COLLECTING OF DETAILS ON TRAVELERS DOCUMENTED
THE MINISTRY OF HOMELAND SECURITY; THE DEPARTMENT OF CITIZEN INSECURITY; RUN BY TECHNOLOGY AND SOFTWARE I WOULDN’T HAVE.
THE MINISTRY OF HOMELAND SECURITY; THE DEPARTMENT OF CITIZEN INSECURITY; RUN BY TECHNOLOGY AND SOFTWARE I WOULDN’T HAVE.
These People Do The Damndest Things Trying To Prove Thet Are Important And To Justify Their Existence!
U.S. Effort More Extensive Than Previously Known
By Ellen Nakashima
Washington Post Staff Writer Saturday, September 22, 2007; Page A01
The U.S. government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take cruises abroad, retaining data on the persons with whom they travel or plan to stay, the personal items they carry during their journeys, and even the books that travelers have carried, according to documents obtained by a group of civil liberties advocates and statements by government officials.
The personal travel records are meant to be stored for as long as 15 years, as part of the Department of Homeland Security's effort to assess the security threat posed by all travelers entering the country. Officials say the records, which are analyzed by the department's Automated Targeting System, help border officials distinguish potential terrorists from innocent people entering the country.
But new details about the information being retained suggest that the government is monitoring the personal habits of travelers more closely than it has previously acknowledged. The details were learned when a group of activists requested copies of official records on their own travel. Those records included a description of a book on marijuana that one of them carried and small flashlights bearing the symbol of a marijuana leaf.
The Automated Targeting System has been used to screen passengers since the mid-1990s, but the collection of data for it has been greatly expanded and automated since 2002, according to former DHS officials.
Officials yesterday defended the retention of highly personal data on travelers not involved in or linked to any violations of the law. But civil liberties advocates have alleged that the type of information preserved by the department raises alarms about the government's ability to intrude into the lives of ordinary people. The millions of travelers whose records are kept by the government are generally unaware of what their records say, and the government has not created an effective mechanism for reviewing the data and correcting any errors, activists said.
The activists alleged that the data collection effort, as carried out now, violates the Privacy Act, which bars the gathering of data related to Americans' exercise of their First Amendment rights, such as their choice of reading material or persons with whom to associate. They also expressed concern that such personal data could one day be used to impede their right to travel.
"The federal government is trying to build a surveillance society," said John Gilmore, a civil liberties activist in San Francisco whose records were requested by the Identity Project, an ad-hoc group of privacy advocates in California and Alaska. The government, he said, "may be doing it with the best or worst of intentions. . . . But the job of building a surveillance database and populating it with information about us is happening largely without our awareness and without our consent."
Gilmore's file, which he provided to The Washington Post, included a note from a Customs and Border Patrol officer that he carried the marijuana-related book "Drugs and Your Rights." "My first reaction was I kind of expected it," Gilmore said. "My second reaction was, that's illegal."
DHS officials said this week that the government is not interested in passengers' reading habits, that the program is transparent, and that it affords redress for travelers who are inappropriately stymied. "I flatly reject the premise that the department is interested in what travelers are reading," DHS spokesman Russ Knocke said. "We are completely uninterested in the latest Tom Clancy novel that the traveler may be reading."
But, Knocke said, "if there is some indication based upon the behavior or an item in the traveler's possession that leads the inspection officer to conclude there could be a possible violation of the law, it is the front-line officer's duty to further scrutinize the traveler." Once that happens, Knocke said, "it is not uncommon for the officer to document interactions with a traveler that merited additional scrutiny."
He said that he is not familiar with the file that mentions Gilmore's book about drug rights, but that generally "front-line officers have a duty to enforce all laws within our authority, for example, the counter-narcotics mission." Officers making a decision to admit someone at a port of entry have a duty to apply extra scrutiny if there is some indication of a violation of the law, he said.
The retention of information about Gilmore's book was first disclosed this week in Wired News. Details of how the ATS works were disclosed in a Federal Register notice last November. Although the screening has been in effect for more than a decade, data for the system in recent years have been collected by the government from more border points, and also provided by airlines -- under U.S. government mandates -- through direct electronic links that did not previously exist.
