The Department of Homeland Security (DHS) will investigate its own use of location data after it was revealed that Customs and Border Protection (CBP) was purchasing cellphone location data from commercial vendors for use in its work.
The DHS’s Office of the Inspector General recently informed Sens. Sherrod Brown, Ed Markey, Brian Schatz, Elizabeth Warren, and Ron Wyden — all Democrats — that it would audit the agency’s policies regarding cellphone surveillance. The OIG’s letter comes in response to those senators’ request for an investigation last October. CBP has refused to reveal much about how it uses the data purchased from commercial vendors other than confirming publicly available information that such contracts with those vendors exist.
The type of location data in question is collected from millions of phones, with most people unaware that their movements are being tracked this way and unable to find out who has access to that information. There are few laws regulating location data companies, and government agencies have used this to their advantage, spending millions to gain access to this information. Privacy advocates have long decried this practice, and privacy-minded lawmakers have pushed for investigations and laws to regulate it.
Location data purchased from private companies gives government agencies access to potentially enormous amounts of personal data from millions of people who aren’t suspected of or involved in any crimes. While there are few laws regarding private companies’ collection and use of this data, law enforcement typically has to have a warrant and show cause to get this information on its own. Obtaining it through a private vendor with no such restrictions is a way to get around those constraints, and currently a legal gray area.
“If federal agencies are tracking American citizens without warrants, the public deserves answers and accountability,” Wyden said in a statement sent to Recode. “I won’t accept anything less than a thorough and swift inspector general investigation that sheds light on CBP’s phone location data surveillance program.”
CBP is one of several law enforcement and government agencies that purchase location data from private companies — data they otherwise would not have such easy access to and which their own rules may forbid them from obtaining. The Wall Street Journal reported in February that the DHS’s CBP and Immigrations and Customs Enforcement (ICE) arms used location data from a company called Venntel to locate undocumented immigrants and routes they used to cross the border. Records show that CBP has given Venntel hundreds of thousands of dollars to access its location database.
“CBP is not above the law and refused to answer questions about purchasing people’s mobile location history without a warrant — including from shady data brokers like Venntel,” Warren added. “I’m glad that the Inspector General agreed to our request to investigate this potentially unconstitutional abuse of power by the CBP because we must protect the public’s Fourth Amendment rights to be free from warrantless searches.”
The agency has maintained that it only uses a limited amount of anonymized data in accordance with its policies, but experts say it’s not difficult to identify a device’s owner given enough information about where that device has been and when. And there’s so little transparency in how this data is collected that it’s doubtful anyone knows for sure if it even follows whatever policies agencies have in place.
Not to be outdone, the American Civil Liberties Union (ACLU) announced on Wednesday that it is suing the DHS to force the agency to make its records over phone location data purchases public after the agency ducked its Freedom of Information Act requests.
“It’s critical we uncover how federal agencies are accessing bulk databases of Americans’ location data and why,” Nathan Freed Wessler, senior staff attorney with the ACLU’s Speech, Technology, and Privacy Project, said in a statement sent to Recode. “There can be no accountability without transparency.”
The DHS is not the only government agency to purchase and use Venntel’s services. Venntel also has contracts with the FBI and the DEA. The Internal Revenue Service also tried Venntel in 2017 and 2018 but apparently didn’t find the data useful in its work, the Wall Street Journal reported. And Venntel is not the only location data company that works with the government in this way: X-Mode and Babel Street also have deals with government agencies and their contractors.
Other parts of the government are fighting back. In June, the House of Representatives Committee on Oversight and Reform began investigating “the collection and sale of sensitive mobile phone location data” to federal agencies for law enforcement purposes. The IRS is also in the middle of an audit of its use of Venntel, prompted by another request from Wyden and Warren.
In 2018, the Supreme Court ruled in Carpenter v. United States that law enforcement couldn’t buy cellphone tower data without a warrant, and the FCC recently issued hundreds of millions of dollars in fines to Verizon, AT&T, and Sprint/T-Mobile for selling tower data to private companies without customer knowledge or consent.
The kind of data Venntel sells, the company says, comes from other means: typically, trackers placed in mobile apps. But there are other sources as well. Location data companies also work with other companies that supply this data or purchase it directly from the app developers, making it hard for anyone — including their own customers — to know exactly what they have and where they got it. Venntel, for example, is a subsidiary of Gravy Analytics, which says it has data location information from “tens of thousands of apps” acquired through “many different data partners,” giving it access to “billions of daily location signals.”
Venntel does provide device owners with a way to “opt-out” of having their location data collected by the company, but it requires users to know their device’s mobile identifier (Venntel suggests downloading an app to find out) and then making the opt-out request every time that identifier is reset — which Apple and Android devices now allow customers to do as a privacy-preserving measure. Users must also have cookies enabled on their browser when submitting the request.
It remains to be seen what, if anything, the DHS’s investigation of itself will reveal or do, or if the ACLU’s lawsuit will be successful. Either way, unregulated and persistent collection and sale of our location data gives data brokers a tremendous amount of information about us, which, in turn, can be used in all kinds of ways by all kinds of purchasers — including the government. Your privacy options, by contrast, are limited.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.