By Shana Dines, EFF Legal Intern, Summer 2009
In December 2006, the Electronic Frontier Foundation (EFF) sued the Department of Homeland Security (DHS), pursuant to the Freedom of Information Act (FOIA), requesting documents that would reveal undisclosed details about the Automated Targeting System (ATS). ATS is the program the DHS and Customs and Border Protection (CBP) have been using to monitor international travelers and assign risk assessment scores to determine potential terrorist threats. The EFF was specifically concerned about the inordinately long data retention period, as well as the lack of a system of redress for travelers to find out the specific information about them on file, how that information was being used, and if there was any way to correct inaccurate information.
Following a public comment period and publication of the first Privacy Impact Assessment (PIA) for ATS, the DHS made some slight changes to the system and published a second PIA on August 3, 2007. Some of the EFF's concerns were addressed, though not fully remedied, and our overarching concern about the government’s collection and storage and hidden use of mass amounts of information about innocent travelers remains. During the year and a half following the filing of the EFF's lawsuit, the DHS released over 2000 pages of emails, memos, letters, presentations, and other correspondences related to the developing changes of ATS. Much of the documentation obtained through the EFF's FOIA request is redacted for claimed security purposes, however, so the actual amount of information was far less than the 2,000 pages might indicate. Additionally, the vast majority of the information that was disclosed was previously known from the PIA and System of Records Notice (SORN). A year after the last of the initial document releases, the DHS began making some minor discretionary document releases in July 2009, apparently in response to the Obama administration’s new FOIA policies, but the substantive content remains limited.
Putting together the various fragments of disclosed information, here's what we do know: ATS processes queries, gathers data, and stores a tremendous amount of information about anyone who travels across a U.S. border. This data is stored for 15 years, even for individuals who have not been flagged as a threat or potential risk, and an individual’s access to the information is limited to the portion they themselves provided – it seems that no other information about them received from third parties can be accessed. The data reviewed under the ATS system includes seven large government databases, plus the Passenger Name Record data from the airlines (which includes data like whether you’ve ordered a Muslim or Hindu or Jewish special meal). Effectively, if you travel internationally, ATS creates an instant, personal and detailed dossier on you that CBP officers use to decide whether you get to enter the country, or will be subject to an enhanced (and potentially invasive) search.
And what don’t we know is a lot. The most important thing we don’t know is how the government is using this information. Specifically, we don’t know whether these vast databases are being used to track terrorists, as we’ve been led to believe, or whether they are being used to block entry into this country for other reasons. We don’t know if these vast storehouses of information are actually keeping us safer. Indeed, the more we learn about the amount of information being gathered and stored about innocent travelers, the more troubling we find the lack of information about how it is being used.
But here are the specifics of what we’ve learned:
- ATS-Passenger (ATS-P) is a decision-support tool for Customs and Border Patrol (CBP) officers. It collects Passenger Name Record (PNR) data and compares it to information from various (some unidentified) government databases to devise risk assessments for passengers traveling in and out of the U.S. Those risk assessments are communicated to CBP officers to determine which passengers to flag for additional screening and secondary inspection. Ultimately, decisions for denying entry into the U.S. are made by CBP officers, and not based solely on the ATS-P risk assessment.1
- While the DHS resolutely denies using numerical “scores” to assign risk assessments to passengers, there is evidence in certain documents released pursuant to our FOIA request that suggest otherwise. In a letter from the Executive Director of National Targeting and Security to the Directors of Field Operations and Preclearance Operations (agency unknown) regarding the "Requirements for Access to the Automated Targeting System - Passenger" dated Jan. 28, 2005, it is stated that, "Authorized CBP employees can access risk-scored passenger information . . . ." In a CBP training presentation, titled "Targeting in the Passenger Environment" and dated Mar. 4, 2004, a redacted slide reveals the heading "ATS Passenger Examples (cont.): Passenger Arriving Flights - Risk Scored."
