Automated Targeting System


The Automated Targeting System (ATS) is a United States Department of Homeland Security computerized system that, for every person who crosses U.S. borders, scrutinizes a large volume of data related to that person (see below) and then automatically assigns a rating that is expected to help gauge whether that person may be placed within a risk group of terrorists or other criminals. Similarly, ATS analyzes data related to container cargo. [1]


These ratings take many details into account, such as country of origin, how travel to the U.S. was funded, and the visitor's driving record. Other more mundane details also factor in, such as where the person is sitting on the flight and what they ordered for their meal.

The existence of such a system was first discovered by the public in November 2006, when a mention of it appeared in the Federal Register. The system was first implemented in the late 1990s and was significantly expanded shortly after the 9/11 terrorist attacks.

Exemption from Privacy Act

Following the controversial Passenger Name Record agreement signed with the European Union (EU) in 2007, the Bush administration proposed to exempt the Automated Targeting System from the requirements of the 1974 Privacy Act for access to records and for an accounting of disclosures. [2] Those proposed exemptions were finalized on February 3, 2010. [3]

Litigation

Lawsuits have been filed under both the Privacy Act and the Freedom of Information Act (FOIA) seeking disclosure of information about ATS as well as records from ATS dossiers about individuals.

EFF v. Department of Homeland Security

On December 19, 2006, the Electronic Frontier Foundation's FOIA Litigation for Accountable Government (FLAG) project filed suit against the Department of Homeland Security under FOIA, demanding "immediate answers about an invasive and unprecedented data-mining system deployed on American travelers." [4]

Shearson v. Department of Homeland Security

In June 2006, Julia Shearson, Executive Director of the Cleveland Chapter of the Council on American Islamic Relations (CAIR), filed suit pro se against the DHS under the Privacy Act, seeking disclosure of records about herself from ATS and the correction of erroneous records falsely characterizing her as a terrorist. [5]

In 't Veld v. Department of Homeland Security

On July 1, 2008, the EFF FLAG project filed suit against the DHS under FOIA on behalf of Sophie In 't Veld, a Member of the European Parliament from the Netherlands, seeking disclosure of records about herself from ATS and other systems of records. [6]

Hasbrouck v. U.S. Customs and Border Protection

On August 25, 2010, Edward Hasbrouck of the Identity Project (PapersPlease.org) filed suit against CBP under the Privacy Act and FOIA, seeking disclosure of records about himself from ATS, information about how ATS records are retrieved, and records related to the processing of his previous Privacy Act requests and appeals for ATS records. Mr. Hasbrouck was represented by the First Amendment Project. [7]

Gellman v. Department of Homeland Security et al.

On April 4, 2016, Pulitzer Prize-winning journalist Barton Gellman filed suit against DHS and other Federal agencies under the Privacy Act and FOIA, seeking disclosure of records about himself including "ticket and flight information, Passenger Name Records, records pertaining to inspections... [and] any other data collected and/or stored by ATS-P." Mr. Gellman was represented by the Reporters Committee for Freedom of the Press. [8]

Opposition

Organizations and security experts have expressed opposition to the system, citing concerns about reliability and undue scrutiny.

The American Civil Liberties Union had similar concerns:

"Never before in American history has our government gotten into the business of creating mass 'risk assessment' ratings of its own citizens," said Barry Steinhardt, Director of the ACLU's Technology and Liberty Project. "That is a radical new step with far-reaching implications – but one that has been taken almost thoughtlessly by expanding a cargo-tracking system to incorporate human beings, and with little public notice, discussion, or debate." [9]

The Association of Corporate Travel Executives (ACTE) requested an immediate suspension of the program, stating:

While ATS is undoubtedly raising red flags among privacy advocates and other groups that question the legality and intent of such programs, ACTE is primarily concerned with the economic impact this initiative will have on the business travel community. Delays, missed flights, canceled meetings, and potential arrests will generate staggering costs. In an ACTE survey dating to 2004, 97 percent of respondents stated that programs like this will have a negative impact on travel. This could very well be the impetus for businesses to fully explore alternatives to travel. [10]

Bruce Schneier, noted security specialist and writer, wrote about ATS:

