11th Circuit Court of Appeals panel kowtows to TSA

September 25th, 2014

By a vote of two judges to one, a panel of the 11th Circuit Court of Appeals has declined to consider a petition by Jonathan Corbett for review of the TSA’s use of virtual strip search machines and “enhanced patdowns” (genital groping), and has opined that if the court were to consider Mr. Corbett’s petition, it would deny it.

If that sounds irregular, it should. Normally, once a court has found a reason it doesn’t need to decide a case on its “merits”, but can resolve it on procedural or jurisdictional grounds, judicial economy dictates that the court won’t issue any opinion on issues it doesn’t have to reach.

In this case, the two judges in the panel majority went out of their way to erect as many barriers as possible to future court challenges to TSA actions, in contravention of normal principles of appellate adjudication and over a cogent dissent, on exactly these grounds, by the third member of the panel.

The ruling on the “merits” of the petition, while bad, is not unprecedented: Every other petition for Court of Appeals review of the TSA’s virtual strip-search practices has already been dismissed.  That’s largely because Congress has directed the Courts of Appeals to limit their “review” of TSA orders to the “administrative record” supporting the TSA’s actions, as provided to the court by the TSA itself, and to treat any “findings of fact” by the TSA, “if supported by substantial evidence” (and even if controverted by more persuasive evidence) as “conclusive”.

Conclusory declarations by TSA employees, not subject to cross-examination and allegedly based on secrets not in the record (“if you knew the secrets we know but can’t reveal, you’d agree with us”) are almost always deemed sufficient to constitute “substantial” evidence for this purpose.

In other words, the TSA gets to tell the Court of Appeals which evidence to consider, and what factual conclusion to draw from it. Given that the TSA is allowed to make up the facts to suit its own interests, and submit them to the court in secret, it’s scarcely surprising that the decisions made by the Courts of Appeals on the basis of those “conclusive” factual claims by the TSA are almost invariably in the TSA’s favor.

If you think that’s unjust, ask Congress to change this law and support those who argue to the courts, especially the Supreme Court, that this law is unconstitutional.

TSA finalizes fine of “Naked American Hero”

September 23rd, 2014

The TSA has issued a final order assessing a $500 civil penalty (administrative fine) against John Brennan, the “Naked American Hero” who took off all his clothes at a TSA checkpoint at the Portland, Oregon airport.

The authority to make the TSA’s final decision in this weighty matter was delegated by the Administrator of the TSA to his second-in-command, Deputy Administrator Melvin Carraway.  Mr. Carraway agreed with lower-level TSA staff that Mr. Brennan’s nudity “interfered” with the ability of TSA staff to “screen” him.

Only now — after a kangaroo-court administrative hearing, a decision by a so-called Administrative Law Judge (not actually a judge), and an administrative appeal to the designated TSA decision-maker — is Mr. Brennan eligible to seek his day in court.

All of the proceedings to date have been purely administrative and internal to the TSA’s decision-making process.  TSA staff are not — at least according to TSA administrative rules — allowed to consider, in carrying out these administrative decision-making functions, whether the TSA rules and procedures they have been hired to carry out are unconstitutional or otherwise illegal.

In an effort to frustrate judicial review of TSA actions, Congress requires the victims of TSA orders to exhaust administrative remedies, as Mr. Brennan has now done, before they are eligible to seek review of the TSA’s final orders by judges who are allowed to consider the Constitutionality of the TSA’s actions.

Mr. Brennan has 60 days from the date of the TSA’s final order, September 19, 2014 (i.e. until November 18, 2014) to file a petition for review of the TSA’s decision in either, at Mr. Brennan’s choice, the 9th Circuit Court of Appeals or the District of Columbia Circuit Court of Appeals.

We’ve received no response to our May 2013 FOIA request for the TSA’s records of its administrative actions and proceedings against Mr. Brennan. The most recent estimate provided by the TSA was that they didn’t expect to provide any response until February 2015.

Contributions toward Mr. Brennan’s legal expenses, or offers of pro bono legal assistance, can be made directly to Mr. Brennan at NakedAmericanHero.com.

GAO audit confirms TSA shift to pre-crime profiling of all air travelers

September 22nd, 2014

A Congressional hearing last week on the so-called “Secure Flight” system for “screening” domestic air travelers confirmed that the TSA has completed a shift from blacklist and whitelist matching to a comprehensive real-time pre-crime profiling system that assigns each air traveler a “risk assessment” score on the four-step scale we’ve previously described and which is illustrated above in the latest GAO report.

