The AP has a story tonight that follows up on a Washington Post story from a couple of weeks ago and looks at the Automated Targeting System-Passenger (ATS-P) at DHS which is used to assess travelers entering the country. Since the initial Post story, DHS has released a Privacy Impact Assessment for the program and the Electronic Freedom Foundation (EFF) has sent comments to DHS questioning the system. DHS is arguing that this is not a new risk assessment system, but instead a well-established one, an assertion with which I agree; indeed, as I showed in my previous post on this, there are references to the ATS-P in the public record as far back as 2004.
But what about its actual function? David Sobel from EFF asserts in a CQ piece today (subscription req’d) that he wasn’t aware that ATS had a passenger risk assessment function until this recent notice:
But EFF contends that â€œprior to the Departmentâ€™s publication of its Federal Register notice on Nov. 2, there had been no public disclosure of the fact that the ATS was being used to assign levels of suspicion or potential risk to individuals â€” all public discussion of the system indicated that it was used to screen cargo.â€
A DHS inspector generalâ€™s report from August that surveyed the departmentâ€™s programs using data-mining technology described ATS as a cargo screening system, said EFF senior counsel David Sobel. When he read the IGâ€™s report, â€œI was basically looking for programs that raised privacy issues . . . and I wasnâ€™t concerned about [ATS]â€ because it concerned cargo, he said.
But the notice now raises â€œsubstantial privacy issues,â€ Sobel said, adding that the department is making it â€œsound like this is not a significant change.â€ DHS claims that the Automated Targeting System is associated with the TECS, but Sobel said a previous Federal Register notice about the Treasury Departmentâ€™s program mentions nothing about ATS.
However, a quick Internet search shows that there are prior public references to the Automated Targeting System having a role in terms of the risk assessment of passengers inbound to the United States. For example, there’s this passage in a June 2006 report by Canada’s privacy commissioner on the Canadian Border Services Agency (emphasis added):
More specifically, the HRTI tool facilitates the sharing of API data from the CBSAâ€™s Passenger Information System (PAXIS) and the U.S. Automated Targeting System-Passenger (ATS-P) system over a secure IT link. We were informed that the sharing of PNR data under the HRTI initiative will not begin prior to June 2006.
….The back-end analysis component involves running risk patterns, jointly established by the CBSA and the U.S. CBP, based on known indicators, trends and analysis, against a travellerâ€™s API/PNR in order to establish a risk score for the traveller. The risk patterns are comprised of various PNR elements, however the scores and risk levels attributed to them vary in accordance to the pattern they are assigned to. The risk score total is used to assess whether a traveller meets an established risk threshold of a particular risk pattern, which would theoretically identify the traveller as an individual who may require closer scrutiny or who is of high or unknown risk.
As I stated in my original post on this, I think this is an overblown story in some respects. There should be a dialogue on the efficacy of this system and its privacy protections, but I don’t think it’s correct for privacy groups and the media to acted shock about the existence and function of the ATS-P.