- PNR data is obtained from carriers, such as airlines and cruise ship operators, about all international travel, but may also be obtained about domestic flights, if they are one leg of an international itinerary. PNR may include some or all of the following types of information:2
- PNR record locator code
- Date of reservation/ issue of ticket
- Date(s) of intended travel
- Name(s)
- Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)
- Other names on PNR, including number of travelers on PNR
- All available contact information (including originator of reservation)
- All available payment/billing information
- Travel itinerary for specific PNR
- Travel agency/travel agent
- Code share information
- Split/divided information
- Travel status of passenger (including confirmations and check-in status) and relevant travel history
- Ticketing information, including ticket number, one way tickets and Automated Ticket Fare Quote (ATFQ) fields
- Baggage information
- Seat information, including seat number
- Open text fields
- Any collected APIS information
- All historical changes to the PNR listed in numbers 1 to 18
- ATS-P compiles information from the following databases, in addition to its PNR data:3
- CBP's law enforcement databases
- FBI Terrorist Screening Center's Terrorist Screening Database (TSDB)
- DHS Advance Passenger Information System (APIS)
- Nonimmigrant Information System (NIIS)
- Suspect and Violator Indices (SAVI)
- Department of State visa databases
- Treasury Enforcement Communications System (TECS) crossing data and seizure data
- The information from the databases is compared against information on watch lists, outstanding “wants” or warrants, criminal records, and information from other government agencies regarding high-risk parties by applying "name matching" rules. Additional risk-based rules are used, which were developed by analysts based on law enforcement data, intelligence, and patterns of suspicious activity identified through past investigations.4
- The retention period for data maintained by ATS-P is not to exceed fifteen years, a reduction from the previous forty-year standard. After seven years of inactivity, all data is flagged as dormant and, for the following eight years, can only be accessed by a senior DHS officer.5
- Any U.S. or non-U.S. citizen can seek access to her personally identifiable information and records maintained in ATS-P by submitting a request to the CBP FOIA Division (see the CBP FOIA Reference Guidefor help). However this information will not contain “certain business confidential information of the air carrier that is also contained in the record” or information obtained from “official sources,” leaving it unclear whether any information that did not originate with the traveler herself would be revealed.
- FOIA requests should be mailed to U.S. Customs and Border Protection, FOIA Division, 799 9th Street NW, Mint Annex, Washington, DC 20229-1177. The phone number for the FOIA office is (202) 325-0150.
- Requests must conform to the rules laid out in 6 C.F.R. Part 5 for requesting access to Freedom of Information Act and Privacy Act records. The House Committee on Government Reform has published a Citizen's Guide to FOIA and Privacy Act requests, which also includes form request letters. The DHS also provides an online guideto submitting document requests.
- Requests must include your name and mailing address, while phone number and email address are suggested so that officers will be able to contact you with questions and help expedite request processing.
- Requests must provide as much information as possible regarding the subject matter and should describe the desired documents. Other privacy advocates have provided additional help in drafting a FOIA request letter.
- The CBP charges fees for processing re quests and photocopying documents. If you do no specify the maximum amount you are willing to pay in fees, the CBP will assume you are willing to pay up to $25 and will notify you if your request is estimated to exceed that amount. You may request a fee waiver under certain circumstances.
- Because ATS-P only maintains PNR data and compares it to data from other databases, some passengers may not know where certain data originates. These passengers can seek redress through the DHS Traveler Redress Program (TRIP), a single point of contact for individuals who have inquiries or seek resolution regarding difficulties they experienced during their travel screening at transportation hubs, such as being improperly denied entry, refused boarding for transportation, or identified for additional screening by CBP. Through TRIP, a traveler can request correction of erroneous PNR data stored in ATS and other data stored in other DHS databases through one application. Redress requests can be filed online from the DHS TRIP webpage.
- DHS claims that it only discloses information to those authorities who have a legal purpose to use the data, intend to use the information consistent with the purpose for which CBP collects it or for another legally required function, such as GAO oversight and ongoing IT maintenance, and has sufficient capability to protect and safeguard it.6
- All records are required to be protected from unauthorized access through various administrative, physical, and technical safeguards, including: restricting access to those with "need to know" status; using locks, alarm devices, and passwords; compartmentalizing databases; auditing software; and encrypting data communications.7
- A large number of rules are included in the ATS modules, which “encapsulate sophisticated concepts of business activity that help identify suspicious or unusual behavior.” The ATS rules are constantly evolving to both meet new threats and refine existing rules. ATS applies the same methodology to all individuals to preclude any possibility of disparate treatment of individuals or groups. ATS is consistent in its evaluation of risk associated with individuals and is used to support the overall CBP law enforcement mission.8 The actual content of the rules has never been publicly disclosed.
- 1. U.S. Dept. of Homeland Security, Privacy Impact Assessment for the Automated Targeting System 5 (Aug. 3, 2007).
- 2. Id. at 7, 33.
- 3. Id. at 5.
- 4. Id. at 3, 5, 12.
- 5. Id. at 13; Notice of Privacy Act System of Records for the Automated Targeting System, 72 Fed. Reg. 43655 (Aug. 6, 2007).
- 6. Notice of Privacy Act System of Records at 43654.
- 7. Id.
- 8. Privacy Impact Assessment at 4.