Analysis

CBP’s Privacy Impact Assessment on Commercial Telemetry Data Highlights Urgent Need for PIA Reform

November 14, 2024 | Kabbas Azhar, Equal Justice Works Fellow

On August 12, 2024, Customs and Border Protection (CBP) released its long-overdue Privacy Impact Assessment (PIA) on Commercial Telemetry Data. CBP defines Commercial Telemetry Data (CTD) as historic location data collected from mobile devices by tracking their advertising IDs (adIDs).

Importantly, CTD can encompass more than just historic location data from smartphones. For example, ICE has been accessing car telemetry data from OnStar, a security system installed in millions of vehicles worldwide. In fact, most car companies sell your data. Arguably, CBP should have a much broader view of what constitutes telemetry data. The Berlin Group, an international working group on data protection, has defined telemetry data more broadly as “data that is collected and transmitted by a device or application on a more or less continual basis. Telemetry data usually consists of information on operational behavior or environmental parameters but may also include elements like location information.” Any connected device can create telemetry data—and where it is created, it is also sold.

Thus, CBP’s PIA has an extremely narrow view of what constitutes CTD—which is no surprise. CBP’s PIA on CTD is extremely vague, years too late, and is a complete failure to comply with federal privacy regulations. PIAs are statutorily required by the E-Government Act prior to implementation of any information technology that has privacy implications. But there is a pattern of DHS and its components doing PIAs after implementing the technology and nonchalantly violating our civil liberties. This PIA is the latest example.

Contextual Background

Section 208 of the E-Government Act of 2002 requires certain privacy-sensitive technology or data obtained from such technology to have an approved PIA before such technology is developed or procured. The PIA must include:

  • what information is to be collected;
  • why the information is being collected;
  • the agency’s intended use of the information;
  • who the agency will share the information with;
  • what opportunities individuals have for notice or consent regarding the collection and sharing of their information; and
  • how the information is secured, and whether a system of records is being created under §552a of Title 5.

DHS’ own internal policies require a Privacy Threshold Analysis (PTA) to be completed before implementing an information system that processes Personally Identifiable Information (PII). PII includes “any information that permits the identity of an individual to be directly or indirectly inferred, including other information that is linked or linkable to an individual.” DHS components use the PTA process to determine whether a PIA is required. However, CBP started collecting telemetry data years before completing any sort of PIA or PTA.

In 2020, the Wall Street Journal reported that ICE and CBP were buying access to commercial databases that mapped movements of millions of cellphones in the US. Specifically, CBP bought licenses from Venntel which included subscriptions for location data. Venntel shared patents with Gravy Analytics, a mobile advertising company that gathered location information drawn from weather, e-commerce, and other game apps. Gravy Analytics repackages the location data and then sells it via Venntel to law enforcement agencies. The Federal Trade Commission has potentially opened an inquiry into Venntel and Gravy Analytics.

Other companies, such as Babel Street—whose software CBP also procured—acquire Venntel’s data and sell it to law enforcement as well. Babel’s software has an add-on called Locate X which repackages Venntel’s data and enables CBP to access location information for millions of devices. As early as 2017, CBP spent $981,005 contracting for Babel Street software. In 2021, CBP spent another $3.8 million on Babel Street. While Babel claims that Locate X data “does not have a direct correlation to identity,” studies show that only four points of data are enough to uniquely identify 95% of individuals.

Documents obtained by EPIC show that CBP created an initial PTA for Babel Street on January 1, 2018.[1] In its PTA, it noted that “Babel X has the ability to create geofences so CBP can view information posted from or about certain locations only.”[2] However, the PTA “cover[ed] BabelX and not LocateX which uses AdID information to determine location. LocateX is covered by the commercial telemetry PTA.”[3] BabelX itself allowed CBP agents to look up individuals based on their Username, Email, Name, Street Address, City, State, Zip Code, Country, Social Security Number, Driver’s License Number, Domain Name, IP Address, and telephone number.[4] And while CBP disaggregated BabelX from its LocateX function, even BabelX users could query location information by “creat[ing] geofences for publicly available geotagged social media content.”[5]

Locate X allows the tracking of individual mobile users by using their “adID”—also known as a “Mobile Advertising ID” or MAID—a unique, alphanumeric ID built into all Google Android and Apple mobile devices. Locate X cross-references the adID with location data—usually generated by weather and mobile apps as well as real-time bidding advertisement auctions—to create a persistent location history for the device. The location history can extend from months to years and can be used to track and map out entire social networks. Locate X has an added “premium” functionality that offers access to additional unspecified metadata. FOIA documents obtained by EPIC show that all CBP Locate X accounts had access to the premium functionality by April 2019.[6]

In September 2023, after some pointed inquiries by Senator Wyden’s office, CBP stated it would stop using CTD by the end of September. It qualified, however, that “if CBP identified a critical mission need to re-acquire a vendor who provides CTD, we would ensure that CBP would engage Oversight, Legal, and Privacy entities at the agency and departmental level.” At the end of September 2023, the Office of the Inspector General at the DHS released a public report that revealed ICE, CBP, and the Secret Service purchased CTD in violation of the E-Government Act.[7] These failures “occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS privacy office did not follow or enforce its own privacy policies.” The OIG recommended that CBP discontinue the use of CTD until a PIA had been completed and approved.

Now, after years of collecting CTD, CBP has finally released a retroactive PIA that tries to paper over its privacy violations. CBP’s PIA is part of a larger trend of agencies publishing PIAs long after harmful surveillance systems are put in place. ICE released its Alternatives to Detention PIA two decades after the program was implemented. And just last year, the Government Accountability Office reported that none of the seven agencies they investigated for their use of facial recognition complied with all their privacy policy requirements. But even when agencies do conduct PIAs, they are rarely more than a rubber stamp. CBP’s PIA is an apt example of that.

CBP’s deficient PIA

PIAs begin with a broad description of the information collection program. After the description, the agency analyzes the privacy risk of the information collection program under the Fair Information Practice Principles (FIPPS). The FIPPS include principles of Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.

CBP’s PIA has numerous deficiencies. Notably, it has several faulty and questionable claims as it sets out to describe its CTD collection program. In addition, its privacy risk analysis under the FIPPS leaves a lot to be desired.

CBP’s faulty claims

Over the course of the PIA, CBP makes several claims that can only be described as “technically correct” or just flat out wrong.

In the beginning of its PIA, CBP attempts to sideline its location data collection entirely by disclaiming that it “did not, and does not acquire or ingest bulk cell phone geolocation information.”

However, this is only a technical truth that obscures the deeper data collection that CBP engages in. While CBP itself does not ingest the data directly, its use of commercial vendors like Venntel and Babel that do the bulk ingestion for it makes this statement functionally meaningless. CBP personnel can query the data at their leisure and store the results of said queries for decades in their databases.

CBP further tries to minimize its use of location data by hedging that “only a small number of users in CBP queried the smart device location data.”

While we would usually have no choice but to take CBP at their word as there would be no other sources of data, the OIG Report discloses enough details to undermine the picture that CBP attempts to paint. Appendix C in the OIG Report disclosed various CTD contracts that DHS components held between 2018 and 2021:

CBP held 28 user licenses for CTD databases between 2018-19, 38 between 2019-20, and 26 between 2020-21. Contract numbers 70B04C18F00001093 ($2.3 million), 70B04C18F00001214 ($1.5 million), and 70B04C19F00000798 ($2.7 million) were for Babel Street software resold by various entities. Contract numbers 70B04C19F00000802 ($1.1 million), 70B02C20P00000521 ($20,000), and 70B04C20F00000914 ($475,944) were with Venntel.

