Traveling in today’s America is becoming more and more constrained. Every year, there are more checks, more searches, and more guards. If you go by car, ALPR systems will track you. If you go by plane, you and your belongings can be legally searched, groped, mocked, impounded or vandalized. If you stay in a motel, your information may be shared up front with law enforcement. And now, even the trains are getting on the act.
The aptly-named PapersPlease.org filed a Freedom of Information Act request last October asking how Amtrak handled sharing of information with the Department of Homeland Security. While Amtrak is regularly subsidized, it is legally a private company, and as such should not share information on passengers unless the police provide them with a valid, individualized probable-cause warrant. You know, that old Fourth Amendment thing?
The response shows that not only is Amtrak providing Customs and Border Patrol officers with “pre-arrival and departure manifest data on all passengers and crew members”, but that since at least 2004, it has also been, as PapersPlease.org puts it, “giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions”, and thereby going far beyond what US law actually requires them to do.
We may be used to an exceeedingly intrusive system for airports, but what’s legally required for air travel is not the same as what’s legally required for train travel. Nothing in US law – though it’s been discussed – requires Amtrak to share data like this. But that hasn’t stopped Amtrak PD from telling its IT department falsely that “Information pertaining to passengers and crewmembers traveling across the U.S./Canadian border is required by the U.S. Department of Homeland Security (DHS).” Of course, when it comes to the actual data sharing, it includes all passengers, not just those crossing borders.
This is emblematic of the age of mass digital surveillance: Partnerships between private industry and the homeland-security-intelligence complex wherein the companies whose products we use every day — from Google to Verizon to Facebook and, apparently, private companies that run public transportation — share customers’ data in bulk with intelligence agencies, often on an entirely voluntary basis. This is the kind of seamless data sharing arrangement that is likely to be further formalized into law if either the USA FREEDOM Act or the Cybersecurity Information Sharing Act (CISA) passes.
CISA would set up voluntary partnerships in which companies provide customer data to the intelligence community on everything from exploits and attacks perpetrated by hackers to violent crimes in general. Companies which agree to enter into the partnership will then be required to report various information to intelligence agencies, likely facing serious consequences if they fail to do so. The bill, much like the arrangement between Amtrak and the DHS, involves the warrantless sharing of customer data in bulk. Unlike the more limited authority granted under Section 215 of the PATRIOT Act — mass collection of data that may at some point potentially be relevant to a crime — CISA would ensure that the information is shared by default.
The aim here is not to head off specific cybersecurity or terrorism threats. The aim is to share information by default, to deploy algorithms to search for crimes that they would not otherwise know about. The problem is, this method doesn’t work.
We need to return to the model whereby private data is divulged only in circumstances in which there exists an individualized warrant. The current system produces an avalanche of false positives, diverts resources away from managing more probable threats, and leaves privacy-conscious Americans with no way to travel around their own country. Except, of course, on foot.