EPIC v. CBP (Analytical Framework for Intelligence)
This case arises out of an EPIC Freedom of Information Act ("FOIA") request for records relating to the U.S. Customs and Border Protection’s (“CBP”) Analytical Framework for Intelligence ("AFI"). CBP uses AFI to analyze personally identifiable information from a variety of sources, including government databases, commercial data brokers, and other Internet sources. These databases contain detailed personal information, subject to the Privacy Act, that are combined with secret, analytic tools to assign “risk assessments” to travelers, including U.S. citizens traveling solely within the United States.
EPIC pursued this FOIA request to make public the agency's use of personal information for automated profiling as well as the chilling effect of First Amendment protected activities. Both activities may violate the Federal Privacy Act; the disclosure of the documents sought by EPIC is of utmost importance to the public and Congressional oversight committees.
- EPIC Appeals Passenger Profiling Case to DC Circuit: EPIC has appealed the ruling in EPIC v. CBP, case involving a controversial passenger screening program that combines detailed personal information with secret algorithms to assign "risk assessments" to travelers—including US citizens. EPIC sued the agency for information about the "Analytic Framework for Intelligence" under the Freedom of Information Act. As a consequence of the EPIC FOIA lawsuit, EPIC obtained important documents and prevailed in an earlier phase of the case. However, the federal court in Washington, DC declined last month to order the release of certain additional materials. EPIC is now asking the DC Circuit Court of Appeals to overrule the lower court's decision and compel the release of documents sought by EPIC. (Apr. 7, 2017)
- Congress to Examine Artificial Intelligence: Today the Senate Commerce Committee will hold a hearing on "The Dawn of Artificial Intelligence." Experts from industry and academia will provide "a broad overview of the state of artificial intelligence, including policy implications and effects on commerce." In a prepared statement, EPIC urged the Committee to support "Algorithmic Transparency," an essential public policy strategy to make AI accountable. The hearing follows two White House reports -Preparing for the Future of Artificial Intelligence and the National Artificial Intelligence Research and Development Strategic Plan. EPIC is currently litigating several "AI" cases including EPIC v. FAA (drone surveillance), Cahen v. Toyota (autonomous vehicles), EPIC v. CPB (U.S. traveler "risk assessments"), and Secret DNA Forensic Source Code. (Nov. 30, 2016) More top news »
According to the AFI Privacy Impact Assessment, the Agency maintains six categories of data, each of which contains personally identifiable information: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. AFI further “collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems.” AFI contains personally identifiable information including full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security number, vehicle information, travel information, document information, passport information, law enforcement records, and familial and other contact information. AFI became operational in August 2012.
Some of the “DHS-owned” data within AFI comes from the Automated Targeting System (“ATS”). According to a 2012 Federal Register notice, in addition to the data amassed from ATS, CBP uses AFI to “provide AFI analysts with different tools that assist in detecting trends, patterns, and emerging threats, and in identifying non-obvious relationships.” According to the agencies, DHS and CBP use individual information within ATS to make “risk assessments” on individuals that travel to, through, and from the United States or “other locations where CBP maintains an enforcement or operational presence by land, air, or sea.” These risk assessments are assigned to U.S. citizens. CBP uses “Automated Targeting System” risk assessments to “signal to CBP officers that further inspection of a person, shipment, or conveyance may be warranted, even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement.” CBP uses initial “risk-based” assessment matches and subsequent matches “to confirm continued official interest in the identified person.”
CBP uses a variety of personally identifiable information within ATS to perform risk assessments, including name, address, Social Security number, gender, nationality, race, and biometric information. ATS also contains information generated by CBP, including “law enforcement or intelligence information regarding an individual” and “risk-based rules developed by analysts to assess and identify high-risk cargo, conveyances, or travelers that should be subject to further scrutiny or examination.”
Individuals having information within ATS are not notified of their risk assessment because DHS has exempted ATS from the “notification, access, amendment, and certain accounting procedures of the Privacy Act[.]”
EPIC has highlighted the problems inherent in passenger profiling systems like ATS and AFI in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as "the 9/11 Commission"), EPIC President Marc Rotenberg explained, "there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended."
The Automated Targeting System mines a vast amount of data to create a "risk assessment" on hundreds of millions of people per year, a label that will follow them for the rest of their lives.
EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional.
EPIC has a longstanding interest in algorithmic transparency and ending secret profiling of individuals.
EPIC's Freedom of Information Act Request
On April 8, 2014, EPIC submitted a FOIA request asking for:
(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;
(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;
(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and
(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.
EPIC v. Customs and Border Protection, Case No. 14-cv-01217 (D.D.C. filed July, 18, 2014)
- EPIC's Complaint (July 18, 2014)
- CBP's Answer (Oct. 6, 2014)
- Status Report (Nov. 16, 2014)
- Status Report (Feb. 26, 2015)
- CBP Motion for Extension (May 15, 2015)
- EPIC Opposition to CBP's Motion for Extension (May 16, 2015)
- CBP Cross-Motion for Summary Judgment (May 28, 2015)
- EPIC Cross-Motion and Opposition for Summary Judgment (June 29, 2015)
- CPB Combined Opposition and Reply (July 27, 2015)
- EPIC Reply (Aug. 10, 2015)
- Memorandum Opinion (Feb. 17, 2016)
- CPB Supplemental Motion for Summary Judgment (May 5, 2016)
- EPIC Motion for Summary Judgment and Opposition (June 3, 2016)
- CBP Reply (June 30, 2016)
- Court's First Memorandum Opinion on Summary Judgment Motions (Feb. 17, 2017)
- Court's Second Memorandum Opinion on Summary Judgment Motions (Mar. 24, 2017)
- EPIC's Notice of Appeal (Apr. 6, 2017)
- Karen Neuman, 2013 Data Mining Report to Congress, Dep't of Homeland Security, Privacy Office (Feb. 2014).
- Privacy Impact Assessment for the Analytical Framework for Intelligence (June 1, 2012)
Privacy Compliance Review of the U.S. Customs and Border Protection (CBP) Analytical Framework for Intelligence (AFI) (Dec. 19, 2014)
- Spencer Woodman, Documents suggest Palantir could help power Trump's ‘extreme vetting’ of immigrants, The Verge (Dec. 21, 2016)
- CBP - Analytical Framework for Intelligence, IT Dashboard.
- Mickey McCarter, Nebraska Ave.: Looking ahead in DHS IT, Homeland Security Today (Aug. 20, 2012),
- 2011 DHS Data Mining Report Review, PrivacyCast (Mar. 19, 2012),
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,