For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a “glimpse” of how DHS agencies came to leverage “a shocking amount” of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.
Documents were shared with the ACLU “over the course of the last year through a Freedom of Information Act (FOIA) lawsuit.” Then Politico got access and released a report confirming that DHS contracted with two surveillance companies, Babel Street and Venntel, to scour hundreds of millions of cell phones from 2017 to 2019 and access “more than 336,000 location data points across North America.” The collection of emails, contracts, spreadsheets, and presentation slides provide evidence that “the Trump administration’s immigration enforcers used mobile location data to track people’s movements on a larger scale than previously known,” and the practice has continued under Biden due to a contract that didn’t expire until 2021.
The majority of the new information details an extensive contract DHS made with Venntel, a data broker that says it sells mobile location data to solve “the world’s most challenging problems.” In documents, US Customs and Border Patrol said Venntel’s location data helped them improve immigration enforcement and investigations into human trafficking and narcotics.
It’s still unclear whether the practice was legal, but a DHS privacy officer was worried enough about privacy and legal concerns that DHS was ordered to “stop all projects involving Venntel data” in June 2019. It seems that the privacy and legal teams, however, came to an agreement on use terms, because the location data-buying practice has since resumed, with Immigration and Customs Enforcement signing a new Venntel contract last winter that goes through June 2023.
The ACLU still describes the practice as “shadowy,” saying that DHS agencies still owed them more documents that would further show how they are “sidestepping” the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people’s cell phone location information quietly extracted from smartphone apps.” Of particular concern, the ACLU also noted that an email from DHS’ senior director of privacy compliance confirmed that DHS “appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved.”
DHS did not comment on the Politico story, and neither DHS agencies mentioned nor did the ACLU immediately respond to Ars’ request for comment.
The ACLU says that no laws currently prevent data sales to the government, but that could change soon. The ACLU endorses a bill called the Fourth Amendment Is Not for Sale Act, which is designed to do just that. Even if that bill is passed, though, the new law would still provide some exceptions that would allow government agencies to continue tracking mobile location data. The ACLU did not immediately respond to comment on any concerns about those exceptions.
How to Stop Location Data Tracking
The main question being debated is whether a Supreme Court decision in 2017 that said police must have a warrant to search cell phone data applies to government agencies like DHS. It’s a gray area because, the Congressional Research Service says, “the Supreme Court has long recognized that the government may conduct routine inspections and searches of individuals entering at the US border without a warrant” and that “some federal courts have applied the ‘border search exception’ to allow relatively limited, manual searches at the border of electronic devices such as computers and cell phones.”
DHS isn’t the only government agency that considers itself an exception, though. In 2021, the Defense Intelligence Agency also purchased location data without a warrant, bypassing the 2017 Supreme Court decision because the Department of Defense has its own “Attorney General-approved data handling requirements.”