School of Law, or those who can’t make it but are interested in the topic, here are the slides from the presentation by Edward Hasbrouck of the Identity Project (, and links to additional references:

Today’s event is open to the public, so please join us if you are in New York and free at mid-day.

“Automated Targeting System” briefing 10/3 at the Brennan Center

Saturday, September 22nd, 2012

Identity Project consultant and policy analyst Edward Hasbrouck will give a brown-bag lunch presentation on the DHS “Automated Targeting System” and government surveillance and control of travelers on Wednesday, October 3, 2012, 12:30 - 2 p.m., at the Brennan Center for Justice, New York University School of Law, 161 Avenue of the Americas (6th Ave.), 12th Floor, New York (in SoHo, 1/2 block from the Spring St. station on the C and E subway lines).

Hasbrouck will give an introduction to the DHS “Automated Targeting System” (including examples of data from ATS records obtained through Privacy Act and FOIA litigation), its role in US government surveillance and control of travelers, and the civil liberties and human rights issues it raises.

The “Automated Targeting System” (ATS) is one of the largest of post-9/11 warrantless dragnet surveillance programs.  Built at a cost of more than $2 billion in government-mandated changes to commercial travel IT systems, to which DHS now has root access, ATS “ingests,”  archives, and mines complete mirror copies of all international airline reservations (”passenger name record“) data for travel to, from, or via the US. ATS records include where, when, and with whom you traveled; your IP address; what credit card was used; whether you asked for a kosher or halal meal; and whether you and your traveling companion asked for one bed or two in your shared hotel room.

While little known or debated in the US, ATS has been at the center of intense disputes with the European Union and Canada over US demands for access to travel reservation data from other countries.

Edward Hasbrouck works with the Identity Project on travel-related civil liberties and human rights issues. An award-winning travel journalist, blogger, and author, he also has 15 years of travel industry experience in airline reservations technology and travel agency  operations. Hasbrouck has testified before the TSA as well as the European and Canadian Parliaments on issues related to government access to airline reservations, and was the plaintiff in a recently-concluded Privacy Act and FOIA lawsuit seeking ATS records about himself as well as information about ATS data-mining capabilities.

The event is free and open to the press and the public.

European Parliament approves PNR agreement with the US. What’s next?

Wednesday, April 25th, 2012

MEPs picket outside the plenary chamber to ask their colleagues to say "No" to the PNR agreement with the US. (Photo by greensefa, some rights reserved under Creative Commons license, CC BY 2.0)

Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)

The vote is a setback for civil liberties and the the fundamental right to freedom of movement, in both the US and Europe.

But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.

Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.

Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.

By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.

The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US.  The DHS made this explicit in testimony to Congress in October 2011:

To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.

But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.

Most of the the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.

Why is that?


Google is now in the PNR hosting business

Thursday, March 1st, 2012

Today Google and Cape Air announced that Cape Air has migrated its reservations and Passenger Name Records (PNRs) to a new computerized reservation system (CRS) provided by Google’s ITA Software division.

ITA Software was working on a CRS even before it was acquired by Google last year, but had appeared to lack a launch customer to fund the project after its original partner, Air Canada, backed out. In his first public statement last November after the Google acquisition was completed, Google Vice President and former ITA Software CEO Jeremy Wertheimer anticipated today’s announcement and said that with Google’s new backing, his division was “burning the midnight oil” to complete the project.

Cape Air, Google’s CRS launch customer, is a very small US airline that mainly flies 9-seat piston-engined propeller planes to small resort islands. Most of what might look like “international” destinations on their route map are actually US colonies. But Cape Air does serve some British colonies in the Caribbean, including Anguilla and Tortola. All reservations for those flights, as well as any reservations for Cape Air’s domestic US and other flights made through travel agencies, tour operators, or “interline” airline partners in the European Union, are subject to EU data protection laws.

So as of today Google should have in place an airline reservation system, including PNR hosting functionality, which fully complies with EU laws including in particular UK data protection law and the EU Code of Conduct for Computerized Reservation Systems.

We’re doubtful that Google (or Cape Air) have complied with these requirements of EU law. Cape Air’s privacy policy says, “CapeAir does not fly routes within Europe, so this Privacy Policy is not adapted to European laws.” It appears to be true that Cape Air doesn’t fly within Europe, but it does operate flights to and from UK territories that are legally part of the EU. Cape Air also says, “By agreeing to Cape Air’s Privacy Policy, you consent to Cape Air applying its Privacy Policy in place of data protections under your country’s law.” It’s not clear whether such a waiver of rights is valid. The “Privacy Policy” link  on goes directly to Google’s new global privacy policy, which appears to say that Google may merge information from all Google services, presumably including Google’s new PNR-hosting service.

At the same time, in accordance with the Advance Passenger Information System (APIS) and PNR regulations of US Customs and Border Protection (CBP, a division of the DHS), that also means that Google has connected its system to CBP’s Automated Targeting System (ATS).  Whether Google has given CBP logins to “pull” data whenever CBP likes (as the other CRSs have done), or whether Google “pushes” PNR data to CBP, remains unknown until some Cape Air passenger requests their PNR data under EU law.

In accordance with the US Secure Flight rules, the Google CRS for Cape Air must also have a bi-directional connection to the US Transportation Security Administration to send passenger data to the TSA and receive permission-to-board (”cleared”) fly/no-fly messages in response.

This is, so far as we can tell, an unprecedented level of direct connection between Google’s databases and any government agency.  Has Google complied with EU law? Probably not, but we can’t tell. We invite Google to allow independent verification of how it handles PNR data, and whether its CRS system and its connections to the US government comply with EU rules.

[It's also important to note that the privacy and data protection practices of CRSs, including Google's "ITA Software" division, are outside the jurisdiction of the Federal Trade Commission and subject to policing only by the do-nothing Department of Transportation.]

There are also interesting questions about what profiling and data mining capabilities are built into Google’s CRS system. “Legacy” CRSs store PNRs in flat files in which PNRs for different trips by the same traveler can be difficult to link. But a report on the new Google CRS in the online trade journal Tnooz says it “enables … call center agents ‘to see customers’ history,’ including past trips and upcoming flights, ‘right in front of them’.” Greater designed-in profiling and data mining capabilities are selling points of Google’s CRS compared to its “legacy” competitors.

EU oversight and enforcement bodies should have demanded answers as well. Last May the European Parliament approved a resolution calling on the European Commission to carry out, “an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” In November, shortly after Google’s announcment that they were moving forward with their CRS project, a Member of the European Parliament submitted written follow-up questions to the Commission as to whether the EC has conducted such an analysis, as well as whether the EC has “considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?”

As we’ve noted, the “response” to these questions by Commission Cecilia Malmström said nothing about Google or other new CRS providers, contradicted the statements that have been made by European airlines, and largely ignored the issues raised by the European Parliament.

Cape Air is a small first step into the CRS industry by Google, but it won’t be the last.  Everyone concerned with how PNR data is stored and processed, including data protection authorities in countries that (unlike the US) have such entities, should carefully scrutinize and demand satisfactory, verifiable answers as to what this means about Google’s relationship to US government agencies and the need for oversight and enforcement of privacy data protection rules applicable to all CRS companies.