This case arises out of an EPIC Freedom of Information Act (“FOIA”) request for records relating to the U.S. Customs and Border Protection’s (“CBP”) Analytical Framework for Intelligence (“AFI”). CBP uses AFI to analyze personally identifiable information from a variety of sources, including government databases, commercial data brokers, and other Internet sources. These databases contain detailed personal information, subject to the Privacy Act, that are combined with secret, analytic tools to assign “risk assessments” to travelers, including U.S. citizens traveling solely within the United States.
EPIC pursued this FOIA request to make public the agency’s use of personal information for automated profiling as well as the chilling effect of First Amendment protected activities. Both activities may violate the Federal Privacy Act; the disclosure of the documents sought by EPIC is of utmost importance to the public and Congressional oversight committees.
According to the AFI Privacy Impact Assessment, the Agency maintains six categories of data, each of which contains personally identifiable information: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. AFI further “collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems.” AFI contains personally identifiable information including full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security number, vehicle information, travel information, document information, passport information, law enforcement records, and familial and other contact information. AFI became operational in August 2012.
Some of the “DHS-owned” data within AFI comes from the Automated Targeting System (“ATS”). According to a 2012 Federal Register notice, in addition to the data amassed from ATS, CBP uses AFI to “provide AFI analysts with different tools that assist in detecting trends, patterns, and emerging threats, and in identifying non-obvious relationships.” According to the agencies, DHS and CBP use individual information within ATS to make “risk assessments” on individuals that travel to, through, and from the United States or “other locations where CBP maintains an enforcement or operational presence by land, air, or sea.” These risk assessments are assigned to U.S. citizens. CBP uses “Automated Targeting System” risk assessments to “signal to CBP officers that further inspection of a person, shipment, or conveyance may be warranted, even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement.” CBP uses initial “risk-based” assessment matches and subsequent matches “to confirm continued official interest in the identified person.”
CBP uses a variety of personally identifiable information within ATS to perform risk assessments, including name, address, Social Security number, gender, nationality, race, and biometric information. ATS also contains information generated by CBP, including “law enforcement or intelligence information regarding an individual” and “risk-based rules developed by analysts to assess and identify high-risk cargo, conveyances, or travelers that should be subject to further scrutiny or examination.”
Individuals having information within ATS are not notified of their risk assessment because DHS has exempted ATS from the “notification, access, amendment, and certain accounting procedures of the Privacy Act[.]”
EPIC has highlighted the problems inherent in passenger profiling systems like ATS and AFI in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as “the 9/11 Commission”), EPIC President Marc Rotenberg explained, “there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended.”
The Automated Targeting System mines a vast amount of data to create a “risk assessment” on hundreds of millions of people per year, a label that will follow them for the rest of their lives.
EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional.
EPIC has a longstanding interest in algorithmic transparency and ending secret profiling of individuals.
EPIC’s Freedom of Information Act Request
On April 8, 2014, EPIC submitted a FOIA request asking for:
(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;
(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;
(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and
(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.
EPIC v. Customs and Border Protection, No. 14-cv-01217 (D.D.C. filed July, 18, 2014)
- Court’s First Memorandum Opinion on Summary Judgment Motions (Feb. 17, 2017)
- Court’s Second Memorandum Opinion on Summary Judgment Motions (Mar. 24, 2017)
- EPIC’s Complaint (July 18, 2014)
- CBP’s Answer (Oct. 6, 2014)
- Status Report (Nov. 16, 2014)
- Status Report (Feb. 26, 2015)
- CBP Motion for Extension (May 15, 2015)
- EPIC Opposition to CBP’s Motion for Extension (May 16, 2015)
- CBP Cross-Motion for Summary Judgment (May 28, 2015)
- EPIC Cross-Motion and Opposition for Summary Judgment (June 29, 2015)
- CPB Combined Opposition and Reply (July 27, 2015)
- EPIC Reply (Aug. 10, 2015)
- Memorandum Opinion (Feb. 17, 2016)
- CBP Supplemental Motion for Summary Judgment (May 5, 2016)
- EPIC Motion for Summary Judgment and Opposition (June 3, 2016)
- CBP Reply (June 30, 2016)
- EPIC’s Notice of Appeal (Apr. 6, 2017)
- Notice of Settlement and Stipulation of Dismissal (Dec. 19, 2017)
- EPIC’s Statement of Issues (May 18, 2017)
- CBP Motion for Summary Affirmance (June 2, 2017)
- EPIC Opposition to Motion for Summary Affirmance (June 12, 2017)
- CBP Summary Affirmance Reply (June 29, 2017)
- Order (Aug. 1, 2017)
- Privacy Compliance Review of the U.S. Customs and Border Protection (CBP) Analytical Framework for Intelligence (AFI) (Dec. 19, 2014)
- Karen Neuman, 2013 Data Mining Report to Congress, Dep’t of Homeland Security, Privacy Office (Feb. 2014)
- Privacy Impact Assessment for the Analytical Framework for Intelligence (June 1, 2012)
- Spencer Woodman, Documents suggest Palantir could help power Trump’s ‘extreme vetting’ of immigrants, The Verge (Dec. 21, 2016)
- CBP – Analytical Framework for Intelligence, IT Dashboard.
- Mickey McCarter, Nebraska Ave.: Looking ahead in DHS IT, Homeland Security Today (Aug. 20, 2012),
- 2011 DHS Data Mining Report Review, PrivacyCast (Mar. 19, 2012)