Redacted versions of three audit reports on Secure Flight by the Government Accountability Office (1, 2, 3) were made public in conjunction with GAO testimony at the hearing.  According to one of those reports, “Secure Flight” started out as a blacklist and whitelist matching system:

Since implementation began in January 2009, the Secure Flight system has identified high-risk passengers by matching SFPD [against the No Fly List and the Selectee List, subsets of the Terrorist Screening Database (TSDB), the U.S. government’s consolidated watchlist of known or suspected terrorists maintained by the Terrorist Screening Center, a multiagency organization administered by the Federal Bureau of Investigation (FBI)…. To carry out this matching, the Secure Flight system conducts automated matching of passenger and watchlist data to identify a pool of passengers who are potential matches to the No Fly and Selectee Lists. Next, the system compares all potential matches against the TSA Cleared List, a list of individuals who have applied to, and been cleared through, the DHS redress process.

But that’s not how it works any more. According to the same GAO report:

Since January 2009, the Secure Flight program has changed from one that identifies high-risk passengers by matching them against the No Fly and Selectee Lists to one that assigns passengers a risk category: high risk, low risk, or unknown risk. Specifically, Secure Flight now identifies passengers as high risk if they are matched to watchlists of known or suspected terrorists or other lists developed using certain high-risk criteria, as low risk if they are deemed eligible for expedited screening through TSA Pre-Check — a 2011 initiative to preapprove passengers for expedited screening — or through the application of low-risk rules, and as unknown risk if they do not fall within the other two risk categories. To separate passengers into these risk categories, TSA utilizes lists in addition to the No Fly and Selectee Lists, and TSA has adapted the Secure Flight system to perform risk assessments, a new system functionality that is distinct from both watchlist matching and matching against lists of known travelers.

We’ve said from the start that Secure Flight would not be limited to “list matching” and would assign risk scores to all travelers. Now that’s been confirmed by GAO auditors.  When the TSA talks about “risk-based screening”, what they mean is “pre-crime profiling” of all air travelers — part of a larger pattern of “predictive” pre-crime policing through surveillance and profiling.

The diagram at the top of this article shows what the GAO says the current “Secure Flight” profiling process, and its consequences, look like. Note the references to “risk assessments” and “rules-based lists”, although in fact these are real-time scoring systems and there are no publicly-disclosed “rules”.

EFF: “Secret Law is Not Law”

September 19th, 2014

Our friend Cindy Cohn, legal director for the Electronic Frontier Foundation, has an important article this week on a theme that’s long been central to our work: “Secret Law is Not Law”:

One of the many ways that the NSA’s mass surveillance violates the human rights of both Americans and others around the world is that it teeters on a huge pile of secret law.

Let’s be clear. Under international human rights law, secret “law” doesn’t even qualify as “law” at all….

The Human Rights Committee confirms that law is only law if people know it exists and can act based on that knowledge.  Article 19 of the ICCPR, protecting the freedoms of opinion and expression, requires that “to be characterized as a “law,” [a law] must be formulated with sufficient precision to enable an individual to regulate his or her conduct accordingly and it must be made accessible to the public….”

This is a basic and old legal requirement: it can be found in all of the founding human rights documents….  It avoids the Kafkaesque situations in which people, like Joseph K in The Trial and the thousands of people on the secret No Fly Lists, cannot figure out what they did that resulted in government scrutiny, much less clear their names….

Just how far has the US strayed from this basic principle in its mass surveillance practices? Very far.

Read the whole article here.

The Constitutionality of secret law is precisely the issue the Supreme Court declined to consider in 2006 in Gilmore v. Gonzales. EFF’s longstanding opposition to secret law is clearly visible in the brief submitted by EFF and other friends of the court in support of the petition for certiorari in that case.

EFF’s latest commentary on this issue is part of a group of articles by a coalition of human rights organizations around the world on the first anniversary of the issuance of a joint statement of principles on the application of international human rights law to mass surveillance. EFF and other members of this coalition joined us in Geneva this March at the UN Human Rights Committee’s review of US (non)compliance with the ICCPR.

