Archive for the ‘Surveillance State’ Category

Laura Poitras sues DHS et al. for records of her airport detentions and searches

Monday, July 27th, 2015

Documentary filmmaker Laura Poitras, represented by the Electronic Frontier Foundation, has filed a lawsuit under the Freedom of Information Act (FOIA) against the Department of Homeland Security (DHS), the Department of Justice (DHS), and the Office of the Director of National Intelligence (ODNI, which includes the NSA). The winner of an Oscar and a Pulitzer Prize for her independent journalism, Poitras is seeking the release of records kept by the government about her travels, and about why she has been detained for hours at a time, searched, and interrogated at airports whenever she entered or left the US.

We welcome Ms. Poitras’ lawsuit, and we wish her and EFF all success. But we’ve been down this road before, and the results aren’t encouraging:

  • In 2006, Ms. Julia Shearson, Executive Director of the Cleveland Chapter of the Council on American Islamic Relations (CAIR), filed suit pro se against the DHS under the Privacy Act, seeking disclosure of records about why she was detained at gunpoint at the US-Canada border and falsely labeled as a terrorist in government blacklists. Despite years of litigation, Ms. Shearson still hasn’t received any information about why or by whom she was blacklisted as a terrorist, or any confirmation that any of the blacklist entries about her have been corrected.
  • In 2008, Ms. Sophie In ‘t Veld, a Member of the European Parliament from the Netherlands, also represented by EFF, sued the DHS under FOIA for records about her travel from the DHS “Automated Targeting System” (ATS). Although Ms. In ‘t Veld eventually received some excerpts from the DHS dossier about her travels, the pre-crime “risk assessment” scores assigned to her each time she traveled to or from the US were redacted and withheld, as was all information about the algorithms and the information used as the basis for those scores.
  • In 2010, Mr. Edward Hasbrouck, an award-winning travel journalist and a consultant to the Identity Project, represented by our parent organization the First Amendment Project, sued the DHS under both the Privacy Act and FOIA, seeking disclosure of records about himself and his travels from ATS, including risk assessments and rules used for determining them, and information about ATS search and data-mining functionality. Like Ms. In ‘t Veld, Mr. Hasbrouck eventually received some excerpts from the ATS files about his travels, but with all information about risk assessments and risk assessment algorithms redacted and withheld.  While Mr. Hasbrouck’s requests were pending, DHS exempted ATS from all of the access and disclosure accounting requirements of the Privacy Act, and a US District Court judge upheld the retroactive application of those exemptions to unanswered requests that Mr. Hasbrouck had made three years previously.  The judge also upheld the withholding of all information about DHS data-mining capabilities for ATS travel records, without even looking at any of the requested records.
  • In 2011, Mr. David House, a computer programmer associated with the Chelsea Manning (then Bradley Manning) Support Network, represented by the ACLU of Massachusetts, sued the DHS for wrongly searching and seizing Mr. House’s electronic devices and data at the airport when he returned to the US from a vacation abroad.  As part of a settlement of the lawsuit, the government eventually turned over some records from its files about Mr. House and about how the government used its travel surveillance capabilities to target him for his work to publicize Ms. Manning’s case and raise funds for her legal defense.  The records released to Mr. House give a partial picture of how the DHS uses manually-created flags (”lookouts”) to target travelers, but still doesn’t give any information about the algorithms or data inputs used for automated pre-crime profiling and “risk assessment” scores.
  • In 2013, Messrs. C.J. Chivers and Mac William Bishop, two reporters for the New York Times represented by the Times’ in-house legal department, sued the DHS under both FOIA and the Privacy Act for records about why the two journalists were targeted for unusually intrusive searches and interrogations at airports while leaving and returning to the US on reporting assignments for the Times. The Times hasn’t (yet) reported on what, if any, records they have received in response to the lawsuit. We presume that means that the government has yet to disclose any significant new information about its targeting of journalists and their travels.

We’ve been involved as plaintiffs, attorneys, or consultants to plaintiffs and their counsel in all but one of these cases, and we support continued litigation on these issues.

Harassment of journalists and political activists and interference with their right to travel are only part of a bigger picture. Government surveillance and control of travel is a threat to everyone’s rights.  It’s important for the government to disclose what it’s been doing, but it’s equally important to expunge the government’s travel metadata surveillance archives and end the government’s pre-crime profiling and permission-based controls on who it “allows” to travel by common carrier or public right-of-way.

