ICE pursuing privacy approvals related to controversial phone location data
Back in January, Immigration and Customs Enforcement said it had stopped using commercial telemetry data that government agencies buy from private companies. That practice has been frequently criticized by civil rights groups that argue that by purchasing the phone location data from third parties, the government is essentially side-stepping the Fourth Amendment and violating people’s privacy.
But, even though ICE says it has received no new requests for the use of commercial telemetry services since December 2022, the agency has filed a privacy impact assessment with the Department of Homeland Security’s privacy office for review. This kind of documentation is supposed to be released when agencies deploy a technology that could involve someone’s personal information. If and when that assessment is finalized, ICE plans to develop procedures focused on guiding the use of commercial telemetry services.
ICE did not address a series of questions posed by FedScoop regarding the draft privacy impact assessment (PIA) and commercial telemetry data (CTD) at the subcomponent.
The move comes as civil rights advocates have raised repeated concerns about the use of commercial telemetry data. Relatedly, Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., have introduced the Fourth Amendment is Not for Sale Act, which seeks to rein in the government’s use of this information, among other measures.
Adam Schwartz, the privacy litigation director at the Electronic Frontier Foundation, previously told FedScoop that the digital rights nonprofit’s “view is that the Fourth Amendment to our Constitution ought to be interpreted by courts to bar the government from purchasing this kind of data given that — in order to acquire this data directly from a person or from their service provider — they would have to get a warrant.”
Within DHS, the use of this data has raised alarm bells. Last September, the department’s office of inspector general released a redacted report highlighting that agency subcomponents had neither followed the law nor complied with policies surrounding privacy. ICE, in particular, was flagged for using this data without an approved privacy impact assessment. The OIG identified nine contracts covering access to two different databases for this data between fiscal years 2019 and 2020.
ICE appears to have sent mixed messages on its approach to telemetry data. The subcomponent originally rebuffed a recommendation by the OIG to stop using this data until it obtained an approved PIA. At that time, DHS argued that telemetry data was “an important mission contributor to the ICE investigative process” and “can fill knowledge gaps and produce investigative leads.” In response to the OIG report, the agency said ICE was working to finalize a draft geolocation services PIA and taking steps to mitigate privacy risk concerns.
Then, in January, ICE told FedScoop it was in compliance with the OIG recommendation and that it had stopped using telemetry data, but the agency did not provide an update on whether any related PIAs surrounding the technology had been approved. In March, the nonprofit journalism outlet NOTUS reported that DHS expected to stop buying access to this data, citing three people familiar with the matter.
The fact that ICE says it has a PIA under review at the department’s privacy office with procedures focused on the use of this data pending finalization, while at the same time noting that it hasn’t received any new telemetry data requests since December 2022 and that no operational units had received approval for buying the data since 2021, has raised questions among civil rights groups.
“We’re very concerned about, again, to what extent DHS is really able to provide accountability and oversight over ICE and whether ICE’s words or actions can be trusted,” said Julie Mao, co-founder and deputy director of Just Futures Law, a legal organization that focuses on immigrant rights. “Because they’re saying one thing about not wanting to use CTD — but then also clearly confirming that they’re moving forward with trying to use the same data.”
The status of other recommendations made in the OIG report also remains unclear. Customs and Border Protection, for instance, was also instructed to discontinue use of phone location data until it obtained a privacy impact assessment. CBP told FedScoop that it didn’t have a need for telemetry data after the expiration of its contracts in fiscal year 2023, following an evaluation of the technology that began with a small group of staff in 2018 overseen by the CBP Privacy and Diversity Office and the CBP Office of Chief Counsel.
The agency also said it discontinued a contract for the technology following FY2023. Contracts with its Field Operations’ National Targeting Center expired in September, and if the agency wants to use the data again, CBP said it will incorporate the OIG’s recommendations.
But CBP did not respond to a question about the status of a privacy impact assessment for its past use of commercial telemetry data, which the DHS subcomponent originally said it expected to complete at the end of March. There doesn’t appear to be a PIA listed on the DHS website for this data.
DHS headquarters did not answer FedScoop’s question about the status of a department-wide commercial telemetry data policy, which the agency previously said it expected to complete at the end of June. The agency told FedScoop that its privacy policy and compliance instructions apply to personal information and that it has taken steps to implement recommendations from the OIG while continuing to address recommendations related to this data.
“The Department of Homeland Security (DHS) is committed to protecting individuals’ privacy, civil rights, and civil liberties,” an agency spokesperson told FedScoop. “The DHS Privacy Office coordinates with Components to embed and enforce privacy safeguards in DHS systems, technology, forms, and programs that collect personally identifiable information or have a privacy impact.”