Privacy advice to the Department of Homeland Security

Although most of the nine slots for “public” comments were taken by industry and corporate spokespeople, I did arrive early enough to get three minutes to deliver my extremely condensed and telegraphic testimony at Wednesday’s hearing before the USA Department of Homeland Security’s Data Privacy and Integrity [Advisory] Committee.

For those interested in a more detailed discussion of these issues, see:

• My discussion of the right to travel as an aspect of the right to assemble, and other Constitutional and statutory objections to at least one particular privacy-invasive travel-related DHS program (but which exemplifies similar problems with others) in my formal comments to the DHS on its Secure Flight testing proposal
  
  
• My overview of the threat to privacy posed by travel-related programs undertaken in the name of “homeland security”, in the chapter on Travel Privacy of which I was the principal author, from Privacy International and EPIC’s 2004 “Privacy and Human Rights” yearbook
  
  
• My analysis of the social context of the attack on travellers’ privacy, in the notes to my talk at the 2005 Computers, Freedom, and Privacy Conference on Travel ID and the Travel Panopticon
  
  
• My recent comments on the National Strategy To Combat Terrorist Travel
  
  
• My introduction to the contents and privacy significance of travel reservation data: What’s In A Passenger Name Record?
  
  
• My introduction to the personal information architecture and data flows of the air travel industry, in the slides from my presentation on CAPPS-II at CFP in 2003
  
  
• Interviews with National Public Radio (4 minutes, Real Audio) and Business Week on the need for Federal privacy law for travel data

Much of the discussion at Wednesday’s hearing concerned the use of RFID, and the draft report from a subcommittee of the advisory committee on the use of RFID by the DHS.

Neville Pattinson, Director of Business Development, Technology, and Government Affairs for Axalto , the prime contractor for the production of USA passports with RFID chips , testified that Axalto is using RFID chips that generate a “random” session initiation code each time they are read, rather than a persistent unique chip ID code.That’s quite significant, if true and verifiable. [Addendum, 13 June 2006: Even a truly random session key doesn’t eliminate the threats of cracking the encryption key and man-in-the-middle interception of the transmissions between the RFID chip and a legitimate reader.]

But none of the members of the committee questioned Pattinson about his claim. When I asked him about it, Pattinson conceded that the allegedly “random” session key isn’t required by the ICAO standards or the USA State Department’s publicly-disclosed procurement specifications, that he isn’t allowed by the State Department to provide any sample passports for independent testing of the “randomness”, and that there’s no way anyone can verify his claim. One insidious possibility John Gilmore pointed out, and that can’t be ruled out, is that a pseudo-random session key actually has a “back door” in the algorithm by which it is generated, permitting those in the know to identify the chips.

Interestingly, Adam Laurie’s “RFIDIOt.org” has just published the first report of testing of a UK passport with an RFID chip (not necessarily the same as the chips in USA passports) in the wild, showing that the session key in the UK passport varies from read to read. RFIDIOt.org also posts the responses to a series of read requests, for those who may be interested in investigating the “randomness” of the series. Further research is obviously called for.

The drama of the day came with John Gilmore’s gentle-mannered, soft-spoken articulation of the first principles of freedom underlying the right to travel, and the threat posed by the powers the DHS seems to take for granted. John Gilmore’s testimony was an apt challenge to the DHS advisory committee to inquire not just into how the DHS is exercising its presumed powers, but whether it has those powers at all — or can have them in a free society.

Nowhere was that DHS presumption of extra-judicial authority more apparent than in the DHS Privacy Office Report Assessing the Impact of the Automatic Selectee and No Fly Lists which was passed out at the meeting. It’s worth reading for the details it reveals, but it entirely avoids the central question of the authority (if any) of the government to bar citizens form travel by common carrier.

According to the report, “The No-Fly list is a list of individuals who are prohibited [by whom is not specified] form boarding an aircraft.” There’s nothing in itself wrong with keeping a list of those who have, in fact, been prohibited from boarding an aircraft by injunction or “restraining order” from a court of competent jurisdiction, subject to adversarial fact-finding proceedings and due process. But that’s not what’s happening, as the report makes clear.

