In a bombshell report, an oversight body for the Department of Homeland Security (DHS) found that Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones. In one instance, a CBP official also inappropriately used the technology to track the location of coworkers with no investigative purpose.
For years U.S. government agencies have been buying access to location data through commercial vendors, a practice which critics say skirts the Fourth Amendment requirement of a warrant. During that time, the agencies have typically refused to publicly explain the legal basis on which they based their purchase and use of the data. Now, the report shows that three of the main customers of commercial location data broke the law while doing so, and didn’t have any supervisory review to ensure proper use of the technology. The report also recommends that ICE stop all use of such data until it obtains the necessary approvals, a request that ICE has refused.
“It is disturbing that these agencies blithely ignored the federal law that requires serious assessment of the privacy impacts of exactly this kind of access to people’s private information. If these agencies had gone through the appropriate process before buying this sensitive data, they could have only reached one reasonable conclusion: the privacy impact is extreme," Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), told 404 Media in a statement.
The report is titled CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data, is dated September 28, 2023, and comes from Joseph V. Cuffari, the Inspector General for DHS. The report was originally marked as “law enforcement sensitive,” but the Inspector General has now released it publicly.
Commercial Telemetry Data, or CTD, is the internal term DHS uses to describe commercially sourced location data. In one section, the report says that a CBP employee used such data to spy on coworkers.
“The individual told the coworkers they had tracked their location using CTD,” the report reads. A complaint followed, and the report says the issue was “resolved administratively.”
On the broader legal issues, the report says the agencies did not follow the E-Government Act of 2002, which requires that agencies receive an approved Privacy Impact Assessment (PIA) before buying access to tools like this.
“This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance,” the report reads.
Beyond that, the report also says the various parts of DHS did not have sufficient policies and procedures in place to ensure that the location data was used appropriately. CBP’s rules were interim policies and did not have complete versions, according to the report. ICE and the Secret Service meanwhile did not have any policies specifically for the data at all. That, and DHS did not have an overarching policy to govern its various components’ use of location data.
In other words, ICE, CBP, and the Secret Service all purchased access to location data, which is typically siphoned from seemingly innocuous apps on phones, often without the users’ knowledge or informed consent, while not having enough formal guardrails in place that dictated how that data could be used. That, again, does not adhere to the law.
“The report makes it clear that DHS agencies have been playing it fast and loose with their acquisition of Americans’ location data. Congress needs to explicitly bar law enforcement and intelligence agencies from purchasing data from private companies that they would have otherwise needed a warrant to acquire,” Josh Richman, a spokesperson for activist organization the Electronic Frontier Foundation, told 404 Media in a statement. The Fourth Amendment is Not for Sale Act, which passed the House Judiciary Committee in July, would address that loophole. The proposed piece of legislation was written in direct response to some of my reporting on the location data industry.
The report later specifically says that CBP did not have a PIA which covered using location data to match an AdID—the anonymous advertising identifier that can be used to track smartphones—to a specific person, despite wanting to do exactly that. “CBP intended to analyze and correlate suspect devices against both open-source and CBP data to match the AdID to a specific person,” the report continues.
The Wall Street Journal first reported in 2020 that CBP and ICE were using commercial smartphone location data from a vendor called Venntel to investigate a variety of crimes and for border enforcement. Tech publication Protocol then reported that the Secret Service had a contract with another vendor called Babel Street.
I then reported a years-long series of stories about the U.S. government’s purchase of the data, including a more than $400,000 contract CBP had with Venntel; that the data sold to CBP was “global” in nature; and the names of specific apps that fed location data into the long supply chain which powers Venntel. I also revealed a Muslim prayer app was selling location data to a broker whose end clients included U.S. military contractors (Apple and Google booted the company, called X-Mode, from their respective app stores in response).
“The individual told the coworkers they had tracked their location using CTD.”
I also reported that CBP refused to tell Congress what legal authority it was following to use American’s location data without a warrant.
Now we know that, at minimum, the agencies had not taken the legally mandated steps to ensure the technology was being used appropriately.
“Without a [Privacy Impact Assessment] PIA, CBP, ICE, and Secret Service may not have identified and mitigated the privacy risks associated with CTD use,” the report reads.
Last month, I reported that CBP has decided to no longer use commercially sourced location data. Notably, the report from the Inspector General recommends that CBP discontinue the use of CTD until related PIAs are approved. A response from CBP included in the report says it did not intend on renewing the contracts anyway.
The report also recommends that ICE stop using such data until it obtains the necessary approvals. But ICE’s response is that it will continue to deploy commercially sourced location data. “CTD is an important mission contributor to the ICE investigative process as, in combination with other information and investigative methods, it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden. Accordingly, continued use of CTD enables ICE HSI to successfully accomplish its law enforcement mission,” ICE’s response reads. It adds that ICE is currently working to finalize its “Geolocation Services PIA.”
The new report says that the Secret Service also stopped its use of such data in FY 2021, but continued to purchase the technology.
A CBP spokesperson told 404 Media in a statement that “CBP is committed to protecting all individuals’ privacy, civil rights, and civil liberties.” The spokesperson also reiterated that CBP has discontinued access to the location data.
ICE and the Secret Service did not respond to requests for comment.
“The Inspector General has confirmed that the Department of Homeland Security violated federal law by purchasing Americans' location data without conducting a privacy review. This outrageous violation of Americans' privacy should have never been approved by the Trump Administration, and it should not have taken nearly three years for the Biden Administration to shut it down,” Senator Ron Wyden told 404 Media in a statement. “Congress must pass legislation like my Fourth Amendment is Not for Sale Act to stop the government from bypassing the Fourth Amendment by buying Americans' personal data.”
Update: This piece has been updated to include comment from the ACLU, the EFF, Senator Ron Wyden, and CBP.