Security
Headlines
HeadlinesLatestCVEs

Headline

The DHS Bought a ‘Shocking Amount’ of Phone-Tracking Data

The ACLU released a trove of documents showing how Homeland Security contracted with surveillance companies to scour location information.

Wired
#intel#auth

For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a “glimpse” of how DHS agencies came to leverage “a shocking amount” of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.

Documents were shared with the ACLU “over the course of the last year through a Freedom of Information Act (FOIA) lawsuit.” Then Politico got access and released a report confirming that DHS contracted with two surveillance companies, Babel Street and Venntel, to scour hundreds of millions of cell phones from 2017 to 2019 and access “more than 336,000 location data points across North America.” The collection of emails, contracts, spreadsheets, and presentation slides provide evidence that “the Trump administration’s immigration enforcers used mobile location data to track people’s movements on a larger scale than previously known,” and the practice has continued under Biden due to a contract that didn’t expire until 2021.

The majority of the new information details an extensive contract DHS made with Venntel, a data broker that says it sells mobile location data to solve “the world’s most challenging problems.” In documents, US Customs and Border Patrol said Venntel’s location data helped them improve immigration enforcement and investigations into human trafficking and narcotics.

It’s still unclear whether the practice was legal, but a DHS privacy officer was worried enough about privacy and legal concerns that DHS was ordered to “stop all projects involving Venntel data” in June 2019. It seems that the privacy and legal teams, however, came to an agreement on use terms, because the purchase of location data has since resumed, with Immigration and Customs Enforcement signing a new Venntel contract last winter that runs through June 2023.

The ACLU still describes the practice as “shadowy,” saying that DHS agencies still owed them more documents that would further show how they are “sidestepping” the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people’s cell phone location information quietly extracted from smartphone apps.” Of particular concern, the ACLU also noted that an email from DHS’s senior director of privacy compliance confirmed that DHS “appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved.”

DHS did not comment on the Politico story, and neither the DHS agencies mentioned nor the ACLU immediately responded to Ars’ request for comment.

The ACLU says that no laws currently prevent data sales to the government, but that could change soon. The ACLU endorses a bill called the Fourth Amendment Is Not for Sale Act, which is designed to do just that. Even if that bill is passed, though, the new law would still provide some exceptions that would allow government agencies to continue tracking mobile location data. The ACLU did not immediately respond to comment on any concerns about those exceptions.

How to Stop Location Data Tracking

The main question being debated is whether a Supreme Court decision in 2017 that said police must have a warrant to search cell phone data applies to government agencies like DHS. It’s a gray area, the Congressional Research Service says, because “the Supreme Court has long recognized that the government may conduct routine inspections and searches of individuals entering at the US border without a warrant” and that “some federal courts have applied the ‘border search exception’ to allow relatively limited, manual searches at the border of electronic devices such as computers and cell phones.”

DHS isn’t the only government agency that considers itself an exception, though. In 2021, the Defense Intelligence Agency also purchased location data without a warrant, bypassing the 2017 Supreme Court decision because the Department of Defense has its own “Attorney General-approved data handling requirements.”

It’s all part of a troubling pattern that shows a growing preference for the practice across many government agencies that have considered themselves exempt from legal concerns over the past few years.

Now, as privacy concerns over data tracking by law enforcement have heightened in post-Roe v. Wade America, more mobile phone users are considering ways to keep their data private.

The first step for many might be to stop sharing location data with untrustworthy apps or maybe even entirely. Any time an app asks to track location data, users can either opt in or out. The ACLU told Politico that this opt-in process is what gives third-party vendors like Venntel the right to grant government access to data, claiming users have given permission to share with the government just by opting in.

“It’s very clear that when people are doing that, they’re not expecting that that’s going to be potentially creating this massive database of their entire location history that’s available to the government at any time,” Shreya Tewari, the Brennan fellow for the ACLU’s Speech, Privacy and Technology Project, told Politico.

For mobile phone users concerned about DHS data tracking, users can specifically opt out of Venntel data collection.

There’s not enough information identifying other contracts DHS might have with other vendors selling location data. The ACLU did not comment on the next steps to retrieve the rest of the DHS documents the organization requested, but its initial FOIA request asked for all contracts “concerning government access to or receipt of data from commercial databases containing cell phone location information.” That information may come in a future document dump, as the ACLU lawsuit states, but history proves DHS is not always prompt to respond. The ACLU waited nine months for a response before suing and noted at that time that “DHS has even refused to provide its legal memorandum about these practices to US senators who have requested it.”

The Fourth Amendment Is Not for Sale Act was introduced in Congress in April last year, where it was read twice and then referred to the Committee on the Judiciary. A request for an update on the bill’s progress from one of its most vocal authors, Senator Ron Wyden, Democrat of Oregon, did not yield an immediate response. The ACLU advises that officials act sooner rather than later, saying, “Lawmakers must seize the opportunity to end this massive privacy invasion without delay. Each day without action only allows the government’s covert trove of our personal information to grow.”

This story originally appeared on Ars Technica.

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist