The Department of Homeland Security is purchasing consumer cellphone data that allows authorities to track immigrants trying to cross the southern border, which privacy advocates say could lead to a vast “surveillance partnership” between the government and private corporations.
In an internal memo obtained by BuzzFeed News, the DHS’s top attorney, Chad Mizelle, outlined how ICE officials can look up locations and track cellphone data activity to make decisions on enforcement.
Mizelle also believes the agency can use the data without obtaining a warrant or violating the Fourth Amendment, which protects the public against unreasonable searches and seizures. That logic could lay the groundwork for the government to use the same data to track everyday Americans, raising red flags among privacy advocates.
“This raises concerns about dragnet collection of Americans’ highly private location information that reveal where we sleep at night, where we go to the doctor, who we spend time with, and every other aspect of our lives,” said Nathan Freed Wessler, an attorney with the ACLU who specializes in privacy issues. “Police should be going to judges to get location information from these commercial entities.”
The memo offers a window into the use of new forms of technology to help ICE and Customs and Border Protection advance their enforcement aims at the border and beyond. But the use of the data has long been controversial, and its deployment within DHS has caused alarm.
Adam Schwartz, a senior staff attorney for the Electronic Frontier Foundation, told BuzzFeed News the memo is “deeply disturbing.”
“It’s essentially a secret effort by members of the government to justify the construction of this terrible surveillance partnership between the government and these corporations,” he said.
When DHS buys geolocation data, investigators only know that phones and devices visited certain places — meaning, they don’t automatically know the identities of people who visited those locations. Investigators have to match a person’s visited locations with, say, property records and other data sets in order to determine who a person is. But this also means that, technically, moment-by-moment location tracking could happen to anyone, not just people under investigation by DHS. In particular, lawyers, activists, nonprofit workers, and other essential workers could get swept up into investigations that start with geolocation data.
DHS officials said they do not comment on alleged leaked documents.
The agency is aware of potential legal vulnerabilities under the Fourth Amendment. Mizelle states in his memo that there are ways for CBP and ICE to “minimize the risk” of possible constitutional violations, pointing out that they could limit their searches to defined periods, require supervisors to sign off on lengthy searches, only use the data when more “traditional” techniques fail, and limit the tracking of one device to when there is “individualized suspicion” or relevance to a “law enforcement investigation.”
CBP has so far refused to explain this legal argument to Congress, despite the fact that senators such as Democrat Ron Wyden have demanded the information.
A CBP spokesperson said in a statement that the agency “has acquired limited access to commercial telemetry data through the procurement of a limited number of licenses to a vendor provided interface.”
The spokesperson said the access to the information “does not include cellular phone tower data, is not ingested in bulk, and does not include the individual user’s identity. Rather, CBP officers, agents, and analysts are provided with access to the vendor’s interface on a case-by-case basis, and are only able to view a limited sample of anonymized data consistent with existing border security or law enforcement operations.”
The official added that the data is used “in furtherance of CBP’s responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy, and privacy requirements.”
The Wall Street Journal previously reported on the DHS’s purchase of the data for ICE and CBP. Federal spending databases show that ICE and CBP have bought licenses from Venntel, a company that collects and sells mobile device data. In 2019, DHS bought more than $1 million worth of software, which included Venntel licenses for CBP’s Targeting and Analysis Systems Program Directorate. TASPD is an intelligence-focused CBP program that involves monitoring certain individuals and cargo. Separately, this year CBP bought $475,944 worth of software, which also included Venntel licenses.
The House Committee on Oversight and Reform is currently investigating Venntel for selling data to government agencies.
Venntel did not respond to multiple requests for comment.
The document says that ICE and CBP purchased people’s mobile data from a data broker, although the document does not identify which one. All of the data is stored in an indexed, searchable database accessible through a “web portal.”
ICE and CBP buy advertising identifier data, or “AdID,” which typically includes information about where a person is located, what device they’re using, what language they use, which websites they’re visiting, and which websites they buy things from. All of this information isn’t linked to a person’s name, but to a randomly generated string of characters.
