Archive for the ‘Surveillance State’ Category

Amtrak formats for passenger ID data dumps to governments

Thursday, April 23rd, 2015

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (”passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

DHS expands mining of travel data while reducing logging and controls

Wednesday, April 22nd, 2015

The US Department of Homeland Security has announced plans to expand its data mining and “sharing”of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.

(more…)

DHS continues and expands use of commercial vehicle tracking databases

Tuesday, April 7th, 2015

Barely more than a year after publicly cancelling a request for bids on the construction of a national database of vehicle location data compiled from commercial and government-operated license-plate reader (LPR) cameras, the DHS has quietly revealed that it is once again seeking to buy access to commercially-aggregated LPR data, and that some DHS component field offices are already doing so.

Cameras combined with optical character recognition software allow for automated logging of the license-plate number (and of course the associated time, date, plate, and direction of travel) of every passing vehicle. “Some LPR systems also capture within the image the environment surrounding a vehicle, which may include drivers and passengers,” the DHS acknowledges in its latest Privacy Impact Assessment for DHS use of commercial LPR data.

The only apparent difference between the proposal supposedly nixed in February 2014 and the plans revealed in the March 2015 PIA is that the DHS’s own LPR vehicle, driver, and passenger tracking data won’t be completely merged with LPR data from commercial sources and aggregators — at least not by the DHS itself.  The PIA describes a scheme in which the DHS will pay for query-based access to commercially-aggregated LPR data and the ability to set flags that will generate real-time alerts to the DHS whenever license-plate numbers of interest are observed.

(more…)

You can’t tell the travelers without a scorecard

Tuesday, March 31st, 2015
The TSA uses appearance profiles to decide whether to search you and/or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from GAO report.)

Point scores assigned by TSA "Behavior Detection Officers" are used to decide whether to search you or your luggage, interrogate you, call the police, or allow you to fly. (Diagram from 2013 GAO report. Click image for larger version.)

The Intercept has published the scorecard used by TSA “Behavior Detection” precogs to assign points to travelers, as part of the TSA’s “SPOT” pre-crime scheme for deciding which travelers to subject more intrusive search and/or interrogation or “refer” to local police:

Whether you call SPOT and the TSA’s other pre-crime profiling programs “junk science”, “culturally biased”, or simply “unconstitutional”, it’s clear that the TSA can’t tell the terrorist travelers with or without a scorecard.

The SPOT scorecard includes pairs of, “Damned if you do, damned if you don’t,” point categories. “Avoids eye contact with security personnel or LEO [Law Enforcement Officer]“? +1 point. On the other hand, “Cold penetrating stare” or “Widely open staring eyes”? +2 points.

Disturbingly, some of the largest point values are assigned for the exercise of First Amendment rights to express opinions, ask questions, and observe what is in plain sight: “Asks the BDO [Behavior Detection Officer] security-related questions”? +3 points. “Shows arrogance and verbally expresses contempt for the screening process”? +2 points. “Scans area, appearing to look for security personnel or LEO”? +2 points.

In what appears to be flagrant discrimination against people with disabilities, anyone attempting to communicate in sign language is severely penalized: “Exhibiting hand gestures to others”? +3 points.

Part of the scorecard is broken down into “Stress”, “Fear”, and “Deception” categories. Stress and fear would seem to be natural responses to being profiled, judged, interrogated, and groped by government agents in cop-like uniforms who claim discretionary and deliberately unpredictable power to stop us from exercising our rights.  What traveler anywhere in the world doesn’t tense up when they are stopped at a checkpoint, and breathe a sigh of relief when they have made it through?

Points are also assigned for attributes having nothing to do with these factors, and which cannot lawfully be construed as constituting a reasonable basis for suspicion sufficient to justify search or detention.

Are you one of a party of, “Males traveling together who are NOT part of a family”? +1 point. Take that, pairs of traveling salesmen, and pairs of Mormon Elders on a mission! Do you appear to be a “Member of a family”?  -2 points. What’s a “family”? And how can the TSA tell?

Possession of duct tape “which the passenger has no apparent reason to possess”? +1 point. Isn’t the reason to carry duct tape that you never know for what purpose you will need it?

Cash is considered presumptively and for outbound international travelers conclusively suspicious. Possession of, “Large sum of monies leaving U.S.”, or “Large sum of monies with no apparent reason to possess”? Automatically notify a law enforcement officer.

Some of the scoring categories appear to be purely cultural or fashion bigotry: “Face pale from recent shaving of beard”? +1 point.  Others show age and/or gender bias: “Facial flushing while undergoing screening”? +1 point. So much for any woman who happens to have a hot flash at a checkpoint. “Apparent married couple with both spouses over 55 years old”? -2 points.

