Thursday, 7 December 2006
Fallout from illegal "targetting" of travellers
A Wired News story today, also picked up by Slashdot , gives the first hint of how officials of the USA Department of Homeland Security will try to rationalize having defied direct orders from Congress by developing and operating a secret "Automated Targeting System" that "builds a risk assessment for ... travelers", without limitation to those on watch lists, in the face of a law (included as an appendix on the last page of the Identity Project comments on the DHS notice of the system) requiring that, "None of the funds provided in this or previous appropriations Acts may be utilized to develop or test algorithms assigning risk to passengers whose names are not on Government watch lists."
DHS Passenger Scoring Illegal? (by Ryan Singel)
WASHINGTON - A newly revealed system that has been assigning terrorism scores to Americans traveling into or out of the country for the past five years is not merely invasive, privacy advocates charge, it's an illegal violation of limits Congress has placed on the Department of Homeland Security for the last three years.
The comment cited a little-known provision in the 2007 Homeland Security funding bill prohibiting government agencies from developing algorithms that assign risk scores to travelers not on government watchlists.
"By cloaking this prohibited action in a border issue ... the Department of Homeland Security directly and openly contravenes Congress' clear intent," wrote project members Edward Hasbrouck and James Harrison.
A DHS spokesman said the language in the appropriations bill doesn't cover the ATS, and insisted the program is legal....
Marc Rotenberg, the director of the Electronic Privacy Information Center, said he was unaware of the language but that it clearly applies to the Automated Targeting System, not just Secure Flight, the delayed successor to CAPPS II.
"Bingo, that's it -- the program is unlawful," Rotenberg said. "I think 514(e) stands apart logically (from the other provisions) and 514 says the restrictions apply to any 'other follow-on or successor passenger prescreening program'....
Jim Harper, a Cato Institute fellow who also serves on the DHS' external privacy advisory board, echoes Rotenberg's reading.
"The language is clear that the risk scoring may not be used on non-suspects," Harper said. "The counter-argument is that the section it is in is about Secure Flight, but I think you have to pretzel yourself to make that argument."
The government could still check passenger names against watchlists and criminal databases for possible matches, according to Harper's analysis.
"But it certainly makes the use of risk-scoring unlawful, I suspect," Harper said.
DHS spokesman Jarrod Agen disputes that interpretation. "The language in the appropriation bill refers specifically to Secure Flight," Agen said.
Meanwhile, the big questions to be addressed through USA Congressional and European Parliamentary hearings, criminal and European Commission enforcement investigations, audits by the GAO and the DHS Inspector General, and further investigative journalism are:
- How long has this going on, and how many people have dossiers about them in this "targetting" system?
Will those dossiers, and all copies and backups, now be destroyed?
- Who provided these reservation records (PNR's) to the DHS and its predecessor agencies, or knew that they were being provided?
Last week the Associated Press quoted Jayson P. Ahern, assistant commissioner of Customs and Border Protection, as saying that "ATS was first used to rate the risk posed by travelers in the late 1990s, using personal information about them voluntarily supplied by air and cruise lines." But airlines couldn't have done this wothout the collaboration of the reservation systems (CRS's) that host their databases. And those CRS's, which operate worldwide including in the European Union, are forbidden by the EU Code of Conduct for CRS's from divulging data collected through EU travel agents without consent of the data subjects, even to government agencies. So if airlines and CRS's "voluntarily" turned over PNR's, they were almost certainly breaking EU and perhaps other laws.
Today I was able to speak with Gordon Wilson , President and CEO of Travelport's EMEA division including Galileo operations in Europe. He told me that "there were some talks with the DHS" on access to PNR's, but that "nothing came of it.... It would have crossed my desk if it had included any PNR's from Galileo travel agencies in Europe. But so far as I know, no Galileo PNR's were provided to the U.S. government." He claimed that Galileo identifies the "country of origin" of the PNR, based on the "place of creation", but a single PNR can contain data collected in multiple jurisdictions and added at different times after it is created. Wilson said that "I'll do some checking after this conversation", and didn't speak for Worldspan.
