Automated Targeting System
- FBI Exempts Massive Database from Privacy Act Protections: The Federal Bureau of Investigation has exempted the FBI Data Warehouse System, from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System. (Oct. 10, 2012)
- Senate Committee Considers Updates to Federal Privacy Act: The Senate Oversight of Government Management Subcommittee held a hearing today on "The State of Federal Privacy and Data Security Law: Lagging Behind the Times?" The hearing focused on S.1732, the Privacy Act Modernization for the Information Age Act of 2011, and S.3414, an amendment to the Cybersecurity Act of 2012, introduced by Senator Daniel Akaka (D-HI). Both measures would strengthen privacy protections for personal information collected by government agencies. Senate witnesses agreed that after the Supreme Court decision in FAA v. Cooper, the Privacy Act should be amended to compensate individuals for provable, nonpecuniary harms. EPIC has made several recommendations to update the federal privacy law and also warned about the deployment of new agency profiling systems. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System. (Jul. 31, 2012)
- EPIC Calls for Suspension of Homeland Security's "Risk-based" Profiling System: EPIC submitted comments to Customs and Border Protection, a component of the Department of Homeland Security, urging the agency to suspend the Automated Targeting System. Although the System was initially created to screen shipping cargo, the agency now monitors individuals, and creates "risk-assessment" profiles on Americans who are not suspected of any crime. The agency makes determinations about individuals based on such factors as race, ethnicity, and gender. The agency even collects information on political opinions and religious beliefs. An unfavorable "risk-based" evaluation by ATS m can subject individuals to investigation, government surveillance, and denial of the right to travel. For more information, see EPIC: Automated Targeting System, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Jun. 22, 2012)
- Homeland Security Seeks to Expand "Risk-Based" Profiles: The Department of Homeland Security has proposed to exempt its "Automated Targeting System" from certain Privacy Act provisions. The Automated Targeting System creates "risk-based" profiles of individuals traveling to, from, and throughout the United States. The profile contains a plethora of personal data, including, nationality, race, occupation, and biometrics. The System accesses and "ingests" this information from many sources, including government databases and commercial data aggregators. The DHS issued a Privacy Impact Assessment, which describes some of the privacy risks, including unauthorized access. In detailed comments to DHS in 2007, EPIC opposed the use of "risk-based" profiles. For more information, see EPIC: Automated Targeting System. (Jun. 6, 2012)
- Department of Homeland Security Expands Use of Watch Lists for "Known Traveler" Program: The Department of Homeland Security has published a Privacy Impact Assessment Update for Secure Flight, a DHS program that compares airline passenger records with various watch lists. The assessment describes the agency's plans to expand the Known Traveler program so as to expedite airline screening for certain categories of individuals. The DHS also intends to incorporate into Secure Flight the Automated Targeting System, a controversial program that allows the government to assign a risk assessment number to individual travelers. That number provides the basis for further screening. In 2007, EPIC urged DHS to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. In 2010, EPIC advocated for stronger privacy protections of DHS trusted traveler programs that compare passenger names against watch lists. For more information, see EPIC: Secure Flight and EPIC: Automated Targeting Systems. (Apr. 23, 2012)
- EPIC Urges Increased Privacy for "Global Entry" Registered Traveler Program: On January 19, EPIC filed comments with the US Customs and Border Protection (CBP), urging the agency to “to revise its establishment of the Global Entry program and to reconsider the privacy and security implications of the program.” CBP proposed to make permanent the Global Entry program, under which pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. EPIC urged CBP to ensure that Global Entry complied with the Privacy Act and to conduct a separate Privacy Impact Assessment. Those measures are particularly pressing in light of recent problems, including data breaches and bankruptcy, experienced by “Clear,” a similar registered traveler program. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for registered traveler programs would jeopardize air traveler privacy and security. For more information, see EPIC Global Entry, EPIC Air Travel Privacy, EPIC Biometric Identifiers, EPIC Automated Targeting System, and EPIC Whole Body Imaging. (Jan. 28, 2010)
- EPIC Recommends Suspension of Secret Traveler Profiling Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. The system creates secret, terrorist "risk assessments" on tens of millions of U.S. citizens and foreign visitors. This new rulemaking was in response to public criticism that arose from DHS's November 2006 rulemaking, where EPIC led a coalition (pdf) in condemning the terrorist "scoring" of US travelers. Though DHS has made some positive changes, the Automated Targeting System still assigns terrorist risk assessments that are secret and unreviewable and the agency is still seeking broad exemptions from the federal Privacy Act. (Sept. 6, 2007)
