

by Dave Gradijan

EPIC, Other Privacy Groups Slam DHS Terrorist Risk Plan

Dec 07, 2006

More than two dozen privacy groups have joined a growing chorus of voices calling for the immediate suspension of a federal data mining program that assigns secret terrorist ratings to millions of U.S. citizens and foreigners traveling to and from the country.

In formal comments filed with the U.S. Department of Homeland Security on Monday, the group called the government’s Automated Targeting System (ATS) a “massive black box” for secretly profiling citizens in violation of the Privacy Act.

The program will give individuals no right to access the information used for such profiling, nor will it allow them to correct details that are inaccurate, irrelevant or outdated, the group said in its comments. At the same time, the information “will be made readily available to an untold number of federal, state, local and foreign agencies, as well as a wide variety of third parties, including contractors [and] grantees,” the statement said.

As of this story posting, the DHS had not responded to requests for comment.

If the program goes forward, the government needs to ensure that individuals have judicially enforceable rights of access to the data and to correct it if needed, the group said. It also needs to make sure that only information that is needed for the screening process is collected and that use of such information is restricted. Among the 30 organizations that sent the comments were the Privacy Rights Clearinghouse, the Center for Democracy and Technology, the Electronic Privacy Information Center and the World Privacy Forum.

The ATS is designed to allow U.S. Customs and Border Protection officials to screen inbound and outbound cargo and passengers for terrorist threats. As part of the screening process, the system compares “information obtained from the public with a set series of queries designed to permit targeting of conveyances, goods, cargo or persons to facilitate DHS’ border enforcement mission,” according to the official DHS description.

The information for such screening will come from a variety of sources and can be stored for as long as 40 years. In the case of inbound and outbound passengers, the information will be obtained from the Passenger Name Record (PNR) data that is collected by each carrier. The information collected and stored by the ATS will include details such as names and addresses of all travelers, billing and travel agent information, e-mail addresses, number of bags checked and no-show history.

The DHS disclosed the details of its use of the ATS in a notice published in the Federal Register on Nov. 2. The purpose of the notice was to “provide expanded notice and transparency” related to the use of the ATS, the DHS wrote in the notice. The public comment period for the notice ended Dec. 4 but was extended to Dec. 29.

In comments filed with the DHS last week, the Electronic Frontier Foundation, a privacy advocacy group, called the ATS “precisely the sort of system that Congress sought to prohibit when it enacted the Privacy Act of 1974.”

“There has not yet been an adequate public explanation of how the system works and what the consequences might be for individuals who are assigned ‘bad’ risk assessments,” said David Sobel, senior counsel at the EFF. The fact that there is no access to the data in the ATS nor any opportunity to correct it is also a problem, he said. “These problems are compounded by the 40-year data retention period, which means that people could be tainted for life by bad information,” Sobel said.

Using algorithms to predict who is likely to present a terrorist threat is also questionable, he said. “The more likely result is a very high rate of false positives,” said Sobel.

While data mining works in some cases, such as for detecting credit card fraud, it is a totally unproven technique for uncovering terrorist plots, said Bruce Schneier, chief technology officer at managed service provider BT Counterpane in Mountain View, Calif.

“It’s just plain silly,” said Schneier, who was one of the 16 security experts who added their signatures to the coalition of privacy groups that filed a comment with the DHS earlier this week. “There isn’t enough data to find patterns, and the instances of what you are looking for are so small that the false alarms will kill you,” he said.

Others who have called for review of the DHS system include the American Civil Liberties Union, which filed formal comments with the DHS earlier this week. In its comments, the ACLU argued that the ATS would put the government into the “business of creating ‘security ratings’ for millions of its own citizens.” Such a course of action had the potential to “alter the relationship between the state and the individual,” the ACLU said.

-Jaikumar Vijayan, Computerworld
