Customs and Border Protection (CBP) has told Sen. Ron Wyden that it plans to stop using commercially sourced smartphone location data at the end of this month, Wyden’s office told 404 Media.
For years CBP, like many other U.S. law enforcement agencies, has bought access to location data harvested from smartphones, which one former location data company worker previously told me is useful for tracking “herds of people.” Another previously said it can be used to monitor specific targets too. Since the agencies paid a commercial vendor for the data, the agencies have generally not acquired a warrant or other court order to obtain the information; a move that critics say skirts the Fourth Amendment.
CBP told 404 Media it determined the agency does not have a current need to buy more access to such data. Lawmakers and campaigners who have pushed back against CBP and other agencies’ purchase of location data are welcoming the news, while demanding more protections against data use in the future.
“While it is good news that CBP is ending its purchase of Americans' location information, it's troubling that the agency still hasn't released the Trump-era DHS legal memo that provided CBP with the authority to engage in such warrantless surveillance in the first place,” Wyden told 404 Media in a statement.
Wyden’s office shared what CBP told its staff. That included “CBP will not be utilizing Commercial Telemetry Data (CTD) after the conclusion of FY23 (September 30, 2023).” CTD is the term CBP has used when I’ve previously asked the agency about its purchase of location data. In one case, I found CBP paid $476,000 to a location data firm called Venntel in August 2020. At the time, a CBP spokesperson told me that “Consistent with its border security and law enforcement authorities, CBP has acquired limited access to commercial telemetry data through the procurement of a limited number of licenses to a vendor provided interface.” I also reported that the location data CBP bought access to was “global” in scope.
In its recent message to Wyden’s office, CBP added that if the agency “identifies a critical mission need to re-acquire a vendor who provides CTD, we would ensure CBP would engage Oversight, Legal, and Privacy entities at the agency and department level.”
Over the past several years, multiple journalists and Senator Wyden’s office have investigated U.S. law enforcement, intelligence, and military agencies’ purchase of location data. The supply chain of that data often starts with software development kits (SDKs), small bundles of code that a location data firm will pay app developers to place inside their otherwise ordinary apps. Venntel, for example, obtained peoples’ locations using navigation and weather apps “Sygic GPS Navigation & Offline Maps” and “Fu*** Weather (Funny Weather),” I reported with Norwegian media organization NRK.
These SDKs then record where each phone with an installed app is at any point in time, and transfer that information to the location data vendor. Companies may also obtain location information through the real-time bidding process that is part of online advertising, where companies bid for the ability to serve ads to specific target demographics. A side effect of this process can be the acquisition of location data by these firms.
The vendor may then sell that data to clients such as hedge funds, real estate investors, or law enforcement. Other companies that cater more specifically to government agencies sometimes enrich the data with greater analytics and wrap it in a software product that makes it easier to zoom in on specific targets or areas of interest.
Two people who have worked with Venntel previously explained some of the product’s capabilities to me. They include being able to search for which devices were in a particular place at a specific time, or selecting a unique identifier for a target device and then seeing a history of where that individual phone, and potentially by extension a specific person, has been.
“If you search a certain house, you're only going to get three or four different signals out of there. I think from that standpoint, you could definitely try and identify specific people,” the first person previously told me. “I think that was part of the goal in using it for government customers and things like that, is that you're able to identify devices, and then you can do device searches to see where else they might have been.” Agencies have not necessarily been successful at tracking individual targets with such data. Senator Wyden’s office previously found that the criminal investigation unit of the IRS tried and failed to track criminal suspects in a year-long Venntel contract.
With that in mind, the second person who has worked with Venntel told me that the company’s data is more useful for tracking “herds of people.” The Wall Street Journal previously reported that some U.S. agencies have used Venntel’s data to identify border crossings and then arrest people.
A CBP spokesperson told 404 Media in a statement that “The Department of Homeland Security is committed to protecting individuals’ privacy, civil rights, and civil liberties. DHS, including CBP, uses various forms of technology in furtherance of its mission, including tools to support investigations related to, among other things, illegal trafficking on the dark web, cross-border transnational crime, and terrorism. DHS leverages this technology in ways that are consistent with its authorities and the law. Following an evaluation of the use of CTD technology, CBP plans to discontinue its contract utilizing CTD after the conclusion of Fiscal Year 2023.” CBP said it started to evaluate CTD in 2018.
Julie Mao, deputy director of Just Futures Law, which has campaigned against U.S. immigration authorities’ purchase and use of certain data, told 404 Media in a statement that “We welcome CBP’s announcement that it will stop surveilling people using this type of location data. But given the long history of abuse and misconduct by CBP, we’re waiting to see what actions the agency will actually take. We call on CBP to be transparent about what, if any, contracts it plans to cancel with the tech companies selling this data. We also urge CBP to reconsider its deployment of other invasive surveillance technologies that jeopardize the privacy and civil rights of communities at the border and far into the US.”
Senator Wyden has previously introduced The Fourth Amendment is Not for Sale Act, written partly in response to my investigations, which would stop agencies from purchasing location and other types of data without a warrant.
Senator Wyden’s statement to 404 Media added that “Americans need real, enforceable protections against the government tracking our movements and buying our personal data. That's why it is essential for Congress to stop the government from buying its way around the Fourth Amendment when we take up surveillance reform later this year.”
Update 09/14/2023: This piece has been updated to include a statement and more information from CBP.