FOIA documents[8] obtained by EPIC show that CBP signed another contract in 2021 (70B03C21F00001121) for Babel Street and Locate X subscriptions worth $3.8 million with an undisclosed number of subscriptions. As the OIG report detailed, DHS and its components had lax oversight mechanisms and users often shared accounts and passwords.[9] Looking purely at the number of licenses does not show the true scope of CBP’s use of CTD. For example, between FY 2019 and 2020 CBP conducted over 55,000 queries with its approximately 38 user accounts.[10] Thus, contrary to CBP’s implication that it minimally used smart device location, the scope of CTD use was far more expansive.

CBP also minimizes its blatant violation of the PIA requirement by claiming that its CTD evaluation “occurred only within parameters established by CBP policy and developed in consultation with the CBP Office of Chief Counsel and CBP Privacy and Diversity Office.”

Not only did CBP use CTD without conducting a PIA, CBP glosses over this fact. CBP first published an update about its CTD use in the Border System Surveillance PIA on August 21, 2018. But the approved PIA did not disclose CBP’s ability to associate CTD with other CBP tech and open-source information to identify users with a particular AdID.[11] And even when it did attempt to create a PTA for its AdID program, CBP skirted around waiting for approval before starting data collection. For example, CBP developed a PTA for its AdID Pilot that was to start on May 1, 2019, but it did not submit that PTA to DHS Privacy until August 16, 2019. The PTA was only approved on September 30, 2020 with an expiration date of September 30, 2021. The PTA was also conditional on an eventual PIA being developed.

But CBP collected CTD before any PTA or PIA was approved. Documents obtained by EPIC show that CBP was using Babel’s LocateX platform to run location-based searches years before the 2020 approval. CBP agents working on the Northern Border were requesting access to LocateX as early as May 2019;[12] the Tucson Sector Intelligence had access as early as October 2019;[13] the New York Field Office as early as September 2019.[14] Meanwhile, the Rio Grande Valley Sector Border Patrol was using LocateX functionality as early as June 2018.[15]

CBP continued to use its AdID program after the PTA expired on September 30, 2021. CBP’s $3.8 million contract for BabelX/LocateX subscriptions in 2021 was delivered just days before the PTA approval expired, yet CBP persisted in collecting CTD without conducting a PIA.

CBP’s Privacy Risk Analysis

CBP’s analysis of CTD vastly underestimates the risks of location data collection all the while relying on risk mitigation tools that do not demonstrably work.

Data Minimization Principle

Under the Data Minimization principle, DHS should only collect PII that is directly relevant and necessary to accomplish a specific purpose and only retain said PII for as long as is necessary to fulfill that purpose.

CBP’s collection and use of CTD exceeds any reasonable interpretation of the Data Minimization principle. CBP claims in its PIA that it was “limited to only viewing AdIDs, the GPS coordinates associated with those AdIDs, the date and time of AdID collection, and limited metadata related to the device’s operating system.” Any depiction of this data as limited is deceptive at best.

Indeed, recent reporting has shown the broad reach of surveillance tools like Locate X. A private investigator working with Atlas Security, a data removal company that is suing Babel Street, was able to access a trial of Locate X by claiming to be an investigator that would potentially work with the government in the future. Investigators using LocateX were able to track a single Alabama resident (where abortion is illegal) as they went to a Lowe’s Home Improvement Store, traveled along a highway, visited a church, went to an abortion clinic for two hours (in Florida, where abortion is restricted), and then came back to Alabama. For that phone alone, LocateX had approximately 88,000 data points.

