DHS Releases Previously-Withheld Report Detailing Agencies’ Abuse Of Location Data Purchased From Data Brokers
from the now-that-everyone-knows,-I-guess-we'll-share dept
The reliance on data brokers for cell location data very likely predates the Supreme Court’s 2018 Carpenter decision. But it’s safe to assume this market really took off following that decision. Prior to that, law enforcement needed, at best, a subpoena, to obtain a wealth of historical cell location data.
That decision erected some privacy protections for cell site location info. But the finding was limited to large quantities of historical data. And it had nothing to say at all about obtaining this information from third-parties-once-removed: i.e., data brokers collecting location data from apps and selling access to this data to government agencies.
The Carpenter decision dealt explicitly with location data gathered by cell service providers — the sort of data capable of creating a detailed history of a person’s movements. That appears to be the main contributing factor to the increased reliance on data brokers. Unlike service providers, which require cell phone owners to connect with towers for service, location data gathered by apps is not always a requirement to use the app. And denying access to location data gathering may prevent cell phone owners from using certain apps, but it won’t prevent them from using their phones as, well, phones.
For the past few years, report after report has surfaced detailing the federal government’s reliance on data brokers to obtain data that would otherwise require a warrant. DHS component agencies have figured heavily into these reports. The CBP, for example, not only spent hundreds of thousands on data broker access but continued to buy from one data broker even while it was under congressional investigation. ICE also makes use of this data, as does the Secret Service, which is somehow a DHS agency despite it being almost solely focused on protecting key White House residents.
The CBP, for its part, has recently sworn off data broker purchases, at least according to what it has told Senator Ron Wyden. Presumably, this concession was made in hopes that Wyden will drop his legislation that would codify a warrant requirement for obtaining location data from third parties — something that would extend Carpenter’s protections to all location data generated by cell phone users.
This report makes the case the DHS and its agencies can’t be trusted. The Inspector General’s report — originally designated “law enforcement sensitive” and hidden from the general public — shows DHS components helping themselves to location data while violating laws, internal policies, and refusing to engage in even minimal oversight. From the opening of the report:
U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy-sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured. This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance…
Additionally, the components did not have sufficient policies and procedures to ensure appropriate use of CTD. According to CBP, its CTD rules of behavior were interim policies and procedures until complete policies and procedures were developed. ICE and Secret Service did not develop CTD-specific policies and procedures…
We also noted that the Department does not have a DHS-wide policy governing component use of CTD. Given the number of components using CTD and the significant congressional and public interest in the potential privacy implications with law enforcement use of CTD for investigative purposes, the Department should take a proactive approach to providing DHS-wide guidance.
Deploying before mandated PIAs is just normal day-to-day government business. Why slow the roll towards more surveillance when you can act first and hand in the homework months or years after the fact?
That the use of CTD violated federal law is a bit more concerning, but it will be an unseasonably cold day on the Potomac before any administration actually holds a federal agency involved in national security accountable for violating laws.
While the opening notes what went wrong and hints towards what should be done, nothing else in the report suggests that a few years from now we’ll have anything more than periodic reviews of repeatedly “failures” to implement changes to restore our trust in the DHS and its component agencies.
It sucks but it’s what we’re used to. And DHS may have finally allowed this report to be released, but it also made sure to redact anything it thought might be too “sensitive” to be shared with the general public. There are several paragraphs completely redacted and it’s up to each reader to make a judgment call on what lies behind the black bars. Some of it may be nothing more than boilerplate about “law enforcement means and methods.” But some of it may hide some of the more egregious misuses of this data — data obtained via this process because the thing law enforcement agencies like least is getting a warrant.
Both CBP and ICE told the Inspector General they believed they had up to a year to access CTD without a Privacy Impact Assessment in place. Both agencies believed temporary assessment agreements during trial phases of location data collection nullified this requirement. The IG pointed out both assumptions were wrong. It also noted that thousands of searches (16,000 of them by ICE) were performed without required PIAs in place and without anything approaching actual oversight.
The Secret Service made the same convenient assumption, acquiring 25 licenses to access location data with the mandated privacy assessments in place. When asked about the missing documentation, Secret Service officials blamed it on employee turnover, saying those “responsible” for creating and submitting the required PIAs were “no longer with the component.” That’s like telling OSHA your business didn’t comply with federal safety requirements because your safety team lead quit. That bullshit doesn’t fly in the private sector. And it certainly shouldn’t be humored here, where its millions of Americans at the mercy of agencies that feel they don’t need to have a succession plan in place.
And the DHS can’t blame its component agencies for dropping the paperwork ball. The buck has to stop somewhere, and the DHS is the final backstop.
Based on CBP’s and ICE’s own language, DHS Privacy was aware when it approved the CBP and ICE PTAs that the components had already procured access to CTD without approved PIAs and that they intended to use it operationally.
So, it wasn’t just tacit or implicit approval of privacy violations and lawbreaking. It was explicit approval, handed down by none other than DHS’s supposed “privacy” watchdog.
Then there’s the sort of thing that always tends to happen when you give someone powerful tools with minimal instruction, oversight, or accountability. The IG report portrays this as an isolated incident, but I bet the DHS Director’s salary this is only the tip of the iceberg.
In addition to these oversight gaps, we identified one instance in which, unrelated to an investigation, a CBP employee used CTD inappropriately to track coworkers. The individual told the coworkers they had tracked their location using CTD. According to CBP, the complaint was reported by an ICE employee on August 20, 2020.
This revelation is accompanied by this rather dour note from the Inspector General’s office:
It is unlikely the inappropriate use of CTD would have been discovered due to the lack of policies and procedures governing CTD oversigh requirements.
In other words, other abuses are more than likely, they’re inevitable. And most of those likely will never be discovered via the DHS’s internal auditing and accountability processes because… well, the DHS just doesn’t have any of those.
Since the intent of using third-party data brokers was always to bypass other restrictions on location data-gathering, there was never any hurry to implement policies and processes to limit abuse or introduce accountability. The abuse was the point. Adhering to privacy laws and privacy impact assessment mandates would only prevent these agencies from giving the Fourth Amendment the slip. Worse, it would allow legislators and [gasp!] the general public to start asking questions about this apparent abuse of (constitutional) process. The less anyone knew, the better off these agencies would be. And the less anyone on the inside demanded, the more plausible the shrugs delivered to Inspector General’s office when it finally decided to stick its nose into the DHS’s business.
And while the DHS has at least agreed to many of the IG’s recommendations, it’s important to recognize there’s a whole lot of distance between agreeing to do something and actually doing something. For the DHS and its components, agreeing with recommendations simply means letting the clock run until the next IG investigation into this very specific issue. And, until that happens, DHS, ICE, CBP, and the US Secret Service don’t have to change a thing.