The coalition’s principles of necessity and proportionality refer explicitly to communications surveillance. But as we’ve pointed out before, the same principles apply to metadata about the movement of our bodies (i.e. travel metadata) as to metadata about the movement of our messages.  And as the comments from Ms. Cohn of EFF about the No-Fly List quoted above make clear, the same principles also apply to government decisions based, in whole or in part, on the fruits of that metadata surveillance.

We agree wholeheartedly with EFF: Secret law is not “law”.

LA police lie about whether you have to show them ID

September 18th, 2014

Last week a Los Angeles police officer detained the movie actress Danielle Watts and told her, “I have every right to ask for your ID…. You do not have a right to say ‘No’…. Somebody called, which gives me the right to be here, so it gives me the right to identify you by law.”

In the aftermath, the Los Angeles Police Protective League (LAPPL) has posted a false and misleading so-called “public service announcement” on the subject of Providing ID To Police Officers.

What happened to Ms. Watts, and what is our reading of the case law on these issues?

Congress investigates TSA treatment of whistleblowers

September 8th, 2014

Former TSA “Air Marshal” Robert MacLean will be one of the witnesses testifying at a hearing tomorrow before the House Oversight Committee, “Examining the Administration’s Treatment of Whistleblowers”.

As we’ve previously reported, Mr. MacLean is the respondent in a case to be argued this term before the US Supreme Court, DHS v. MacLean. Mr. MacLean was fired for disclosing “secret” but unclassified “Sensitive Security Information” (SSI) that was only designated as SSI by the TSA three years after Mr. MacLean shared it with the DHS Office of the Inspector General, members of Congress, and journalists.

[CORRECTION: We apologize for incorrectly referring to Mr. MacLean as the "petitioner" in the original version of this article, and thank Mr. MacLean for the comment correcting our error. The Court of Appeals ruled in Mr. MacLean's favor, and it was the government that petitioned the Supreme Court to review that decision.]

DHS regulations prohibit the designation of information as SSI to conceal official misconduct, but that appears to have been a common practice, and to be ongoing (although under challenge) in other cases.

The House Oversight Committee has sometimes been accused of partisan witch-hunting. That doesn’t appear to be the case with this issue, however. A recent bipartisan report by the committee staff — itself the result of whistleblowing by the former head of the TSA’s Office of SSI — focuses on the political use of SSI designation decisions, in Mr. MacLean’s case in particular, to block the release of information that might embarrass the TSA, regardless of whether it fits the definition of SSI in the law and regulations.

Government asks for “do-overs” and delays in no-fly lawsuits

September 2nd, 2014

Faced with a series of Federal court rulings upholding challenges to “no-fly” orders, or allowing them to proceed toward trial, the US government agencies responsible for “no-fly” orders have responded by pretending that they don’t understand what the courts have ordered them to do.

Instead of complying with court orders, the responsible agencies are asking for months of additional time.

In one case, the request for delay is to get “clarification” of a straightforward court order — and to prepare and submit a different set of pleadings than the exhibits and summaries of testimony the court had demanded.

In another case, the government has asked the court — which has already found that the defendants’ secret no-fly decision-making process unconstitutionally denied the plaintiffs due process of law — to remand the case to the defendants themselves, and give them six months to devise and subject the plaintiffs to yet another extra-judicial “review” of the no-fly list by the defendants, before the court even considers whether that (yet to be devised) new-and-improved administrative no-fly listing and internal kangaroo-court “review” system would be Constitutional.

The first court ruling that the no-fly system or a specific no-fly decision was unconstitutional came in January 2014, following the trial last December in San Francisco in Ibrahim v. DHS.  But Dr. Rahinah Ibrahim is not a US citizen, the US government won’t give her a visa to return to the US, and under US law visa denials are generally not subject to judicial review.  So Judge William Alsup’s ruling in that case has had little practical effect either on Dr. Ibrahim or on no-fly listing and decision-making practices affecting other would-be travelers.

Two other pending cases, however, involve US citizens (and in one of the cases some permanent residents or green-card holders as well) who would be able to travel freely if they weren’t on the no-fly list.

“I don’t want a unitary, unfakeable identity.”

August 27th, 2014

Dan Geer’s keynote speech at the Black Hat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:

Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified.  No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative?  If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control.  If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…

The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.”  If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government?  Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions?  Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…

I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one.  I want to choose whether to misrepresent myself.  I may rarely use that, but it is my right to do so.  If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough.  Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….