LocateX also allowed users to do a “signal proximity search” to find other devices that frequently appear near a device of interest. Any associations, connections, and relationships can be tracked, catalogued, and then followed to create a web of surveillance that maps out entire social networks. Using CTD then, CBP can capture the private intimate details of a person’s life—exactly the sort of “near perfect surveillance” that the Supreme Court ruled required a warrant.[16]

CBP tries to minimize its over-collection by claiming that CTD tools did not provide “any biographic information on the device owner, such as device owner’s name, phone number(s), social security numbers, email address(es), social media, and/or application usernames.” But the tool is explicitly built to allow law enforcement to identify and surveil suspects. As the OIG noted in its report, CBP has the capability “to associate CTD with other CBP technologies and open-source information to identify a user associated with a particular adID.”[17] Yet, CBP tries to hide the ball by not mentioning its other capabilities and vast data-holdings.

Use Limitation Principle

The Use Limitation Principle is similar in focus to the Data Minimization Principle and limits DHS to using PII solely for the purpose specified in its notice.

To comply with the “Use Limitation” principle, CBP states that commercial platforms “were limited to providing CBP with up to three years of historical data related to an AdID.” Three years of consistent data points are far more than the four months of CSLI data that merited a warrant in Carpenter, but under CBP’s analysis in the PIA, that time limit is enough to mitigate the risk.

To grant itself a cover of legitimacy for having access to three years’ worth of data, CBP limits itself to searching for more than 14 days’ worth of data for a specific adID only if “there was a reasonable suspicion of a violation of a criminal law enforced or administered by CBP and/or a national security concern.” But CBP provides no clear guidelines on what constitutes reasonable suspicion. Nor is there any indication of any sort of review done to ensure that reasonable suspicion was actually reasonable. CBP personnel using CTD, at best, sign an agreement agreeing to certain Rules of Behavior before using LocateX. For searches that query less than 14 days’ worth of data, CBP does not list any clear guiding principles that governed the search.

Either way, once CBP decides to query a specific adID, they store the results for extremely long durations.

FOIA documents obtained by EPIC show that in the Babel Street PTA[18] CBP set out a policy for storing query results and any associated findings and analysis for 75 years. In the PIA itself, CBP claims it meets the Use Limitation principle despite storing information for decades at a time. For example, “Raw, unevaluated information on threat reporting originating from operational data and supporting documentation” that is not covered by another existing DHS system of records notice will be retained for 30 years.

And even though CBP claims it no longer collects CTD, it continues to store and hold such data in other databases without any clear indication of how and in what ways such data will be used. For example, CBP “incorporated and maintained AdID information into CBP systems if the results of the search of the commercial vendor platform were relevant to an ongoing investigation or inquiry” in its Intelligence Research System-Next Generation (IRS-NG) platform. IRS-NG allows CBP to access a “consolidated view of data about a person or an entity” across various data sources such as Passenger Name Records, license plate and DMV registration data, “projects developed by CBP users that may include public source information,” as well as systems like IDENT.

IRS-NG, despite already being in use and containing a vast trove of Personally Identifiable Information, still does not have a completed Privacy Impact Assessment of its own. The August 2024 Telemetry PIA claims that the IRS-NG PIA is still under development. But a 2017 PTA by CBP shows that CBP started a pilot program to give external users access to IRS-NG as early as October 2015. CBP continues to flout its statutory requirements to produce a PIA before implementing such technology.

Accountability and Auditing Principle

The Accountability and Auditing principle requires that DHS audit the actual use of PII to demonstrate compliance with the other principles. Audit practices are extremely important because they are the main enforcement mechanisms that mitigate privacy risks. But if the auditing procedures are never actually enforced, agencies have carte blanche authority to do what they like with no consequences.

DHS and its components have often identified internal protocols in their PIAs; however, actual enforcement is a bit of a black box. The OIG report gives a unique view into how dysfunctional and ineffective auditing mechanisms are at mitigating privacy risks.

CBP’s PIA lists no mandatory auditing schedule or time horizon. And in fact, no auditing occurred. Of the two CTD databases that CBP had contracted with (Babel Street and Venntel), CBP was unable to provide audit logs from one commercial vendor when asked by the OIG. The CTD vendor did not even respond to the audit request.[19] Nor did any CBP supervisor ever request any logs to audit CTD queries between 2018-2021. In fact, the OIG investigation of CBP’s CTD use was the first time the responsive CTD vendor had received an audit request. As they had never bothered to create an audit process, the vendor then had to make an audit process out of whole cloth for the OIG request.

