"Automated Targeting System" redux

In November 2006, the USA Department of Homeland Security (DHS) revealed the existence of a so-called Automated Targeting System (ATS) of lifetime government dossiers on millions of international travellers to and from the USA, including airline reservations obtained (by unspecified means) from international airlines, as well as a wide range of other commercial and government records. This system had already been in operation, secretly, for several years, in flagrant violation of specific prohibitions in Federal laws.

Eight months later, despite Congrssional hand-wringing, nothing has been done to shut this system down, terminate the creation of new personal dossiers and new entries in existing files, or destroy the massive existing government archive of travel records. The system continues to operate and the dossiers continue to grow.

The DHS provided a pro forma opportunity for the public to “comment” on this proposal. The Identity Project , among other individuals and organizations, submitted two sets of comments here and here pointing out that the ATS was and is expressly forbidden by law and that its operation is a Federal crime, and requesting that the system be shut down, the existing dossiers be destroyed, and the responsible government officials be procecuted for their crimes.

We aren’t surprised that none of this has happened.

Instead, this week the DHS published its official response to the public comments (including ours), along with proposals for minor changes to the ATS — the more significant of which changes would make the system even worse, and keep even more of the information in its records secret from the people against whom this derogatory information is being used.

The DHS response to comments, revised “System of Records Notice” (SORN), and notice of proposed changes and additonal exemptions from release of ATS records were published 6 August 2007 at 72 Federal Register 43567 and elsewhere in the same issue of the Federal Register, and are available at Regulations.gov under docket ID “DHS-2007-0043”, and with additional background documents (and a misleading press release) here on the DHS Web site.

The Discussion of Public Comments Received is perhaps the most disingenuous portion of Monday’s package of official publications related to the ATS. The DHS ignores many of the most significant comments (for example, those related to the criminal violations of the Privacy Act), and dismisses others out of hand, without meaningful analysis or response.

For example, the DHS responds to our specific complaints that the ATS violates the Airline Deregulation Act (which specifically recognizes “the public right of transit” by air and requires airlines to operate as common carriers) and Article 12 of the International Covenant on Civil and Political Rights by saying that “Neither of these purports to restrict or otherwise affect CBP’s use of ATS to carry out CBP’s mission to protect the United States against terrorism and enforce U.S. laws”. There’s no mention in the DHS “response” of the specific, detailed citations we made to specific sections of these laws and treaties and specific official interpretations of their meaning as applied to actions purportedly taken in the name of law enforcement and protection against terrorism.

The DHS does now admit, in response to our comments, that the ATS includes dossiers on travel agents, and not just on travellers. So travel agents can, and should, now request copies of what files about them are being kept in the ATS records — including every international PNR they have booked in the last several years that includes flights to or from the USA. But the DHS still fails to mention any of the other categories of people about whom recrods are being kept, such as those who pay for other people’s tickets. And, as I’ve already noted, the DHS fails to acknowledge or act on the fact that the initial lack of notice to travel agents was a crime under the Privacy Act.

The most significant of the latest proposals for changes in the ATS rules is that which would exempt from disclosure all information in reservation records (PNRs) except that information provided on travellers’ own behalf.

In other words, under the proposed new rules, travellers who request their ATS dossiers would receive only the information they provided themselves or are most likely to know already, and not any of the derogatory information about them entered into their PNRs by third parties, and which the DHS or other users of ATS may be relying on to make decisions against them, such as to subject them to more intrusive border searches or interrogation.

Of course, it’s the third-party derogatory information that it is most important to disclose to requesters. I’m already likely to know in what name my reservations were made, but I want to know what free-text “remarks” from a travel agent or airline customer service person might have been entered into my DHS permanent file. That won’t be possible if the proposed rules changes are put into effect.

It’s not clear if this proposed new and additional secrecy is the idea of the DHS or of the airlines, since the proposed new rule includes in the information to be withheld “business confidential information received in the PNR from the air and vessel carriers”. There’s no definition or criteria in the proposed rules for “business confidential information”, effectively allowing airlines not only to maintain their own secret private “no-fly lists” or watch lists (in violation of their legal obligations under the Airline Dergulation Act as common carriers) but also secretly to get them acted on by the government and other airlines by including them in remarks in PNRs entered into ATS dossiers.

Finally, the latest publications contradict themselves by including “risk asessments” in the records to be maintained in the ATS-P (passenger records) system and exempted from disclosure, while claiming elsewhere in the same set of documents that the ATS-P system does not create or maintain risk assessments (a claim made, presumably, to evade the clear mandate of Congress not to operate systems that assign risk assessments to passengers).

Comments on the latest set of notices and revisions can be submitted until 5 p.m. Washington time (GMT - 3) on 5 September 2007 through Regulations.gov under docket number DHS-2007-0043 (watch out for buggy browser-specific comment submission code on the Web site), or by fax or snail mail. You do not have to be a citizen or resident of the USA to submit comments, and you can submit comments anonymously.

[Update, 5 September 2007: Comments filed by the Identity Project.]

[Further update, 9 September 2007: Traveler Assessments Little Altered, by Michael J. Sniffen, Associated Press: “The passenger name records contain the passenger’s name and usually address and telephone number, but there is no fixed standard. Most of the records include payment data, baggage information, seat assignment and whether special meals for Hindus, Muslims or Jews were requested. Ed Hasbrouck, a travel agent and privacy advocate, said many travel agents, including Expedia or Travelocity online, can add to those records the names of traveling companions and hotel reservations, including the number of rooms and beds requested. A different section can include remarks by the ticket seller like “difficult customer - always changing his mind,’” Hasbrouck said”.]