Thirty privacy groups have joined a growing chorus of voices calling for the immediate suspension of a federal data mining programme that assigns secret terrorist ratings to millions of US citizens and foreigners travelling to and from the country.
In formal comments filed with the US Department of Homeland Security on Monday, the group called the government's ATS (Automated Targeting System) a "massive black box" for secretly profiling citizens in violation of the Privacy Act.
The programme will give individuals no right to access the information used for such profiling, nor will it allow them to correct details that are inaccurate, irrelevant or outdated, the group said in its comments. At the same time, the information "will be made readily available to an untold number of federal, state, local and foreign agencies, as well as a wide variety of third parties, including contractors and grantees", the statement said.
At time of writing, the DHS had not responded to requests for comment.
If the programme goes forward, the US government needs to ensure that individuals have judicially enforceable rights of access to the data and to correct it if needed, the group said. It also needs to make sure that only information that is needed for the screening process is collected and that use of such information is restricted. Among the 30 organisations that sent the comments were the Privacy Rights Clearinghouse, the Center for Democracy and Technology, the Electronic Privacy Information Center and the World Privacy Forum.
The ATS is designed to allow US Customs and Border Protection officials to screen inbound and outbound cargo and passengers for terrorist threats. As part of the screening process, the system compares "information obtained from the public with a set series of queries designed to permit targeting of conveyances, goods, cargo or persons to facilitate DHS's border enforcement mission", according to the official DHS description.
The information for such screening will come from a variety of sources and can be stored for as long as 40 years. In the case of inbound and outbound passengers, the information will be obtained from the PNR (Passenger Name Record) data that is collected by each carrier. The information collected and stored by the ATS will include details such as names and addresses of all travellers, billing and travel agent information, email addresses, number of bags checked and 'no-show' history.
The DHS disclosed the details of its use of the ATS in a notice published in the Federal Register on 2 November. The purpose of the notice was "to provide expanded notice and transparency", the DHS wrote in the notice. The public comment period for the notice was intended to end on 4 December but was extended to 29 December.
In comments filed with the DHS last week, the Electronic Frontier Foundation, a privacy advocacy group, called the ATS "precisely the sort of system that Congress sought to prohibit when it enacted the Privacy Act of 1974".
David Sobel, senior counsel at the EFF, said: "There has not yet been an adequate public explanation of how the system works and what the consequences might be for individuals who are assigned 'bad' risk assessments."
The fact that there is no access to the data in the ATS nor any opportunity to correct it is also a problem, he said. "These problems are compounded by the 40-year data retention period, which means that people could be tainted for life by bad information," Sobel said.
Using algorithms to predict who is likely to present a terrorist threat is also questionable, he said. "The more likely result is a very high rate of false positives," said Sobel.
While data mining works in some cases, such as for detecting credit card fraud, it is a totally unproven technique for uncovering terrorist plots, said Bruce Schneier, chief technology officer at managed service provider BT Counterpane.
"It's just plain silly," said Schneier, who was one of the 16 security experts who added their signatures to the coalition of privacy groups that filed a comment with the DHS earlier this week. "There isn't enough data to find patterns, and the instances of what you are looking for are so small that the false alarms will kill you."
Others who have called for review of the DHS system include the ACLU (American Civil Liberties Union), which filed formal comments with the DHS earlier this week. In its comments, the ACLU argued that the ATS would put the government into the "business of creating 'security ratings' for millions of its own citizens". Such a course of action had the potential to "alter the relationship between the state and the individual", the ACLU said.