Toll payment devices used to track vehicles on toll-free roads

April 28th, 2015

Public records obtained by the ACLU from New York City and State agencies have confirmed the extensive use of RFID readers to track RFID toll payment devices on streets and roads where there are no tolls.

The ACLU’s report on the responses to its public records requests speaks for itself, but raises more questions about where else, by which government agencies, and for what purposes motor vehicle movements are being tracked, and whether vehicles without these RFID toll payment devices are also being tracked.

In New York, toll-tag RFID readers were systematically deployed on toll-free city streets for traffic monitoring. By logging the time and a unique vehicle identifier (broadcast by the RFID toll tag) for each vehicle passing each set of sensors, the system can calculate the most recent travel times between any two sets of sensors. That’s what’s used (at least in New York City) to generate the travel times displayed on road signs, and for other traffic management and traffic signal control optimization purposes.

The problem is that measuring the time required for an individual vehicle to travel between any two points in the road network requires uniquely identifying each vehicle and logging the time it passes each sensor.  It’s unclear from the documents obtained by the ACLU how long these logs are retained, to whom they are accessible, or how they are used.
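The sketch below is an added example, not code from the ACLU documents or from any agency's system. It shows why the travel-time log is also a tracking log: the same reads that yield a median travel time between two sensors yield a movement history per tag when grouped by identifier. The sensor names and reads are constructed, and the windowed keyed-hash pseudonymization is a hypothetical mitigation that the records do not describe.

```python
import hashlib
import hmac
from collections import defaultdict
from statistics import median

# Constructed sample reads (sensor_id, unix_seconds, tag_id); not real data.
READS = [
    ("S1", 1000, "TAG-A"), ("S1", 1010, "TAG-B"), ("S1", 1020, "TAG-C"),
    ("S2", 1300, "TAG-A"), ("S2", 1330, "TAG-B"), ("S2", 1380, "TAG-C"),
    ("S3", 1700, "TAG-A"),
    ("S1", 5000, "TAG-A"),  # same vehicle, a later trip
]


def travel_time(reads, origin, dest):
    """Median seconds from a tag's read at origin to its next read at dest."""
    seen_at_origin, deltas = {}, []
    for sensor, ts, tag in sorted(reads, key=lambda r: r[1]):
        if sensor == origin:
            seen_at_origin[tag] = ts
        elif sensor == dest and tag in seen_at_origin:
            deltas.append(ts - seen_at_origin.pop(tag))
    return median(deltas) if deltas else None


def trajectories(reads):
    """Group the same log by identifier: one movement history per tag."""
    paths = defaultdict(list)
    for sensor, ts, tag in sorted(reads, key=lambda r: r[1]):
        paths[tag].append((sensor, ts))
    return dict(paths)


def pseudonymize(reads, key, window=3600):
    """Hypothetical mitigation: store HMAC(key, window || tag), not the tag.

    Reads inside one time window still match each other, so travel times
    survive; reads in different windows get unrelated aliases. Trips that
    straddle a window boundary are lost, and anyone holding the key can
    recompute aliases for a known tag, so the key has to be rotated and
    destroyed for the unlinkability to mean anything.
    """
    out = []
    for sensor, ts, tag in reads:
        msg = f"{ts // window}:{tag}".encode()
        alias = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        out.append((sensor, ts, alias))
    return out


if __name__ == "__main__":
    print("S1->S2 median seconds:", travel_time(READS, "S1", "S2"))
    print("history of TAG-A:", trajectories(READS)["TAG-A"])
    masked = pseudonymize(READS, b"constructed-demo-key")
    print("S1->S2 after pseudonymizing:", travel_time(masked, "S1", "S2"))
    print("longest linkable history:",
          max(len(p) for p in trajectories(masked).values()))
```

Whether anything like the last function is applied, and how long the raw reads are kept, is exactly what the released documents leave unanswered.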

The E-ZPass toll tags used in New York and other states in the Northeast and Midwest use the same long-range RFID technology, with the same potential for surveillance use, as FasTrak in California, SunPass in Florida, and RFID toll payment systems in many other states including (we are not making this up) Freedom Pass for toll roads in Alabama.

The RFID transponders in these toll payment devices are designed, of course, to be read from above or alongside the road, even when the device is inside the vehicle.  These RFID transponders are promiscuous: they will respond with their unique ID number to a query from any RFID reader.  In general, no license, permit, or consent is required to operate an RFID reader.  Anyone can legally buy an off-the-shelf RFID reader, install it wherever they want — near a road, or in a vehicle — and start logging the time, location, and unique ID of each toll tag that comes within range. They can use or sell these logs without restriction.

Most motorists, of course, have no idea how the travel times on highway signs are estimated, and these vary from place to place. The state of Washington, for example, has experimented with a homebrewed system for tracking vehicles through the unique MAC addresses broadcast by in-vehicle Bluetooth systems.

Most toll-collection agencies provide foil bags in which RFID toll tags can be kept when they aren’t in use. But it’s a nuisance at best, and potentially dangerous for someone driving alone, to remove the toll tag from the foil bag while driving, and replace it in the bag after passing each toll payment point. Most people leave these ID-broadcasting devices permanently mounted and exposed on the sun visor, windshield, or dashboard of their vehicle.

What about those motorists who don’t carry these RFID-based toll payment and tracking devices in their vehicles?  Many toll roads are moving to “all electronic tolling” (AET) in order to eliminate toll booths and any possibility of on-the-spot payment of tolls.  At least as currently being deployed in the US, most if not all of these AET systems use automated license plate readers in each lane to identify each motor vehicle without an RFID toll payment device. A bill for the toll is then mailed to the registered owner of the vehicle.  One way or another, either by RFID tag serial number or license plate number, every vehicle is uniquely identified and the time, location, and direction of its passage is logged by the toll agency or its contractors.  These all electronic tolling and vehicle tracking systems are already in use on bridges, tunnels, and toll roads from the Mystic/Tobin Bridge in Boston to the Golden Gate Bridge in San Francisco.

License plate readers are increasingly widely deployed, but RFID readers are a cheaper and more versatile technology for vehicle tracking than LPRs, at least at present.  A separate, properly positioned LPR camera is typically required for each lane, and optical character recognition software is needed to extract license plate numbers from raw imagery.  A single, cheaper, RFID reader can cover multiple lanes, from a wider range of placement locations.

Vehicles without toll payment devices have other promiscuous RFID chips that broadcast unencrypted unique identifiers. New motor vehicles sold in the US are required to have automated tire pressure monitoring systems (TPMS), most of which rely on sensors and transponders attached to, or embedded in, new tires.  There are no legal controls on tracking or logging of vehicle movements by means of these tire tags, and no way for ordinary motorists to know when, where, or by whom their position has been recorded, who has logs of past vehicle movements, or how those logs might be used in the future. Similar (and similarly uncontrolled) but shorter-range unique-numbered RFID chips are used as stored-value transit fare payment devices in many major metropolitan areas, so even non-drivers are at risk of being covertly tracked.

Feds pay $40K to settle claim for false arrest at airport

April 24th, 2015

The US government has paid $40,000 as part of the settlement of a lawsuit by a traveler who was falsely arrested by Federal agents and local police when a Frontier Airlines flight she was on arrived at the Detroit airport in 2011, taken off the plane in handcuffs, locked in a cell for four hours, and strip searched (in a cell with a video camera).

All of this happened without probable cause for an arrest, before any attempt was made to question her, and before any attempt was made by any of the police, airline, airport, or TSA staff to determine whether there was any basis for any of their actions. No criminal or administrative charges were ever filed against her.

The traveler, Ms. Shoshana Hebshi, sued the Federal government, the airline, and named and unknown Federal law enforcement agents, TSA employees, and Wayne County Airport Authority police.

Ms. Hebshi’s lawsuit was dismissed earlier this week on the basis of a settlement, after the Federal judge hearing the case rejected the defendants’ claims of “qualified immunity” with respect to Ms. Hebshi’s complaints of both discrimination and false arrest. “There is no ’suspected terrorist activity exception’ to the probable cause requirement of the Fourth Amendment,” the judge had ruled.

The details of the settlement were not included in court filings, but the ACLU, which represented Ms. Hebshi, disclosed the $40K payment by the Feds in a public statement about the settlement.

No specific Federal agency or individual took responsibility. The lawsuit named “the United States of America” as a defendant, rather than any specific Federal agency or agencies, and multiple Federal agencies (TSA, FBI, ICE, CBP, etc.) were named in the complaint as having been involved in mistreating Ms. Hebshi. We don’t know whether others of the defendants (the airport, the airline, or any of the individual defendants) paid money to Ms. Hebshi as part of the settlement, in addition to the $40K from the US Treasury.

The dollar value of the settlement is obviously inadequate to deter similar misconduct by government, airline, and airport personnel in the future. But we are pleased by several aspects of the preliminary rulings by US District Court Judge Terrence G. Berg which led to the settlement.

First, Judge Berg was willing to let the case against the airline, airport, and Federal government, and their employees, go to trial. We’ve talked before about how difficult it can be to overcome claims of “qualified immunity” if the court’s sympathies lean toward the defendants in a case like this — or, to put it another way, how easy it is for a judge to let government defendants and their private accomplices off the hook.


Amtrak formats for passenger ID data dumps to governments

April 23rd, 2015

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs.

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

DHS expands mining of travel data while reducing logging and controls

April 22nd, 2015

The US Department of Homeland Security has announced plans to expand its data mining and “sharing” of DHS files about travelers, while removing some of the limited access controls and audit logging that it had only recently claimed to be putting in place for its Department-wide surveillance data framework:

Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat (DHS/ALL/PIA-051, April 15, 2015)

DHS has a critical mission need to perform classified queries on its unclassified data in order to identify individuals supporting the terrorist activities of: (1) the Islamic State of Iraq and the Levant (ISIL), (2) al-Qa’ida in the Arabian Peninsula (AQAP), (3) al-Nusrah Front, (4) affiliated offshoots of these groups, or (5) individuals seeking to join the Syria-Iraq conflict. (These individuals are often referred to as “foreign fighters” by the media and in public discourse.) The ability to perform classified searches of unclassified data for this uniquely time sensitive purpose will allow DHS to better identify and track foreign fighters who may seek to travel from, to, or through the United States. This type of comparison is a long-standing mission need; however, the specific threat has shortened the timeframe in which DHS must meet the need.

To meet this critical mission need, DHS will adopt an interim process that foregoes many of the automated protections of the DHS Data Framework, such as the tagging of necessary data sets in the unclassified data lake. By foregoing these automated protections, DHS will be able to expedite transfers of information from the Electronic System for Travel Authorization (ESTA), the Advance Passenger Information System (APIS), Form I-94 records, and Passenger Name Records (PNR) directly from the unclassified DHS domain to the classified DHS domain through a manual process….

The previously announced “protections”  on DHS use and sharing of personal data are fig leaves of little value to the subjects of DHS travel surveillance. But the DHS decision to “forego” those protections is significant for what it shows about how the DHS carries out its activities.


Does an airline have the “right” to refuse service to anyone?

April 20th, 2015

This week cyber-security and threat modeling expert Chris Roberts of One World Labs was detained and interrogated for four hours and had his laptop and other electronic devices seized without warrant by the FBI, and later was denied boarding by United Airlines for a flight on which he had a valid ticket, for posting this Tweet questioning the security of IP-based networks on aircraft that commingle in-flight entertainment (IFE) data with data from navigation flight control sensors and avionics systems such as Engine Indication and Crew Alerting System (EICAS) data.

The incident raises important questions about the legality of Mr. Roberts’ detention, the search and seizure of his electronic devices, and the decision by United Airlines to refuse to transport him.


Bill C-51 would match Canadian no-fly scheme to the US — and go further

April 17th, 2015

This week is Stop C-51 Week, marked by events throughout Canada and elsewhere in opposition to Bill C-51, currently under consideration by the Parliament of Canada, “An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts.”

We’ve joined a who’s who of civil liberties and human rights organizations, activists, and experts from Canada and around the world who have co-signed a letter to Prime Minister Stephen Harper opposing Bill C-51.

It’s only a slight oversimplification to say that Bill C-51 is Canada’s version of the USA Patriot Act, 13 years later but on steroids.  It appears to violate the Canadian Charter of Rights and Freedoms and Canadian obligations pursuant to several human rights treaties including the International Covenant on Civil and Political Rights (ICCPR).  But if enacted, and if not voided on constitutional grounds by Canadian courts, it would purport to authorize a wide range of government spying, “pre-crime” policing (profiling), and preemptive interference with the exercise of fundamental rights.


Feds change no-fly procedures to evade judicial review

April 16th, 2015

In updates filed with Federal courts in at least two pending challenges to US government “no-fly” orders, lawyers for the government have revealed plans for changes to the internal procedures administrative agencies use in deciding who they “allow” to fly — and who they don’t.

While these changes look like cosmetic but inadequate improvements, they actually include an obscure but much more significant change designed to make it harder for people on the no-fly list to get the factual basis (if any) for the decision to put them on the list reviewed by a judge.

By shifting official responsibility for administrative no-fly decisions from the FBI to the TSA, the government hopes to bring those decisions fully within the scope of a special Federal jurisdictional law, 49 U.S.C. § 46110, which is designed to preclude any effective judicial review of TSA decisions.

This law allows TSA administrative orders to be reviewed only by Courts of Appeal (which have no ability to conduct trials or fact-finding), on the basis of the “administrative record” supplied to the Court of Appeals by the TSA itself.  The Court of Appeals is forbidden to second-guess the TSA’s fact-finding, even if it was made through a secret and one-sided internal process: “Findings of fact by the Secretary, Under Secretary, or Administrator, if supported by substantial evidence, are conclusive.”  As long as there is substantial evidence in the record constructed by the TSA to justify its actions, the Court of Appeals is forbidden to consider the weight of contrary evidence, even if it is also in the record.  And the TSA is free to decide that evidence submitted by anyone on the no-fly list is, for that very reason, not credible.

No-fly cases have been considered by District Courts, and one of them has gone to trial, only because the FBI (as the agency nominally responsible for the inter-agency Terrorist Screening Center) has been declared by both TSA and FBI to be the agency officially responsible for no-fly decisions.  When FBI decisions are challenged by people who claim their rights have been violated, those decisions are reviewed in the normal manner by District Courts that can conduct trials, hear testimony, receive evidence, and make their own findings of fact — without being required to rely exclusively on self-serving submissions by the FBI itself.


Why did the TSA prevent these people from flying?

April 9th, 2015

Documents newly released to us by the TSA strongly suggest that the TSA has been lying about whether people are “allowed” by the TSA to fly without showing ID, and that decisions about whether to allow travelers to fly without ID are being made arbitrarily, on the basis of irrelevant and unreliable commercial data and/or at the “discretion” of individual field-level TSA staff.  The TSA documents also show that, at least for the limited sample of data initially released, the “false-positive” rate of watch-list matches is 100%.

The TSA has for many years been contradicting itself, both in word and in deed, as to whether travelers are required to show government-issued (or any other) ID credentials in order to fly, or whether it is possible to fly without ID.

TSA signs at airports say that passengers are “required” to show ID. But the TSA has repeatedly told courts at all levels — from in camera (secret) submissions to the 9th Circuit Court of Appeals in Gilmore v. Gonzales in 2006 to public testimony of the TSA’s witness in the (unsuccessful) state court frame-up of Phil Mocek in Albuquerque in 2011 — that these and other official TSA notices to passengers are false, that ID is not required to fly, and that the TSA does have (secret) “procedures” that allow people to fly without having or showing ID.

The TSA’s actions are equally bipolar. People who say they have lost their ID cards or had them stolen are “allowed” to fly every day. But people who the TSA deems (for secret or not-so-secret reasons, or completely arbitrarily) to be “suspicious” or “uncooperative” are routinely subjected to retaliation and summary sanctions including denial of their right to travel. Mr. Mocek, for example, was both prevented from boarding the flight for which he had a valid ticket, and falsely arrested by local police at the behest of TSA staff, when he tried to fly without ID and to document the process that the TSA claimed would have allowed him to do so.

What’s the real story? From our close reading of the available evidence, it appears that:

  1. There are no publicly-disclosed “rules” (and probably not even any unambiguous secret rules) defining what is or is not permitted or required of travelers at TSA checkpoints, or what conditions the TSA imposes on the exercise of the right to travel by air.
  2. The TSA claims to have the legal authority, and in practice exercises actual power, to determine who to allow to fly, and who not to allow to fly, in an entirely secret, standardless, and arbitrary manner, at its sole discretion, which discretion is often delegated to front-line TSA staff.

How does this work in practice? We are just beginning to find out.


Where can you complain if your human rights are violated?

April 8th, 2015

As we’ve been pointing out for years, the right to travel is not just a right under the First Amendment to the US Constitution (“the right of the people… peaceably to assemble”) but a human right guaranteed by an international treaty ratified by the US (“the right to freedom of movement”).

But what good is a “human right” guaranteed by international treaty if there is no independent entity to which you can complain, and which has the authority to enforce your rights?

At a minimum, what’s needed is the ability of people whose human rights have been violated by the US government to seek redress through US courts, and the ability of those courts to order the government to comply with its treaty obligations.

Given the US government’s current interpretation of many human rights treaties as not being “self-effectuating”, that would require legislation by Congress to effectuate those treaties by creating a cause of action for treaty violations and giving US courts jurisdiction to hear such complaints.

That’s exactly what the UN Human Rights Committee concluded a year ago, following its periodic review of US implementation of the International Covenant on Civil and Political Rights (ICCPR):

The State party [i.e. the US] should … Taking into account its declaration that provisions of the Covenant are non-self-executing, ensure that effective remedies are available for violations of the Covenant, including those that do not, at the same time, constitute violations of U.S. domestic law, and undertake a review of such areas with a view to proposing to the Congress implementing legislation to fill any legislative gaps.

In the year since this recommendation from the UNHRC, neither the Administration nor any member of Congress has proposed such effectuating legislation for the ICCPR or any other human rights treaty.

So in the meantime, where can you turn if your human rights are violated by the US government?


DHS continues and expands use of commercial vehicle tracking databases

April 7th, 2015

Barely more than a year after publicly cancelling a request for bids on the construction of a national database of vehicle location data compiled from commercial and government-operated license-plate reader (LPR) cameras, the DHS has quietly revealed that it is once again seeking to buy access to commercially-aggregated LPR data, and that some DHS component field offices are already doing so.

Cameras combined with optical character recognition software allow for automated logging of the license-plate number (and of course the associated time, date, place, and direction of travel) of every passing vehicle. “Some LPR systems also capture within the image the environment surrounding a vehicle, which may include drivers and passengers,” the DHS acknowledges in its latest Privacy Impact Assessment for DHS use of commercial LPR data.

The only apparent difference between the proposal supposedly nixed in February 2014 and the plans revealed in the March 2015 PIA is that the DHS’s own LPR vehicle, driver, and passenger tracking data won’t be completely merged with LPR data from commercial sources and aggregators — at least not by the DHS itself.  The PIA describes a scheme in which the DHS will pay for query-based access to commercially-aggregated LPR data and the ability to set flags that will generate real-time alerts to the DHS whenever license-plate numbers of interest are observed.