The DHS database generally includes "passenger name record" (PNR) information, as well as notes taken during secondary screenings of travelers. PNR data -- often provided to airlines and other companies when reservations are made -- routinely include names, addresses and credit-card information, as well as telephone and e-mail contact details, itineraries, hotel and rental car reservations, and even the type of bed requested in a hotel.
The records the Identity Project obtained confirmed that the government is receiving data directly from commercial reservation systems, such as Galileo and Sabre, but also showed that the data, in some cases, are more detailed than the information to which the airlines have access.
Ann Harrison, the communications director for a technology firm in Silicon Valley who was among those who obtained their personal files and provided them to The Post, said she was taken aback to see that her dossier contained data on her race and on a European flight that did not begin or end in the United States or connect to a U.S.-bound flight.
"It was surprising that they were gathering so much information without my knowledge on my travel activities, and it was distressing to me that this information was being gathered in violation of the law," she said.
James P. Harrison, director of the Identity Project and Ann Harrison's brother, obtained government records that contained another sister's phone number in Tokyo as an emergency contact. "So my sister's phone number ends up being in a government database," he said. "This is a lot more than just saying who you are, your date of birth."
Edward Hasbrouck, a civil liberties activist who was a travel agent for more than 15 years, said that his file contained coding that reflected his plan to fly with another individual. In fact, Hasbrouck wound up not flying with that person, but the record, which can be linked to the other passenger's name, remained in the system. "The Automated Targeting System," Hasbrouck alleged, "is the largest system of government dossiers of individual Americans' personal activities that the government has ever created."
He said that travel records are among the most potentially invasive of records because they can suggest links: They show who a traveler sat next to, where they stayed, when they left. "It's that lifetime log of everywhere you go that can be correlated with other people's movements that's most dangerous," he said. "If you sat next to someone once, that's a coincidence. If you sat next to them twice, that's a relationship."
Stewart Verdery, former first assistant secretary for policy and planning at DHS, said the data collected for ATS should be considered "an investigative tool, just the way we do with law enforcement, who take records of things for future purposes when they need to figure out where people came from, what they were carrying and who they are associated with. That type of information is extremely valuable when you're trying to thread together a plot or you're trying to clean up after an attack."
Homeland Security Secretary Michael Chertoff in August 2006 said that "if we learned anything from Sept. 11, 2001, it is that we need to be better at connecting the dots of terrorist-related information. After Sept. 11, we used credit-card and telephone records to identify those linked with the hijackers. But wouldn't it be better to identify such connections before a hijacker boards a plane?" Chertoff said that comparing PNR data with intelligence on terrorists lets the government "identify unknown threats for additional screening" and helps avoid "inconvenient screening of low-risk travelers."
Knocke, the DHS spokesman, added that the program is not used to determine "guilt by association." He said the DHS has created a program called DHS Trip to provide redress for travelers who faced screening problems at ports of entry.
But DHS Trip does not allow a traveler to challenge an agency decision in court, said David Sobel, senior counsel with the Electronic Frontier Foundation, which has sued the DHS over information concerning the policy underlying the ATS. Because the system is exempted from certain Privacy Act requirements, including the right to "contest the content of the record," a traveler has no ability to correct erroneous information, Sobel said.
Zakariya Reed, a Toledo firefighter, said in an interview that he has been detained at least seven times at the Michigan border since fall 2006. Twice, he said, he was questioned by border officials about "politically charged" opinion pieces he had published in his local newspaper. The essays were critical of U.S. policy in the Middle East, he said. Once, during a secondary interview, he said, "they had them printed out on the table in front of me."
Researcher Julie Tate contributed to this report.
http://www.unsecureflight.com/
The Department of Homeland Security (DHS) has quietly perfected and begun to implement their scheme that will require Americans to seek and get permission from DHS in order to travel both domestically and abroad.
The results of an investigation by the Identity Project show that DHS is actively collecting information on what Americans read, with whom they associate, and the ethnicity of individual American travelers. DHS is also actively acquiring the travel records of Americans that document non-US travel, e.g., intra-European flights.
Almost one hundred pages of travel records were turned-over by DHS to the Identity Project in response to Privacy Act requests. These documents – many heavily redacted – make clear that DHS is not being honest and forthright with the American public.