Expert critique of European travel surveillance and profiling plans

Monday, July 6th, 2015

Independent legal experts commissioned by the Council of Europe (COE) to assess proposals for surveillance and profiling of air travellers throughout the European Union have returned a detailed and perceptive critique of the proposed EU directive on government access to, and use of, Passenger Name Record (PNR) data from airline reservations.

Before the revelations by Edward Snowden and other whistleblowers about dragnet surveillance of telephone and Internet communications, few people appreciated the nature of the threat to freedom posed by government acquisition and use of PNR data for dragnet travel surveillance.

The expert report to the Council of Europe marks a breakthrough in the “post-Snowden” understanding of the nature and significance of government demands for PNR data. The report reframes the PNR debate from being an issue of privacy and data protection to being part of a larger debate about suspicionless surveillance and pre-crime profiling. The report also focuses the attention of European citizens, travellers, and policy-makers on the decisions made (in whole or in part) on the basis of PNR data: decisions to subject travellers to search, interrogation, or the total denial of transportation (”no-fly” orders).

The report specifically cites the Kafkaesque case of Dr. Rahinah Ibrahim as an example of the way that decisions made on such a basis tend to evade judicial review or effective redress.

The PNR directive under consideration by the European Union would require each EU member to establish a Passenger Analysis Unit (PAU), if it doesn’t already have one. These PAUs would function as new national surveillance and pre-crime policing agencies. Each PAU would be required to obtain PNR data for all air travellers on flights subject to its jurisdiction, “analyze” this data (i.e. carry out algorithmic pre-crime profiling of air travellers using PNR data as one of its inputs) and share the raw PNR data with its counterparts throughout the EU.

The United Kingdom already has such a Passenger Analysis Unit. It’s not clear which, if any, other EU members already have such units, although staff of the US Department of Homeland Security, based in Germany and elsewhere in Europe, already perform similar functions as “advisors” making “recommendations” to their European counterparts regarding the treatment of European travellers, based on US profiling of PNRs and other travel history and surveillance data.

The COE expert report on Passenger Name Records, Data Mining & Data Protection was commissioned by the COE Directorate General Human Rights and Rule of Law, and prepared by Douwe Korff (Emeritus Professor of International Law at London Metropolitan University, Associate at the Oxford Martin School of the University of Oxford, and currently Visiting Fellow at Yale University in the USA) and Marie Georges (independent expert formerly on the staff of the French national data protection authority, CNIL). The report was presented and discussed at a meeting last week of the “Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD)”.

According to the introduction to the report:

Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly 'identified'] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned — and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted….

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

The report develops these key points about government access to and use of PNR data as a suspicionless dragnet surveillance system and as part of predictive pre-crime policing (outside of normal mechanisms for penal sanctions or for review and redress for police action) in detail.

In addition, the report endorses and highlights the point we have been making for many years that because most PNR data for flights worldwide is hosted by, and communicated through, reservation databases accessible from the USA and worldwide without purpose or geographic access limitations or access logs, the USA and other governments can already obtain and use this data, entirely bypassing putative controls on access to PNRs directly from airlines.

The report specifically directs the attention of European officials to testimony by Edward Hasbrouck of the Identity Project at a European Parliament hearing in 2010 (hearing agenda and witness list, slides, video):

“Europe” must also examine the highly credible claims by Edward Hasbrouck … that the USA has been systematically violating previous agreements, and is still systematically by-passing European data protection law, by accessing the CRSs used in global airline reservation systems hosted in the USA to obtain full PNR data on most flights, including most European flights (including even entirely intra-European ones), outside of any international agreements….

[W]e believe that the supposed safeguards against such further — dangerous — uses of the data are weak and effectively meaningless, both in their own terms and because, as Edward Hasbrouck has shown, the USA can in any case obtain access to essentially all (full) PNRs, through the Computerized Reservation Systems used by all the main airlines, as described next.

(more…)

Supreme Court finds L.A. hotel guest surveillance law unconstitutional

Tuesday, June 23rd, 2015

The Supreme Court has found unconstitutional on its face a Los Angeles ordinance requiring operators of hotels and motels to demand specified personal information from and about each guest and their behavior (date and time of arrival and departure, license plate number of the vehicle in which they arrived, etc.), log this travel metadata, and make this log (”guest register”) available for warrantless, suspicionless inspection by police at any time, under penalty of immediate arrest and imprisonment of the hotelier, without possibility of judicial review before complying with a demand for inspection.