There is something un-American about a government program that uses secret criteria to collect dossiers on innocent people and shares that information with various agencies, all without any oversight. It's the sort of thing you'd expect from the former Soviet Union or East Germany or China. And it doesn't make us any safer from terrorism. [11]

The Electronic Frontier Foundation expressed their concerns:

The Automated Targeting System (ATS) will create and assign "risk assessments" to tens of millions of citizens as they enter and leave the country. Individuals will have no way to access information about their "risk assessment" scores or to correct any false information about them. But once the assessment is made, the government will retain the information for 40 years -- as well as make it available to untold numbers of federal, state, local, and foreign agencies in addition to contractors, grantees, consultants, and others. [12]

The Identity Project (Papersplease.org) filed a series of formal comments [13] objecting to the ATS:

The Identity Project has filed comments with the DHS, objecting to this proposal. Among other things, we’ve pointed out that Congress has expressly forbidden the DHS from spending a penny on any system like this to assign risk scores to airline passengers, and that the Privacy Act forbids any Federal agency from collecting information about how we exercise rights protected by the First Amendment — like our right to travel — except as expressly directed by Congress. [14]


Related Research Articles

United States Department of Homeland Security: United States federal department

The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terrorism, border security, immigration and customs, cyber security, and disaster prevention and management.

The Electronic Privacy Information Center (EPIC) is an independent nonprofit research center established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Based in Washington, D.C., their mission is to "secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation."

Privacy Act of 1974

The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency record-keeping requirements. Additionally, because people are granted the right to review what was documented under their name, they are also able to find out whether the "records have been disclosed" and are given the right to make corrections.

Freedom of Information Act (United States): 1967 US statute regarding access to information held by the US government

The Freedom of Information Act, 5 U.S.C. § 552, is the United States federal freedom of information law that requires the full or partial disclosure of previously unreleased or uncirculated information and documents controlled by the U.S. government, state, or other public authority upon request. The act defines agency records subject to disclosure, outlines mandatory disclosure procedures, and includes nine exemptions that define categories of information not subject to disclosure. The act was intended to make U.S. government agencies' functions more transparent so that the American public could more easily identify problems in government functioning and put pressure on Congress, agency officials, and the president to address them. The FOIA has been changed repeatedly by both the legislative and executive branches.

The Computer-Assisted Passenger Prescreening System (CAPPS) is a counter-terrorism system in place in the United States air travel industry that matches passenger information with other data sources. The United States Transportation Security Administration (TSA) maintains a watchlist, pursuant to 49 USC § 114 (h)(2), of "individuals known to pose, or suspected of posing, a risk of air piracy or terrorism or a threat to airline or passenger safety." The list is used to pre-emptively identify terrorists attempting to buy airline tickets or board aircraft traveling in the United States, and to mitigate perceived threats.

Securities Exchange Act of 1934: 1934 U.S. legislation establishing rules and regulatory bodies for financial markets

The Securities Exchange Act of 1934 is a law governing the secondary trading of securities in the United States of America. A landmark of wide-ranging legislation, the Act of '34 and related statutes form the basis of regulation of the financial markets and their participants in the United States. The 1934 Act also established the Securities and Exchange Commission (SEC), the agency primarily responsible for enforcement of United States federal securities law.

Public records are documents or pieces of information that are not considered confidential and generally pertain to the conduct of government.

Secure Flight is an airline passenger pre-screening program, implemented from August 2009 by the United States Transportation Security Administration (TSA). Secure Flight matches passenger information against watch lists maintained by the federal government. The initial implementation phase of Secure Flight resulted in the complete transfer of responsibility for passenger watch list matching to TSA from aircraft operators whose flights operate within the United States. The second phase of Secure Flight will result in the transfer of responsibility for passenger watch list matching to TSA for flights into, out of, and over the United States.

In the United States, fusion centers are designed to promote information sharing at the federal level between agencies such as the Federal Bureau of Investigation, the U.S. Department of Homeland Security, the U.S. Department of Justice, and state, local, and tribal law enforcement. As of February 2018, the U.S. Department of Homeland Security recognized 79 fusion centers. Fusion centers may also be affiliated with an emergency operations center that responds in the event of a disaster.

