EPIC logo

EPIC v. Department of Homeland Security, et al.

Requests for Information About Passenger Data Collection

Latest News | Background Information | Procedural History| Legal Documents | FOIA Documents | Previous Top News

Latest News

Background Information

In September 2003, JetBlue Airways confirmed that it had provided 5 million passenger itineraries, without the passengers' consent, to defense contractor Torch Concepts to test the feasibility of an Army data mining project. Torch Concepts added to the JetBlue data information it purchased from Acxiom, a large consumer research company. This information included passengers' Social Security numbers, occupations, income, gender, home ownership, car ownership, and the number of adults and children living in the passengers' households.  

On February 20, 2004, the Department of Homeland Security (DHS) Privacy Office released a report (pdf) on the JetBlue disclosure which said that in 2002 officials of Torch Concepts met with Transportation Security Administration (TSA) officials. After this meeting, a TSA employee sent JetBlue a written request asking the airline to provide passenger data to the Defense Department for use in the Torch Concepts study. The report found that TSA employees involved "acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974," but that no violation of the law had occurred.

In April 2004, American Airlines' parent corporation issued a press release admitting that an American Airlines vender had turned over passenger travel data to four research companies vying for contracts with TSA.

In April 2004, EPIC received documents from the National Aeronautics and Space Administration (NASA) in response to a FOIA request. One document (pdf) stated that Northwest Airlines "gave the FBI one year's [passenger] data on 6000 CDs." 

To learn the extent of the government's passenger data collection scheme, and to determine whether passenger data might have been collected for purposes of developing the controversial second-generation Computer Assisted Passenger Prescreening System (CAPPS II), EPIC ultimately sent four expedited Freedom of Information Act requests to TSA and the Federal Bureau of Investigation (FBI) seeking information on passenger data disclosure from any airline since September 11, 2001, as well as records relating to Acxiom, Torch Concepts, and SRS Technologies (the primary contractor in the Defense Department project). 

Procedural History

September 22, 2003, FOIA Request to TSA

EPIC's first FOIA request (pdf) to TSA about passenger profiling was sent on September 22, 2003. In the request, EPIC asked for information relating to JetBlue, Acxiom, Torch Concepts, and SRS Technologies. After conferring with TSA, EPIC agreed to limit the request to records from September 2002 to the present time. TSA granted expedited processing of the request on September 30, 2003.

In February 2004, in a series of three "interim responses," TSA informed EPIC that it had identified four relevant documents totaling 138 pages that had been withheld in full under exemptions to the FOIA. TSA also released to EPIC three e-mails and a 23-page presentation named "Homeland Security Airline Passenger Risk Assessment." On February 24, 2004, EPIC appealed TSA's first two interim responses stating the agency had improperly withheld material responsive to EPIC's request and had not conducted an adequate search for responsive material.  On April 26, 2004, TSA responded to the appeal, but did not release any additional information.

April 2, 2004, FOIA Request to TSA

The DHS Privacy Office's report (pdf) on the JetBlue transfer revealed that passenger data collection had begun prior to September 2002, the cut-off date from EPIC's first FOIA request.  On April 2, 2004, EPIC filed a second FOIA request (pdf) with TSA seeking information dated from September 2001 to September 2002 that related to JetBlue, Acxiom, Torch Concepts, and SRS Technologies. TSA granted expedited processing of the request on April 16, 2004, but had not released any information or issued a determination on the request prior to EPIC filing suit.

April 12, 2004, FOIA Request to TSA

After American Airlines released its press release admitting the disclosure of passenger data to research companies working for TSA, EPIC filed a third FOIA request (pdf) with TSA seeking information on this disclosure.  On April 15, 2004, TSA granted expedited processing of this request. On May 19, 2004, EPIC was informed that, at the request of the DHS, EPIC's FOIA request was forwarded to that agency for response. No information had been released nor had a determination on the request been issued by DHS prior to EPIC filing suit.

