Giving new meaning to the epithet, “security theater”, the hit Australian reality-television show Border Security has been franchised to the USA in the form of Homeland Security USA.

The weekly hour-long “reality” program is scheduled to begin Tuesday night, January 6th, 2009, on ABC.  Having seen the Australian predecessor, we can hardly wait to see how the DHS, with its growing focus on spin control and image management, wants to be seen.

The show boasts of the “full cooperation” of all DHS departments, without which it couldn’t be produced — and, therefore, who it can’t afford to offend if it wants to continue.

On Friday, December 19th, the Privacy Office of the U.S. Department of Homeland Security released A Report Concerning Passenger Name Record Information Derived From Flights Between The U.S. and the European Union.

This is a very important report for both US and European travelers, but not for the reasons the DHS claims:

The authors of the report conclude that DHS handling of Passenger Name Record (PNR) data is in compliance with both US law (particularly the Privacy Act) and the DHS-EU agreement on USA access to, and use of, PNR data related to flights between the EU and the USA.

In fact, the report contains multiple admissions that support exactly the opposite conclusion: The DHS has complied with neither the agreement with the EU, nor US law (especially, but not only, the Privacy Act), in its use of PNR data concerning US citizens as well as Europeans and other foreigners.

The DHS has legal obligations to US citizens and residents under the Privacy Act, and commitments to travelers from the EU under the PNR agreeement, to allow individuals timely access to PNR data about them held by the DHS. According to the report:

DHS policy allows persons (including foreign nationals) to access and seek redress under the Privacy Act to raw PNR data maintained in ATS-P.

Despite this, the DHS Privacy Office has now reported that:

1. Requests for PNR data have typically taken more than a year to answer — many times longer than the legal time limits in the Privacy Act and Freedom of Information Act: “The requests for PNR took more than one year to process.”
2. When individuals have requested “all data” about them held by the DHS, often they have not been given any of their PNR data: “If an individual requests ‘all information held by CBP’ the FOIA specialist generally does not search ATS because PNR was not specifically requested.”
3. Because of this, the vast majority of requesters who should have received PNR data did not: “The PNR specific requests are a small percentage of the total requests based on the statistics provided to the Privacy Office, but if ATS-P were searched in all cases in which an individual asks for ‘all information held by CBP,’ the percentage would increase more than seven [sic]”
4. PNR data has been inconsistently censored before it was released: “The requests for PNR … were inconsistent in what information was redacted.”
5. A large backlog from the initial requests for PNR data remains unanswered, more than a year later: “Management noted that they have been understaffed and are bringing on new staff to reduce the backlog and period of time it takes to respond to requests. Additionally, management stated that part of the delayed response was due to the large number of requests initially submitted for PNR.”

To understand the full meaning and significance of the report, let’s quickly review the history of US government use of PNR data:

Read More →

Continuing its “lame-duck” promulgation of rulings that will tie the hands of the new Presidential administration — or at least delay any efforts to reform DHS rules by requiring a new rulemaking process, or legislation, before they can be withdrawn — the DHS has published two new rules that will extend requirements for individualized pre-departure DHS permisison to international visitors seeking to enter the USA under the Visa Waiver Program (VWP) and to passengers and crew on international general aviation, private, non-scheduled, and non-airline flights to and from the USA:

Read More →

Over the weekend Stewart Baker of the DHS posted an entry in the DHS “Leadership Journal” blog entitled U.S. and EU Agree on Data Protection Principles.  Readers unfamiliar with the “back story” might conclude from this — as Baker and the DHS no doubt hope they will — that some sort of formal negotiations have been concluded, and that the USA and the European Union have actually worked out their differences on privacy and data protection.

Not so at all.  Many details remain unclear, as has been typical of DHS international diplomacy. All the meetings of the previous so-called “EU US High Level Contact Group on information sharing and privacy and personal data protection” occurred in secret.  But the joint statement by a new group of selected officials from US and EU executive agencies, released as an attachment to Baker’s blog post, indicates essentially the same impasse remains as existed when the “High Level Contact Group” made its final report in May 2008:

Read More →

Today we filed comments with the Department of Homeland Security objecting to a newly-defined DHS “system of records” containing logs of everyone who crosses U.S. borders, including those who cross by car or on foot.  “Border Crossing Information” (BCI) about innocent U.S. citizens not suspected of any crime would be kept for 15 years, while records on foreign vistors would be kept for 75 years.

DHS has, apparently, told the press that they didn’t start keeping records of land border crossings by innocent U.S. citizens until 2008.  According to a story last week in the Washington Post,

Customs and Border Protection agents only this year began to log the arrivals of all U.S. citizens across land borders.

But we know that’s not true, because we’ve seen copies — provided by CBP itself in response to individual requests for records from its Automated Targeting System (ATS) — of records of routine land border crossings by innocent U.S. citizens at least as far back as 2006.

The DHS previously considered the logs now being labeled “BCI” to be part of the ATS system of records. We’ve objected to ATS as illegal, and demanded that these dossiers be destroyed. According to our comments on BCI:

The data now being relabeled as BCI is part of the same data that was previously labeled as ATS. The collection and retention of this data was and is illegal….  Changes to the name of the system of records containing this data neither make it legal nor address our prior comments regarding its illegality. As when such data was considered a part of ATS, collection and retention of travel history data in BCI is prohibited by 5 U.S.C. 552a(e)(7). This section of the Privacy Act restricts the collection or retention of records of the exercise of rights protected by the First Amendment….  Rather than trying again, as they did with the ATS SORN, to provide retroactive notice and yet more new excuses for this illegal travel surveillance dragnet and system of “historical” travel records about the activities of innocent Americans, DHS should entirely expunge these illegal records of lawful activities protected by the First Amendment and international human rights treaties.

Why has the DHS created this new BCI label for portions of its files of travel histories?  The DHS claims they are “providing additional transparency”.  But as we point out in our comments, it’s really a “shell game” that willl do more to hide these records than to faciliate transparency:

Under the Privacy Act, “transparency” is provided by the right to obtain records about oneself. This SORN will make it more difficult to exercise that right, since to obtain the records of their travels held by DHS an individual will now need to request records from even more systems of records: at a minimum, TECS, ATS, APIS, and now also BCI. Given the absence of a clear separation or well-defined distinctions between these “systems” within DHS – as is made clear by the succession of redefined SORNs which DHS claims cover the “same” records — greater transparency would be provided by recognizing that these are all parts of a single system of “Travel Records”, and allowing individuals to obtain all such records held by all DHS components with a single request.

We’ll be revising our templates for requests for travel records, and posting new versions you can use to request your records from as many DHS “systems of records” about travelers as we know about (ATS, APIS, BCI, and TECS).

We’ll keep trying — through helping individuals request their records — to find out exactly what information ATS and these other systems of travel records contain.  The only way anyone can really know what’s in the government’s files about them is to exercise their right to review those files.  But as we say in our comments on BCI:

That right, and the transparency it should provide, are meaningless unless DHS actually responds to requests for access. Rather than issuing new SORNs that complicate the task of obtaining DHS records, the DHS Privacy Office should concentrate on processing the backlog of requests that has accumulated since the public learned of the existence of these travel records through news reports about ATS. The Identity Project has received numerous reports from individuals who have been waiting months without any response to their Privacy Act requests and appeals for ATS records (portions of which would, under this SORN, be recategorized as BCI records). One of our own appeals of the failure to provide requested ATS records has gone almost a year without any acknowledgment, assignment of a docket number, or reply.

The names of the systems of records have changed, but the crimes of the DHS in maintaining these travel histories remain the same.  We haven’t given up on our requests, and we’ll keep you posted on what we find out.