By conflating the authority to keep the list with the authority to issue the restraining orders, the DHS has usurped from the courts the power to make judicial determinations of dangerousness and threat sufficient to warrant injunctions restricting the exercise of First Amendment rights to assemble. It’s as though the FBI had interpreted its authority to maintain the NCIC “wanted” list (of people for whose arrest there are warrants) as transferring from the courts to the FBI the authority to decide whether, and against whom, warrants should issue, and the FBI were causing people to be arrested by putting their names on the NCIC “wanted” list without regard for whether they were wanted by any court order. Neither the source nor the holder of the implicitly claimed authority to prohibit people from travel by air, nor what procedural due process would apply to a petition to a court for such an injunction, is even mentioned in the DHS Privacy Office report.

John Gilmore also challenged each of the members of the committee to see for themselves whether airlines and the DHS are already enforcing an illegal and unconstitutional requirement for a “domestic passport” for air travel, in violation of the (lying) claims on which the courts relied in rejecting John’s lawsuit against the TSA and the airlines for refusing to allow him to fly, even if he submitted to a more intrusive search for weapons and explosives, unless he produced and displayed government-issued identification credentials.

The TSA, and the court, claimed (falsely) that John would have been allowed to fly without showing credentials if he had been willing to submit to more intrusive search. John encouraged the members of the committee to see for themselves if that is really true, by trying to fly home from the meeting without ID. (John’s “lovely assistant” Peter Neumann gave out stamped envelopes for them to use to mail their ID home.)

Only one of the 15 people on the committee took up John’s suggestion, and only partially. Jim Harper of the Cato Institute and Privacilla.org offered to give his drivers license to a reporter, if one would go to the airport with him, to hold while he tried to go through the security checkpoint without it. Ryan Singel of Wired News took him up on the offer, and reports what happened in an article today.

Ryan Singel’s published story begins when Jim Harper approached the checkpoint line, i.e. when he had already checked in. I checked with Ryan, and he confirmed my suspicion that Jim had an electronic ticket and no checked baggage, checked in at a kiosk, and got his boarding pass without being asked for ID. But the airlines’ contractual conditions of carriage for domestic flights within the USA all now include a clause that claims the airline has the right but not the obligation to require would-be passengers to show ID credentials to the airline.

In John Gilmore’s case, questions arose at check-in, since he had a paper ticket and was asked for ID by the airline before they would issue him a boarding pass. But none of the defendants tried to raise the conditions of carriage as a defense (i.e. to argue that John had consented to them when he purchased the ticket), which suggests that they thought the airline’s claim of authority was less likely to withstand legal challenge than the claim that they don’t really require ID.

The airline didn’t choose to assert this claim of contractual “right” yesterday, and so Jim Harper didn’t get a chance to test the legality or Constitutionality of the clause in the conditions of carriage requiring passengers to show ID to the airline — as distinct from the authority of the TSA, or the nebulous third force I encountered last month, to require display of credentials. Jim says he’s inclined to try it again, so maybe we’ll find out next time. Or maybe we won’t: There seems to be a significant difference in the treatment of those like Jim Harper yesterday who say they don’t have ID credentials, and those who have them but decline to display them. In my case my passport was plainly visible in my hand, but closed. And SFO is one of very few airports, and by far the largest one, where the screening itself is performed by private contractors (“Team SFO”), rather than TSA employees.

At the end of the day, I ran into the TSA’s new Director of Privacy Policy and Compliance, Peter Pietra . He promised to “look into” what happened to me last month at Dulles Airport . I’ll let you know what he comes back with.

[Follow-up, 16 July 2006: Dialogue with the TSA Privacy Officer ]

[Follow-up, 21 July 2006: Why was I detained by police at Dulles Airport? ]

[Follow-up, 28 July 2006: TSA report on what happened to me at Dulles Airport ]

[Follow-up, 28 September 2006: Kip Hawley is an idiot. ]

[Follow-up, 27 October 2006: TSA says their press releases are secret ]