The American Civil Liberties Union obtained the records from DHS in a lawsuit it filed in 2020. It provided the documents to POLITICO and released them separately on Monday.
The documents highlight conversations and contracts between federal agencies and surveillance firms Babel Street and Venntel. Only Venntel boasts that its database includes location information from over 250 million devices. The documents also show that agency staff are having internal conversations about privacy concerns over the use of phone location data.
In just three days in 2018, the documents show that CBP collected data from more than 113,000 locations from phones in the southwestern United States, which equates to more than 26 data points per minute, without getting a warrant.
The documents highlight the massive scale of location data that government agencies, including CBP and ICE, have received, and how the agencies have sought to leverage the ad industry’s trove of data. mobile.
“It was truly a shocking amount,” said Shreya Tewari, the Brennan Fellow of the ACLU’s Speech, Privacy and Technology Project. “It was a very detailed picture of how they can focus not only on a specific geographic area, but also on a time period, and how much they collect and how quickly.”
DHS did not immediately respond to a request for comment.
The location data industry represents an estimated $12 billion market, made up of hundreds of apps that collect location data, data brokers that exchange that information with each other, and buyers that seek to use that data. for purposes such as advertising and law enforcement.
Because the United States has no federal privacy laws to curb the industry, sales of location data have gone largely unchecked over the past decade and allowed data brokers to sell the location of million people to anyone who buys.
Location data has been sold in the past to help the US military identifying Muslim populations and was available on Planned Parenthood visitors. A blog also used location data to release a gay priest in 2021. In 2020, the Wall Street Journal revealed that federal agencies such as DHS, ICE, and CBP were using commercial location data for the enforcement of immigration laws. Documents released by the ACLU on Monday provide insight into the amount of location data obtained by these agencies and how they used that information.
“Venntel has a mobile location data intelligence platform that leverages the unclassified, commercially available mobile advertising ecosystem,” a CBP official wrote in an email in March 2018.
Most of the location data obtained by CBP came from its contract with Venntel, a Virginia-based location data broker. Venntel is a subsidiary of Gravy Analytics, an advertising company specializing in location data.
The data, which spans from 2017 to 2019, contained more than 336,000 location data points that reached across North America. But in reality, the agency’s data collection may go well beyond what the ACLU obtained through its FOIA requests, given that CBP continued to use Venntel in 2021.
In the filings, CBP emphasized that it uses location data for immigration enforcement, as well as human trafficking and narcotics investigations.
When Venntel first contacted federal agencies, it offered marketing materials highlighting the extent of its data collection capabilities. In a February 2017 email sent to ICE, the data broker boasted that it had collected location data from more than 250 million mobile devices and processed more than 15 billion data points from location per day.
In another brochure, Venntel showed that its location data could be used to track devices traveling between Mexico and the United States, and also plot the route of a specific vehicle. The brochure page also said Venntel data was able to identify mobile devices that were during the deadly 2017 white supremacist riot in Charlottesville, Virginia.
Another marketing brochure told CBP that “all users consent to the collection of location data” and that no personal data was ever collected. But in another email between Venntel and ICE, the data broker noted that “there are derivative means by which the identifiers and the relevant location can be put together”, meaning that this data could easily be linked. to identify individuals even if no personal data is linked to them. .
“The way they use the phrase ‘opt-in,’ they’re talking about the fact that you have to give permission on your phone for an app to access location,” said the ACLU’s Tewari, “but it’s very clear that when people do this they don’t expect it to potentially create this huge database of their full location history that is available to the government at all times.
The records obtained by the ACLU highlight how these agencies knew that the ad-tech industry’s collection of location data was both a boon to surveillance and a privacy concern.
In internal presentation documents, CBP has highlighted the potential of adtech data, particularly with advertising IDs assigned to each device. The advertising industry relies on these mobile advertising IDs to track what people have seen online and learn about their habits and behaviors.
“Over 350 million mobile devices are in use in the United States today, and that number is growing exponentially as more people buy mobile devices every day. Therefore, it is not uncommon to encounter individuals involved in illicit activities taking advantage of mobile technology to further their criminal objectives,” a contract between CBP and Venntel stated.
But in the same presentations where CBP highlighted the benefits of using advertising data, the agency also showed its staff how to reset their own advertising IDs on Android and iOS devices.
“These agencies seem fully aware that they are exploiting a huge privacy disaster in this country,” said Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy and Technology Project. “These agencies understand that the same data dumps they can buy access to for whatever they want can also be bought by anyone else to try and target their agents.”
And in June 2019, DHS’s acting privacy officer ordered the agency “to halt all projects involving Venntel data” due to unaddressed legal and privacy concerns. It is unclear why CBP and ICE continued to use Venntel location data after this directive.
Using commercially available location data helped agencies avoid asking for a warrant to track people, because they could just buy the data instead. But the 2019 DHS privacy officer knew it was still a potential privacy issue, citing the Supreme Court’s decision in Carpenter v. United Stateswho said police needed warrants to access phone location data.
The future of location data
Despite privacy concerns raised within the agency, other branches of DHS and law enforcement remain keen to use phone location data.
Records show the Justice Department has also expressed interest in using Venntel data, as has a police department in Cincinnati, Ohio, which has sought to use location data to address the opioid crisis.
And agencies show no signs of slowing down in their use of location data. ICE signed another contract with Venntel in November, which is due to expire in June 2023.
Wessler called on the Biden administration to release an internal memo that DHS uses to justify the purchase and use of location data. The existence of the memo was first reported by BuzzFeed News.
While the proposed privacy laws aim to combat the collection of location data, sales of data to government agencies are excluded from the latest version of US privacy and data protection law, HR 8152a bill that would make it more difficult to collect and sell sensitive data, including location data.
In April 2021, Sen. Ron Wyden (D-Ore.) introduced the Fourth Amendment is not for sale, S.1265which seeks to prevent agencies from buying Americans’ data from data brokers without a warrant.
“Despite claims by data brokers, no one who downloads an app thinks they are giving permission to waive their 4th Amendment rights and let the government track their every move,” Wyden said in an email. . “The DHS Inspector General has notified my office that he has opened an investigation into the department’s purchase of location data, which I look forward to examining closely.”