Why I'm suing the Department of Homeland Security

[Update: Several readers have asked, "What can I do to help?" See the Identity Project's FAQ: Edward Hasbrouck v. U.S. Customs and Border Protection for answers to this and other questions about the lawsuit. If you'd like to be kept informed (and to receive other travel news and articles), sign up for my newsletter (see the form in the sidebar) and/or follow me on Twitter. If you'd like to volunteer to help out in other ways, please contact me directly.]

Today the First Amendment Project is filing a lawsuit on my behalf against U.S. Customs and Border Protection (one of the divisions of the Department of Homeland Security) for violating the Privacy Act and the Freedom Of Information Act (FOIA) by refusing to disclose their records of my travels, what they did with my requests for my records, and how they index, search for, and retrieve these travel surveillance records.

According to the complaint in Hasbrouck v. CBP filed today with the U.S District Court in San Francisco:

This complaint concerns the failure to disclose records regarding the warrantless, suspicionless dragnet collection and maintenance of Federal government records of the travel, activities, and other personal information concerning U.S. citizens not accused of any crime.... In November, 2006, Defendant CBP, an agency within the Department of Homeland Security, revealed that it was already operating a system of records -- for which, despite the requirements of the Privacy Act, no prior System of Records Notice ("SORN") had been promulgated -- which it labeled the "Automated Targeting System" ("ATS"). According to the SORN, ATS contained records related to international travel by U.S. citizens and others, including complete airline reservations or Passenger Name Records (PNRs), used among other purposes for making "risk assessments" of travelers. In 2007, in his capacity as a member of the news media and a consultant to the Identity Project ("IDP") on travel-related technical, civil liberties, and human rights issues, Plaintiff Edward Hasbrouck requested copies of his own records pursuant to his right of access under the Privacy Act. When he received a response which appeared manifestly incomplete and which invoked FOIA exemptions clearly inapplicable to records required to be released pursuant to the Privacy Act, Hasbrouck appealed. Almost three years later, he has received no acknowledgment or response to that appeal. In October 2009, Hasbrouck tried again, filing a new, broader Privacy Act request to CBP for his own travel-related records from ATS and other CBP systems of records and an accounting of when and to whom they had been disclosed by CBP, a FOIA and Privacy Act request for records concerning what had happened to his 2007 request and appeal, and a FOIA request for general information concerning the indexing, search, and retrieval capabilities of the ATS records system. When Hasbrouck received no response, he appealed the constructive denial of each of these requests. Nine months after making these requests and seven months after making these appeals, he has received no information in response.

I've never sued anyone before in my life, or been sued by anyone. It's not something I want to do, or that I'd do lightly.

So why am I suing the Department of Homeland Security?

I'm suing the government because they gave me no choice. After years of stonewalling, it became clear that the DHS would tell me, and tell the public, nothing about its secret dossiers about us unless forced to do so by court order.

I'm suing the government because of the significance of commercial airline reservations and the DHS "Automated Targeting System" as one of the largest post-9/11 U.S. government surveillance programs, and one of the largest collections of Federal government dossiers about the lives of innocent civilians after the IRS (tax) and Social Security (retirement) databases.

I'm suing the government because of the intimate personal details and the sensitivity of the information contained in airline reservations and the government's records, which I'm familiar with from 15 years of travel industry experience with airline reservations and from the censored excerpts from its travel dossiers that the DHS has released to some other people who've brought them to me for help in understanding their coding and significance: not just credit card numbers and IP addresses but also friends' telephone numbers, whether two people asked for one bed or two in their hotel room, and what book someone was carrying when they entered the country.

I'm suing the government now, while I still can, because they have already tried to change the rules to exempt much of the information in PNR's from disclosure, and to exempt themselves from any obligation to provide an accounting of what other government agencies, foreign governments, commercial entities, or other third parties they have "shared" this data with. (My requests were all made before these changes to the DHS Privacy Act regulations, so I'm entitled to this information regardless of whether the new rules are upheld.)

I'm suing the government because it's important for other people to know that the DHS has been lying when they claimed on page 29 of this PDF to the European Union that "all requests for access [to travel records kept by DHS] have been successful and passengers were always given access to their data" despite ignoring my request and appeal, and when they claimed on page 4 of this PDF that "the [DHS] Privacy Office received no reports of misuse of PNR ... since 2005", despite specific formal complaints filed with that office since 2006 by the Identity Project.