- DHS Announces New Rulemaking for Automated Targeting System. In response to a November rulemaking, DHS has made changes to the Automated Targeting System, a federal database that created secret, terrorist ratings on tens of millions of American citizens. Some positive changes include a significant reduction in the data retention period and the elimination of a routine use that was unnecessary and far too broad. However, there remain many of the security and privacy risks outlined in comments (pdf) previously filed by EPIC, 29 organizations and 16 privacy and technology experts that urged the agency to suspend the program and to fully enforce Privacy Act obligations. Comments on this new rulemaking are due on September 5. (Aug. 7, 2007)
- Board Member Resigns Over White House Changes to Privacy Report. Lanny J. Davis, one of five members of the White House Privacy and Civil Liberties Oversight Board, resigned (pdf) yesterday in protest of the Bush administration's changes to the board's first annual report. The White House made more than 200 revisions to the report, including the deletion of a passage on anti-terrorism programs where intelligence officials said the programs had "potentially problematic" intrusions on civil liberties. Another change concerned the controversial Automated Targeting System. EPIC has published a detailed report (pdf) on the need to reform the Board. For more information, see EPIC's 9/11 Commission page. (May 15, 2007)
The Automated Targeting System, part of the Department of Homeland Security's Customs and Border Protection, was originally established to assess cargo that may pose a threat to the United States. Now the Department of Homeland Security proposes to use the system to establish a secret terrorism risk profile for millions of people, most of whom will be U.S. citizens. Simultaneously, it is seeking to remove Privacy Act safeguards for the database.
The Department of Homeland Security recently published a "Notice of Privacy Act system of records" for the Automated Targeting System ("ATS"), which it says "performs screening of both inbound and outbound cargo, travelers, and conveyances." ATS is associated with the Treasury Enforcement Communications System ("TECS"), a database containing "every possible type of information from a variety of Federal, state and local source."] The new description of the database differs significantly from an earlier one. As recently as March, ATS was described as "a computerized model that [Customs and Border Protection] officers use as a decision support tool to help them target oceangoing cargo containers for inspection." It is unknown when ATS expanded from merely screening shipping cargo to scrutinizing land and sea travelers. On the same day as the Homeland Security notice about the proposal to use ATS to target individuals, the Senate Homeland Security and Governmental Affairs Committee asked the department for a briefing about ATS.
According to the Department of Homeland Security, ATS assigns a "risk assessment," which is essentially a terrorist risk rating, to all people "seeking to enter or exit the United States," "engag[ing] in any form of trade or other commercial transaction related to the importation or exportation of merchandise," "employed in any capacity related to the transit of merchandise intended to cross the United States border," and "serv[ing] as operators, crew, or passengers on any vessel, vehicle, aircraft, or train who enters or exits the United States." This numbers in the hundreds of millions. In Fiscal Year 2005, Customs and Border Protection "processed 431 million pedestrians and passengers, 121 million privately owned vehicles, and processed and cleared 25.3 million sea, rail, and truck containers."
The Automated Targeting System's terrorist risk profiles will be secret, unreviewable, and maintained by the government for 40 years. The profiles will determine whether individuals will be subject to invasive searches of their persons or belongings, and whether U.S. citizens will be permitted to enter or exit the country. Individuals will not have judicially enforceable rights to access information about them contained in the system, nor to request correction of information that is inaccurate, irrelevant, untimely or incomplete.
The Automated Targeting System was created to screen shipping cargo, but it has many problems even completing that mission. An August 2006 report from the Democratic Staff of the House Committee on Homeland Security gave both port and border security low marks. For port security, the department's grade is a C-/D+. "There are many gaps remaining in our port security. As some experts have noted, the current port security regime is a 'house of cards,' in which containers are often not inspected and the government does not truly know which containers are 'high risk.'" More resources are needed. "Current staffing shortages at foreign seaports participating in CSI are resulting in thirty-five percent of 'high risk' containers not being inspected before they are shipped to the U.S." In fact, 75 percent "of our ports do not have the ability to screen a container for dirty bombs or nuclear weapons," according to the report.
EPIC has highlighted the problems inherent in passenger profiling systems in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as "the 9/11 Commission"), EPIC President Marc Rotenberg explained, "there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended."
