Auditors from the Government Accountability Office who reviewed the “Automated Targeting System” (who’s a target? anyone who travels) concluded that the DHS Customs and Burder Protection division “has not fully disclosed or assessed the privacy impacts of its use of personal information during international passenger prescreening as required by law.”
CBP has published public notices and reports that describe certain elements of its international prescreening process, but these documents do not fully or accurately describe CBP’s use of personal data throughout the passenger prescreening process. It is important for CBP’s documentation to describe all of the steps of the prescreening process because the interrelationship of various steps of the process allows data to be transferred and used in ways that have not been fully disclosed.
CBP’s international prescreening process involves a wide range of procedures and data sources that CBP utilizes to determine passenger risk levels. According to a CBP official, to help make these prescreening decisions, CBP collects personal data from multiple sources (including passengers and government databases), and uses the data for several purposes, including identity matching against the government watch list, risk targeting, and passenger document validation. According to CBP, its officers also use commercial data, to a limited degree, to assist them in confirming a passenger’s identity when needed. CBP’s public disclosures about APIS and ATS do not describe all of the data inputs or the extent to which the data are combined and used in making prescreening decisions.
That’s one of the specific complaint the Identity Project made in our original and supplementary comments to the DHS in response to its (late and legally inadequate) notices about the targeting system. The GAO report on airline passenger “screening” was submitted to Congress, and to the DHS, in November 2006, but a censored (“redacted”) version wasn’t made public until this week.
As we pointed out in our comments, it’s a crime under the Privacy Act for a Federal official to operate a system of records — to keep dossiers on U.S. citizens or residents — without legal authority and proper notice. Now the government’s own auditors have confirmed that those running this system to target travelers are, indeed, criminals.
Are the DHS’s “Privacy Officers” capable of policing their own colleagues’ criminal violations of the Privacy Act? If not, will anyone else step in to hold them accountable? Or will the public have to take matters into our own hands, by refusing to comply with unlawful, unconstitutional demands to surrender our human rights and freedom of movement?