EPIC v. CBP (Analytical Framework for Intelligence)


This case arises out of an EPIC Freedom of Information Act ("FOIA") request for records relating to the U.S. Customs and Border Protection’s (“CBP”) Analytical Framework for Intelligence ("AFI"). CBP uses AFI to analyze personally identifiable information from a variety of sources, including government databases, commercial data brokers, and other Internet sources. These databases contain detailed personal information, subject to the Privacy Act, that are combined with secret, analytic tools to assign “risk assessments” to travelers, including U.S. citizens traveling solely within the United States.

EPIC pursued this FOIA request to make public the agency's use of personal information for automated profiling as well as the chilling effect of First Amendment protected activities. Both activities may violate the Federal Privacy Act; the disclosure of the documents sought by EPIC is of utmost importance to the public and Congressional oversight committees.

Top News


According to the AFI Privacy Impact Assessment, the Agency maintains six categories of data, each of which contains personally identifiable information: DHS-owned data, other government agency data, information from commercial data aggregators, analyst-created data, analyst-provided data, and index information. AFI further “collects identity and imagery data from several commercial data aggregators. . . [to] cross-reference that information with the information contained in DHS-owned systems.” AFI contains personally identifiable information including full name, address, age, gender, race, physical characteristics, marital status, residency status, country of citizenship, city and country of birth, date of birth, Social Security number, vehicle information, travel information, document information, passport information, law enforcement records, and familial and other contact information. AFI became operational in August 2012.

Some of the “DHS-owned” data within AFI comes from the Automated Targeting System (“ATS”). According to a 2012 Federal Register notice, in addition to the data amassed from ATS, CBP uses AFI to “provide AFI analysts with different tools that assist in detecting trends, patterns, and emerging threats, and in identifying non-obvious relationships.” According to the agencies, DHS and CBP use individual information within ATS to make “risk assessments” on individuals that travel to, through, and from the United States or “other locations where CBP maintains an enforcement or operational presence by land, air, or sea.” These risk assessments are assigned to U.S. citizens. CBP uses “Automated Targeting System” risk assessments to “signal to CBP officers that further inspection of a person, shipment, or conveyance may be warranted, even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement.” CBP uses initial “risk-based” assessment matches and subsequent matches “to confirm continued official interest in the identified person.”

CBP uses a variety of personally identifiable information within ATS to perform risk assessments, including name, address, Social Security number, gender, nationality, race, and biometric information. ATS also contains information generated by CBP, including “law enforcement or intelligence information regarding an individual” and “risk-based rules developed by analysts to assess and identify high-risk cargo, conveyances, or travelers that should be subject to further scrutiny or examination.”

Individuals having information within ATS are not notified of their risk assessment because DHS has exempted ATS from the “notification, access, amendment, and certain accounting procedures of the Privacy Act[.]”

EPIC's Interest in AFI

EPIC has highlighted the problems inherent in passenger profiling systems like ATS and AFI in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as "the 9/11 Commission"), EPIC President Marc Rotenberg explained, "there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended."

The Automated Targeting System mines a vast amount of data to create a "risk assessment" on hundreds of millions of people per year, a label that will follow them for the rest of their lives.

EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional.

EPIC has a longstanding interest in algorithmic transparency and ending secret profiling of individuals.

EPIC's Freedom of Information Act Request

On April 8, 2014, EPIC submitted a FOIA request asking for:

(1) All AFI training modules, request forms, and similar final guidance documents that are used in, or will be used in, the operation of the program;

(2) Any records, memos, opinions, communications, or other documents that discuss potential or actual sources of information not currently held in DHS databases, or potential or actual uses of information not currently held in DHS databases;

(3) Any records, contracts, or other communications with commercial data aggregators regarding the AFI program; and

(4) The Privacy Compliance Report initiated in August 2013 by the DHS Privacy Office.

FOIA Documents

Legal Documents

EPIC v. Customs and Border Protection, No. 14-cv-01217 (D.D.C. filed July, 18, 2014)

EPIC v. CBP, No. 17-5078 (D.C. Cir. filed Apr. 18, 2017)


News Reports

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency