
EPIC v. Customs and Border Protection - Analytical Framework for Intelligence

Top News

  • EPIC Files Lawsuit For Details of Government Profiling System: EPIC has filed a Freedom of Information Act lawsuit about a controversial government data mining program operated by the Department of Homeland Security. The "Analytical Framework for Intelligence" contains a vast amount of sensitive personal information obtained from government agencies and the private sector. The system is used by the DHS for link analysis, anomaly detection, pattern analysis, and predictive modeling. The system also incorporates "risk assessment" scores from the Automated Targeting System, which is likewise operated by the DHS. EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional. The case is EPIC v. Customs and Border Protection, No. 14-1217 (D.D.C. filed 7/18/2014). For more information see: EPIC: Automated Targeting System, EPIC: Open Government and EPIC: EPIC v. Customs and Border Protection (Analytical Framework for Intelligence). (Jul. 18, 2014)
  • EPIC Uncovers Complaints from Education Department about Misuse of Education Records: EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government. (Jul. 18, 2014)
  • EPIC Seeks Government Report about Security of Internet Voting: EPIC has filed a Freedom of Information Act request with the Department of Defense for records detailing the security of online voting. The agency administers the Federal Voting Assistance Program, which has promoted online voting and provided funding to states for internet voting technology. Computer scientists have expressed concern about the reliability of these systems and privacy risks for voters. At a Congressional hearing in 2012, the agency promised to release the results of security tests it had conducted on voting software by December 2012. Because the agency has failed to make the test results public, EPIC has demanded these results, as well as related documents, be disclosed. For more information see: EPIC: Open Government and EPIC: Voting Privacy. (Jul. 18, 2014)
  • Defense Agency Adopts Favorable Open Government Rules After EPIC Comments: The Defense Logistics Agency, an agency component within the Department of Defense, has amended its Freedom of Information Act rules. EPIC submitted extensive comments on the initial proposal. EPIC said that several of the proposals are contrary to law, exceed the scope of the agency's authority, and should be withdrawn. The final rule incorporates many of EPIC's recommendations. For example, DLA revised several key definitions, including "administrative appeal," "adverse determination," and "consultation," and modified its general FOIA policy to promote agency transparency. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Jun. 25, 2014)
  • EPIC, Partners Draft Model FOIA Regulations: EPIC, together with Citizens for Responsibility and Ethics in Government, the National Security Archive, and Openthegovernment.org, has drafted model Freedom of Information Act regulations. Under the National Action Plan, the Department of Justice has been tasked with creating a uniform set of FOIA regulations that would apply across the government. EPIC’s model FOIA regulations are designed to make it easier for FOIA requesters to obtain agency documents, favorable fee status, and expedited processing. They would also create a balancing test that agencies would need to satisfy before asserting Exemption 5 for internal agency memos. The model FOIA regulations have received the endorsement of more than 25 transparency and accountability groups. For more information, see ModelFOIAregs.org and EPIC: Open Government. (Jun. 6, 2014)
  • EPIC to Commerce Department: Uphold the Public's Right to Know: In comments to the Commerce Department about proposed changes to the agency's Freedom of Information Act regulations, EPIC urged the agency not to prematurely close requests. EPIC supported several changes that will make it easier for the public to obtain information from the government agency, but objected to a specific proposal that would allow the agency to terminate pending FOIA requests if requesters do not "reasonably describe the records sought." EPIC said the change was contrary to the purpose of the open government law. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Apr. 1, 2014)
  • FTC Adopts EPIC's Recommendations on Improved FOIA Processing: The Federal Trade Commission has issued a final rule updating its Freedom of Information Act fee provisions. EPIC submitted extensive comments to the agency, supporting proposed fee reductions but also recommending changes to strengthen open government. The FTC adopted nearly all of EPIC's proposals. The FTC announced that all "Commission decisions, orders, and other public materials" will be electronically available to all requesters without charge. The FTC also said it would grant requesters additional time to assess fees associated with FOIA requests rather than simply terminate processing. The FTC agreed to be more lenient in resolving unpaid FOIA fees. The Commission also adopted EPIC's recommendation to disclose private sector contract rates for FOIA processing. EPIC routinely comments on agency proposals that impact FOIA requesters' rights. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Mar. 21, 2014)
  • EPIC Publishes 2014 FOIA Gallery, Highlights Documents Obtained Under Open Government Law: In celebration of Sunshine Week, EPIC has published the 2014 EPIC FOIA Gallery. The gallery highlights documents obtained by EPIC in the past year, such as previously secret records about government surveillance of telephone calls, FBI facial recognition technologies, DHS drones that identify human targets on the ground, the CIA's collaboration with the New York Police Department, and student debt-collectors' lax data security systems. In many of these cases, EPIC "substantially prevailed" and obtained attorneys' fees. EPIC routinely pursues Freedom of Information Act matters to promote government accountability. EPIC published the first FOIA Gallery in 2001. EPIC also publishes an authoritative FOIA litigation manual. For more information, see EPIC: Open Government and EPIC Bookstore: FOIA. (Mar. 17, 2014)
  • House Passes FOIA Reform Bill: The House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA's exemptions demonstrate that there would be a "specific identifiable harm," tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. For more information see: EPIC: Open Government. (Feb. 28, 2014)
  • Senate Confirms Judge Wald for Privacy Oversight Board: The Senate confirmed the reappointment of Judge Patricia M. Wald to the Privacy and Civil Liberties Oversight Board. Judge Wald's current term was set to expire next month, but President Obama re-nominated her on March 21, 2013. Last year, EPIC recommended that the Oversight Board, consistent with its mandate, pursue a broad agenda, including (1) suspension of the Fusion Center Program; (2) limiting closed-circuit television surveillance; (3) eliminating the use of body scanners; (4) establishing privacy regulations for drones; (5) improving Information Sharing Environment (ISE) and Suspicious Activity Reporting (SARS) Standards; and (6) Privacy Act adherence. More recently, EPIC addressed the Board at a workshop on NSA Surveillance. And in response to a public rulemaking, EPIC also provided extensive comments on a proposed rule governing the Board's Freedom of Information Act practices. The Board adopted nearly all of EPIC's recommendations on transparency. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Open Government. (Dec. 13, 2013)