There’s more: video, transcript.

Mr. Geer’s comments help answer one of the questions we are most frequently asked: What’s Wrong With Showing ID?

Passenger tracking = “Happy Flow” at Aruba Airport

August 22nd, 2014

(Vendor's vision of "Happy Flow".)

Later this year, passengers traveling on KLM Royal Dutch Airlines between Aruba and Amsterdam will begin to be subjected to what airlines, airports, governments, and their vendors and suppliers envision as the “passenger experience” of the future: an integrated biometric panopticon in which travelers are identified and tracked at each stage of their passage through the airport by surveillance cameras and automated facial recognition.

(KLM's vision for "Happy Flow".)

The vendor and the airline call this touchless total tracking, “Happy Flow”.  We call it Orwell’s airport.

Travelers won’t have to identify themselves: They will be identified in spite of themselves. Travelers won’t have to worry about whether they are dealing with, or providing information to, the airline or the airport or a government agency or a third party: Biometric identifiers and surveillance data will be seamlessly shared for multiple purposes between the airline, the airport operator, government agencies, and their contractors.

Aruba is part of the Kingdom of the Netherlands, and the Aruba Airport (IATA code AUA) is managed by the company that operates Amsterdam’s Schiphol Airport. That creates unusual opportunities for collaboration between the airline, both airports, and government agencies concerned with flights between AUA and AMS.

The system is scheduled to go live by the end of 2014, according to recent conference presentations and press releases. But nothing has been made public by any of the partners in the joint venture (KLM, the operator of the Aruba and Amsterdam airports, the government of the Netherlands, and their contractors) regarding the data to be collected about travelers’ movements or any technical measures or policies controlling biometric, identification, or movement data storage, transmission, access, or retention.

Don’t worry. Be happy!

FOIA appeals reveal problems with PNR data

August 21st, 2014

We’ve noticed a disturbing pattern in how the DHS, and specifically US Customs and Border Protection (CBP), has responded to people who have asked the DHS for its files about themselves.

Eventually — typically months later than the statutory deadline for responding to a FOIA request — CBP has sent the requester a file of information about their international travel, including a log of entries, exits, and border crossings.

But even when the requester has explicitly asked for the Passenger Name Record (PNR) data that CBP has obtained from their airline reservations, or has asked CBP for “all” its records about their travel, or for all data about themselves from the CBP “Automated Targeting System” (most of which consist of CBP copies of PNRs), CBP has completely omitted PNR data — or any mention of it — from its response.

People who don’t work in the air travel industry typically don’t know what PNRs look like. So it isn’t obvious to most recipients of these incomplete responses that what they’ve been given doesn’t include any PNR data. Only when these people showed us copies of the responses they received from CBP have we been able to point out, or confirm, that PNR data was completely absent from the initial CBP response.

When these people have filed administrative appeals, specifically pointing out that their requests included PNR data, CBP has responded to their appeals by sending them redacted copies of CBP’s mirror archive of airline PNRs, as contained in ATS. But there’s been no apology, and no explanation in any of these responses to appeals of why the PNR data wasn’t included in the initial response. It seems likely that CBP didn’t even bother to search its PNR database in response to the initial requests, out of gross negligence, gross incompetence, malice, and/or bad faith. (CBP has refused to disclose how PNR data and other information in ATS is indexed, queried, or retrieved. Even though the Privacy Act requires this information to be published in the Federal Register, the judge hearing our lawsuit ruled that it was exempt from disclosure.)

We’ve seen this pattern even in responses to requests from journalists and public figures which, according to DHS policy, would have been subject to pre-release review and approval by the DHS “front office”. The DHS front office has been intimately involved in international disputes related to PNR data, and is fully aware of the existence of this component of DHS dossiers about innocent travelers. So the incomplete responses to FOIA requests can’t be blamed on low-level staff or a lack of oversight or awareness by senior officials.

One of those high-profile cases was that of Cyrus Farivar, Senior Business Editor at Ars Technica.  As Mr. Farivar reported earlier this year, CBP’s initial response included no PNR data, even though he specifically included PNR data in his request.  After Mr. Farivar appealed, CBP gave him the PNR data he had originally requested.

There was nothing in Mr. Farivar’s DHS file that we haven’t seen in other DHS copies of PNRs. But his report about what he received highlights some of the problems with the contents of these DHS records.