The Automated Targeting System mines a vast amount of data to create a "risk assessment" on hundreds of millions of people per year, a label that will follow them for the rest of their lives, as the data will be retained for 40 years. Yet the system is deeply flawed, and the funds spent turning ATS into a citizen profiling program would be better spent in perfecting its cargo screening process, so that port security can be stronger than a "house of cards."
- Collecting of Details on Travelers Documented. Washington Post, Sept. 22, 2007.
- U.S. government tracking travel habits. UPI, Sept. 21, 2007.
- U.S. Airport Screeners Are Watching What You Read. Wired News, Sept. 20, 2007.
- Department of Homeland Security, Press Release: Statement by Homeland Security Chief Privacy Officer Hugo Teufel III on the Privacy Act System of Records Notice for the Automated Targeting System, Aug. 3, 2007.
- White House Edits to Privacy Board's Report Spur Resignation. Washington Post, May 15, 2007.
- Closing the Door at the Ports. US News & World Report, Dec. 31, 2006.
- DHS defends border terror scoring system. United Press International, Dec. 27, 2006.
- Homeland Security official: Travelers don't get terror 'scores.' Reuters, Dec. 21, 2006.
- Remarks of Stewart Baker, Assistant Secretary for Policy, Department of Homeland Security, at the Center for Strategic and International Studies, Washington, D.C. Dec. 19, 2006.
- Travel groups oppose U.S. risk assessment system. Associated Press, Dec. 14, 2006.
- EU questions US over new air data system. EU Observer, Dec. 14, 2006.
- Press release, Franco Frattini, European Commissioner responsible for Justice, Freedom and Security, "Data protection and transfer of PNR data," Dec. 13, 2006.
- European officials seek answers on use of passenger data. Congress Daily, Dec. 13, 2006.
- Opinion: Improper 'risk assessments.' Macon Telegraph, Dec. 11, 2006.
- Opposition to DHS traveler screening program mounts. National Journal's Technology Daily, Dec. 11, 2006.
- Travelers assigned terrorism risk rating. Associated Press, Dec. 10, 2006.
- Homeland Security said to defy ban. United Press International, Dec. 9, 2006.
- Traveler Data Program Defied Ban, Critics Say. Washington Post, Dec. 9, 2006.
- Chertoff: Traveler screening program wasn't a secret. National Journal, Dec. 8, 2006.
- Airline "Risk Assessment": Defending the Right to Snoop. Time, Dec. 8, 2006.
- Traveler Risk System May Violate Ban. Associated Press, Dec. 8, 2006.
- DHS Passenger Scoring Illegal? Wired News, Dec. 7, 2006.
- Press Release, Sen. Patrick Leahy (D-Vt.), Reaction To Report That The Government Is Assigning Terror Scores To Travelers, Dec. 1, 2006.
- U.S. Plans to Screen All Who Enter, Leave Country. Washington Post, Nov. 3, 2006.
- Department of Homeland Security, Notice of Privacy Act system of records (Aug. 6, 2007)
- Department of Homeland Security, Notice of proposed rulemaking (Aug. 6, 2007)
- Department of Homeland Security, Response to Public Comments to the November 2006 Rulemaking (pdf) (Aug. 3, 2007)
- Department of Homeland Security, Privacy Impact Assessment for the Automated Targeting System (ATS) (pdf) (Aug. 3, 2007)
- Department of Homeland Security, Press Release: Statement by Homeland Security Chief Privacy Officer Hugo Teufel III on the Privacy Act System of Records Notice for the Automated Targeting System (Aug. 3, 2007)
- The Identity Project
- Cato Institute, Policy Analysis: Effective Counterterrorism and the Limited Role of Predictive Data Mining (Dec. 11, 2006)
- Professor Anita Ramasastry, Homeland Security's Automated Program of Risk Assessments for Travelers: Why It Fails to Sufficiently Protect Individual Privacy (Dec. 7, 2006)
- Security Expert Bruce Schneier, American Authorities Secretly Give International Travellers Terrorist "Risk" Score (Dec. 1, 2006)
- Department of Homeland Security, Notice of Privacy Act system of records (Nov. 2, 2006)
- H.R. 5441, the "Department of Homeland Security Appropriations Act, 2007" (Oct. 4, 2006)
- EPIC Spotlight on Surveillance "Customs and Border Protection's Automated System Targets U.S. Citizens" (Oct. 2006)
- EPIC's page on Passenger Profiling
- EPIC's page on EU-US Airline Passenger Data Disclosure
- EPIC's page on Air Travel Privacy
- EPIC's page on Secure Flight
- EPIC, In Response to August 2007 Rulemaking (PDF) (Sept. 5, 2007)
- Miss. Rep. Bennie G. Thompson, Chairman-Designate of the U.S. House of Representatives Homeland Security Committee (PDF) (Dec. 29, 2006)
- EPIC, 29 organizations and 16 privacy and technology experts (PDF) (Dec. 4, 2006)
