In a bombshell report, an oversight body for the Department of Homeland Security (DHS) found that Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones. In one instance, a CBP official also inappropriately used the technology to track the location of coworkers with no investigative purpose.
For years U.S. government agencies have been buying access to location data through commercial vendors, a practice which critics say skirts the Fourth Amendment requirement of a warrant. During that time, the agencies have typically refused to publicly explain the legal basis on which they based their purchase and use of the data. Now, the report shows that three of the main customers of commercial location data broke the law while doing so, and didn’t have any supervisory review to ensure proper use of the technology. The report also recommends that ICE stop all use of such data until it obtains the necessary approvals, a request that ICE has refused.
“It is disturbing that these agencies blithely ignored the federal law that requires serious assessment of the privacy impacts of exactly this kind of access to people’s private information. If these agencies had gone through the appropriate process before buying this sensitive data, they could have only reached one reasonable conclusion: the privacy impact is extreme,” Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), told 404 Media in a statement.
The report is titled CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data, is dated September 28, 2023, and comes from Joseph V. Cuffari, the Inspector General for DHS. The report was originally marked as “law enforcement sensitive,” but the Inspector General has now released it publicly.
Commercial Telemetry Data, or CTD, is the internal term DHS uses to describe commercially sourced location data. In one section, the report says that a CBP employee used such data to spy on coworkers.
“The individual told the coworkers they had tracked their location using CTD,” the report reads. A complaint followed, and the report says the issue was “resolved administratively.”
On the broader legal issues, the report says the agencies did not follow the E-Government Act of 2002, which requires that agencies receive an approved Privacy Impact Assessment (PIA) before buying access to tools like this.
“This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance,” the report reads.
A screenshot of the report. Image: DHS.
Beyond that, the report also says the various parts of DHS did not have sufficient policies and procedures in place to ensure that the location data was used appropriately. CBP’s rules were interim policies and did not have complete versions, according to the report. ICE and the Secret Service meanwhile did not have any policies specifically for the data at all. That, and DHS did not have an overarching policy to govern its various components’ use of location data.
In other words, ICE, CBP, and the Secret Service all purchased access to location data, which is typically siphoned from seemingly innocuous apps on phones, often without the users’ knowledge or informed consent, while not having enough formal guardrails in place that dictated how that data could be used. That, again, does not adhere to the law.
The report later specifically says that CBP did not have a PIA which covered using location data to match an AdID—the anonymous advertising identifier that can be used to track smartphones—to a specific person, despite wanting to do exactly that. “CBP intended to analyze and correlate suspect devices against both open-source and CBP data to match the AdID to a specific person,” the report continues.
The Wall Street Journal first reported in 2020 that CBP and ICE were using commercial smartphone location data from a vendor called Venntel to investigate a variety of crimes and for border enforcement. Tech publication Protocol then reported that the Secret Service had a contract with another vendor called Babel Street.
Full article: ICE, CBP, secret service all illegally used smartphone location data