Homeland Security's Automated Program of Risk Assessments for Travelers: Why It Fails to Sufficiently Protect Individual Privacy

On November 2, the Department of Homeland Security (DHS) revealed that it is currently assigning a "terrorist risk assessment" to every traveler in a huge database it maintains. The database, according to DHS, encompasses not only every single person who travels by plane, train, ship, car, truck or other vehicle to or from the U.S., but also operators and crew, and anyone engaged in any cargo import/export business dealing with the U.S.

It remains unclear exactly when the program - originally designed for screening cargo - began to be used to screen passengers, as well. News reports indicate this may have been going on for over four years.

Known as the Automated Targeting (ATS) system, the program stores its data for 40 years, during which it is accessible to a wide variety of international, national, and state agencies and contractors. Prominent among these is the Department of Customs and Border Protection (CBP).

Some of the risk assessment factors are, by themselves, quite innocent: traveling on a one-way ticket, sitting on the aisle, ordering a special meal, or visiting the Middle East. But when these factors are combined and plugged into the ATS system, innocent travelers may find themselves labeled as terrorist risks. Unsurprisingly, innocent business travelers and academics have already found themselves singled out for extra scrutiny, perhaps because they fit one or more of these factors.

Importantly, it is not yet known whether the program has a racial or ethic profiling component: Does having a Muslim- or Arabic-sounding surname increase one's risk assessment? Does travel that correlates with days and celebrations important to Arabs and Muslims, or the dates of key pilgrimages or ceremonies, increase one's risk assessment?

Under current law, even American citizens and legal permanent residents have no right to see ATS data, and no ability to correct it if it is erroneous. Nor can we see the risk assessments the government has generated. In addition, it seems that ATS is not in compliance with the federal Privacy Act. These serious problems of due process and privacy must be rectified as soon as possible.

Where Does the ATS Data Come From, What Is Its Content, and Who Can See It?

The ATS data comes from multiple sources including federal and commercial databases, data provided by people themselves, motor vehicle records and airlines' Passenger Name Record (PNR) data. A PNR may contain a passenger's name, address, telephone number, email addresses, itinerary, frequent-flier information, special meal requests, seat preferences, and the names of his or her traveling companions and travel agent.

According to the Electronic Privacy Information Center, hundreds of millions of persons' records are in the database. After all, in Fiscal 2005 alone, Customs and Border Protection "processed 431 million pedestrians and passengers, 121 million privately owned vehicles, and processed and cleared 25.3 million sea, rail, and truck containers."

Who can see these records? According to the Privacy Act notice, a very broad range of people and agencies - including not only federal and state governments, but also " local, tribal, or foreign governmental agencies or multilateral governmental organizations." That's right: Anyone from your deputy sheriff, to the government of Kazakhstan, to the United Nations can be given your records if they meet some very broad conditions.

There are many reasons why third parties can have access to ATS data. Here are some of the circumstances under which data can be shared: First, CBP can simply cite "a need to utilize relevant data for purposes of testing new technology and systems designed to enhance border security or identify other violations of law." Second, if CBP deems the relevant organization "responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license," it can simply cite a belief "that information would assist enforcement of civil or criminal laws."

And that's not all: DHS can also disclose travelers' data to courts, administrative tribunals; contractors, grantees, experts, consultants, and others performing or working on a government contract, service, or grant; any organization or person who might be a target of terrorist activity or conspiracy; the United States Department of Justice; and agencies or people when it appears that the security or confidentiality of their information has been compromised. And the list is longer than this.

The Problem with the ATS System: No Chance to Correct Errors and No Privacy Protections

A high risk assessment can mean invasive searches of one's person or personal belongings, or even being forbidden from traveling altogether. Yet the basis for that assessment is kept entirely secret, and immune from any attempt at error-correction.

Supposedly, individuals can write to the CBP Customer Satisfaction Unit if they believe there is an error in their records. But they may not even know their risk assessment is high until they are detained. Moreover, unless they can see their own profile, they may not be able to correct the errors it may contain that are leading them to wrongly be flagged as dangerous. This is not an issue of "Customer Satisfaction" - a trivializing name. It is an issue of individual privacy and, possibly, of racial, religious, and ethnic discrimination as well. It is also a Due Process issue: An issue about the basic right to have notice and a hearing when the government takes an action that affects you adversely.

DHS says that travelers can always simply correct underlying records. But this is only a partial, and potentially ineffective solution. Again, travelers may not even know that errors have been made, until they fall victim to them - or even that their data has been transferred by one entity to DHS . Moreover, corrections may take a long time to sift through into the DHS database.

Readers may be reminded of the now-defunct Total Information Awareness (TIA) program -- about which I wrote a previous column - and for good reason. TIA's objective was to collect as much information about individuals as possible and by using computer algorithms and human analysis detect potential terrorist activity. According to EPIC, "a key part of the design, as described by John Poindexter, was the ability of the government to assign a secret terrorist rating to each individual."

Sound familiar? Now, in yet another end run around Congress, the Administration, it turns out, has been using a TIA-like system, even though even the Republican-led Congress rejected TIA itself.

The Solution: No Exemption from Privacy Act Safeguards

The icing on the cake here is that DHS believes ATS is exempt from certain provisions of the Privacy Act, which requires that an individual be permitted access to personal information, and be permitted to correct and amend such information, and that an agency ensure that personal information is sufficiently reliable for its intended use.

The Privacy Act requires agencies to correct identified inaccuracies promptly, and to handle disputes between the agency and an individual as to the accuracy of the records. Error correction is an important cornerstone of Privacy Act safeguards. It also provides for judicial review. Individuals can sue to enforce its provisions.

Provisions 552a (j)(2) and (k)(2) of US Code Title 5 do allow Privacy Act exemptions when the data in question involves law enforcement or intelligence information. But these risk assessments should not be deemed to fall under these categories - after all, the whole point here is that innocent people are being wrongly targeted based on inaccurate information.

Moreover, even if risk assessments are deemed to fall under these categories, Congress should separately create Privacy-Act-like protections in this area. The chance of errors is too high, and their cost - blacklisting for at least forty years - is too high. Innocent people with incorrect risk assessments may also lose out on jobs in shipping and travel, lose licenses, and be shut out of certain government contracts and other opportunities.

Last year, by comparison, the TSA revealed that more than 30,000 people had asked the TSA to delete their names from no-fly or watch the lists since September 11, on the ground that they had been placed on such lists in error. Surely, a large proportion of these many requests have merit, and are based on genuine errors. But thus far, the TSA has not taken effective action to correct its lists. With this problem still lingering, it's no time for DHS to compound the problem by both admitting it has expanded the secret profiling of Americans, and refusing to do anything to ensure that its profiles are accurate and reliable.