The Intercept quotes two unnamed former TSA “Behavior Detection Officer” managers. One says the scorecard is, “designed in such a way that virtually every passenger will exhibit multiple ‘behaviors’ that can … justify BDO interaction with a passenger. A license to harass.” Another describes the SPOT porgram as, “Bullshit. Complete bullshit.”  We couldn’t have said it better.

Smile for the camera, citizen!

Monday, March 23rd, 2015

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment.  A few countries. starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.

(more…)

Amtrak lies about police use of passenger data

Friday, March 20th, 2015

Passenger Name Record (PNR) view from Amtrak "Police GUI". (Click image for larger version.)

The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.

Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU.  That response omitted any mention  of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual  citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.

Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)

The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Potection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.

(more…)

US government veterans call for curbs on surveillance

Monday, March 9th, 2015

Citing our research and analysis on NSA surveillance of travelers as part of the basis for their recommendations, an organization of veterans of US intelligence agencies has called for curbs on mass surveillance of innocent individuals, in order to “preserve privacy and increase security”.

These recommendations to the Privacy and Civil Liberties Oversight Board (PCLOB) are the latest in a series of statements issued by the Veteran Intelligence Professionals for Sanity (VIPS), a group which includes prominent NSA, CIA, State Department, FBI, and other whistleblowers. (More from former FBI agent Coleen Rowley, one of the members of VIPS and a signatory of the statement.)

Thel letter from VIPS  to the PCLOB is worth reading in full, but we found these portions among the most trenchant:

The Fear Factor

If Americans want to actively protest U.S. Government policies, but are aware that their communications are being monitored, some individuals will be fearful, inclined toward self-censorship and less likely to speak out – with the chilling effect of being denied their First Amendment rights to free speech and association.

With the Government’s surveillance resources devoted to electronic communications, facial image capture, retina scans, GPS and E-ZPass tracking, license plate readers, banking transactions, and air travel reservations, those with access to the data will be free to develop their own “threat” profiles to target people with tragic consequences for citizens’ freedom of speech, press, religion, and association.

Is this the state of freedom Americans choose to live under? It was achieved through a cooperative Congress and an anxious news media that reacted on the basis of a fear-mongering Intelligence and Law Enforcement Community backed by profiteers from the private sector eager to come to the rescue with all manners of big data analytics solutions. Over the ensuing years, public malaise seems to have set in yielding a general sense of resignation over the loss of privacy wherein it’s viewed to be a small price to pay for the convenience of having perpetual electronic access within reach 24/7.

(more…)

Must we choose between the right to travel and the right to remain silent?

Tuesday, February 24th, 2015

When US citizen Jonathan Corbett checked in at Heathrow Airport in London for an American Airlines flight to New York last December, he was questioned by an airline employee or contractor (it’s often impossible to tell which are which) about his travel outside the US:

When questions changed from, “Where are you flying?” to “Was your trip for personal or business purposes,” and “Where were you since you left America,” I asked if the questions were necessary, and was told yes.

Mr. Corbett was eventually allowed to board his flight without answering these questions. But he followed up first with the airline, which referred him to the TSA, and then with the TSA itself.

Both AA and the TSA said that the questioning is part of a TSA-mandated “security program”. While AA and the TSA both claimed that most details of this program are secret, the TSA “Office of Global Strategies Communications Desk” (OGSCommunications@tsa.dhs.gov) told Mr. Corbett that answering the questions is a condition of boarding a flight to the US:

As part of its Transportation Security Administration (TSA)-approved security program, American Airlines is required to conduct a security interview of passengers prior to departure to the United States… If a passenger declines the security inteview, American Airlines will deny the passenger boarding. The contents of the security program and the security interview are considered Sensitive Security Information (SSI) … and its contents are not for public disclosure. Any security procedure performed by the airline would be because of a requirement in their program.

Yesterday, Mr. Corbett filed suit against the TSA in both the U.S. District Court for the Eastern District of New York (which has jurisdiction over Kennedy Airport in Queens, where his flight arrived in the US) and in the 11th Circuit Court of Appeals (which has jurisdiction over Florida, where Mr. Corbett resides).  Perverse judicial precedents including those in Mr. Corbett’s own previous lawsuits require most lawsuits against TSA practices to be filed simultaneously in both District and Circuit Courts, to avoid a risk of being dismissed on jurisdictional grounds.

Mr. Corbett’s lawsuit directly challenges the requirement for a traveler to answer questions (i.e. to waive his or her Firth Amendment right to remain silent) as a condition of the exercise of the rifght to travel, specifically the right of a US citizen to return to the US.

(more…)

Feds aggregating license-plate scans to track vehicles and people in real time

Friday, February 6th, 2015

We’ve talked a lot about government surveillance and control of air travelers, and occasionally about its extension to bus and train travel.  (Our FOIA request about this to Amtrak remains unanswered and several months overdue for a response.)

