Our main briefs were filed last Friday in the Privacy Act and Freedom of Information Act (FOIA) case of Hasbrouck v. CBP.

In this case, we are seeking to compel U.S. Customs and Border Protection (one of the components of the DHS) to disclose:

1. The CBP/DHS “travel history” dossier  about Mr. Hasbrouck, compiled from airline reservations (PNRs) and other commercial and government data and contained in the (illegal) CBP “Automated Targeting System” (ATS), including “risk assessments” of Mr. Hasbrouck and the rules used to determine those risk assessments;
2. An “accounting of disclosures”, as required by the Privacy Act, showing which other government agencies or other third parties have been given access to which of this data, and when; and
3. General information about how ATS data is indexed and retrieved.

Our main argument for summary judgment in our favor (and in opposition to CBP’s cross-motion) is contained in our proposed order, supporting brief, and Mr. Hasbrouck’s supporting declaration. Additional supporting declarations and exhibits are linked here.  Following reply briefs to be filed next month by each side, oral argument is scheduled for August 25th in Federal District Court in San Francisco.

A leaked copy of the latest draft of a proposed “Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Record [PNR] data to the United States Department of Homeland Security” has been published by the civil liberties watchdog and investigative reporting group Statewatch.

The leaked draft “agreement” fails to satisfy the criteria set by the European Parliament for its ratification of such an agreement, including that any PNR agreement should:

1. Take the form of a duly ratified international treaty binding on all parties. (The draft “agreement” is not a treaty, and would not be binding on the U.S., as discussed in more detail below.)
2. Recognize and respect fundamental rights including the freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights. (The draft “agreement” does not mention freedom of movement, the ICCPR, or any fundamental rights other than those related to privacy and data protection.)
3. Require that the use of PNR data for law-enforcement and security purposes must be in line with European data protection standards. (There is no mention of these standards in the draft “agreement”.)
4. Prohibit the use of PNR data for data mining or profiling. (There is no mention of data mining or profiling in the draft “agreement”.  The draft claims that the U.S. will not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on automated processing of PNR. But all other data mining and profiling is permitted, as long as there is the slightest element of non-automated human rubber-stamping before adverse actions are taken against an individual.)
5. Take into consideration “PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” (There is no mention in the draft “agreement” of computerized reservation systems, indirect transfers of PNR data, or any of the other means by which, as we have testified to members of the European Parliament, the DHS and other U.S. government agencies could bypass the “agreement”.)
6. Provide for independent review and judicial oversight. (The only review provided for under the draft “agreement” is self-review by the DHS Privacy Office, which is directly controlled by the DHS itself, has no independence, and is the subject of an ongoing scandal and attempted cover-up involving political interference with requests — including ours — for DHS records. The only judicial oversight contemplated in the draft “agreement” is limited to violations of laws that contain no protections for privacy or other substantive fundamental rights.)

The proposed “agreement” has been negotiated in secret between the European Commission (on behalf of the EU) and an interagency Executive Branch working group led by the DHS (on behalf of the USA).

Just as the U.S. Constitution requires that any international treaty negotiated and signed by the President must be ratified by the Senate before it becomes effective, international agreements negotiated by the European Commission and approved by the Council of the European Union must be ratified by the European Parliament.

Some people and groups who ought to know better, including lobbyist and former DHS Assistant Secretary for Policy Stewart Baker — the principal architect of an earlier US-EU “agreement” on PNR data — and the Heritage Foundation, have suggested that for the European Parliament not to ratify whatever the Commission and Council propose would be to “renege” on their agreement with the US. That’s nonsense, obviously. The European Parliament has no more obligation to ratify treaties proposed by the European executive than the U.S. Senate is obligated to ratify every treaty proposed by the President.

(Writing in the Heritage Foundation blog, Baker’s former assistant Paul Rosenzweig also repeats the bogus claim that the Chicago Convention treaty provisions for flights arriving at U.S. airports somehow give the U.S. extra-territorial jurisdiction over foreign citizens boarding foreign-flag aircraft at foreign airports. This clearly false claim by Baker and Rozenzweig was first made by their then boss, Secretary of Homeland Security Chertoff, in a speech to the European Parliament in 2007, and we debunked it in detail at that time. The proposed agreement goes far beyond the explicitly detailed and narrow specifications in the Chicago Convention for what data elements are required to be provided to governments, how, when, and where. )

Both the European Parliament and the U.S. Senate have approved resolutions intended to provide guidance to their respective negotiators as to what sort of agreement they would or would not ratify. Neither legislative body is any more or less out of line in doing so.