>> Read More...
Massive Surveillance Net Keeps Track of Americans' Travel -- Even ...AlterNet, CA - 7 hours agoThe Bush Administration has been collecting detailed records on the travel habits of Americans headed overseas and the luggage they bring with them,
Personal data on travelers being loggedSeattle Times, United States - Sep 22, 2007By Ellen Nakashima WASHINGTON — The federal government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take ...
US govt collects data on Americans overseas: Washington PostAFP - Sep 21, 2007WASHINGTON (AFP) — The US government is compiling electronic files on the travel habits of millions of Americans who take trips overseas, The Washington ...
Greater traveler scrutiny revealedTheNewsTribune.com (subscription), WA - Sep 22, 2007WASHINGTON – The US government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take cruises abroad, ...
They’re watching what you read at US airportsDaily News & Analysis, India - Sep 20, 2007NEW YORK: International travellers concerned about being branded a terrorist by secret US Homeland Security department computers may want to be careful ...
But Hey, If You Don’t Have Anything To Hide…Donklephant - Sep 22, 2007That’s the BS argument I hear from a lot of people who excuse our government’s behavior for, well, nearly anything they want to do post 9/11.
US government tracking travel habitsUnited Press International - Sep 22, 2007WASHINGTON, 22 (UPI) -- The US government is looking into the lives of ordinary travelers to a far greater extent than most people know, say civil liberties ...
In collecting data on traveling Americans 'we the people' have ...OpEdNews, PA - Sep 22, 2007The only presidential candidate that has openly stated he will do away with Homeland Security is Congressman Ron Paul. When will the rest of them get on ...
"Terrorism Watch List Is Faulted For Errors" covered an audit made public by the office of the Justice Department's Inspector General on the accuracy and therefore the usefulness of the list to prevent a repetition of 9/11. Created in 2004, the list now holds some 800,000 records and is expanding at a rate of 20,000 new records every month. But the IG's audit notes that the mistakes that permeate the list may actually hamper efforts to identify and capture terrorists -- not to mention the inconvenience caused to innocent people trying to travel.
A random sampling by the IG auditors of 105 records found errors in 38%. Worse, the list manager, the Terrorist Screening Center (TSC) which is run jointly by the FBI and the Department of Homeland Security, was maintaining two dissimilar versions of the list. Obviously, this constitutes a gaping hole in the government's "anti-terror" efforts, attested by the discovery that records on 20 alleged terrorists were not accessible to "front-line" screeners at border crossings or other entry points. But it also means that a person incorrectly barred from flying and who protests, can (after waiting for two months, the average processing time for citizen complaints) be cleared on one version but not the other and not know how to get the second record eliminated since the government doesn't tell people what the news article called "their watch list status."
But there was one more story on this page -- one that actually gave some hope that Congress would not continue to roll over civil liberties in pursuit of "national security" and "protecting the homeland." Entitled "Lawmakers Challenge Plan to Expand Spying," this article describes a request by House Democrats for the Administration's legal justification for expanding access by law enforcement agencies (federal, state, and local) to data derived from the domestic use of military spy satellites and aircraft.
According to Department of Homeland Security (DHS) officials, satellite imagery has been used for scientific and law enforcement purposes in the past and therefore the administration does not require new congressional action to implement this expanded use. The officials contend that wider availability of the information gathered will help counter both human and natural "threats" (e.g., illegal immigration and terrorism, and forest fires, respectively) in real time. DHS officials have assured House leaders that the expanded program will be intensely monitored and reviewed by a number of offices to ensure it is not misused. House leaders understandably are wary after revelations of massive abuse of other "national security" and other "anti-terror" programs by the Bush administration.
What runs through all of these articles are three themes. One, the Bush administration remains over-obsessed with secrecy in conjunction with "defending the homeland" to the detriment of civil liberties and constitutional guarantees. Two, it remains intent on spying on citizens and residents and totally disregarding privacy laws without justification in the form of judicial authorization based on probable cause of potential or actual criminal activity. Three, the administration insists that Congress, the courts, and the public passively accept its "trust me" assurances despite the innumerable instances in which the administration has violated the rights and personal freedoms of the public.
