- DHS officials were reassigned after opposing a plan to restrict public access to privacy records.
- Privacy Threshold Analyses provide the earliest official descriptions of government surveillance and data tools.
- The shift could hide how biometrics and facial recognition are used in immigration screening.
(UNITED STATES) — The U.S. Department of Homeland Security reassigned multiple Customs and Border Protection officials after they objected to efforts to classify Privacy Threshold Analyses as exempt from disclosure under the Freedom of Information Act, a shift that could narrow public access to early privacy details about immigration screening and surveillance tools.
The internal dispute centers on whether DHS and CBP can treat Privacy Threshold Analyses, known as PTAs, as “draft” and “pre-decisional” records that agencies can withhold, even when the documents have historically surfaced as part of routine transparency practices tied to privacy compliance.
PTAs function as a gateway document inside DHS: an internal questionnaire that helps determine whether a new system or program handling personally identifiable information triggers a more extensive review, including a Privacy Impact Assessment, or PIA. That makes the fight over PTA disclosure a practical issue for immigrants, visa holders, green card applicants, international students, and U.S. citizens who face screening at ports of entry or in other DHS interactions.
Privacy paperwork can sound remote, but PTAs can contain some of the earliest official descriptions of what a government tool does, what data it collects, how long it keeps that data, and whether U.S. citizens or lawful permanent residents appear in the dataset. In the immigration context, those details can shape how the public learns about biometric collection, automated screening, and cross-system data sharing before technologies become widely deployed.
DHS describes a PTA as an internal questionnaire used to identify whether a system, technology, program, or information collection involving personally identifiable information needs a fuller privacy review, such as a PIA or other compliance steps. The framework connects to expectations for privacy review under the E-Government Act of 2002, which informs how agencies document and disclose privacy impacts for certain federal information systems.
Because PTAs come early in a project’s life, they can provide a first paper trail that a program exists at all, what categories of information it touches, and whether DHS flagged privacy risks that demanded deeper scrutiny. When those documents become harder to obtain, oversight groups, lawyers, journalists, and affected communities can lose an early window into what DHS and CBP built and why.
Internal DHS emails described a “major change” requiring future PTAs to include language labeling them as “draft,” “pre-decisional,” and exempt from public release under FOIA. DHS denied adopting a policy that made PTAs categorically exempt from FOIA, but the internal communications pointed to a broader restriction than the public posture suggested.
The controversy also revived attention on what PTAs can reveal in immigration-facing systems. One PTA helped surface details about Mobile Fortify, a facial-recognition app tied to DHS operations. The record indicated the app could capture faces and fingerprints without consent and that images could be retained for up to 15 years, including images involving U.S. citizens and lawful permanent residents.
Mobile tools like that have direct relevance for travelers arriving in the United States, foreign nationals encountering immigration officers, and people caught in identity checks. When DHS limits visibility into privacy compliance records, the public can face a higher bar to understand where tools operate, what safeguards exist, and how long sensitive identifiers remain in government systems.
The push to treat PTAs as protected drafts also marks a departure from how the documents have appeared in practice at CBP. CBP has publicly posted PTAs in the past, including records related to its own systems, signaling that at least some PTAs functioned as ordinary agency records rather than internal legal drafts.
A CBP webpage for PTAs remained publicly indexed, and CBP materials linked through its FOIA records section include privacy documentation for agency tools and programs. That history has become part of the tension: if PTAs were once posted and shared as routine records, critics argue that reclassifying them as broadly exempt can reduce outside review of new programs that shape immigration screening and border operations.
The effect of that shift extends beyond document access fights. DHS and CBP increasingly rely on technology-heavy processes across ports of entry, traveler verification systems, mobile apps, and facial-recognition workflows. As those systems grow, early-stage privacy documentation can become one of the few ways the public learns what information DHS collects, whether it shares data across systems, and what guardrails it claimed to apply.
Reduced visibility also matters because many DHS tools are not confined to one narrow mission. Border screening and immigration enforcement often involve biometric identifiers and other personal information that can move across databases, watchlisting processes, and risk-scoring tools.
TECS and the Automated Targeting System, or ATS, were described as ecosystems used for screening and border risk scoring on citizens and non-citizens, with TECS containing travel, banking, and social media data. In that kind of architecture, a seemingly small change in data intake, retention, or sharing can ripple outward, affecting later encounters with immigration officials and how records appear in future adjudications.
PTAs can help flag such shifts early, before a program becomes widely deployed. A PTA can point to new categories of data collection, outline potential sharing relationships, and identify whether a tool touches U.S. citizens or lawful residents, details that can be central to public accountability when a program expands.
