A report made public recently by the DHS Inspector General reveals that the Secret Service, Customs and Border Enforcement (CBP) and Immigration and Customs Enforcement (ICE) have illegally used smartphone location data acquired from third-party vendors that collected it through various innocent-looking applications, in many cases without the user’s knowledge or consent.
The oversight body for the Department of Homeland Security (DHS) found that ICE, CBP, and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones. In one instance, a CBP official also inappropriately used the technology to track the location of coworkers with no investigative purpose.
For years U.S. government agencies have been buying access to location data through commercial vendors, a practice which critics say skirts the Fourth Amendment requirement of a warrant. During that time, the agencies have typically refused to publicly explain the legal basis on which they based their purchase and use of the data. Now, the report shows that three of the main customers of commercial location data broke the law while doing so, and didn’t have any supervisory review to ensure proper use of the technology. The report also recommends that ICE stop all use of such data until it obtains the necessary approvals, a request that ICE has refused.
Commercial Telemetry Data, or CTD, is the internal term DHS uses to describe commercially sourced location data. In one section, the report says that a CBP employee used such data to spy on coworkers.
On the broader legal issues, the report says the agencies did not follow the E-Government Act of 2002, which requires that agencies receive an approved Privacy Impact Assessment (PIA) before buying access to tools like this.
“This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance,” the report reads.
Beyond that, the report also says the various parts of DHS did not have sufficient policies and procedures in place to ensure that the location data was used appropriately. CBP’s rules were interim policies and did not have complete versions, according to the report. ICE and the Secret Service meanwhile did not have any policies specifically for the data at all. That, and DHS did not have an overarching policy to govern its various components’ use of location data.
In other words, ICE, CBP, and the Secret Service all purchased access to location data, which is typically siphoned from seemingly innocuous apps on phones, often without the users’ knowledge or informed consent, while not having enough formal guardrails in place that dictated how that data could be used. That, again, does not adhere to the law.
From The Shadows Emerges Knowledge