Dec 21 2016

“AFI” is the latest DHS name for “extreme vetting”

We’ve heard a lot of talk in recent months about “extreme vetting” of immigrants, Muslims, and foreign visitors to the US. But what does “extreme vetting” really mean?

“Vetting” of both domestic and international travelers — making predictive pre-crime decisions as to whether or not to allow them to travel — is already extreme, and already routine.

“Vetting” means examining people and deciding who to allow, and who not to allow, to do something.

Under DHS procedures that have been in place for a decade, no airline operating to, from, or within the US is allowed to issue a boarding pass or let you on a plane unless and until it has sent your personal information to DHS and received an individualized, per-passenger, per-flight “Boarding Pass Printing Result” (BPPR) message giving the airline “permission” to “allow” you to exercise your right to travel by common carrier. The default if DHS doesn’t respond is “no”, and both the algorithms used for the decision and the data put into that algorithmic black box are secret.

What could be more “extreme”? Manual strip searches for all travelers, instead of just virtual strip searches using as-though-naked imaging machines?

But as President-Elect Trump’s “extreme” rhetoric suggests, the government’s desire for surveillance and control of our movements is insatiable. It’s always possible to make yet another mirror copy of the government’s warehouse of metadada about our movements, disseminate it more widely, and pile on another layer of pre-crime profiling algorithms. More is always better, right — especially if you call it “intelligence”?

The latest replication and propagation of travel data, and the latest layer of traveler “vetting” tools, is the so-called “Analytical Framework for Intelligence” (AFI) operated by, or under contract to, US Customs and Border Protection (CBP).  As we told Spencer Woodman of The Verge for his story today about AFI:

“When Trump uses the term ‘extreme vetting’, AFI is the black-box system of profiling algorithms that he’s talking about,” says Edward Hasbrouck of the Identity Project, a civil liberties initiative that focuses on the rights of travelers. “This is what extreme vetting means.”

DHS in general, and CBP in particular, have been playing a shell game for many years with their travel surveillance and control systems.

Government copies of airline reservations (Passenger Name Records) were first claimed to be part of a system of records called TECS, then declared to be part of a “new” system of records called the Automated Targeting System (ATS), although still stored in the TECS database. (Huh?)  Now an additional mirror copy of all this PNR data (still stored in TECS and still also deemed part of ATS) is being created as part of another “newer” system of records known as AFI.

AFI is one several new user interfaces and front-ends to TECS data being developed for use by multiple DHS components including US Customs and Border Protection (CBP) and Immigration and Customs Enforcement  (ICE) as part of a long-term “TECS modernization” project.

If you’re confused by all the acronyms and name changes, and don’t know which government files you should ask for or worry about, that’s exactly what DHS wants.

AFI itself has changed fundamentally and for the worse in the last few months, at least if we can believe what DHS says. It’s always been a suspicion-generating and guilt-by-association machine, but now it’s a much more powerful one. More powerful, to be clear, does not mean “better” or “more accurate”. It means, “capable of placing more people under suspicion” based on more intrusive data aggregation, data mining, and profiling. Here’s how:

The existence of AFI was disclosed in 2012 in a “System of Records Notice” in the Federal Register and an announcement that DHS intended to exempt AFI, as much as possible, from the requirements of the Privacy Act, as it did just a few months later.  As described at that time by the DHS, AFI was a tool for mining and analyzing an index file of pointers to (a) government databases about individuals, including PNR data and other records in TECS and ATS, and (b) records held by (unnamed) commercial data brokers.  As of 2012, AFI contained only index files, so it was limited to search, referral, profiling, and suspicion-generation based on only those fields and data items that were included in the AFI index files.

In September of 2016, however, DHS posted an update on AFI disclosing that the architecture of AFI had been, or was being, changed. Whether the notice was posted before or after the fact wasn’t clear. Instead of indexing records from government and commercial sources, AFI now imports and makes complete copies of the underlying records, merges the commercial and government files, and maintains and replicates an unspecified and unlimited number of copies of these aggregated files in some sort of DHS “cloud”.

What this means — in addition to wider distribution and vulnerability of this data  to unauthorized access or official abuse — is that DHS and other government agencies can now use AFI to mine, search, link, score, and profile the full text of the underlying records, not just indexes. So, for example, they could search for information in free-text comments entered by CBP inspectors at airports and borders (such as the title of the book you were carrying) or entered in PNRs by airline staff at the airport or travel agency contractors in a call center (“irate customer” — maybe that indicates a would-be terrorist).  And all this is Hoovered up into another garbage-in, garbage-out file that is used, along with secret algorithms, as the basis for government decisions about what you can and can’t do.

As discussed in today’s article in The Verge (also reprinted by CNBC), documents about AFI obtained by the Electronic Privacy Information Center through a Freedom Of Information Act lawsuit show that many of the functions of AFI have been outsourced to Palantir, a data-mining company funded by venture capitalist and Trump advisor Peter Thiel.  It’s unclear from those documents whether Palantir provides the data-mining and profiling (“analysis”) tools, the underlying commercial data, or both. [Follow-up: More on Palantir, Peter Thiel, Big Data, and the DHS.]

We think this is “extreme” enough. AFI should be shut down and its data store expunged, not expanded.

12 thoughts on ““AFI” is the latest DHS name for “extreme vetting”

  1. Pingback: Papers, Please! » Blog Archive » Carrier sanctions kill. Airlines collaborate.

  2. “Palantir Provides the Engine for Donald Trump’s Deportation Machine” (by Spencer Woodman, The Intercept, March 2 2017):

    “Notably, two of the primary intelligence systems that ICM relies upon have also been also built or supported by Peter Thiel’s firm, according to the funding documents. One of these is ICE’s FALCON system, a database and analytical platform built by Palantir that HSI agents can use to track immigrants and crunch data on forms of cross-border criminal activity. According to the documents, ICM also provides its users access to U.S. Customs and Border Protection’s “Analytical Framework for Intelligence,” or AFI, a vast yet little-understood data system that Palantir played a largely secret-role in supporting. Some privacy advocates believe that AFI could be used to fuel Trump’s “extreme vetting” of those seeking to enter the country.”

    Immigration and Customs Enforcement (ICE) TECS Investigative Case Management (ICM) Statement of Objective:

  3. Pingback: Papers, Please! » Blog Archive » Palantir, Peter Thiel, Big Data, and the DHS

  4. Pingback: FOIA request for information about DHS “Extreme Vetting” | Papers, Please!

  5. Pingback: Icebreaker Pt 7: ICE Case Management Handbook Based on Federal Law Enforcement "System of Systems" - UNICORN RIOT

  6. Pingback: CBP to buy license-plate reader data to track vehicles away from borders – Papers, Please!

Leave a Reply

Your email address will not be published. Required fields are marked *