Background

On April 8, 2014, EPIC filed a FOIA request with U.S. Customs and Border Protection (CBP) for records related to a centralized data query program called the Analytical Framework for Intelligence (AFI). CBP began using AFI in August 2012. U.S. Dep't of Homeland Security, 2013 Data Mining Report to Congress 30 (Feb. 2014).

AFI gives analysts a single platform from which to search for and access "information collected and maintained in other systems, including information from both government owned sources and commercial data aggregators." U.S. Dep't of Homeland Security, Privacy Impact Assessment for the Analytical Framework for Intelligence 9 (June 1, 2012). The AFI program combines six categories of data: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. Id. at 9-10. Of particular concern, AFI "collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems." Id. at 10. Analysts can also upload and share information gleaned from Internet or traditional news media. Id. at 3.

Personally identifiable information contained in AFI includes full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security Number, vehicle information, travel information, document information, passport information, enforcement records, and familial and other contact information. Id. at 9, 27-28.

CBP uses AFI to identify individuals, associations, relationships, and cargo "that may pose a potential law enforcement or security risk"; to prevent "the illegal entry of people and goods"; to conduct "additional research on persons and/or cargo" for patterns that indicate law enforcement or security risks; and to share final intelligence projects within DHS. Id. at 1. In 2013, AFI initiated a pilot program to "enable analysts to view secret and [Sensitive But Unclassified] data on the same screens." 2013 Data Mining Report at 25.

To support the development of this program, CBP allocated $51.5 million between 2011 and 2013. Since January 1, 2013, CBP has awarded contracts related to AFI totaling $178.2 million.

EPIC's Interest in AFI

EPIC has long worked to bring transparency and accountability to efforts by law enforcement to aggregate massive databases of personal information about citizens. In 2003, EPIC organized a coalition letter joined by over 80 organizations, urging the Office of Budget and Management to restore statutory oversight to the FBI's National Crime Information Center (NCIC) database. The Justice Department had exempted the NCIC program from obligations under the Privacy Act to maintain accurate records if they are the basis for any determination.

EPIC has also worked to shed light on the FBI's biometric database program, Next Generation Identification (NGI). This database will contain the fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and photographs of U.S. citizens. In 2012, EPIC submitted several FOIA requests to the FBI for contracts, privacy analyses and technical specifications. EPIC obtained documents evidencing the level of state law enforcement cooperation with the FBI and concerning technical aspects, such as that the FBI considered an error rate of 20% for facial recognition acceptable. In June 2014, EPIC organized a coalition letter to the Attorney General opposing the expansion of NGI and urging the Justice Department to conduct a Privacy Impact Assessment on the program before moving forward.

AFI is an invasive database that aggregates data on individuals regardless of suspicion or consent. Government officials will use AFI to make determinations about U.S. citizens without adequate review. EPIC's FOIA litigation is designed to reveal the structure of AFI and provide the public with details about the scope and capabilities of this program.

EPIC's Freedom of Information Act Request

On April 8, 2014, EPIC submitted a FOIA request asking for:

(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;

(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;

(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and

(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.

Resources

News Reports