Homeland Security records show ‘shocking’ use of phone data, says ACLU – POLITICO | Hot Mobile Press

The American Civil Liberties Union obtained the records from DHS through a lawsuit it filed in 2020. It made the documents available to POLITICO and released them separately to the public on Monday.

The documents shed light on talks and contracts between federal agencies and surveillance companies Babel Street and Venntel. Venntel alone boasts that its database contains location information from more than 250 million devices. The documents also show that agency employees are having internal discussions about privacy concerns over the use of phone location data.

In just three days in 2018, the documents show that the CBP collected data from more than 113,000 phone locations across the southwestern United States — equivalent to more than 26 data points per minute — without obtaining a warrant.

The documents highlight the vast amount of location data that government agencies such as CBP and ICE have obtained and how the agencies have attempted to leverage the mobile advertising industry’s wealth of data.

“It was definitely a shocking amount,” said Shreya Tewari, the Brennan Fellow for the ACLU’s Speech, Privacy and Technology Project. “It was a really detailed picture of how they can focus not just on a specific geographic area but also on a time period and how much they’re collecting and how fast.”

DHS did not immediately respond to a request for comment.

The location data industry is an estimated $12 billion market made up of hundreds of apps that collect location data, data brokers that share that information with each other, and buyers that want to use that data for purposes like advertising and law enforcement.

With no state privacy laws in the US to curb the industry, the sale of location data has gone largely unaudited over the past decade, allowing data brokers to sell the whereabouts of millions of people to any buyer.

Location data has been sold in the past to help the US military used to identify Muslim populations and was available to Planned Parenthood visitors. A blog also used location data to out a gay priest in 2021. In 2020, The Wall Street Journal revealed that federal agencies like DHS, ICE, and CBP were using commercial location data for immigration enforcement. The documents released by the ACLU on Monday provide insight into how much location data these agencies obtained and how they used that information.

“Venntel has an intelligent mobile location data platform that leverages the unclassified, commercially available mobile advertising ecosystem,” a CBP official wrote in an email in March 2018.

Tracking on a grand scale

Most of the location data CBP obtained came from its contract with Venntel, a location data broker based in Virginia. Venntel is a subsidiary of Gravy Analytics, an advertising company specializing in location data.

The data, which spanned 2017-2019, included more than 336,000 location data points spanning across North America. But in reality, the agency’s data collection could well exceed what the ACLU obtained through its FOIA requests, considering CBP continued to use Venntel in 2021.

In the records, CBP highlighted that it used the location data for immigration enforcement, human trafficking and drug investigations.

When Venntel first approached federal agencies, it offered marketing collateral highlighting the extent of its data collection capabilities. In a February 2017 email sent to ICE, the data broker boasted that it collected location data from more than 250 million mobile devices and processed more than 15 billion location data points per day.

In another brochure, Venntel revealed that its location data could be used to track devices traveling between Mexico and the United States, and also track a specific vehicle’s route. The brochure site also noted that Venntel’s data was able to identify mobile devices involved in the deadly white supremacist riots in Charlottesville, Virginia, in 2017.

In another marketing brochure, CBP was told that “all users consent to the collection of location data” and that no personally identifiable information was ever collected. However, in another email between Venntel and ICE, the data broker noted that “there are derived means by which identifiers and relevant locations can be assembled,” meaning that this data could easily be linked to identify individuals, although not personal data associated with it.

“The way they use the phrase ‘opt-in’ speaks to the fact that you have to give an app on your phone permission to access location,” said the ACLU’s Tewari, “but it is very clear when people do that, they don’t anticipate that it might create this huge database of their entire location history that’s available to the government at all times.”

contradictions

Records obtained by the ACLU show how these agencies knew that the advertising technology industry’s location data collection was both a boon for surveillance and a privacy concern.

In internal presentation materials, CBP highlighted the potential of adtech data, particularly with advertising IDs associated with each device. The advertising industry relies on these mobile ad IDs to track what people have seen online and learn more about their patterns and behaviors.

“There are over 350 million mobile devices in use in the United States today, and that number is growing exponentially as more people buy mobile devices every day. As such, it is not uncommon to encounter individuals engaged in illegal activities and using mobile technology to further their criminal goals,” according to a contract between CBP and Venntel.

But in the same presentations where CBP highlighted the benefits of using advertising data, the agency also showed its employees how to reset their own advertising IDs on Android and iOS devices.

“These agencies seem fully aware that they are taking advantage of a massive privacy disaster in this country,” said Nathan Freed Wessler, associate director of the ACLU’s Language, Privacy and Technology Project. “These agencies understand that the same data dumps that they can buy access to for whatever they want can also be bought by others to try and attack their agents.”

And in June 2019, DHS’ acting privacy officer directed the agency to “stop all projects involving Venntel data” amid unresolved privacy and legal concerns. Venntel provided a privacy and legal review for DHS in September 2019, but the content has been redacted. In an October 2019 email included with the ACLU’s document release, a DHS employee told Venntel that the agency was still awaiting the General Counsel’s review of the presentation. “DHS privacy and legal offices approved further use of Venntel’s data after this meeting,” Gravy Analytics said in a statement Monday.

Using the commercially available location data helped authorities avoid a warrant to track people because they could simply buy the data instead. But DHS’ privacy commissioner in 2019 knew this was still a potential privacy issue, citing the Supreme Court ruling in Carpenter vs United Statesstating that police need warrants to access the phone’s location data.

The future of location data

Despite privacy concerns raised within the agency, other departments of DHS and law enforcement remain committed to using phone location data.

Records show that the Justice Department also expressed an interest in using Venntel data, as did a police department in Cincinnati, Ohio, which was attempting to use the location data to help manage the opioid crisis.

And the agencies are showing no signs of slowing down their use of location data. ICE signed another deal with Venntel in November, which expires in June 2023.

Wessler asked the Biden administration to release an internal memo that DHS uses to justify the purchase and use of location data. The existence of the memo was first reported by BuzzFeed News.

While proposed privacy laws aim to address the collection of location data, data sales to government agencies have an exemption in the latest draft US privacy law. HR 8152a bill that would make it harder to collect and sell sensitive data, which includes location data.

In April 2021, Sen. Ron Wyden (D-Ore.) introduced the Fourth Amendment is Not For Sale Act, p. 1265aimed at preventing agencies from buying data from data brokers on Americans without a search warrant.

“Despite claims from data brokers, no one who downloads an app believes they are giving permission to waive their 4th Amendment rights and have the government track their every move,” Wyden said in an email. “The DHS Inspector General has notified my office that he has opened an investigation into the department’s purchase of location data, which I will be happy to investigate closely.”

Leave a Comment