EPIC v. CBP (Analytical Framework for Intelligence)
This case arises out of an EPIC Freedom of Information Act ("FOIA") request for records relating to the U.S. Customs and Border Protection’s (“CBP”) Analytical Framework for Intelligence ("AFI"). CBP uses AFI to analyze personally identifiable information from a variety of sources, including government databases, commercial data brokers, and other Internet sources. These databases contain detailed personal information, subject to the Privacy Act, that are combined with secret, analytic tools to assign “risk assessments” to travelers, including U.S. citizens traveling solely within the United States.
EPIC pursued this FOIA request to make public the agency's use of personal information for automated profiling as well as the chilling effect of First Amendment protected activities. Both activities may violate the Federal Privacy Act; the disclosure of the documents sought by EPIC is of utmost importance to the public and Congressional oversight committees.
- EPIC Prevails in Passenger Screening Lawsuit Against DHS: EPIC has prevailed in EPIC v. DHS, a case involving a controversial passenger screening program operated by Customs and Border Protection. The agency combines detailed personal information with secret algorithms to assign "risk assessments" to travelers, including US citizens. EPIC sued the DHS and argued that the agency unlawfully withheld records under the Freedom of Information Act. Today, a federal judge concluded that EPIC "has the more convincing argument" and that the agency failed to disclose information about the "Analytic Framework for Intelligence" program. (Feb. 17, 2016)
- EPIC Pursues Lawsuit about Secret Government Profiling Program: EPIC has filed a reply brief in federal court, rebutting the government's claim that it can withhold information about automated profiling. In EPIC v. CBP, a Freedom of Information Act case, EPIC seeks documents about the "Analytical Framework for Intelligence," which incorporates personal information from government agencies, commercial data brokers, and the Internet. The agency then uses secret, analytic tools to assign "risk assessments" to travelers, including U.S. citizens traveling solely within the United States. EPIC submitted a FOIA request in 2014 for documents relating the framework. EPIC has called for "algorithmic transparency" in automated decisions concerning individuals. (Aug. 11, 2015) More top news »
According to the AFI Privacy Impact Assessment, the Agency maintains six categories of data, each of which contains personally identifiable information: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. AFI further “collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems.” AFI contains personally identifiable information including full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security number, vehicle information, travel information, document information, passport information, law enforcement records, and familial and other contact information. AFI became operational in August 2012.
Some of the “DHS-owned” data within AFI comes from the Automated Targeting System (“ATS”). According to a 2012 Federal Register notice, in addition to the data amassed from ATS, CBP uses AFI to “provide AFI analysts with different tools that assist in detecting trends, patterns, and emerging threats, and in identifying non-obvious relationships.” According to the agencies, DHS and CBP use individual information within ATS to make “risk assessments” on individuals that travel to, through, and from the United States or “other locations where CBP maintains an enforcement or operational presence by land, air, or sea.” These risk assessments are assigned to U.S. citizens. CBP uses “Automated Targeting System” risk assessments to “signal to CBP officers that further inspection of a person, shipment, or conveyance may be warranted, even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement.” CBP uses initial “risk-based” assessment matches and subsequent matches “to confirm continued official interest in the identified person.”
CBP uses a variety of personally identifiable information within ATS to perform risk assessments, including name, address, Social Security number, gender, nationality, race, and biometric information. ATS also contains information generated by CBP, including “law enforcement or intelligence information regarding an individual” and “risk-based rules developed by analysts to assess and identify high-risk cargo, conveyances, or travelers that should be subject to further scrutiny or examination.”
Individuals having information within ATS are not notified of their risk assessment because DHS has exempted ATS from the “notification, access, amendment, and certain accounting procedures of the Privacy Act[.]”
EPIC has highlighted the problems inherent in passenger profiling systems like ATS and AFI in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as "the 9/11 Commission"), EPIC President Marc Rotenberg explained, "there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended."
The Automated Targeting System mines a vast amount of data to create a "risk assessment" on hundreds of millions of people per year, a label that will follow them for the rest of their lives.
EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional.
EPIC has a longstanding interest in algorithmic transparency and ending secret profiling of individuals.
EPIC's Freedom of Information Act Request
On April 8, 2014, EPIC submitted a FOIA request asking for:
(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;
(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;
(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and
(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.
EPIC v. Customs and Border Protection, Case No. 14-cv-01217 (D.D.C. filed July, 18, 2014)
- EPIC's Complaint (July 18, 2014)
- CBP's Answer (Oct. 6, 2014)
- Status Report (Nov. 16, 2014)
- Status Report (Feb. 26, 2015)
- CBP Motion for Extension (May 15, 2015)
- EPIC Opposition to CBP's Motion for Extension (May 16, 2015)
- CBP Cross-Motion for Summary Judgment (May 28, 2015)
- EPIC Cross-Motion and Opposition for Summary Judgment (June 29, 2015)
- CPB Combined Opposition and Reply (July 27, 2015)
- EPIC Reply (Aug. 10, 2015)
- Memorandum Opinion (Feb. 17, 2016)
- CPB Supplemental Motion for Summary Judgment (May 5, 2016)
- EPIC Motion for Summary Judgment and Opposition (June 3, 2016)
- CBP Reply (June 30, 2016)
- Karen Neuman, 2013 Data Mining Report to Congress, Dep't of Homeland Security, Privacy Office (Feb. 2014).
- Privacy Impact Assessment for the Analytical Framework for Intelligence (June 1, 2012)
Privacy Compliance Review of the U.S. Customs and Border Protection (CBP) Analytical Framework for Intelligence (AFI) (Dec. 19, 2014)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler