ICE says it’s stopped using commercial telemetry data
Immigration and Customs Enforcement has stopped using commercial telemetry data, which can include phone data that reveals a person’s location, an agency spokesperson confirmed to FedScoop.
“Like other law enforcement agencies, Homeland Security Investigations (HSI) employs various forms of technology to investigate violations of the law, while appropriately respecting civil liberties and privacy interests,” the spokesperson said.
The move comes amid ongoing bipartisan concern about law enforcement agency purchases of peoples’ location data without obtaining a warrant. Sens. Rand Paul, R-Ky., and Ron Wyden, D-Ore., have proposed the Fourth Amendment is Not for Sale Act, which would require law enforcement agencies to seek the permission of a court before paying for location data. The Federal Trade Commission also recently took action against the selling of location data by data brokers. Civil liberties experts continue to raise alarms about the practice, too.
Adam Schwartz, the privacy litigation director at the Electronic Frontier Foundation, said the digital rights nonprofit’s “view is that the Fourth Amendment to our Constitution ought to be interpreted by courts to bar the government from purchasing this kind of data given that — in order to acquire this data directly from a person or from their service provider — they would have to get a warrant.”
“This is sort of the government credit card exception from the warrant requirement,” he added. “This is a question that the courts have not reached yet, in part because the government is secretive about what they are doing.”
ICE’s decision to stop buying this data is a marked change from late September, when the inspector general of the Department of Homeland Security released a partially redacted report noting that three components of the agency — ICE, Customs and Border Protection, and the U.S. Secret Service — had not complied with the department’s privacy policies in regard to commercial telemetry data (CTD). ICE specifically did not have an approved CTD privacy impact assessment, a type of disclosure meant to provide an overview into how personal information could be used by a digital technology deployed by the government, violating internal DHS privacy policies and the E-Government Act.
(The OIG report also highlighted employee misuse or irresponsible use of CTD as a risk. For instance, one CBP employee used CTD to track their coworkers for no investigative purpose, the report states).
At the time, ICE had said it would continue to use CTD, that it was working to finalize a geolocation services PIA in the first quarter of this year, and that it was implementing privacy risk mitigation strategies, among other efforts. That response did not satisfy DHS, which noted that its recommendation would be “open and unresolved until ICE completes PIA requirements or discontinues its non-compliant use of CTD.” Notably, DHS OIG’s office found that ICE had nine contracts and access to two CTD databases during fiscal years 2019 and 2020, which they used to conduct more than 16,000 searches.
The two other DHS components mentioned in the report also provided comments to FedScoop. CBP “discontinued its contract utilizing CTD technology” after the end of fiscal year 2023, according to a spokesperson.
“DHS, including CBP, uses various forms of technology in furtherance of its mission, including tools to support investigations related to, among other things, illegal trafficking on the dark web, cross-border transnational crime, and terrorism,” the spokesperson added. “DHS leverages this technology in ways that are consistent with its authorities and the law.”
Alexandria Worley, a spokesperson for the U.S. Secret Service, said in an email that “as a matter of operational security, the Secret Service does not comment on our protective means and methods,” though she referenced internal privacy compliance policy on discussing PIA requirements.
“As part of this policy, the Secret Service also works hand-in-hand with the DHS Privacy Office to determine if/when additional privacy compliance documentation is required. OIG determined that these corrective actions met the intent of their recommendation and considers the issue resolved.”
An Oversight.gov posting notes that eight of the recommendations from that OIG report remain open, including a plan for the chief information officer of DHS to create a formal department-wide policy for CTD. The department’s original response estimated that it would complete the recommendation to create a policy by June 2024.
DHS CIO Eric Hysen did not respond to a request for comment about this policy. The department’s inspector general office said that DHS had still not provided an update on its progress on the recommendations — past the typical 90-day response time.
“Typically, following issuance of our reports, within 90 days, the Department submits to DHS OIG a recommendation update letter,” said a spokesperson for the OIG. “We look forward to receiving the Department’s 90-day update letter for OIG-23-16.”
