EPIC v. Customs and Border Protection-Analytical Framework for Intelligence
On April 8, 2014, EPIC filed a FOIA request with U.S. Customs and Border Protection (CBP) for records related to a centralized data query program called the Analytical Framework for Intelligence (AFI). CBP began using AFI in August 2012. U.S. Dep't of Homeland Security, 2013 Data Mining Report to Congress 30 (Feb. 2014).
AFI gives analysts a single platform from which to search for and access "information collected and maintained in other systems, including information from both government owned sources and commercial data aggregators." U.S. Dep't of Homeland Security, Privacy Impact Assessment for the Analytical Framework for Intelligence 9 (June 1, 2012). The AFI program combines six categories of data: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. Id. at 9-10. Of particular concern, AFI "collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems." Id. at 10. Analysts can also upload and share information gleaned from Internet or traditional news media. Id. at 3.
Personally identifiable information contained in AFI includes full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security Number, vehicle information, travel information, document information, passport information, enforcement records, and familial and other contact information. Id. at 9, 27-28.
CBP uses AFI to identify individuals, associations, relationships, and cargo "that may pose a potential law enforcement or security risk"; to prevent "the illegal entry of people and goods"; to conduct "additional research on persons and/or cargo" for patterns that indicate law enforcement or security risks; and to share final intelligence projects within DHS. Id. at 1. In 2013, AFI initiated a pilot program to "enable analysts to view secret and [Sensitive But Unclassified] data on the same screens." 2013 Data Mining Report at 25.
EPIC has long worked to bring transparency and accountability to efforts by law enforcement to aggregate massive databases of personal information about citizens. In 2003, EPIC organized a coalition letter joined by over 80 organizations, urging the Office of Budget and Management to restore statutory oversight to the FBI's National Crime Information Center (NCIC) database. The Justice Department had exempted the NCIC program from obligations under the Privacy Act to maintain accurate records if they are the basis for any determination.
EPIC has also worked to shed light on the FBI's biometric database program, Next Generation Identification (NGI). This database will contain the fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and photographs of U.S. citizens. In 2012, EPIC submitted several FOIA requests to the FBI for contracts, privacy analyses and technical specifications. EPIC obtained documents evidencing the level of state law enforcement cooperation with the FBI and concerning technical aspects of the program, including that the FBI considered an error rate of 20% for facial recognition acceptable. In June 2014, EPIC organized a coalition letter to the Attorney General opposing the expansion of NGI and urging the Justice Department to conduct a Privacy Impact Assessment on the program before moving forward.
AFI is an invasive database that aggregates data on individuals regardless of suspicion or consent. Government officials will use AFI to make determinations about U.S. citizens without adequate review. EPIC's FOIA litigation is designed to reveal the structure of AFI and provide the public with details about the scope and capabilities of this program.
EPIC's Freedom of Information Act Request
On April 8, 2014, EPIC submitted a FOIA request asking for:
(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;
(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;
(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and
(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.
EPIC v. Customs and Border Protection, Case No. 14-cv-01217 (D.D.C. filed July 18, 2014)
- Privacy Impact Assessment for the Analytical Framework for Intelligence (June 1, 2012)
- Karen Neuman, 2013 Data Mining Report to Congress, Dep't of Homeland Security, Privacy Office (Feb. 2014)