"There is an ability in theory for government to cast a wider net," he said. "The reality of it is customs is barely able to manage the data they have."
The data-mining program stemmed from an effort in the early 1990s by customs officials to begin assessing the risk of cargo originating in certain countries and from certain shippers. Risk assessment turned more heavily to automated, computer-driven systems after the 2001 attacks.
The risk assessment is created by analysts at the National Targeting Center, a high-tech facility opened in November 2001 and now run by Customs and Border Protection.
In a round-the-clock operation, targeters match names against terrorist watch lists and a host of other data to determine whether a person's background or behavior indicates a terrorist threat, a risk to border security or the potential for illegal activity. They also assess cargo.
Each traveler assessed by the center is assigned a numeric score: The higher the score, the higher the risk. A certain number of points send the traveler back for a full interview.
The Automated Targeting System relies on government databases that include law enforcement data, shipping manifests, travel itineraries and airline passenger data, such as names, addresses, credit card details and phone numbers.
The parent program, Treasury Enforcement Communications System, houses "every possible type of information from a variety of federal, state and local sources," according to a 2001 Federal Register notice.
It includes arrest records, physical descriptions and "wanted" notices. The 5.3 billion-record database was accessed 766 million times a day to process 475 million travelers, according to a 2003 Transportation Research Board study.
In yesterday's Federal Register notice, Homeland Security said it will keep people's risk profiles for up to 40 years "to cover the potentially active lifespan of individuals associated with terrorism or other criminal activities," and because "the risk assessment for individuals who are deemed low risk will be relevant if their risk profile changes in the future, for example, if terrorist associations are identified."
DHS will keep a "pointer or reference" to the underlying records that resulted in the profile.
The DHS notice specified that the Automated Targeting System does not call for any new means of collecting information but rather for the use of existing systems. The notice did not spell out what will determine whether someone is high risk.
But documents and former officials say the system relies on hundreds of "rules" to factor a score for each individual, vehicle or piece of cargo.
According to yesterday's notice, the program is exempt from certain requirements of the Privacy Act of 1974 that allow, for instance, people to access records to determine "if the system contains a record pertaining to a particular individual" and "for the purpose of contesting the content of the record."