The complete lack of actual auditing highlights the risks of CBP personnel potentially abusing their access to a rich trove of location data. With no oversight and verification, there is no accountability on how these invasive surveillance systems are used. Nor is any of this hypothetical: the OIG report detailed at least one incident where a CBP employee used CTD to track co-workers. And hundreds of ICE employees and contractors have faced internal investigations for misuse of law enforcement databases. Those investigations were only for misuses that were found; nonexistent audit processes practically ensure that there is a plethora of abuse that goes unnoticed.

Conclusion

CBP’s continued retention of CTD via a program for which it belatedly published a lackluster PIA shows the urgent need to reform federal enforcement of PIAs. Federal agencies purchase commercial information and conduct mass surveillance, only to publish post-hoc justifications when they are caught. Even when agencies purport to stop existing collection programs, their ability to retain information despite violating their statutory duty to publish PIAs gives them no incentive to comply. EPIC recently submitted comments to the Office of Management and Budget urging greater transparency and enforcement of PIAs. CBP’s latest PIA shows just how urgent the need for reform is.


[1] U.S. Dep’t Homeland Sec., U.S. Customs & Border Prot., Privacy Threshold Analysis for Babel Street “BabelX” Platform, Version number: 03-2020 (available at First Interim Production, # 000014) [hereinafter BabelX PTA].

[2] Id. at 3 (available at First Interim Production, # 000015).

[3] Id. at 4 (available at First Interim Production, # 000016).

[4] Id. at 7 (available at First Interim Production, # 000019).

[5] Id. at 8 (available at First Interim Production, # 000020).

[6] Email from Babel Street Director of Border Programs to CBP Analyst, National Targeting Center, Counter Network Division, Publicly Available Information Group (April 12, 2019) (available at Second Interim Production, # 000076-77).

[7] Off. Inspector Gen. Dept. Homeland Sec., OIG-23-61, CBP, ICE and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (REDACTED) (Sept. 28, 2023) (available at https://www.oig.dhs.gov/sites/default/files/assets/2023-09/OIG-23-61-Sep23-Redacted.pdf) [hereinafter OIG Report].

[8] Dep’t. Homeland Sec., Delivery Schedule and Accounting Data for Delivery Order: 70B3C21F00001121 (delivery scheduled for 09/21/2021) (available at First Interim Production, # 000003).

[9] OIG Report, supra note 7, at 13.

[10] Id. at 8.

[11] Id. at 6.

[12] Email from CBP Intelligence Research Specialist, U.S. Border Patrol, Northern Border Coordination Center to Babel Street Director of Border Programs (May 7, 2019) (available at Third Interim Production, # 000220).

[13] Email from Babel Street Director of Customer Experience to CBP Supervisory Border Patrol Agent, Tucson Sector Intelligence Unit (Oct. 25, 2019) (available at Second Interim Production, # 000051-52).

[14] Email from CBP Officer, New York Field Office to Babel Street Director of Border & Vetting Programs (Sept. 16, 2019) (available at Second Interim Production, # 000058-61).

[15] Email from CBP Supervisory Border Patrol Agent, Rio Grande Valley Sector to Contractor with National Targeting Center, Counter Network Division, Publicly Available Information Group & Babel Street Director of Account Management (June 6, 2018) (available at Second Interim Production, # 000095-97).

[16] Carpenter v. US, 138 S. Ct. 2206, 2218 (2018).

[17] OIG Report, supra note 7, at 6.

[18] BabelX PTA, supra note 1, at 8 (available at First Interim Production, # 000020).

[19] OIG Report, supra note 7, at 8.
