The Department of Homeland Security (DHS) has been buying location data of millions of cellphone users from third party players. According to documents released by the American Civil Liberties Union (ACLU) on July 18, the DHS is buying this data without any warrants to track movements of civilians.
The documents show that this vast amount of location data of people are being purchased by various DHS agencies, including the Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) without any judicial oversight, to track people’s movements and use it for “unreasonable government searches and seizures.”
The ACLU obtained the documents over the course of the last year through a Freedom of Information Act (FOIA) lawsuit. It had first submitted a FOIA request to DHS, ICE, and CBP back in 2020 following a report by The Wall Street Journal that CBP and ICE were purchasing people’s sensitive location information without warrants. In December 2020, ACLU took the agencies to court for getting a response. Even as the litigation process is still ongoing, ACLU chose to make public the records that the DHS agencies — CBP, ICE, the U.S. Secret Service, the U.S. Coast Guard, and others — have provided it to date.
The records, running into thousands of pages – 6,168 to be precise — contain more than 336,000 location points across North America that had been obtained from people’s smartphones.
If that wasn’t shocking, consider this: ACLU found that in just three days in 2018, CBP obtained records containing around 113,654 location points in the southwestern United States. This was more than 26 location points per minute!
And that data appears to come from just one area in the Southwestern United States, meaning it is just a small subset of the total volume of people’s location information available to the agency, ACLU states.
ALSO READ: Location Data Protection – A Tale of Two Countries
The Fourth Amendment is not for sale
“These documents are further proof that Congress needs to pass the Fourth Amendment Is Not For Sale Act, which would end law enforcement agencies’ practice of buying their way around the Fourth Amendment’s warrant requirement,” Shreya Tewari, the Brennan Fellow for ACLU’s Speech, Privacy, and Technology Project, wrote in a blog post.
“The released records shine a light on the millions of taxpayer dollars DHS used to buy access to cell phone location information being aggregated and sold by two shadowy data brokers, Venntel and Babel Street,” she added. “The documents expose those companies’ — and the government’s — attempts to rationalize this unfettered sale of massive quantities of data in the face of US Supreme Court precedent protecting similar cell phone location data against warrantless government access.”
The Supreme Court precedent
In June 2018,the US Supreme Court had ruled that the authority’s needed a warrant to access the location history of a user from cellular service providers. The case, known as Carpenter v. United States, involved the local police tracking a robbery suspect by obtaining detailed location data from his cellphone company without a warrant. That data exposed Carpenter’s daily routines.
The SC ruled that government access to such detailed location data provides a method of “near-perfect surveillance,” while upheld the Fourth Amendment to protect such “sensitive information”.
What the current documents reveal
The documents obtained by ACLU over the past year reveals that the bulk of the data came from two companies – Venntel, a location intelligence company headquartered in Washington, DC, and Babel Street, a Virgina-based AI company.
What is more shocking is that the documents also reveal in detail that not only were the federal agencies aware of what they were doing but also made efforts to rationalize those actions, or even hide them. For instance, the records claimed that the data was “opt-in” and “voluntarily” shared by users, and that it is collected with consent of the app user and “permission of the individual.”
“Of course, that consent is a fiction: Many cell phone users don’t realize how many apps on their phones are collecting GPS information, and certainly don’t expect that data to be sold to the government in bulk,” ACLU hammers in.
Similarly, ACLU found that the records officially characterized cellphone location data as containing no personally identifying information, despite the fact that officials were actually tracking individuals in a given area.
The documents also reveal that the companies actually made great marketing efforts to sell the benefits of all this data. Venntel marketing materials sent to DHS explains how the “company collects more than 15 billion location points from over 250 million cell phones and other mobile devices every day”.
Another marketing brochure explains that with this data, law enforcement can “identify devices observed at places of interest,” and “identify repeat visitors, frequented locations, pinpoint”, while yet another details how precise and illuminating this data is, allowing “pattern of life analysis to identify persons of interest.”
“By searching through this massive trove of location information at their whim, government investigators can identify and track specific individuals or everyone in a particular area, learning details of our private activities and associations,” says ACLU.
The documents flag privacy concerns for people living near the border areas in particular. For instance, a 2018 DHS internal document was found to have proposed that the CBP should use location data to identify patterns of illegal immigration, which could translate to them indiscriminately snooping on people living in the border areas.
What makes it further worrisome is the potential for local law enforcement entities to gain access to this huge data pool. For instance, a local police department in Cincinnati sent a request to DHS seeking location data analytics pertaining to opioid overdoses in their jurisdiction.
Acts to protect data privacy
According to ACLU, DHS still owes it more documents. There is a bipartisan legislation in Congress currently that seeks to curtail this overwhelming power of the enforcement that violate people’s privacy. The Fourth Amendment Is Not For Sale Act require the government to secure a court order before obtaining Americans’ data, such as location information from smartphones or from data brokers.
There is another bill similar in nature that seeks to protect the privacy of data. Introduced by Sen. Elizabeth Warren and a group of other Democratic lawmakers in early June, the Health and Location Data Protection Act (HLDPA) seeks to make it “unlawful for data brokers to sell, resell, license, trade, transfer, share, or otherwise provide or make available any of the following forms of data, whether declared or inferred, of an individual”.
However, as we noted earlier, what’s extremely worrisome is that the Act defines “data broker” as “a person that collects, buys, licenses, or infers data about individuals and then sells, licenses, or trades that data”. This brings almost the entire geospatial and location industry under its ambit.
HLDPA was introduced and has gathered steam following recent media reports that “data brokers” were selling location data on people visiting abortion clinics in states where abortion is banned. Following the US Supreme Court’s Roe v Wade ruling, there are also widespread concerns, and justifiably so, that harvesting health and location data could be used for profiling and exploiting, and even spying and stalking of people.
At that time, a few location intelligence players were found selling location data of users to authorities. Last week, Sen. Warren, announced data brokers SafeGraph and Placer.ai made a permanent commitment to not sell location data of individuals visiting abortion clinics.
The need for comprehensive policy
Nathan Freed Wessler, Deputy Director of ACLU’s Speech, Privacy, and Technology Project, said in a statement that data brokers brought a new threat to privacy and, as such, should be regulated by the government.
The location industry in the United States is largely unregulated by federal law, and in the absence of a comprehensive data privacy legislation on the lines of GDPR, there are increasingly instances of “unethical” business practices, and the biggest of the tech companies, including Google and Facebook have been hauled up by the courts for blatantly profiting selling sensitive information of people.
“The Supreme Court has made clear that because our cell phone location history reveals so many ‘privacies of life,’ it is deserving of full Fourth Amendment protection,” Wessler said. “Yet, here we see data brokers and government agencies tying themselves in knots trying to explain how people can lack an expectation of privacy in such obviously personal and sensitive location information. With the potential for abuse so high, Congress must step in to definitively end this practice.”