The draft “agreement” does not appear to be intended to constitute a treaty, and would not be binding on the U.S., so it would not need to be presented to the U.S. Senate for ratification. The recent Senate resolution, however, makes clear that even if the “agreement” were presented to the Senate, the Senate is unwilling to make any concessions to privacy or human rights, or to enact any new or expanded protections for privacy or for any of the other fundamental rights at stake.

The European Parliament resolution is less intransigent. While it starts from the explicit (and proper) premise that fundamental rights must be respected, and provides details of how that might be done, it still leaves open the possibility of compromise with the U.S. and of modifying existing EU data protection rules.

The key problem is that as long as both the DHS and the U.S. Senate (with, so far as we can tell, the full backing of the Obama Administration, and the concurrence of the U.S. House of Representatives) are completely unwilling to compromise or to provide travelers with any additional rights, any “agreement” will inevitably result only in more infringement of those rights.

No good can come of any such “agreement”. It would serve only to give airlines, Computerized Reservation Systems (CRSs), and other travel companies impunity from EU legal sanctions for ongoing transfers of PNR data to the U.S. that are currently in violation of EU data protection laws, and to remove EU authorities’ current responsibility, which they have been improperly shirking, to enforce those laws against travel companies.

If it is presented to the European Parliament in its present form, the draft “agreement” should be debated, and rejected, not as a “data protection” agreement but as a grant of immunity from EU data protection law to travel companies that are currently making their reservations (PNR) databases accessible to the U.S. government, and the EU authorities who have deliberately refrained from enforcing EU data protection laws against those companies.

The draft “agreement” would not be binding on the U.S., according to the U.S. Constitution, because it would not be a treaty and would not be presented to the U.S. Senate for ratification.  (That’s why we use the term “agreement” in quotation marks.)  By its own explicit terms, the draft “agreement” would not create any enforceable individual rights.  The “agreement” does not purport to contain any enforcement mechanisms or sanctions for breach of the agreement.

But if the “agreement” would not be a binding treaty, and would not provide any enforceable individual rights, what is it? What, if anything, would it accomplish? What purpose, and whose interests, would it serve? Read More →

The travel industry — concerned that treating all travelers as suspected terrorists will discourage travel and reduce their business — has joined forces with the homeland-security industrial complex of providers of travel surveillance and control technology in a pseudo-grassroots lobbying and propaganda campaign for more profiling of travelers.

The motives of DHS contractors and their lobbyists are obvious. But we’re disgusted with travel companies, especially “common carriers” required to transport all would-be customers, whose pitch to the public is that it’s OK for the travel industry to collaborate with the government in collecting lifetime travel histories of their customers, and to subject some of them to everything from virtual strip-searches and/or manual groping to standardless secret no-fly orders, as long as those invasions of privacy and the right to travel are imposed selectively.

Making sexual assault, warrantless searches, and denial of transportation discriminatory and selective — where the selection is based on anything other than a search or arrest warrant, injunction, or  other court order — only exacerbates the unfairness and the denial of rights.

The latest euphemistic buzzword for “trusted traveler” and other profiling schemes is “risk-based”. The term “risk-based’ is used to create the mis-impression that profiling actually measures risk. But let’s be clear: whether there is sufficient evidence of “risk” in a particular case to justify search, detention, and/or denial of freedom of movement is a matter to be determined by a judge, not a profiling algorithm. And even if we wanted to ignore the Bill of Rights, there is no reliable algorithm for identifying “risky people”.  Some people do bad things, but trying to identify “bad people” is impossible without trying to read minds. Any trusted traveler program would inevitably be a “Department of Pre-Crime”, and not based on any actual judicial determination of risk — much less of risk sufficient to justify prior restraint on the exercise of First Amendment rights of assembly.