The Supreme Court rejected the contention that hotels are so instrinsically dangerous as to justify their treatment as a “closely regulated industry” subject to inspection (i.e. search) without probable cause: “[N]othing inherent in the operation of hotels poses a clear and significant risk to the public welfare.”  By implication, this is a significant rebuff to post-9/11 (and pre-9/11) arguments that travel or travelers are per se suspicious, and to claims that there is or should be some sort of travel (or travel industry) exception to the Fourth Amendment.

And lest anyone be tempted to say that travel services providers with legally-imposed duties to accommodate the public are somehow different when it comes to the applicability of the Fourth Amendment, the Supreme Court also found that, “laws obligating inns to provide suitable lodging to all paying guests are not the same as laws subjecting inns to warrantless searches.”  The same logic, of course, would appear to apply to common carriers, who are obligated by law to provide transportation to all paying passengers.

The ruling by the Supreme Court in Los Angeles v. Patel upholds an en banc decision last year by the 9th Circuit Court of Appeals in a lawsuit first brought seven years ago by hotel owners Naranjibhai Patel and Ramilaben Patel and by the Los Angeles Lodging Association, an association of Indian-American proprietors of the sort of budget hotels that might, if allowed to do so by the government, provide accommodations of last resort to people without government-issued ID credentials who would otherwise have to sleep on the streets or under bridges.

We again commend Messrs. Patel and the LA Lodging Association for doing the right thing and standing up for their customers, even as small business owners highly vulnerable to police harassment and retaliation for questioning authority.

The Supreme Court ruling addresses only the rights of hotel owners, not those of hotel guests, and does noting in itself to establish a right to obtain lodging without having or showing government-issued permission papers. Nor does it address the requirement for hotels to monitor and log their guests’ identities and activities — only the requirement to make those logs available to the government without any possibility of prior judicial review of government demands for access.

As others have noted, and as we discussed in relation to the 9th Circuit’s decision and the Supreme Court’s decision to review it, much of the logic of this decision is equally applicable to other dragnet travel surveillance schemes involving compelled compilation, retention, and government access to travel metadata held by third parties (in this case, hotels) rather than by travelers themselves.

But as we have also noted before, this remains the only case we are aware of in which any of those travel companies — not just hotels but also airlines and other types of travel companies– have gone to court to challenge government demands for information about their customers.

Especially in light of this decision by the Supreme Court, it should be apparent that there’s an Achilles heel for the government to the “third-party” doctrine that individuals have no standing to challenge government demands for information  provided to and held by third parties, because that information is owned by those third parties and not by the individuals to whom it pertains:  As this case makes clear, those third parties — not just hotels but also airlines and others — do have standing to challenge these demands, and have a good chance of success if they persevere.

The shame is on larger travel companies with deeper pockets for going along with government surveillance of their customers and guests without question, and leaving it to highly vulnerable small businesses with fewer resources to challenge this dragnet travel surveillance scheme.

In the wake of the Supreme Court’s decision in L.A. vs. Patel, there’s more reason than ever for travelers to demand that all travel companies make public, contractually binding commitments, in their tariffs or terms of service, not to disclose information about their customers to the government without challenging those demands and without seeking to notify their customers of those demands.

If your travel history is “suspicious”, is that cause for search?

Friday, June 12th, 2015

If the file about you the DHS has compiled from airline reservations, license-plate readers, and other travel surveillance data sources is deemed “suspicious”, does that constitute probable cause for a search of your home and business or seizure of your possessions?

That question has arisen in  the case of Albuquerque antique gun collector and dealer Bob Adams, argued in May 2015 and currently awaiting a decision by the 10th Circuit Court of Appeals in Denver.

On January 23, 2013, Mr. Adams’ home and business was raided by a SWAT team including DHS and other Federal and state agencies.  Various of his possessions, including his collection and inventory of firearms, were seized, damaged, and/or destroyed in the raid. On November 4, 2013, after Mr. Adams had filed suit to recover his property, he was indicted for various technical violations of Federal laws relating to firearms imports and dealer licensing and reporting.