Both Apple and Android phones require app developers who are engaging in targeted advertising to assign people individualized AdIDs. People have to go into their phone settings in order to restrict advertisers’ access to their AdIDs.
The document states that the DHS purchased AdID data that is anonymized and only shows “timestamped signal location(s) within a specific time period” — or where one device has been, and when. This in and of itself doesn’t tell ICE and CBP who a person is. But the document notes that it’s possible to “combine” the data “with other information and analysis to identify an individual user.”
In other words, the DHS agencies can cross-reference where a device has been with property ownership records. This way, officers can find a person’s identity based on the location of their home.
The geolocation data associated with a person’s AdID is extremely sensitive. In the document’s own words, it can be used “to track the movements of a mobile device over an extended period of time.” Officers with this data can see where a person lives, their commute to work, which friends they visit, any religious locations they might frequent, and which protests they attend.
Privacy experts have argued that geolocation data is inherently identifiable and impossible to be truly anonymous, even if it’s linked to a string of numbers rather than a person’s name.
“This description puts the lie to the assertion of some of these companies that all they are gathering is anonymized information about phone users,” said Wessler, the ACLU privacy expert. “This agency is contemplating using this data to track and identify and locate particular people.”
Schwartz added that partnerships between governments and private entities are a “growing menace to privacy in the world.”
“The government has vast surveillance powers, private corporations have vast surveillance powers, and when the two are combined, the whole is greater than the sum of the parts,” he said. “This is an area that all members of the public should be concerned about, and our elected officials, and really need to shut this down.”
Typically, an app will assign a person one AdID. But according to the memo, the data broker “aggregates geolocation data obtained by a wide variety of apps,” meaning ICE and CBP may have multiple data sets about the same person if that person uses more than one app that engages in targeted advertising. But ICE and CBP don’t know which apps the information comes from.
Mizelle said ICE officials could use the data to their benefit in deciding when to conduct immigration enforcement, specifically to “identify hot spots of illicit activity and combine this data with other data (such as weather conditions) to identify trends and make more predictive resources and targeting decisions regarding immigration enforcement.”
Mizelle wrote the memo to “analyze” law enforcement use of geolocation data and detail the potential legal problems that could arise under the Fourth Amendment or the Privacy Act. The tracking data has been profiled in the New York Times, which found dozens of companies that sell the consumer data to advertisers to target advertisements.
In a landmark 2018 Supreme Court opinion, Carpenter v. United States, law enforcement officers were ordered to get criminal warrants to obtain geolocation data in most cases directly from the cellphone carriers.
“As with GPS information, the timestamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations,’” Chief Justice John Roberts said in delivering the majority opinion. “These location records hold for many Americans the ‘privacies of life.’”
Mizelle, however, writes in his memo that this Supreme Court ruling doesn’t apply to ICE and CBP because the agencies purchase data that is commercially available, meaning it technically does not require obtaining a warrant.
The data broker, according to the memo, told DHS that it doesn’t “independently verify” that each piece of AdID data comes from an application with a valid “terms of service agreement.” DHS says that the data broker obtains guarantees that the AdID data was lawfully obtained.
Wessler, from the ACLU, believes this admission is concerning.
“It shows a lack of due diligence by the government to ensure that all that people have actually consented to this collection of sensitive location information and there are plenty of examples of apps secretly collecting location information of people,” he said.
But Mizelle argues in his memo that “under existing precedent, there is no reasonable expectation of privacy in geolocation data from a mobile electronic device associated with AdID data that has been provided to a third party with the user’s consent.”
“As such, the government’s acquisition of that information is not a ‘search’ under the Fourth Amendment,” he added.
Schwartz said that argument falls short because there is no meaningful consent when a person downloads a game to their phone, and this data eventually winds up in the hands of DHS investigators.
“This person who downloaded the video game — did they have any knowledge that any of this was gonna happen?” Schwartz said. “No. They were presented with dense legalese, and they pressed a button. It seems irrational to conclude that the technology user, who did nothing besides download a video game, consented to this kind of surveillance of their movements.”