The latest so-called “Privacy Impact Assessment ” (PIA) made public by the US Department of Homeland Security, “CBP License Plate Reader Technology“, provides unsurprising but disturbing details about how the US government’s phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA.

The main reason for the publication of the CBP License Plate Reader Technology PIA is to provide the public with “notice that CBP is partnering with the Drug Enforcement Administration (DEA) to leverage each other’s .. LPR [License Plate Reader] systems.”

Since at least 2007, US Customs and Border Protection (CBP) has had a network of license plate readers continuously monitoring and recording the license plate numbers and locations of vehicles near US borders. “Near” and “border” in this context are euphemisms: Federal regulations define the “border” zone for purposes of CBP authority as including anywhere within 100 miles of any US border or seacoast,  which puts roughly two-thirds of the US population within “border” regions.

Meanwhile, the DEA has compiled an aggregated database of geotagged and timestamped license plate records purchased from commercial sources, including records of vehicle locations far from what even the DHS considers the “border zone”.

CBP and DEA are already able to query and retrieve data from each other’s LPR databases. A DEA agent can also set a “TECS alert” flag in the DHS database for a specific license plate number, the same way they  can for a specific passport number, so that they will be notified automatically whenever that plate is spotted by a DHS camera.

What’s changing is that instead of providing LPR information to each other only in response to specific targeting requests, CBP and DEA plan to “stream” all of the data from their LPR networks to each other in real time. “CBP intends to provide DEA access to CBP LPR information… through a real-time streaming service.”  Each agency will have a complete copy of the data collected by the other, so that they can merge and mine it and use it for “pre-crime” profiling.

As is the trend with all DHS surveillance systems, the goal is to convert a targeted system for investigating suspects into a dragnet system that treats everyone as a suspect subject to continuous surveillance and “continuous screening” or “continuous vetting”.

“Notice” of systems of records about US citizens maintained by Federal agencies is, pursuant to the Privacy Act, supposed to be provided in a different form, earlier in the process. The Privacy Act requires a notice to be published in the Federal Register (instead, PIAs are quietly posted on inside pages of the DHS website) before an agency creates such a  system.

Maintaining data about individuals without proper prior notice is a crime, 5 U.S. Code § 552a (i)(2). But the DHS doesn’t let the law stand in its way. CBP and other DHS components have routinely created and kept new types of records about  individuals for years before publishing the required notices in the Federal Register. None of the CBP and other DHS officials responsible for these crimes have ever been prosecuted, and our complaints about these crimes have been ignored.

DHS has also played a “shell game” with border crossing records, classifying them first as part of TECS, then as part of the Automated Targeting System (ATS), then as a separate Border Crossing Information (BCI) system, and now, supposedly, as part of TECS again (even though TECS is in the process of being replaced by a new DHS “Data Lake”). If you want to find out what records DHS has kept about your travels, you need to include all of these systems of records, and several others, in your request, as on our request templates.

It’s worth reading  self-serving government publications for clues about what might be going on behind the curtain of government “transparency”. But like most PIA’s, the CBP License Plate Reader Technology PIA is a mix of statements and claims some of which are probably true, some of which are certainly false, and most of which are unverifiable.

For example, the License Plate Reader PIA claims that, “In certain instances, CBP may receive voluntary submission of passenger manifests for rail… traffic across the U.S. border.”

The DHS Privacy Office, which overseas PIAs, avoids dealing with the privacy implications of having train operators hand over details about their passengers to the government by claiming that providing passenger manifests to the government is “voluntary” for the operators of cross-border passenger trains, Amtrak and VIA Rail Canada.

But we know that this isn’t true. Amtrak has reported to Congress that it is required to provide information about passengers to CBP.  According to records disclosed by Amtrak in response to one of our FOIA requests, Amtrak told its own programmers (who might otherwise have resisted writing surveillance code into Amtrak’s reservation system) and travel agents (who complained and cited “chapter and verse” of Federal regulations) that Amtrak was required to provide information about passengers to to CBP.  In the clearest indication of whether Amtrak’s data sharing was truly “voluntary”, we received Amtrak email messages showing that CBP threatened to stop Amtrak trains from returning to the US from Canada if CBP didn’t get the passenger information it wanted from Amtrak.

When CBP was — literally — threatening to hold up trains if it didn’t get the data it wanted, it’s ridiculous to say that the railroad handed it over “voluntarily”.

It’s unclear if the DHS privacy officers who prepare PIAs full of nonsense like this are incompetent, mendacious, or (perhaps the most likely explanation) themselves misled and/or kept in the dark about what’s really being done by DHS operational  components.

We are continuing to pursue our FOIA requests to find out what’s really going on, including between the DHS and Amtrak, with US government surveillance and control of movement across or “near” US borders.