The dispute over PTAs has also drawn attention to other DHS practices, including data collection tied to commercial telemetry and location-related identifiers. CBP pilots explored AdIDs for location tracking tied to the DHS Intelligence Records System, and oversight attention focused on whether required PIAs accompanied those efforts.
A 2023 DHS Inspector General audit found CBP, Immigration and Customs Enforcement, and the Secret Service procured commercial telemetry data without required PIAs, and the audit found DHS lacked department-wide policies. Such audits can surface compliance gaps that the public might not see when foundational documents like PTAs become harder to access through FOIA.
DHS growth in artificial intelligence use cases has also drawn scrutiny over whether the agency’s expanding inventory of AI-supported tools keeps pace with required safeguards. DHS AI use cases rose 37% since July 2025, driven by ICE, and that trend was tied to compliance and safeguards questions that privacy reviews are designed to address.
House Democrats, led by Rep. Shontel Brown (D-OH), criticized warrantless location surveillance that they said could reveal home, work, and worship sites. While the PTA dispute sits inside DHS, the broader focus reflects a persistent oversight issue: as enforcement technology expands, transparency over what data enters government systems and how it is used becomes harder to maintain without routine access to the earliest privacy documentation.
Another point of scrutiny involved CBP’s proposed data collection expansion for Visa Waiver Program travelers through the Electronic System for Travel Authorization, or ESTA. CBP seeks information spanning years of social media and phone or email history, as well as biometrics including selfies, DNA, and iris scans from Visa Waiver Program travelers.
Coalitions including the Software & Information Industry Association urged PIAs, retention clarity, and voluntary pilots, and cited $15.7 billion tourism losses. These concerns were framed around both privacy compliance and the broader risk that expanded data demands could chill travel and tourism.
Other DHS actions involved administrative subpoenas and criticism that the practice can chill speech. ICE issued hundreds of administrative subpoenas for personal data, including names, emails, and phone numbers, from social media critics.
One case against “Jon Doe” for emailing DHS was quashed February 2026 by a court for First Amendment violations, according to Stephen A. Loney, senior supervising attorney at ACLU-PA. Greg Nojeim of the Center for Democracy & Technology called them “dangerous” for chilling speech.
For immigrants and noncitizens, the practical relevance of these tools and policies often emerges at moments of entry, re-entry, and screening. H-1B holders, international students, green card applicants, and families traveling in and out of the United States can face biometric capture, questioning, or secondary inspection, while their records may travel through systems that share data across different DHS components.
No direct change to immigration status rules was described as tied to the PTA dispute. Instead, the issue was framed as one of transparency and accountability: oversight structures influence whether people can learn what data the government collected about them, how long it retained that data, and whether errors can be identified and corrected.
Retention periods and data-sharing also matter beyond a single border encounter. When personal identifiers and travel-linked records persist and move across screening systems, they can shape future visa processing, security checks, and the consistency of an individual’s record across interactions with DHS.
The legal scaffolding behind the dispute runs through FOIA and the question of what counts as an agency record subject to disclosure. Claims that a document is “draft” or “pre-decisional” can matter because they can support withholding under FOIA, limiting public access to internal deliberations and early documentation.
At DHS, PTAs sit alongside PIAs as part of privacy oversight expectations, including those informed by the E-Government Act of 2002. In practice, a PTA can determine whether a PIA is required, making the availability of PTAs relevant to whether the public can track, from the start, what privacy reviews a system triggered and what DHS considered before deployment.
Watchdog pressure can come from multiple directions, including Inspector General audits, litigation, and FOIA requests that pull internal records into public view. The current PTA fight was tied to that broader ecosystem, where document access can determine whether the public learns about new surveillance capabilities early or only after they shape real-world immigration screening.
Inspector General Joseph Cuffari initiated a February 2026 audit on DHS data collection, management, and sharing. Such audits can become a focal point for whether DHS components followed required privacy review steps, particularly when new datasets, identifiers, or automated tools enter immigration enforcement workflows.
The next developments to watch include whether DHS or CBP clarifies its disclosure posture toward PTAs and how FOIA offices handle requests for those documents. Another focal point involves outcomes from Inspector General work tied to commercial data, data-sharing, and privacy documentation requirements that can include PIAs and other compliance steps.
Rulemaking and public comment processes also remain central to how far DHS and CBP seek to expand traveler data collection. Public comments on CBP’s ESTA rule closed February 2026, keeping attention on whether DHS clarifies retention practices, privacy safeguards, and the scope of information sought from travelers.
As DHS, CBP, and other components expand biometrics, automated screening, and data-sharing systems, the internal fight over Privacy Threshold Analyses has become a proxy for a broader question: whether the public can see early evidence of what the government builds before those tools shape immigration screening in routine, difficult-to-challenge ways.