Two lessons emerge from all this. One, the people assuredly risk their rights and freedoms by not keeping well informed about what the government tries to cloak in secrecy. Two, voters must stay informed -- hence they need to read more and more thoroughly -- of what their representatives in Congress are doing and not allow them to simply cave in to administration fantasies that "keeping America safe" requires sacrificing fundamental liberties. It is time to wake up and reassert the premise of our social compact -- that an informed public is the best safeguard for maintaining both our security and our freedoms.
Society Of Friends Legislative Report
http://www.fcnl.org/issues/issue.php?issue_id=80
Official And Family Pinched For Three Peaches
State Treasurer Timothy P. Cahill and his family, returning from an Italian vacation last month, were pulled aside and detained by customs agents at Logan International Airport after one of his four daughters was caught with contraband - three peaches.
http://www.boston.com/news/local/articles/2007/09/07/cahill_voices_anger_after_customs_detains_his_family_over_fruit
U.S. Airport Screeners Are Watching What You Read
By Ryan Singel 09.20.07 2:00 AM
International travelers concerned about being labeled a terrorist or drug runner by secret Homeland Security algorithms may want to be careful what books they read on the plane. Newly revealed records show the government is storing such information for years.
Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore's choice of reading material, and worry over the number of small flashlights he'd packed for the trip.
The breadth of the information obtained by the Gilmore-funded Identity Project (using a Privacy Act request) shows the government's screening program at the border is actually a "surveillance dragnet," according to the group's spokesman Bill Scannell.
"There is so much sensitive information in the documents that it is clear that Homeland Security is not playing straight with the American people," Scannell said.
The documents show a tiny slice of the massive airline-record collection stored by the government, as well as the screening records mined for the controversial Department of Homeland Security passenger-rating system that assigns terrorist scores to travelers entering and leaving the country, including U.S. citizens.
The so-called Automated Targeting System scrutinizes every airline passenger entering or leaving the country using classified rules that tell agents which passengers to give extra screening to and which to deny entry or exit from the country.
The system relies on data ranging from the government's 700,000-name terrorism watchlist to data included in airline-travel database entries, known as Passenger Name Records, which airlines are required to submit to the government.
According to government descriptions, ATS mines data from intelligence, law enforcement and regulatory databases, looking for linkages in order to identify "high-risk" targets who may not already be on terrorist watch lists.
ATS was started in the late 1990s, but was little known until the government issued a notice about the system last fall. The government has subsequently modified the proposed rules for the system, shortening the length of time data is collected and allowing individuals to request some information used by the scoring system.
The government stores the PNRs for years and typically includes destinations, phone and e-mail contact information, meal requests, special health requests, payment information and frequent-flier numbers.
The Identity Project filed Privacy Act requests for five individuals to see the data stored on them by the government.
The requests revealed that the PNRs also included information on one requester's race, the phone numbers of overseas family members given to the airlines as emergency contact information, and a record of a purely European flight that had been booked overseas separately from an international itinerary, according to snippets of the documents shown to Wired News.
The request also revealed the screening system includes inspection notes from earlier border inspections.
One report about Gilmore notes: "PAX (passenger) has many small flashlights with pot leaves on them. He had a book entitled 'Drugs and Your Rights.'" Gilmore is an advocate for marijuana legalization.
Another inspection entry noted that Gilmore had "attended computer conference in Berlin and then traveled around Europe and Asia to visit friends. 100% baggage exam negative.... PAX is self employed 'Entrepreneur' in computer software business."
"They are noting people's race and they are writing down what people read," Scannell said.
It doesn't matter that Gilmore was reading a book about drugs, rather than Catcher in the Rye, according to Scannell. "A book is a book," Scannell said. "This is just plain wrong."
The documents have also turned Scannell against the Department of Homeland Security's proposal for screening airline passengers inside the United States.
That project, known as Secure Flight, will take watchlist screening out of the hands of airlines, by having the airlines send PNR data to the government ahead of each flight. While earlier versions included plans to rate passenger's threat level using data purchased from private companies, DHS now proposes only to compare data in the PNR against names on the watchlist, which largely disarmed civil libertarians' opposition to the program.
That's changed for Scannell now, who sees Secure Flight as just another version of ATS.