I'm suing the government to find out who was responsible for sending my original requests and appeals into a black hole, and whether they were among those requests that were illegally delayed or blocked by high-level political commissars in DHS or the White House.

I'm suing the government because no one else has done so, because foreigners have no right to do so under the U.S. Privacy Act, and because someone had to do it -- despite my fear, and my lawyers' fear, that the government may retaliate against us by putting us on (another?) of their secret lists and/or further interfering with our freedom of movement.

More information and the complaint filed today in Hasbrouck v. CBP are available from the Identity Project (PapersPlease.org), along with links to news reports about the case.

[Update, via Tnooz: "A CBP spokeswoman declined to comment on the particulars of Hasbrouck's suit, citing his privacy concerns. The CBP spokeswoman added that passengers 'voluntarily' give airlines permission to collect their travel data and personal information, and the CBP culls that information and performs a risk assessment for possible enforcement action. In an interview, Hasbrouck said it's false that passengers freely give airlines the right to collect personal information because ... if travelers withhold that information from airlines or travel agencies they may not be able to board a plane or leave the country.... He also warns that U.S.-based GDSs and travel agencies should be aware that if they go along with such data requests that they could be risking legal action by European individuals or governments and could face substantial liabilities. 'This should be a wake-up call to travel intermediaries in the U.S. that they can't escape liability for [releasing] personal information when they are part of the conveyor belt,' Hasbrouck says."]

[Heise.de: US-Burgerrechtler klagt auf Herausgabe von Flugpassagierdaten]

[FutureZone @ ORF.at: Passenger Name Records / Flugdaten: "US-Heimatschutz belugt EU" Portions of the the PNR showing root access to the Galileo CRS by DHS/CBP, mentioned in the ORF article, were reproduced on page 5 of the Identity Project's initial report on our research into ATS records. This was a real PNR for a real person obtained from DHS/CBP. The traveller went from the USA (SFO) to Berlin (TXL) on United Airlines. She stayed six days in Berlin. Then she went from Berlin to Prague to London on Czech Airways (IATA code "OK"). Then she stayed for another 6 days in London. Then she returned from London to SFO on United. The flights on Czech Air were entirely within the EU. They did not connect to or from flights to or from the US, or on a US airline. The PNR shows that travel agent issued a separate ticket, and a separate fare, for the Czech Air flights -- they weren't on same ticket with the United flights. But the travel agent followed standard travel agency procedures and made all the reservations for the entire journey in the same CRS, in this case Galileo (the CRS used by United). When DHS pulled the PNR, they didn't just pull the portion on United, but pulled the entire travel agency PNR, including the flights on Czech Air. This confirms that DHS had root access to Galileo, not just access through United, since United would not have been able to see the details of the Czech Air flights and ticket. Detailed questions based on this article were asked in the Austrian Parliament on 14 October 2010.]

[SF Weekly, Department of Homeland Security Sued Over Secret Traveller Files: "J. Edgar Hoover might have been proud." Follow-up: Travel writer Edward Hasbrouck sues Homeland Security over travel data.]

[My interview with the travel ("reisen") section of Zeit: "In dieser Datenbank steht, wer mit wem schlaft" ("This database is available, who is sleeping with whom"). One commenter on Twitter summed it up even better: "Du fliegst - Du bist Terrorist. Die USA weiss, mit wem du schlafst und welches Buch du liest." (You fly - You are a terrorist. The U.S. knows who you sleep with and what book you read.") The incidents involving European citizens on Paris-Mexico flights that were forbidden to overfly the US are discussed here and here.]

[SG.hu: A legiutasok szemelyes adatait koveteli a legitarsasagoktol az amerikai kormany]

[Follow-up from Futurezone @ORF.at: PNR: Massive US-Intervention im EU-Parlament. Compare what is being said to Members of the European Parliament by the US diplomats and lobbyists with my testimony to the EP in Brussels earlier this year, and the formal comments of the Identity Project to the DHS on the illegality of the ESTA scheme.]

[Further fallout in Europe, with questions being asked of the European Commissioner, again from Futurezone @ORF.at: Grundzuge des neuen PNR-Abkommens ("Daten-Wild-West verhindern")]

[BoingBoing: Travel author sues DHS to make it obey the law with its vast traveller databases]