- Identity Project (PDF) (Dec. 4, 2006), supplemental comments (PDF) (Dec. 29, 2006)
- ACLU (HTML) (Dec. 1, 2006)
- Electronic Frontier Foundation (PDF) (Nov. 30, 2006)
- Incoming House Homeland Security Chairman Criticizes ATS. Rep. Bennie Thompson (D-MS) has filed comments (pdf) questioning the constitutionality of the "Automated Targeting System," a federal database that creates secret terrorist ratings on tens of millions of U.S. citizens and foreign nationals. The Chairman-Designate of the House Homeland Security Committee said that even though he received a detailed briefing from Customs and Border Protection about ATS, he believed the program "may constitute violations of the privacy and civil liberties of U.S. citizens and lawful permanent residents." He also said there was a risk that the database "could be used as a warrantless well of evidence from which any law enforcement, regulatory or intelligence agency could dip at will -- without any probable cause, reasonable suspicion, or judicial oversight." (Jan. 3, 2007)
- Homeland Security Official Call ATS Critics 'Paranoid.' In a speech, Stewart Baker, Assistant Secretary for Policy at the Department of Homeland Security, denied that the "Automated Targeting System" posed a threat to privacy and called the program's critics "paranoid." The Automated Targeting System is a federal database that creates secret terrorist ratings on all people crossing U.S. borders. Critics, including members of Congress, the EU and civil liberties groups (pdf), have questioned the legality of the system's secret and unreviewable terrorism risk profiles. (Dec. 19, 2006)
- European Union Questions U.S. About Automated Targeting System. The European Union has asked the United States to clarify the "Automated Targeting System," a federal database that creates secret, terrorist ratings on all people crossing U.S. borders. The European Union asked how ATS is using and protecting the personal information on European citizens. "The information published by the DHS reveals significant differences between the way in which PNR data are handled within the Automated Targeting System on the one hand and the stricter regime for European PNR data according to" agreements between the U.S. and E.U. governments, the EU said. (Dec. 13, 2006)
- Homeland Security Extends Comment Period on Citizen Profiling System. The Department of Homeland Security has extended until Friday, December 29 the deadline for public comments for the "Automated Targeting System," a federal database that creates secret terrorist ratings on tens of millions of American citizens. EPIC, 29 organizations and 16 privacy and technology experts filed comments (pdf) urging the agency to suspend the program and to fully enforce Privacy Act obligations. Rep. Bennie Thompson (D-MS) said that "serious concerns have arisen that, with respect to U.S. citizens and possibly lawful permanent aliens, some elements of ATS as practiced may constitute violations of privacy or civil rights." The problems of the Automated Targeting System are described in the current EPIC Spotlight on Surveillance. The public may submit comments here (docket = DHS-2006-0060). (Dec. 8, 2006)
- ATS May Violate Section of Homeland Security Appropriations Act. In comments (pdf) to the Department of Homeland Security, the Identity Project contends that ATS is prohibited by Section 514(e) of the 2007 Homeland Security Appropriations Act. The section states, "None of the funds provided in this or previous appropriations Acts may be utilized to develop or test algorithms assigning risk to passengers whose names are not on Government watch lists." Previous DHS appropriations acts have similar provisions. Congress's intent to prohibit traveler profiling seems clear. An agency spokesman said the language in the appropriations bill does not cover ATS and insisted the program is legal. (Dec. 4, 2006)
- Coalition, Experts Urge End to Government Database that Assigns Terrorist Ratings to U.S. Citizens. In comments (pdf) filed with the Department of Homeland Security on Monday, a coalition of organizations and experts in technology and privacy urged the federal agency to curtail the "Automated Targeting System," a federal database that creates secret terrorist ratings on tens of millions of American citizens. The problems of the Automated Targeting System are described in the current EPIC Spotlight on Surveillance "Customs and Border Protection's Automated System Targets U.S. Citizens." (Dec. 4. 2006)