"They want people to get permission to travel," Scannell said. "They already instituted it for leaving and entering the country and now they want to do it to visit your Aunt Patty in Cleveland."
The Department of Homeland Security did not respond to a request for comment.
A Morocco-born computer virus that crashed the Department of Homeland Security's US-VISIT border screening system last year first passed though the backbone network of the Immigrations and Customs Enforcement bureau, according to newly released documents on the incident.
The documents were released by court order, following a yearlong battle by Wired News to obtain the pages under the Freedom of Information Act. They provide the first official acknowledgement that DHS erred by deliberately leaving more than 1,300 sensitive US-VISIT workstations vulnerable to attack, even as it mounted an all-out effort to patch routine desktop computers against the virulent Zotob worm.
US-VISIT is a hodgepodge of older databases maintained by various government agencies, tied to a national network of workstations with biometric readers installed at airports and other U.S. points of entry. The $400 million program was launched in January 2004 in an effort to secure the border from terrorists by thoroughly screening visiting foreign nationals against scores of government watch lists.
Story Extras
Click here for full-sized diagram
Bugs on the Border
US-VISIT consists of a hodgepodge of older mainframe databases, fronted by Windows 2000 workstations installed at nearly 300 airports, seaports and border crossings around the country. Government investigators have found the mainframes pretty secure, but confirm that security holes are present on the PC end of the system. Click here (.jpg) for the complete diagram.
Click for an interactive document
Behind the Black
DHS officials made heavy redactions to five pages of internal documents released under the Freedom of Information Act, citing security needs. A judge didn't buy it, and ordered some of the text revealed. Here's the before and after.
While the idea of US-VISIT is universally lauded within government, the program's implementation has faced a steady barrage of criticism from congressional auditors concerned over management issues and cybersecurity problems. When Zotob began to spread last year, DHS' inspector general had just finished a six-month audit of US-VISIT's security; the resulting 42-page report, released in December, would conclude that the system suffered "security related issues (that) could compromise the confidentiality, integrity and availability of sensitive US-VISIT data if they are not remediated."
Zotob was destined to make those theoretical issues real.
The worm had its roots in a critical vulnerability in Windows 2000's plug-and-play feature that allowed attackers to take complete control of a computer over a network. Microsoft announced the hole Aug. 9, and it took only four days for a teenage virus writer in Morocco to launch Zotob, which spread through the security hole.
The workstations at the front end of US-VISIT run Windows 2000 Professional, so they were vulnerable to attack. Those computers are administered by the DHS' Bureau of Customs and Border Protection, which learned of the plug-and-play vulnerability Aug. 11, according to the new documents. The agency's security team began testing Microsoft's patch Aug. 12, with an eye to installing it on more than 40,000 desktop computers in use in the agency.
But as CBP started pushing the patch to its internal desktop machines Aug. 17, it made the fateful decision not to patch the 1,313 US-VISIT workstations.
Because of the array of peripherals hanging off the US-VISIT computers -- fingerprint readers, digital cameras and passport scanners -- officials believed additional testing was needed to ensure the patch wouldn't cause more problems than it cured. The agency was testing the patch at a US-VISIT station at a border crossing with Mexico in Nogales, Arizona.
By that time, Zotob was already flooding DHS compartments like water filling a sinking battleship. Four CBP Border Patrol stations in Texas were "experiencing issues related to this worm," reads one report. More ominously, the virus had made itself at home on the network of an interconnected DHS agency -- the Immigrations and Customs Enforcement bureau, or ICE. The ICE network serves as the hub for traffic between the US-VISIT workstations and sensitive law enforcement and intelligence databases, and US-VISIT visibly slowed as traffic slogged over ICE's compromised backbone.
On Aug. 18, Zotob finally hit the US-VISIT workstations, rapidly spreading from one to another. Phone logs offer a glimpse of the mayhem that ensued. Calls flooded the CBP help desk, with callers complaining that their workstations were rebooting every five minutes. Most are explained in the "status" line of the log with the single word "zotob."
Though accounting for only 3 percent of its Windows 2000 machines, the US-VISIT computers quickly became "the largest impacted population within (the CBP) environment," reads a summary of the incident.