Both the search warrant and the indictment were based, in part, on allegations by Federal law enforcement officers regarding the records of Mr. Adams’ international travel history in the DHS Automated Targeting System (ATS). In an affidavit supporting the application to a Federal magistrate for the search of Mr. Adams’ home and business, “Special Agent” Frank Ortiz of the New Mexico Attorney General’s Office claimed that ATS records showed that Mr. Adams had repeatedly flown to Canada without having return flight reservations to the US, and had subsequently re-entered the US as a passenger in a private car.  This, agent Ortiz opined (based on his purported “expertise” in interpreting such data) was evidence of a pattern of suspicious behaviour characteristic of Mr. Adams’ alleged modus operandi for unlawful firearms imports.

The Federal judge to which the criminal case against Mr. Adams was assigned first upheld the search warrant but then, on reconsideration, ordered all the evidence obtained from the search suppressed, on the basis of other materially false statements, made in apparent bad faith, in Agent Ortiz’s affidavit. The government, which would have no case against Mr. Adams without that evidence, has appealed that ruling to the 10th Circuit Court of Appeals.

The ruling by the District Court, the arguments to the Court of Appeals, and most of the publicity about the case have focused on questions related to firearms.  But what concerns us are the issues related to ATS and its use as a surveillance and suspicion-generating system.

First, ATS data is neither accurate nor complete, and should not be relied on. For example, even experts may be unable to tell, from a particular PNR, whether or not it corresponds to actual travel or issuance of a ticket. (Mr. Adams says some of the DHS records of flights he allegedly took to Canada don’t correspond to flights he actually took, which is an inevitable consequence of the DHS orders to airlines to transmit copies to DHS of all reservations for such flights, including reservations that were unticketed and/or cancelled.) And license plate readers and the associated optical character recognition systems are, of course, subject to an unknown but substantial percentage of errors. (Mr. Adams says he has never traveled in some of the private vehicles in which ATS records that he crossed the US-Canada border.) Most importantly, the DHS has itself exempted ATS from the requirements of the Privacy Act for accuracy and completeness, on the basis of a claim that it is necessary to include inaccurate and incomplete data. Having done so, the government should be “estopped” from suggesting that any court or jury rely on this data.

Second, if the purpose of the ATS dragnet of warantless, suspicionless travel surveillance is to develop or support suspicions of criminal activity, that is a general law-enforcement purpose that goes far beyond the scope of permissible administrative searches or seizures of personal information incident to air travel or for purposes of aviation security.

Third, the evidence presented to the court in support of the application for a search warrant, to the grand jury in support of the indictment, and to Mr. Adams as part of pre-trial discovery, appears to have included only excerpts from TECS records (entry/exit logs which are one of the components of ATS), but not the complete TECS records, and none of the Passenger Name Record (PNR) data also included in ATS.  Full TECS records would include indications of the source of the data, and PNRs might well have made clear whether airline reservations had actually been ticketed and used, or had been cancelled as Mr. Adams claims.

It seems likely that the complete contents of the ATS records about Mr. Adams’ travel, including full TECS records and all PNR data, constituted potentially exculpatory evidence known to, and in the possession of, the government, which it was required to disclose to the defense pursuant to the decision of the Supreme Court in Brady v. Maryland.

More generally, it would seem that a complete ATS file for any involved individual, including complete TECS and PNR data, would constitute potentially exculpatory evidence in virtually any prosecution in which international travel might be relevant: smuggling, facilitating unlawful immigration, etc. It would be almost impossible for the government to know in which cases such data might support an alibi, support or undermine the credibility of a witness, or support or refute some other testimony or claim. If the government doesn’t proactively produce this material (as it is required to do), defense attorneys should object to this as a violation of the Brady doctrine, and/or specifically include it in routine discovery motions.  (We are available to assist defense counsel in interpreting such disclosures, and/or in explaining to courts how they could be exculpatory.)

Having carried out this extensive (although unreliable) surveillance of travelers, DHS appears to be using it selectively, introducing only those excerpts, in those cases, which it thinks it can spin as suspicious — and not mentioning other portions of these files that might refute these or other government allegations.  We wonder how many other criminal prosecutions this has tainted.

Toll payment devices used to track vehicles on toll-free roads

Tuesday, April 28th, 2015

Public records obtained by the ACLU from New York City and State agencies have confirmed the extensive use of RFID readers to track RFID toll payment devices on streets and roads where there are no tolls.

The ACLU’s report on the responses to its public records requests speaks for itself, but raises more questions about where else, by which government agencies, and for what purposes motor vehicle movements are being tracked, and whether vehicles without these RFID toll payment devices are also being tracked.

