New records detail DHS purchase and use of vast amounts of cellphone location data

Today the ACLU released thousands of pages of never-before-seen material on how Customs and Border Protection, Immigration and Customs Enforcement and other parts of the Department of Homeland Security are circumventing our Fourth Amendment right against unreasonable government searches and seizures by buying access to, and use of, massive volumes of people’s cell phone location information quietly extracted from smartphone apps.

The records, which the ACLU obtained over the past year in a Freedom of Information Act (FOIA) lawsuit, shed new light on the government’s ability to obtain our most private information by simply opening the federal wallet. These documents are further evidence that Congress needs to pass the Fourth Amendment Act Is Not For Sale, which would end law enforcement’s practice of circumventing the Fourth Amendment warrant requirement.

ICE and CBP’s warrantless purchase of access to people’s sensitive location information was first reported by The Wall Street Journal in early 2020. After the news broke, we submitted a request FOIA to DHS, ICE, and CBP, and we filed a lawsuit to force the agencies to respond to the request in December 2020. While litigation is ongoing, we are now making public the records that CBP, ICE , US Secret Service, US Coast Guard, and several DHS Headquarters offices have provided us to date.

The released records shine a light on the millions of taxpayer dollars DHS used to buy access to cell phone location information aggregated and sold by two shadowy data brokers, Venntel and Babel Street. The documents expose the companies’ – and the government’s – attempts to rationalize this unfettered sale of massive amounts of data in the face of US Supreme Court precedent protecting similar cellphone location data from government access. without warrant.

Four years ago, in Carpenter v. United States, the Supreme Court has ruled that the government needs a warrant to access a person’s cell phone location history from cellular service providers because of the “intimacy of life” such records can reveal. This case was based on a request for information on the historical location of a suspect over a period of several months. In documents we received over the past year, we found marketing materials from Venntel sent to DHS explaining how the company collects over 15 billion location points from over 250 million cell phones. and other mobile devices. all daytime.

With this data, law enforcement can “identify observed devices at places of interest” and “identify regular visitors, frequented locations, identify known associates, and discover lifestyle,” according to a marketing brochure. of Venntel. The documents explain how accurate and illuminating this data is, allowing “analysis of life patterns to identify persons of interest”. By searching this immense wealth of location information at will, government investigators can identify and track specific individuals or everyone in a particular area, learning details of our private activities and associations.

Faced with the obvious privacy implications of warrantless access to this information, these companies and agencies are going to great lengths to streamline their actions. Throughout the docs, cell phone location information is referred to as mere “digital escapes” and containing no “PII” (personally identifiable information) as it is associated with a phone’s digital ID. mobile rather than a name – even if the whole purpose of this data is to be able to identify and follow people. The records also claim that this data is “100% opt-in”, that cellphone users share location information “voluntarily” and is collected with the app user’s consent and “the permission of the individual”. Of course, this consent is a fiction: many cellphone users don’t realize how many apps on their phones collect GPS information, and certainly don’t expect that data to be sold en masse to the government.

In scattered emails, some DHS employees raised concerns, with internal briefing documents even acknowledging that “[l]legal, policy and privacy reviews have not always kept pace with new and evolving technologies. Indeed, in an internal email, a senior privacy compliance manager reported that the DHS Office of Science & Technology appeared to have purchased access from Venntel even though a required privacy threshold assessment had never been approved. Several threads highlight internal confusion within the agency’s privacy office and potential gaps in oversight of the use of this data – as all projects involving Venntel data have been temporarily halted due to unanswered legal and privacy issues.

Nonetheless, DHS continued with these bulk location data purchases. And the volume of sensitive location information obtained by the agency is staggering. Among the records released to us by CBP were seven spreadsheets containing a small subset of the raw location data the agency purchased from Venntel. (Although the location coordinates of each spreadsheet entry are redacted, the date and time of each location point are not.) The 6,168 pages of location records we reviewed contain approximately 336 000 location points obtained from people’s phones. During a three-day period in 2018, the records contain approximately 113,654 location points, or more than 26 location points per minute. And this data appears to come from a single region in the southwestern United States, meaning it’s only a small subset of the total volume of people location information available to the US. ‘agency.

The documents also highlight particular privacy concerns for people living near our country’s borders. A 2018 internal DHS document proposed using location data to identify illegal immigration patterns, threatening to indiscriminately sweep away information about people going about their daily lives in border communities. It is also possible that local law enforcement has access to this large mass of data in ways that they usually could not. This is exemplified by a troubling request made to DHS by a local Cincinnati police department, seeking analysis of location data relating to opioid overdoses in their jurisdiction.

DHS owes us even more documents, but whatever they show, it is already abundantly clear that the law enforcement practice of circumventing fundamental Fourth Amendment protections must end. There is currently bipartisan legislation in Congress that would do just that. The Fourth Amendment is not for sale would require the government to obtain a court order before obtaining Americans’ data, such as location information from our smartphones, from data brokers. The principle here is simple: the government should not be allowed to circumvent fundamental constitutional protections against unreasonable searches of our private information. There is no end to the Fourth Amendment.

Lawmakers must seize the opportunity to put an end to this massive invasion of privacy without delay. Every day without action only allows the secret government treasury of our personal information to grow.