This case arises out of an EPIC Freedom of Information Act (“FOIA”) request for records relating to the U.S. Customs and Border Protection’s (“CBP”) Analytical Framework for Intelligence (“AFI”). CBP uses AFI to analyze personally identifiable information from a variety of sources, including government databases, commercial data brokers, and other Internet sources. These databases contain detailed personal information, subject to the Privacy Act, that are combined with secret, analytic tools to assign “risk assessments” to travelers, including U.S. citizens traveling solely within the United States.
EPIC pursued this FOIA request to make public the agency’s use of personal information for automated profiling as well as the chilling effect of First Amendment protected activities. Both activities may violate the Federal Privacy Act; the disclosure of the documents sought by EPIC is of utmost importance to the public and Congressional oversight committees.
According to the AFI Privacy Impact Assessment, the Agency maintains six categories of data, each of which contains personally identifiable information: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. AFI further “collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems.” AFI contains personally identifiable information including full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security number, vehicle information, travel information, document information, passport information, law enforcement records, and familial and other contact information. AFI became operational in August 2012.
Some of the “DHS-owned” data within AFI comes from the Automated Targeting System (“ATS”). According to a 2012 Federal Register notice, in addition to the data amassed from ATS, CBP uses AFI to “provide AFI analysts with different tools that assist in detecting trends, patterns, and emerging threats, and in identifying non-obvious relationships.” According to the agencies, DHS and CBP use individual information within ATS to make “risk assessments” on individuals that travel to, through, and from the United States or “other locations where CBP maintains an enforcement or operational presence by land, air, or sea.” These risk assessments are assigned to U.S. citizens. CBP uses “Automated Targeting System” risk assessments to “signal to CBP officers that further inspection of a person, shipment, or conveyance may be warranted, even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement.” CBP uses initial “risk-based” assessment matches and subsequent matches “to confirm continued official interest in the identified person.”
CBP uses a variety of personally identifiable information within ATS to perform risk assessments, including name, address, Social Security number, gender, nationality, race, and biometric information. ATS also contains information generated by CBP, including “law enforcement or intelligence information regarding an individual” and “risk-based rules developed by analysts to assess and identify high-risk cargo, conveyances, or travelers that should be subject to further scrutiny or examination.”
Individuals having information within ATS are not notified of their risk assessment because DHS has exempted ATS from the “notification, access, amendment, and certain accounting procedures of the Privacy Act[.]”
EPIC’s Interest in AFI
EPIC has highlighted the problems inherent in passenger profiling systems like ATS and AFI in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as “the 9/11 Commission”), EPIC President Marc Rotenberg explained, “there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended.”
The Automated Targeting System mines a vast amount of data to create a “risk assessment” on hundreds of millions of people per year, a label that will follow them for the rest of their lives.
On April 8, 2014, EPIC submitted a FOIA request asking for:
(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;
(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;
(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and
(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.