In New York, toll-tag RFID readers were systematically deployed on toll-free city streets for traffic monitoring. By logging the time and a unique vehicle identifier (broadcast by the RFID toll tag) for each vehicle passing each set of sensors, the system can calculate the most recent travel times between any tow sets of sensors.  That’s what’s used (at least in New York City) to generate the travel times displayed on road signs, and for other traffic management and traffic signal control optimization purposes.

The problem is that measuring the time required for an individual vehicle to travel between any two points in the road network requires uniquely identifying each vehicle and logging the time it passes each sensor.  It’s unclear from the documents obtained by the ACLU how long these logs are retained, to whom they are accessible, or how they are used.

The E-ZPass toll tags used in New York and other states in the Northeast and Midwest use the same long-range RFID technology, with the same potential for surveillance use, as FasTrak in California, SunPass in Florida, and RFID toll payment systems in many other states including (we are not making this up) Freedom Pass for toll roads in Alabama.

The RFID transponders in these toll payment devices are designed, of course, to be read from above or alongside the road, even when the device is inside the vehicle.  These RFID transponders are promiscuous: they will respond with their unique ID number to a query from any RFID reader.  In general, no license, permit, or consent is required to operate an RFID reader.  Anyone can legally buy an off-the-shelf RFID reader, install it wherever they want — near a road, or in a vehicle — and start logging the time, location, and unique ID of each toll tag that comes within range. They can use or sell these logs without restriction.

Most motorists, of course, have no idea how the travel times on highway signs are estimated, and these vary from place to place. The state of Washington, for example, has experimented with a homebrewed system for tracking vehicles through the unique MAC addresses broadcast by in-vehicle Bluetooth systems.

Most toll-collection agencies provide foil bags in which RFID toll tags can be kept when they aren’t in use. But it’s a nuisance at best, and potentially dangerous for someone driving alone, to remove the toll tag from the foil bag while driving, and replace it in the bag after passing each toll payment point. Most people leave these ID-broadcasting devices permanently mounted and exposed on the sun visor, windshield, or dashboard of their vehicle.

What about those motorists who don’t carry these RFID-based toll payment and tracking devices in their vehicles?  Many toll roads are moving to “all electronic tolling” (AET) in order to eliminate toll booths and any possibility of on-the-spot payment of tolls.  At least as currently being deployed in the US, most if not all of these AET systems use automated license plate readers in each lane to identify each motor vehicle without an RFID toll payment device. A bill for the toll is then mailed to the registered owner of the vehicle.  One way or another, either by RFID tag serial number or license plate number, every vehicle is uniquely identified and the time, location, and direction of its passage is logged by the toll agency or its contractors.  These all electronic tolling and vehicle tracking systems are already in use on bridges, tunnels, and toll roads from the Mystic/Tobin Bridge in Boston to the Golden Gate Bridge in San Francisco.

License plate readers are increasingly widely deployed, but RFID readers are a cheaper and more versatile technology for vehicle tracking than LPRs, at least at present.  A separate, properly positioned LPR camera is typically required for each lane, and optical character recognition software is needed to extract license plate numbers from raw imagery.  A single, cheaper, RFID reader can cover multiple lanes, from a wider range of placement locations.

Vehicles without toll payment devices have other promiscuous RFID chips that broadcast unencrypted unique identifiers. New motor vehicles sold in the US are required to have automated tire pressure monitoring systems (TPMS), most of which rely on sensors and transponders attached to, or embedded in, new tires.  There are no legal controls on tracking or logging of vehicle movements by means of these tire tags, and no way for ordinary motorists to know when, where, or by whom their position has been recorded, who has logs of past vehicle movements, or how those logs might be used in the future. Similar (and similarly uncontrolled) but shorter-range unique-numbered RFID chips are used as stored-value transit fare payment devices in many major metropolitan areas, so even non-drivers are at risk of being covertly tracked.

Amtrak formats for passenger ID data dumps to governments

Thursday, April 23rd, 2015

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (”passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

DHS expands mining of travel data while reducing logging and controls

Wednesday, April 22nd, 2015

The US Department of Homeland Security has announced plans to expand its data mining and “sharing”of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.

(more…)

DHS continues and expands use of commercial vehicle tracking databases

Tuesday, April 7th, 2015

Barely more than a year after publicly cancelling a request for bids on the construction of a national database of vehicle location data compiled from commercial and government-operated license-plate reader (LPR) cameras, the DHS has quietly revealed that it is once again seeking to buy access to commercially-aggregated LPR data, and that some DHS component field offices are already doing so.

