Jul 16 2012

Hasbrouck v. CBP dismissed. What have we learned?

We have stipulated to the dismissal of the remaining claims in Hasbrouck v. U.S. Customs and Border Protection, the Federal lawsuit in which the Identity Project had sought records of U.S. government surveillance and “targeting” of international travelers through the CBP “Automated Targeting System” (ATS).

The dismissal follows a ruling by U.S. District Court Judge Richard Seeborg in January of this year, dismissing some of our claims but ordering CBP to provide additional information about ATS records and to conduct additional searches to find more of the records we had requested or determine if they exist. (See our earlier analysis of the substance and significance of Judge Seeborg’s decision.)

Since January, as directed by Judge Seeborg, we have engaged in extensive negotiations with the government’s lawyers from CBP and the office of the local U.S. Attorney in San Francisco.

As a result of Judge Seeborg’s order:

  1. CBP provided us, in redacted form as shown on this supplemental Vaughn index, with several additional redacted documents which it had previously claimed didn’t exist or couldn’t be found, or which they had failed to search for despite our request for and entitlement to those records. These newly disclosed records include additional records related to Mr. Hasbrouck’s travels, in which his name was misspelled. The most recently-released of these are from 1997, and others released to Mr. Hasbrouck earlier in the case go back to 1992, long before any public disclosure of the existence of ATS. CBP had claimed that it was unlikely that a name in a Passenger Name Record (PNR) could be misspelled, but these new disclosures show that it can happen, that CBP is capable of “wildcard” searches for variant spellings, and that such a search is necessary for it to be reasonably likely to identify all records responsive to a request for PNR or other ATS data pertaining to an individual. All of these new records also cast doubt on CBP’s claims as to the completeness of its past responses. Prior CBP responses to requests for such records were likely incomplete, and should be renewed with a specific request to include possible misspellings in the search.
  2. After previously claiming that there were no records of the processing of Mr. Hasbrouck’s original Privacy Act requests and appeals, CBP provided us with “correspondence tracking sheets” showing that these Privacy Act requests (1) were logged and tracked solely as FOIA requests, not Privacy Act requests, (2) were logged as “closed” even while appeals were pending, and (3) do not mention some of the appeals, even when those appeals were received and signed for by CBP. Assuming that CBP is telling the truth, and these are the only records of Mr. Hasbrouck’s requests and appeals, they show that no record is kept of Privacy Act requests and that records of FOIA requests and appeals are incomplete and inaccurate. As a result, CBP’s records and reports cannot be relied on as accurate statements of how many such requests have been received; whether they have been granted, denied, or ignored; how long it has taken to process them; how many of them remain pending and unanswered; whether they have been appealed; or what, if any, action has been taken on those appeals.
  3. CBP provided two additional declarations purporting to explain why no other records responsive to our requests exist or could be found.  In part, these declarations are simply not credible, and would appear to be false and probably perjured. For example, CBP’s Shari Suzuki claims that it is impossible for CBP to search for PNR or other ATS data associated with a particular phone number without also supplying a name as part of the query. Although the software specifications and user guides were withheld from us pursuant to Judge Seeborg’s ruling that they are exempt  from disclosure, it’s unlikely that CBP would be using software that doesn’t permit that sort of query. And Assistant Secretary of Homeland Security testified to Congress on October 5, 2011, about exactly this sort of search: “Early in this investigation, the Federal Bureau of Investigation (FBI) learned of Shahzad’s cell phone number, but had little additional information…. [T]he FBI asked DHS if it had encountered any individual who reported this phone number during border crossings. DHS searched its PNR database for the phone number, identified Shahzad, and learned other information he had provided to DHS.”  We are confident that, if CBP were searching for records as part of an investigation rather than in response to a FOIA request, it could have, and would have, searched for all records containing phone numbers associated with Mr. Hasbrouck, regardless of whether his name appeared in those PNRs. Unfortunately, the extreme “deference” given by the Federal courts to the credibility of agency declarations in FOIA cases, and our lack of access to the software specifications, makes it almost impossible to challenge even such obviously incredible claims about why the records we have requested can’t be found. But let’s be clear: CBP lied about its data mining capabilities rather than actually search for records linking Mr. Hasbrouck to other individuals through phone numbers or other identifiers. What were they trying to hide? Presumably, they were trying to avoid calling attention to the primary function of ATS as a suspicion-generating and guilt-by-association system, designed and used primarily for “social network analysis”..
  4. After first claiming that it processed Mr. Hasbrouck’s requests and appeals only under FOIA and not the Privacy Act, CBP now claims that these requests were made only under the Privacy Act and not FOIA, on the basis of false declarations about what Mr. Hasbrouck said in telephone calls inquiring about the status of his requests and appeals. In light of the “deference” given to the agency declarations in which these false claims are made, it will be easier to make new requests under FOIA for this information than to try to disprove the false claims in the declarations that Mr. Hasbrouck had agreed to abandon or withdraw his FOIA requests. But here again, CBP officials were willing to lie in sworn  declarations made to Federal courts, in order to avoid or delay judicial review of their withholding of information.
  5. During our negotiations, CBP promulgated a new System Of Records Notice (SORN) for ATS, a Notice of Proposed Rulemaking (NPRM) to exempt even more ATS records from the Privacy Act, and an updated and expanded Privacy Impact Assessment for ATS. CBP would no doubt say that some of these documents provide “additional transparency” about ATS. But any transparency is offset, of course, by the broadening of exemptions. And under the interpretation of the Privacy Act adopted by Judge Seeborg’s ruling in our case, additional Privacy Act exemptions could be promulgated at any time in the future, and applied even to requests that had already been made. Nobody can rely on any “rights” under the Privacy Act that could be retroactively revoked at any time. In addition, the new notices fail to give any additional detail about the data-mining or search-and-retrieval capabilities of the software (which Judge Seeborg ruled that CBP does not have to disclose, notwithstanding the specific requirement of the Privacy Act law that a SORN include the “practices of the agency regarding … retrievability” of records) or the algorithms used for processing data and making “targeting” decisions. (In its comments on the new SORN, EPIC correctly points out that the use of secret algorithms makes it impossible for airlines or other travel companies subject to European Union jurisdiction, but which provide PNR or other data to CBP for ATS, to fulfill their duty under EU law to inform data subjects how their data is processed — a point we’ve made in complaints against airlines to European data protection authorities.) Perhaps most importantly, what these new filings provide is more transparency about the unprecedented scale, scope, and secrecy of ATS as a system of suspicionless surveillance and control of all international travelers and their associates.

