DHS exempts dossiers used for “targeting” from the Privacy Act

In a final rule published last week at 75 Federal Register 5487-5481, the Customs and Border Protection (CBP) division of the Department of Homeland Security has exempted most of the data used by the illegal “Automated Targeting System - Passenger” (ATS-P) from the various requirements of the Privacy Act that information used to make decisions about individuals must be accessible to them on request, accurate, relevant, collected directly from the data subjects whenever possible, and so forth.

The proposal to exempt ATS records from the Privacy Act has been pending for more than two years. In the final rule, the Obama administration adopts, with no changes whatsoever, all of the exemptions proposed by the DHS under the previous administration.  The analysis accompanying the final rule acknowledges, but dismisses more or less out of hand, our comments from two years ago objecting to the proposed exemptions as illegal.  (These followed two sets of comments we filed in 2006, when the ATS itself was first disclosed, objecting to the entire system as illegal.)

On the same day last week, the DHS published a separate final rule similarly exempting from the Privacy Act portions of the “Border Crossing Information” (BCI) system, a log of each person’s entries to and exits from the U.S. which was first disclosed as a part of ATS before being declared a separate system of records. The final BCI exemption rule similarly adopted all of the proposals the previous administration has proposed in 2008, and dismissed our objections to its illegality out of hand.

You can still request your own ATS and other travel records from the DHS.  Even if the newly-promulgated exemptions are upheld, they leave you entitled to substantial portions of your ATS dossier.  We are continuing to pursue our own pending Privacy Act requests and appeals, some of which are themselves more than two years old and all of which were made before the new exemptions were finalized and thus are not subject to the “exemptions”.

The Privacy Act gives agencies the authority to exempt certain types of information, by rulemaking, from certain of the requirements of the Privacy Act.  The rules published last week are, however, the first time that the DHS has attempted to  exercise this authority with request to ATS records.

In the meantime, the CBP has simply ignored the Privacy Act and its lack of exemptions entirely: Every response we have seen to a request pursuant to the Privacy Act for PNR or other ATS data has been processed by the CBP under the Freedom of Information Act (FOIA) instead of the Privacy Act.  Information exempt from disclosure under FOIA has been withheld or redacted, citing specific FOIA exemptions, even when that same information was required by the Privacy Act to be disclosed. This has been in flagrant violation of the Privacy Act, which has different disclosure requirements and exemptions which only partially overlap with those of FOIA. So far as we know, however, CBP and DHS have never responded to a Privacy Act appeal of these wihtholdings and redactions at all — some of our Privacy Act appeals are more than two years old — and while there have been several lawsuits under FOIA concerning ATS data, there have been none yet under the Privacy Act.

Our primary objection is to the very existence of a system under which the government requires common carriers to identify each would-be traveler and get the government’s permission (”clearance”) before they can travel.  Such a scheme is made far worse, however, when those “fly/no-fly” or “cleared/inhibited/not cleared” decisions are made not only in secret by unknown bureaucrats, not judges, and on the basis of secret files about each citizen.

The new exemptions, applicable to future requests for ATS records, are sweeping.  But we are particularly disturbed that the exemption rules purport to authorize the DHS to collect and use an entirely undefined and open-ended category of commercial data obtained from airlines as part of their Passenger Name Records (PNR), and withhold that commercial data, on grounds of “business confidentiality”, from the would-be travelers against whom it is used.

That exemption for commercial data in PNRs creates a limitless loophole through which the DHS could secretly make use, in passenger profiling and “targeting” decisions, of commercial data of any sort.  As long as it is channeled to the DHS through inclusion in PNRs (which as commercial records are themselves subject to no U.S. privacy or disclosure requirements at all), the DHS could base passenger “targeting” decisions on derogatory free-text remarks by customer service representatives, commercial blacklists, credit scores, or records or ratings by data aggregators.  But those are not legal grounds to prevent travel by common carrier.

8 Responses to “DHS exempts dossiers used for “targeting” from the Privacy Act”

  1. Papers, Please! » Blog Archive » European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data Says:

    [...] Papers, Please! Challenging ID Demands The Identity Project explores and defends the fundamental American right to move freely around our country and to live without constantly having to prove who we are or why we are here. Home The Issue Who We Are What We Do Secure Flight Featured Cases Policy Analysis Lawyer’s Corner Take Action Press Room Contact Us Friends « DHS exempts dossiers used for “targeting” from the Privacy Act [...]

  2. Papers, Please! » Blog Archive » DHS shifting from national origin to ID-based passenger profiling Says:

    [...] practice greatly increases the significance of the DHS’s decision in February of this year to exempt much of the information in PNRs, including derogatory personal information submitted by travel companies without travelers’ [...]

  3. Papers, Please! » Blog Archive » DHS “update” still misstates compliance with EU agreement on PNR data Says:

    [...] the final rule, as we’ve previously discussed and to which we formally objected when it was first proposed in 2008, this data — which the [...]

  4. Papers, Please! » Blog Archive » European Parliament hands DHS a setback on access to PNR data Says:

    [...] permission-based travel control, and secret “fly/no-fly” decision-making based on secret dossiers (including lifetime travel histories but also other data withheld from those against…, that both houses of Congress, and the DHS, have to date [...]

  5. Papers, Please! » Blog Archive » European Commission wants to immunize DHS collaborators in travel surveillance and control Says:

    [...] protection of personal data and information.” There is no basis for such a claim. The DHS has exempted its PNR database from the protections of the Privacy Act, even for U.S. citizens. No privacy or data protection laws [...]

  6. EU-US deal on passenger name records? | Orphans of Liberty Says:

    [...] and protection of personal data and information.” There is no basis for such a claim. The DHS has exempted its PNR database from the protections of the Privacy Act, even for U.S. citizens. No privacy or data protection laws [...]

  7. Papers, Please! » Blog Archive » Our reply to DHS claims that travel dossiers are exempt from the Privacy Act Says:

    [...] and his appeal of the government’s failure to respond — CBP had the right to issue new regulations retroactively exempting itself from any obligation to respond to the pending request or appeal, to [...]

  8. Papers, Please! » Blog Archive » More US lies to the European Parliament Says:

    [...] most obvious problem is that the US DHS has exempted its “Automated Targeting System”, which contains lifetime travel histories compiled [...]

Leave a Reply