The Homeland Security Department is breaking the law by not telling the public exactly how personal information is used to screen international travelers, including Americans, congressional investigators said Wednesday.
One of the screening programs at issue is a computer-based system called the Automated Targeting System that is used by the Customs and Border Protection agency to rate the risk posed by travelers coming to and from the United States.
In its report, the Government Accountability Office said the department is not in full compliance with privacy laws that require agencies to tell the public how the government uses their personal information.
"CBP's current disclosures do not fully inform the public about all of its systems for prescreening aviation passenger information," the GAO report said. "Nor do they explain how CBP combines data in the prescreening process, as required by law."
The GAO, Congress' auditing agency, also said Customs has not publicly disclosed all the sources of data it reviews on passengers, including information obtained from commercial sources. It did not explain what those commercial sources may be and government officials declined to comment.
Homeland Security spokesman Russ Knocke defended the program.
"The GAO in this case is woefully uninformed and I think that Congress and the public are being poorly served by this report," Knocke said. This program, he added, "has been the subject of more than 20 speeches or testimonies at hearings."
Except for two footnotes to documents sent to Congress, however, the administration's public references primarily described the system as a cargo and passenger screening system without details of its operations. Many officials were only aware of the cargo aspect of the screening system until last fall.
David Sobel, senior counsel at the rights group Electronic Frontier Foundation, said the amount of detailed public information now available to the government presents more of a concern about privacy today than when the Privacy Act was first enacted after the Watergate scandal.
"There is a very good historical reason for the Privacy Act and DHS just seems to have a real blind spot when it comes to compliance," said Sobel.
House Homeland Security Committee Chairman Bennie Thompson, D-Miss., also sounded a note of concern.
"While we support rigorous security screening of airline passengers bound for the United States, Customs and Border Protection must conduct this screening in a manner that protects our citizens' privacy rights," Thompson said in a statement.
The other prescreening process about which the GAO expressed disclosure concerns was the Advance Passenger Information System, APIS, which uses information derived from passports or other government-issued documents such as visas.
The Associated Press disclosed late last year that the Automated Targeting System used by Customs had been developing risk assessments of millions of Americans over the last four years without their knowledge. The AP also reported that those assessments were to be kept for 40 years and could be shared with state, local and foreign governments.
The ATS program compares passenger data, such as a passenger's name, address, credit card information and data from government databases, such as a terrorist screening database, with a set of rules derived from the government's knowledge of terrorists and criminals.
Government officials have declined to detail those rules, for security reasons. But the comparison results in a risk assessment, which can prevent someone for boarding a plane or require additional screening measures at the airport.
While the GAO found that Customs has disclosed aspects of the program, it said the agency has failed to publish a "system of records notice or a privacy impact assessment that comprehensively describes the entire prescreening process."