Individuals and governments abroad should also take due note of the U.S. government’s claims in this case, and judge their collaboration with ATS accordingly. Individuals — even U.S. citizens — have no right under U.S law to see what ATS records are being kept about them, and no right to know how or according to what algorithms data about themselves is mined, processed, or otherwise used.  No records are kept of requests for access to records, and no logs are kept of who retrieves records.

Clearly, the Automated Targeting System is exactly what the Privacy Act was intended to prohibit: a system of persistent secret government dossiers about the legal activities of people who are not suspected of any crime. The reason for the enactment of the Privacy Act was the recognition that such surveillance systems, regardless of their purposes or the benign intentions of their creators, are inherently likely to be be misused.

At the end of the day, the (unsurprising) lesson of Hasbrouck v. CBP is that U.S. courts continue to place the “airport exception to the First Amendment” above our right to travel and our right as citizens, presumed innocent until guilty, to be free from dragnet surveillance.

If the courts won’t upheld the intent of the Privacy Act by ruling against the maintenance of systems such as ATS, it’s up to the public to say, “No”, and to demand that Congress enact legislation explicitly mandating that ATS be shut down and all ATS records about innocent individuals be destroyed.

We are not surprised by the outcome of this lawsuit, which revealed more than we had expected about the contents of ATS records and the the nature and functioning of the ATS system. We are pleased and proud of whatever role this lawsuit may have played in exposing the lack of respect by the executive and judicial branches of the U.S. government for our fundamental rights.

We are grateful to attorneys David Greene, Lowell Chow, Jim Wheaton, and Geoff King; to the staff and interns of the First Amendment Project (our parent organization) and Bryan Cave; and to John Gilmore and the other supporters who made possible this challenge to the secrecy of DHS surveillance of international travelers.