At international airports in Los Angeles, San Francisco, Miami and elsewhere, long lines formed while CBP screeners processed foreign visitors by hand, or in some cases used backup computers, according to press reports at the time. At CBP's data center in Newington, Virginia, officials scrambled overnight to distribute the tardy patch. By 8:30 p.m. EST on Aug. 18, a third of the workstations had been fixed. By 1 a.m., Aug. 19, 72 percent were patched. At 5 a.m., 220 US-VISIT machines were still vulnerable.
"In retrospect," reads an executive summary of the incident, "CBP should have proceeded with deploying the patch to the US-VISIT workstations during the initial push."
A spokeswoman for DHS' US-VISIT program office refused to comment on the incident this week. ICE declined to speak to the virus' infiltration of its backbone network, referring inquiries back to DHS.
While DHS and its agencies are taciturn about discussing security issues, they couldn't hide the travelers stranded on the wrong side of Customs at airports across the country. The day after the infection, DHS publicly acknowledged a worm was responsible. But by December, a different story emerged; a department spokesman speaking to CNET News.com claimed there was no evidence that a virus caused the August incident. Instead, the problem was merely one of the routine "computer glitches" one expects in any complex system, he said.
By then, Wired News had already filed a Freedom of Information Act request with CBP seeking documents about the incident. The request received a cool response. An agency representative phoned us and asked that we withdraw it, while refusing to answer any questions about the outage. When we declined, CBP misplaced the FOIA request. We refiled it, and it was officially denied, in total, a month later. After an administrative appeal went unanswered, we filed a federal lawsuit in U.S. District Court in San Francisco, represented by the Stanford Law School Cyberlaw Clinic.
After we sued, CBP released three internal documents, totaling five pages, and a copy of Microsoft's security bulletin on the plug-and-play vulnerability. Though heavily redacted, the documents were enough to establish that Zotob had infiltrated US-VISIT after CBP made the strategic decision to leave the workstations unpatched. Virtually every other detail was blacked out. In the ensuing court proceedings, CBP claimed the redactions were necessary to protect the security of its computers, and acknowledged it had an additional 12 documents, totaling hundreds of pages, which it withheld entirely on the same grounds.
U.S. District Judge Susan Illston reviewed all the documents in chambers, and ordered an additional four documents to be released last month. The court also directed DHS to reveal much of what it had previously hidden beneath thick black pen strokes in the original five pages.
"Although defendant repeatedly asserts that this information would render the CBP computer system vulnerable, defendant has not articulated how this general information would do so," Illston wrote in her ruling (emphasis is lllston's).
A before-and-after comparison of those documents offers little to support CBP's security claims. Most of the now-revealed redactions document errors officials made handling the vulnerability, and the severity of the consequences, with no technical information about CBP's systems. (Decide for yourself with our interactive un-redaction tool.)
That comes as no surprise to Steven Aftergood, who directs the Federation of American Scientists' Project on Government Secrecy. In the wake of Sept. 11, the Bush administration has been keen to expand its ability to withhold information from the public under the FOIA, and most commonly offers security concerns as the explanation.
"The Justice Department more or less explicitly told agencies to do so," says Aftergood. "Many requests yield greater disclosure on appeal, and time and again FOIA lawsuits succeed in shaking loose records that an agency wanted to withhold."
Despite the outward silence, it's clear Zotob left a lasting mark on DHS.
An inspector general report released a month after the US-VISIT outage recommended CBP reform its patch-management procedures; a scan found systems still vulnerable to security holes dating from 2003. And in the aftermath of the attack, CBP resolved to "(i)nitiate timely distributions of software and application elements for testing and pre-staging events," according to one of the internal documents.
Phone logs released under the court order show that Zotob lurked on CBP's networks as late as Oct. 6, 2005 -- nearly two months after Microsoft released its patch.
The call logs also show a lingering presence of Zotob in the agency's collective memory.
On Oct. 12, 2005, a user phoned the help desk to advise it of a new critical Microsoft vulnerability that had not been patched on the caller's machine. "The workarounds require administrator access," the caller is reported as saying. "I do not have admin rights."
"Please open a ticket to update my CBP laptop with the latest security patches from Microsoft," the caller says. "It is vulnerable, just like it was during the Zotob outbreak."
No comments:
Post a Comment