The travel industry and the profiling companies want you to think that you’d never fit the profile, that you’d be considered a “trusted” traveler, and that all the bad things would be reserved for other bad people who, on the basis of their travel history or other (legal) activities, “deserve” to be treated like terrorists. But the reality is that any trusted traveler program is a threat to all our rights.

Just say no to any “trusted traveler” proposal. Just say no to the traveler surveillance and profiling it would require. And just say no to the discrimination it would embody and institutionalize.

The DHS can’t exempt itself from the civil remedies provided by the Privacy Act for people who are harmed by government violations of the law, according to a decision announced today by the 6th Circuit Court of Appeals in Cincinnati in the case of Shearson v. Department of Homeland Security.

The case was brought by Julia Shearson, Executive Director of the Cleveland chapter of the Council on American-Islamic Relations (CAIR). The incident that led to the case is described in today’s court opinion as follows:

Shearson and her four-year-old daughter, United States citizens by birth and Muslims, returned by car from a weekend in Canada at around 8:30 p.m. on January 8, 2006, via the Peace Bridge in the Buffalo, New York/Fort Erie area. On scanning their United States passports, the CBP computer flashed “ARMED AND DANGEROUS,” and CBP agents asked Shearson to turn over her car keys and step out of the car. Shearson was handcuffed, and, after several hours of questioning in the terminal, she and her daughter were released without explanation. As they left, Shearson inquired whether her vehicle had been searched and was told no search had been conducted. This proved to be false; Shearson’s vehicle had been searched and was damaged in the course of the search. After Shearson wrote several Ohio congressional representatives, who in turn contacted the CBP, the CBP advised the legislators that its agents had acted “in response to what later proved to be a false computer alert.”

The DHS admitted that they had improperly flagged her as a “suspected terrorist” in the (illegal) travel records system that later came to be known as the “Automated Targeting System,” but refused to say why or on the basis of what, if any evidence or allegation against her they did so. Five years later, she’s still trying to find out why — other than working for CAIR — she was labeled in ATS as a “suspected terrorist” to be arrested at gunpoint, separated from her child, and held in handcuffs.

Shearson brought suit against the DHS under the Privacy Act for, among other violations, improperly maintaining records of her religious and other activities protected by the First Amendment, failure to maintain accurate records, improper disclosure of the erroneous records about her, and refusal to show her their files about her.  She filed and argued the case pro se for several years, although Gadeir Abbas (then a law student and now a staff attorney with CAIR) and David Wolfe Leopold (now the president of AILA, the American Immigration Lawyers), later assisted in the case, and attorney Kurt Hunt represented Ms. Shearson in the appeal to the 6th Circuit Court of Appeals.

In response to the lawsuit, CBP (U.S. Customs and Border Protection, a division of DHS), argued that they had exempted themselves from any liability related to ATS for under the provisions of the Privacy Act for civil remedies. Such overbroad self-exemption claims have been a common technique of the DHS to shield itself from acountability to the courts for its actions, even when they infringe citizens’ rights.

As Shearson’s attorney in the 6th Circuit appeal, Kurt Hunt, described the ruling, it means that, “A citizen can sue the government for breaching mandatory provisions of the Privacy Act (for example: improperly maintaining records of First Amendment activity), and the government cannot simply pass a rule to ‘exempt’ itself from potential civil liability for violating those mandatory provisions. In short, it makes it possible for a citizen to actually enforce the Privacy Act in a civil action.”

Hunt notes that, “The circuits are currently split about this question, and the split appears to be widening. Because this was the first 6th Circuit decision to address civil remedies exemptions, today’s ruling will have national implications. We hope the Sixth Circuit’s decision will be the start of a trend of decisions putting the “teeth” back into the Privacy Act.”

Now that DHS’s attempt at self-exemption has been overturned by the Court of Appeals, Shearson’s case has now been remanded for further action on her claims for violation of the Privacy Act and her rights.

We don’t yet know whether similar claims of total self-exemption from  liability to civil remedies will be asserted by CBP in our own case, Hasbrouck v. CBP, which so far as we know is the only other case to have been brought under the Privacy Act and related to Automated Targeting System records.