By Joseph Cox
In a bombshell report, an oversight body for the Department of Homeland Security (DHS) found that Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones. In one instance, a CBP official also inappropriately used the technology to track the location of coworkers with no investigative purpose.
For years U.S. government agencies have been buying access to location data through commercial vendors, a practice which critics say skirts the Fourth Amendment requirement of a warrant. During that time, the agencies have typically refused to publicly explain the legal basis on which they based their purchase and use of the data. Now, the report shows that three of the main customers of commercial location data broke the law while doing so, and didn’t have any supervisory review to ensure proper use of the technology. The report also recommends that ICE stop all use of such data until it obtains the necessary approvals, a request that ICE has refused.
“It is disturbing that these agencies blithely ignored the federal law that requires serious assessment of the privacy impacts of exactly this kind of access to people’s private information. If these agencies had gone through the appropriate process before buying this sensitive data, they could have only reached one reasonable conclusion: the privacy impact is extreme,” Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), told 404 Media in a statement.
Do you know anything else about government use of location data? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.
Become a paid subscriber to 404 Media HERE.
The report is titled CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data, is dated September 28, 2023, and comes from Joseph V. Cuffari, the Inspector General for DHS. The report was originally marked as “law enforcement sensitive,” but the Inspector General has now released it publicly.
Commercial Telemetry Data, or CTD, is the internal term DHS uses to describe commercially sourced location data. In one section, the report says that a CBP employee used such data to spy on coworkers.
“The individual told the coworkers they had tracked their location using CTD,” the report reads. A complaint followed, and the report says the issue was “resolved administratively.”
On the broader legal issues, the report says the agencies did not follow the E-Government Act of 2002, which requires that agencies receive an approved Privacy Impact Assessment (PIA) before buying access to tools like this.
“This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance,” the report reads.
A screenshot of the report. Image: DHS.
Beyond that, the report also says the various parts of DHS did not have sufficient policies and procedures in place to ensure that the location data was used appropriately. CBP’s rules were interim policies and did not have complete versions, according to the report. ICE and the Secret Service meanwhile did not have any policies specifically for the data at all. That, and DHS did not have an overarching policy to govern its various components’ use of location data.
In other words, ICE, CBP, and the Secret Service all purchased access to location data, which is typically siphoned from seemingly innocuous apps on phones, often without the users’ knowledge or informed consent, while not having enough formal guardrails in place that dictated how that data could be used. That, again, does not adhere to the law.
The report later specifically says that CBP did not have a PIA which covered using location data to match an AdID—the anonymous advertising identifier that can be used to track smartphones—to a specific person, despite wanting to do exactly that. “CBP intended to analyze and correlate suspect devices against both open-source and CBP data to match the AdID to a specific person,” the report continues.
The Wall Street Journal first reported in 2020 that CBP and ICE were using commercial smartphone location data from a vendor called Venntel to investigate a variety of crimes and for border enforcement. Tech publication Protocol then reported that the Secret Service had a contract with another vendor called Babel Street.
I then reported a years-long series of stories about the U.S. government’s purchase of the data, including a more than $400,000 contract CBP had with Venntel; that the data sold to CBP was “global” in nature; and the names of specific apps that fed location data into the long supply chain which powers Venntel. I also revealed a Muslim prayer app was selling location data to a broker whose end clients included U.S. military contractors (Apple and Google booted the company, called X-Mode, from their respective app stores in response).
“The individual told the coworkers they had tracked their location using CTD.”
I also reported that CBP refused to tell Congress what legal authority it was following to use American’s location data without a warrant.
Now we know that, at minimum, the agencies had not taken the legally mandated steps to ensure the technology was being used appropriately.
“Without a [Privacy Impact Assessment] PIA, CBP, ICE, and Secret Service may not have identified and mitigated the privacy risks associated with CTD use,” the report reads.
Last month, I reported that CBP has decided to no longer use commercially sourced location data. Notably, the report from the Inspector General recommends that CBP discontinue the use of CTD until related PIAs are approved. A response from CBP included in the report says it did not intend on renewing the contracts anyway.
The report also recommends that ICE stop using such data until it obtains the necessary approvals. But ICE’s response is that it will continue to deploy commercially sourced location data. “CTD is an important mission contributor to the ICE investigative process as, in combination with other information and investigative methods, it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden. Accordingly, continued use of CTD enables ICE HSI to successfully accomplish its law enforcement mission,” ICE’s response reads. It adds that ICE is currently working to finalize its “Geolocation Services PIA.”
The new report says that the Secret Service also stopped its use of such data in FY 2021, but continued to purchase the technology.
CBP, ICE, and the Secret Service did not immediately respond to requests for comment.
Update: This piece has been updated to include comment from the ACLU.
Source: 404 Media
Joseph Cox is focused on generating impact. His work has triggered hundreds of millions of dollars worth of fines, stopped companies selling location data linked to abortion clinics, and much more.
Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE
Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Flote, Minds, MeWe, Twitter, Gab, and What Really Happened.
Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.
Be the first to comment on "ICE, CBP, Secret Service All Illegally Used Smartphone Location Data"