Cameras combined with optical character recognition software allow for automated logging of the license-plate number (and of course the associated time, date, plate, and direction of travel) of every passing vehicle. “Some LPR systems also capture within the image the environment surrounding a vehicle, which may include drivers and passengers,” the DHS acknowledges in its latest Privacy Impact Assessment for DHS use of commercial LPR data.

The only apparent difference between the proposal supposedly nixed in February 2014 and the plans revealed in the March 2015 PIA is that the DHS’s own LPR vehicle, driver, and passenger tracking data won’t be completely merged with LPR data from commercial sources and aggregators — at least not by the DHS itself.  The PIA describes a scheme in which the DHS will pay for query-based access to commercially-aggregated LPR data and the ability to set flags that will generate real-time alerts to the DHS whenever license-plate numbers of interest are observed.

(more…)

You can’t tell the travelers without a scorecard

Tuesday, March 31st, 2015
The TSA uses appearance profiles to decide whether to search you and/or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from GAO report.)

Point scores assigned by TSA "Behavior Detection Officers" are used to decide whether to search you or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from 2013 GAO report. Click image for larger version.)

The Intercept has published the scorecard used by TSA “Behavior Detection” precogs to assign points to travelers, as part of the TSA’s “SPOT” pre-crime scheme for deciding which travelers to subject more intrusive search and/or interrogation or “refer” to local police:

Whether you call SPOT and the TSA’s other pre-crime profiling programs “junk science”, “culturally biased”, or simply “unconstitutional”, it’s clear that the TSA can’t tell the terrorist travelers with or without a scorecard.

The SPOT scorecard includes pairs of, “Damned if you do, damned if you don’t,” point categories. “Avoids eye contact with security personnel or LEO [Law Enforcement Officer]“? +1 point. On the other hand, “Cold penetrating stare” or “Widely open staring eyes”? +2 points.

Disturbingly, some of the largest point values are assigned for the exercise of First Amendment rights to express opinions, ask questions, and observe what is in plain sight: “Asks the BDO [Behavior Detection Officer] security-related questions”? +3 points. “Shows arrogance and verbally expresses contempt for the screening process”? +2 points. “Scans area, appearing to look for security personnel or LEO”? +2 points.

In what appears to be flagrant discrimination against people with disabilities, anyone attempting to communicate in sign language is severely penalized: “Exhibiting hand gestures to others”? +3 points.

Part of the scorecard is broken down into “Stress”, “Fear”, and “Deception” categories. Stress and fear would seem to be natural responses to being profiled, judged, interrogated, and groped by government agents in cop-like uniforms who claim discretionary and deliberately unpredictable power to stop us from exercising our rights.  What traveler anywhere in the world doesn’t tense up when they are stopped at a checkpoint, and breathe a sigh of relief when they have made it through?

Points are also assigned for attributes having nothing to do with these factors, and which cannot lawfully be construed as constituting a reasonable basis for suspicion sufficient to justify search or detention.

Are you one of a party of, “Males traveling together who are NOT part of a family”? +1 point. Take that, pairs of traveling salesmen, and pairs of Mormon Elders on a mission! Do you appear to be a “Member of a family”?  -2 points. What’s a “family”? And how can the TSA tell?

Possession of duct tape “which the passenger has no apparent reason to possess”? +1 point. Isn’t the reason to carry duct tape that you never know for what purpose you will need it?

Cash is considered presumptively and for outbound international travelers conclusively suspicious. Possession of, “Large sum of monies leaving U.S.”, or “Large sum of monies with no apparent reason to possess”? Automatically notify a law enforcement officer.

Some of the scoring categories appear to be purely cultural or fashion bigotry: “Face pale from recent shaving of beard”? +1 point.  Others show age and/or gender bias: “Facial flushing while undergoing screening”? +1 point. So much for any woman who happens to have a hot flash at a checkpoint. “Apparent married couple with both spouses over 55 years old”? -2 points.

The Intercept quotes two unnamed former TSA “Behavior Detection Officer” managers. One says the scorecard is, “designed in such a way that virtually every passenger will exhibit multiple ‘behaviors’ that can … justify BDO interaction with a passenger. A license to harass.” Another describes the SPOT porgram as, “Bullshit. Complete bullshit.”  We couldn’t have said it better.

Smile for the camera, citizen!

Monday, March 23rd, 2015

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment.  A few countries. starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.

(more…)