May 6, 2004, FOIA Request to FBI

On May 6, 2004, EPIC filed a FOIA request (pdf) with the FBI seeking "any records concerning, involving, or related to the FBI's acquisition of passenger data from any airline since September 11, 2001." EPIC also informed the agency that it had sent three FOIA requests to the TSA seeking similar information and that TSA had granted EPIC's request for expedited processing. On May 19, 2004, the FBI denied EPIC's request for expedited processing.

EPIC's Complaint for Injunctive Relief and Motion for Preliminary Injunction

On June 9, 2004, EPIC filed a complaint (pdf) with the United States District Court for the District of Columbia to force DHS, TSA, and the FBI to comply with FOIA and release all materials responsive to EPIC's four FOIA requests in an expedited manner. EPIC also filed a motion for an emergency order (pdf) to compel the FBI to grant expedited processing. The FBI reevaluated EPIC's request and soon thereafter granted (pdf) expedited processing, which effectively mooted out EPIC's motion.

The agencies answered (pdf) EPIC's complaint on July 9, 2004, and admitted they had not finalized the processing of EPIC's four FOIA requests. They stated that the relevant offices would coordinate the final responses to EPIC's requests. The agencies also denied that they had wrongfully withheld records EPIC had requested.

On January 19, 2005, the agencies moved for summary judgment, arguing (pdf) that they had "conducted a thorough search and released all responsive, non-exempt documents" to EPIC. DHS and TSA released a "Vaughn index"(pdf), a document which listed the documents responsive to EPIC's request and explained why exemptions were used to withhold some material. The index and an accompanying declaration (pdf) from the DHS Privacy Office described more than 80 documents that had been withheld in full by TSA and DHS.  The FBI also filed a declaration (pdf) detailing its search and the documents the FBI withheld from EPIC. This declaration revealed that the FBI obtained 257.5 million Passenger Name Records following 9/11, and that the Bureau has permanently incorporated the travel details of tens of millions of innocent people into its law enforcement databases.

EPIC agreed not to challenge exemptions claimed by the FBI in its decision to withhold certain records. EPIC also decided not to challenge TSA and DHS's withholdings under certain exemptions to FOIA which protect the agencies' internal rules and practices, privileged commercial information, information protected by attorney client privilege, or information when disclosure would interfere with ongoing law enforcement investigations.  EPIC did challenge TSA and DHS's broad use of FOIA exemptions to protect "sensitive security information," personal privacy and the agencies' deliberative processes.

On February 22, 2005, EPIC opposed (pdf) the agencies' motion. EPIC asked the court to direct the FBI to conduct an adequate search for records responsive to EPIC's request. EPIC also asked the court to review each of the documents which TSA and DHS had withheld from EPIC and to determine whether they should be released to the public.

The District Court Decision

On July 25, 2005, the U.S. District Court for the District of Columbia issued its opinion (pdf) in the case. The court denied the agencies' Motion for Summary Judgment in respect to certain documents withheld by TSA and DHS.  

The court determined that the FBI had conducted an adequate search for documents, and that DHS and TSA properly withheld some information under the FOIA. However, the court found that the agencies did not provide enough justification for numerous withholdings.

The court found that DHS may not withhold a document sought by the public simply by describing it as "sensitive security information" or "part of the deliberative process." Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court found that the DHS and TSA's descriptions of certain withheld documents were insufficient.

The court also determined that while agency employees have a privacy interest in their identities, the agencies did not provide enough information for the court to decide whether business and agency identifiers and domain names were properly redacted to protect personal privacy. 

The court has ordered TSA and DHS to provide more detailed justification for numerous withholdings.

Legal Documents

Selected FOIA Documents

Previous Top News

EPIC Open Government Page | EPIC Passenger Profiling Page | EPIC Home Page

Last Updated: July 28, 2005
Page URL: http://www.epic.org/privacy/airtravel/passengerdata/default.html