The CEO's of all 4 major CRS's (soon to be 3, with the acquisition of Worldspan by Galileo's parent company announced today) including Sabre and Amadeus need to be called to account before Congress, the European Parliament, and the European Commission (which enforces the Code of Conduct for CRS's). Europan Union citizens and residents can help by requesting your travel records from airlines, CRS's, travel agents, and tour operators.
- What are Congress and the European Parliament going to do about this?
Hearings are not enough. Heads need to roll, but not just as scapegoats. More importantly, policies and practices need to change.
The creation and maintenance of the Automated Targeting System, in the face of repeated express Congressional prohibitions, makes clear the inability of the DHS to police itself or conform to the law. It has proven that it will ignore the law, do whatever it wants, and keep doing it until someone puts the cuffs on it.
As has been true since these schemes first reared their ugly head under the name of CAPPS-II, then Secure Flight, and now ATS, Congress needs to enact comprehensive privacy legislation for commercial data, or at minimum a privacy law for travel records that governs their use both by government agencies and commercial entities.
But passing more laws reenacting the prohibition on passenger scoring for a fourth time, or additional privacy and data protection rules, will have no effect unless Congress also repeals the DHS exemptions from the Privacy Act and FOIA, and expressly revokes any DHS authority to enforce secret laws or unpublished regulations .
EU authorities need to recognize that unilateral DHS "undertakings" are unenforceable and will continue to be ignored by the DHS. Only a treaty, duly ratified by the U.S. Senate and enforceable in U.S. and European courts, and subject to genuinely independent auditing by authorities with subpoena power over CRS access logs, not just those records kept by the government, can actually bind the DHS.
Addendum: More from the Associated Press :
Link | Posted by Edward on Thursday, 7 December 2006, 14:38 ( 2:38 PM) | TrackBack (0)
Traveler Risk System May Violate Ban (by Michael J. Sniffen)
The Homeland Security Department's newly revealed computerized risk assessments of international travelers may violate a specific ban that Congress imposed as part of the agency's budget over the past three years.
Some members of Congress and privacy advocates on Thursday questioned the legality of Automated Targeting System, or ATS, risk assessments that have been assigned to millions of Americans and foreigners who entered or left the United States over the past four years.
"It clearly goes contrary to what we have in law," Rep. Martin Sabo, D-Minn., said in an interview. He said ATS is the kind of computerized risk assessment "we have been trying to prohibit."
Homeland Security Secretary Michael Chertoff told The Associated Press: "I don't think it (the prohibition) can be read as applying to this program. The statute doesn't bar the use of funds for the purpose of analyzing the risks for people entering the country."...
Sabo, the top Democrat on the House Appropriations subcommittee on homeland security, wrote into the agency's spending bills the ban on computerized passenger risk assessments. For the past three budget years, the legislation has said no funds from the appropriations bill could be used to develop or test computerized data-mining tools "assigning risk to passengers whose names are not on government watch lists."...
Sen. Patrick Leahy, a Vermont Democrat, agreed. "There is growing concern in Congress that this program invites abuse, and that the administration is plowing ahead with it in apparent violation of the law," said Leahy, a member of the counterpart subcommittee in the Senate and incoming chairman of the Senate Judiciary Committee.
Chertoff noted that the prohibition barred risk assessments of "passengers." He said "other people may have a different opinion of what they intended, but it's clear this is all aimed at what Secure Flight was, which was deciding who could board aircraft" in the United States....
In comments filed with the government this week, The Identity Project , a legal defense fund for people whose travel has been impeded by government screening, argued ATS violated the spending ban and said "any records or data already collected ... for this forbidden purpose should be immediately destroyed."...
The department's operation of ATS since the ban was passed might violate the Anti-Deficiency Act, which bars government officials from spending money not appropriated by Congress...
That act carries administrative penalties that include firing. It also has criminal penalties for willful violations up to two years in prison, although no one ever has been prosecuted.