Hugo Teufel III: American lawyer

Hugo Teufel III is an American lawyer and former government official.

Investigative Data Warehouse (IDW) is a searchable database operated by the FBI. It was created in 2004. Much of the nature and scope of the database is classified. The database is a centralization of multiple federal and state databases, including criminal records from various law enforcement agencies, the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), and public records databases. According to Michael Morehart's testimony before the House Committee on Financial Services in 2006, the "IDW is a centralized, web-enabled, closed system repository for intelligence and investigative data. This system, maintained by the FBI, allows appropriately trained and authorized personnel throughout the country to query for information of relevance to investigative and intelligence matters."

Sensitive security information

Sensitive security information (SSI) is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.

Chief Privacy Officer, Department of Homeland Security is an appointed position within the United States Department of Homeland Security, which is part of the federal government of the United States. The chief privacy officer also serves as the chief Freedom of Information Act (FOIA) officer at the Privacy Office of the U.S. Department of Homeland Security.

The EINSTEIN System is a network intrusion detection and prevention system that monitors the networks of US federal government departments and agencies. The system is developed and managed by the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security (DHS).

In the United States, border security includes the protection of ports, airports, and the country's 3,017-mile (4,855 km) land border with Canada and 1,933-mile (3,111 km) border with Mexico. The U.S. concept of border security is deeply entwined with the persistent actual or perceived threat of terrorism, as well as more universal concerns such as immigration control, smuggling, and human trafficking. As such, the U.S. federal government is constantly reevaluating and adjusting its border security policies to reflect the perceived threats posed to the United States.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

Risk Management Framework

The National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems, developed by the National Institute of Standards and Technology. The RMF provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.

Presidential Policy Directive 20 (PPD-20) provides a framework for U.S. cybersecurity by establishing principles and processes. Signed by President Barack Obama in October 2012, this directive supersedes National Security Presidential Directive NSPD-38. Integrating cyber tools with those of national security, the directive complements NSPD-54/Homeland Security Presidential Directive HSPD-23.

Cybersecurity Information Sharing Act

The Cybersecurity Information Sharing Act is a United States federal law designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on October 27, 2015. Opponents question CISA's value, believing it will move responsibility from private businesses to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.

A Privacy Impact Assessment (PIA) is a process that assists organizations in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships, etc. It benefits various stakeholders, including the organization itself and the customers, in many ways. In the United States and Europe, policies have been issued to mandate and standardize privacy impact assessments.

References

  1. James Giermanski (June 25, 2008). "Container Security: Is the Layered Approach Working?" (PDF). CSO online.com.
  2. Statewatch, US changes the privacy rules to exemption access to personal data September 2007
  3. PapersPlease.org, DHS exempts dossiers used for "targeting" from the Privacy Act February 2010
  4. Press Releases: December, 2006 | Electronic Frontier Foundation Archived December 31, 2006, at the Wayback Machine
  5. DHS can't opt out of liability for violating the Privacy Act | PapersPlease.org: April 21, 2011
  6. European Lawmaker Sues U.S. Agencies to Obtain Travel-Related and Other Personal Information: Lawsuit Tests U.S. Assurances of Access Rights for EU Citizens | Electronic Frontier Foundation: July 1, 2008
  7. Edward Hasbrouck v. U.S. Customs and Border Protection | PapersPlease.org
  8. "Complaint for Declaratory and Injunctive relief". Barton Gellman v. Department of Homeland Security et al. April 4, 2016. p. 58 (Exhibit C). Retrieved 12 April 2016.
  9. American Civil Liberties Union : ACLU Calls on DHS to Withdraw Plan For Tagging Americans With 40-Year "Risk Assessments"
  10. ACTE.org Archived September 27, 2007, at the Wayback Machine
  11. Schneier on Security: Automated Targeting System
  12. Press Releases: November, 2006 | Electronic Frontier Foundation Archived December 2, 2006, at the Wayback Machine
  13. Policy Analysis: ATS | PapersPlease.org
  14. Every traveler is a target: December 5, 2006 | PapersPlease.org