A previously secret watchdog report reveals that multiple federal agencies obtained and used Americans’ smartphone location data illegally and with insufficient guardrails in place to protect privacy.
Specifically, the watchdog found that Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all failed to adhere to privacy policies or did not develop sufficient policies before procuring and using commercially available data on Americans, which often collected without their knowledge.
Privacy and Safety Risks
Recent reporting from The Epoch Times shows that U.S. intelligence and spy agencies have bought and stored massive amounts of such data on Americans, including location, smartphone, and web browsing data, with a risk to their privacy—and even safety.While CTD may be anonymous, it’s often possible to deanonymize it and identify the individuals it pertains to, including persons in the United States.
According to a separate report about the use of CTD by intelligence agencies, after the data is subjected to various types of “deanonymization” or “reidentification” treatments, this information could then be used to “cause harm to an individual’s reputation, emotional well-being, or physical safety.”
CBP, ICE, and Secret Service have cited various uses of CTD for law enforcement intelligence purposes, such as historical mobile device locations related to criminal activity.
But, the watchdog report says that the three DHS components all failed to comply with a law meant to protect users’ privacy when they procured and used their location data, which poses various risks.
A spokesperson for activist organization the Electronic Frontier Foundation (EFF), told The Epoch Times in an emailed statement that the OIG report shows that DHS agencies have been “playing it fast and loose with the acquisition of Americans’ location data” and that Congress should prohibit warrantless obtaining of CTD.
DHS has responded to the findings of the watchdog in a series of statements included in the report—and has pledged to shape up.
Litany of Failures
The watchdog found that the three DHS agencies failed to adhere to the E-Government Act of 2002, which requires that privacy-sensitive technology—or data obtained from it, such as CTD—may only be procured or used after agencies first get an approved Privacy Impact Assessment (PIA).The watchdog said the agencies procured or used CTD without approved PIAs.
“Without a PIA, CBP, ICE, and Secret Service may not have identified and mitigated the privacy risks associated with CTD use,” the report reads, noting also that one of the risks is that using the data could expose sensitive personally identifiable information.
The agencies failed to follow the law and obtain PIAs in part because they lacked sufficient internal controls to comply with DHS privacy policies, and because the DHS Privacy Office failed to adhere to or enforce its own privacy policies and guidance.
Also, the agencies lacked policies and procedures to ensure that they used CTD appropriately.
“ICE and Secret Service did not develop CTD-specific policies and procedures,” the watchdog report states, while noting that CBP’s rules of behavior regarding CTD were interim until something permanent was to be developed at a later time.
Also, in one case cited in the report, a CBP employee used CTD “inappropriately to track coworkers,” leading to a complaint lodged by an ICE employee on Aug. 20, 2020. The matter was “resolved administratively,” per the report.
The Fix
A key recommendation was for CBP to discontinue the use of CTD until PIAs are completed and approved, with DHS concurring.“CBP’s Office of Field Operations National Targeting Center does not intend to renew existing contracts for the use of CTD, which are set to expire September 21, 2023, but will use existing CTD until such contracts lapse,” the agency said in a written response.
However, DHS did not agree with the watchdog’s recommendation to discontinue use of CTD by ICE, saying that it’s working to finalize its Geolocation Services PIA that will address some gaps and that its use of CTD technologies does not directly correlate an individual to a device.
“Non-concur,” the agency said. “CTD is an important mission contributor to the ICE investigative process as, in combination with other information and investigative methods, it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden.”
“Accordingly, continued use of CTD enables ICE HSI to successfully accomplish its law enforcement mission,” it added.
The other recommendations were mostly about developing procedures that would mitigate some of the risks associated with CTD use.
EFF Media Relations Director Josh Richman told The Epoch Times in an emailed statement that more needs to be done to protect Americans’ safety and privacy.
“Congress needs to explicitly bar law enforcement and intelligence agencies from purchasing data from private companies that they would have otherwise needed a warrant to acquire,” he said.
The Fourth Amendment is Not For Sale Act, which passed the House Judiciary Committee in July, would address this issue.