But can you avoid being tracked and watched by the government if you travel by private car? No:

A year ago, when the Department of Homeland Security cancelled a request for bids from commercial vendors to supply vehicle location logs compiled from automated (optical character recognition) license-plate readers, we pointed out that the DHS didn’t need to buy this information from commercial data aggregators, since it already had it available from government sources.  In fact, as we noted then, the DHS had already given official notice of the inclusion of license-plate location logs in DHS databases about both US and foreign citizens (while claiming that a license plate number isn’t a “personal identifier”).

New documents released to the ACLU in response to FOIA requests and reported by the Wall Street Journal (paywalled article; NPR interview with the WSJ reporter on the story) confirm our suspicions: As early as 2009, a “National LPR Initiative” was compiling data from license-plate readers operated by the DHS and other Federal, state, and local government agencies to track both vehicles and their occupants in real time. (More background and additional documents from the ACLU’s previous FOIA requests regardign license-plate readers; related documents released to EPIC and to EFF.)

Many of the Federal government’s license-plate readers are operated by the Customs and Border Protection (CBP) division of the DHS, under its assertion of authority to conduct unlimited “border” searches anywhere within 100 miles of a US land border or seacoast. But the master database is being compiled and maintained by the Drug Enforcement Agency (DEA), and used primarily to intercept domestic commerce in drugs and to target vehicles, cash, and other property that can be seized under “civil forfeiture” laws.

This isn’t, of course, the first time we’ve seen CBP’s assertion of a “Constitution-free zone” in coastal and border regions where the majority of the US population lives misused as the basis for surveillance of, and interference with, domestic travel.  Sadly, we don’t expect that this will be the last such instance, either.

Is the attack on Charlie Hebdo a reason for air travel surveillance?

Tuesday, January 13th, 2015

In a speech today in Strasbourg opening the current session of the European Parliament, the President of the European Council (the executive branch of the European Union, comprised of national governments) invoked the attack on the satirical cartoonists of Charlie Hebdo as a reason for popularly-elected EU legislators to put aside their previous objections and enact a comprehensive EU-wide mandate for surveillance and profiling of airline passengers on the basis of Passenger Name Record (PNR) data from airline reservations.

Today’s speech by Council President Donald Tusk of Poland echoed similar statements by “security” (policing and surveillance) officials of other EU governments in conjunction with a summit meeting of EU ministers. The summit is also being attended by senior US officials from the DHS and other agencies that have been lobbying the EU for years to set up a PNR-based surveillance and profiling scheme modeled on the one used by the US.

Tusk and other EU officials have made PNR-based profiling of air travelers a priority as a “response” to the Charlie Hebdo attack in Paris, claiming that it “can help in detecting the travel of dangerous people.”

Is this true? And does the attack on Charlie Hebdo provide any reason for Members of the European Parliament, or the European Court of Justice, to change their opinion that mandatory root access by governments to airline reservation databases is unjustified and violates fundamental rights?

No, and no.

The attack on Charlie Hebdo was an act of domestic terrorism carried out within France by French citizens.  They didn’t travel by air or cross international borders.  Their means of transportation to and from the scene of the crime in Paris was a car stolen elsewhere in the Paris metropolitan area. Airline reservations or border controls would have given no indication of the impending attack, and could not have been used to prevent it.

After the fact, police pursuing the perpetrators could have obtained search warrants, including warrants for PNR data or other airline records if there was a likelihood that they would be relevant, through normal judicial procedures.

(And as Wikileaks recently revealed, European governments are already obtaining PNR data “informally” from airlines, and using it to profile travelers, without legal authority.)

Nothing about the attack on Charlie Hebdo provides any reason to give governments more power to engage in warrantless surveillance or profiling of travelers who aren’t suspected of any crime.

Comprehensive PNR surveillance is like the NSA’s dragnet interception and mining of Internet and telephone records — except that metadata about the movements of our physical bodies (PNR data) can be far more intimate that metadata about the movement of our messages. Which is more intrusive: For the NSA to know that  you talked on the telephone or exchanged email messages or were in the same mobile phone “cell” with someone, or for the DHS or a European “Passenger Analysis Unit” to know from a hotel reservation passed on to the government as part of your PNR data that you slept in the same bed with that person?

The purpose of PNR-based surveillance is neither to investigate past crimes nor to track people who are already suspected of crimes.  Those activities require neither new procedures nor new police powers.  The only reason for governments to obtain the entire rich and intimately revealing PNR dataset for all air travelers is to identify new potential suspects, based on profiles and associations. Profiling and suspicion-by-association are the central purposes of a PNR system, not side effects or aberrations.

We’ll be in Brussels next week to discuss these issues with our European colleagues at a Privacy Camp on “Big Data & Ever Increasing State Surveillance“, and at the Computers, Privacy & Data Protection (CPDP) conference.