DHS Disregards Internal Policies and Avoids Fourth Amendment Protections to Track Your Location

February 8, 2024 | Maria Villegas Bravo, EPIC Law Fellow

The Department of Homeland Security’s Office of the Inspector General (OIG) published a report on DHS’ use of Commercial Telemetry Data (CTD). CTD, in brief, is data collected from mobile devices by private entities that can form a detailed timeline of the device’s location over the period of time contained in the dataset. The OIG report found that Customs and Border Patrol (CBP), Immigration and Customs Enforcement (ICE), and the United States Secret Service (USSS) bought and used CTD in violation of their own meager internal privacy policies. Additionally, the report found a lack the internal controls to make sure privacy policies were followed in the first place. The OIG report is a damning account of the ways in which DHS’ oversight mechanisms have failed to curtail repeated privacy abuses and hold DHS components accountable for violations of its own policy. What’s more, the buying of CTD has allowed DHS and its components to make an end-run around the Fourth Amendment warrant requirement and is just the latest example of the need to reform government surveillance to protection Americans’ privacy.

DHS Fails to Follow its Own Internal Policies at a Systemic Level

The OIG report details how the DHS components refused to follow appropriate technology procurement protocols and showcases the agency’s startling lack of internal oversight during the actual use of the products that provide CTD, allowing DHS agents to engage in detailed surveillance without credentials or guidance. For example, the report details a troubling pattern of disregard for privacy impact assessments (PIAs). Under the E-Government Act, the federal government must complete, review, and publish a privacy impact statement “before . . . initiating a new collection of information” in an identifiable form that “will be collected, maintained, or disseminated using information technology” from ten or more persons. [1] The assessment must address, among other things, what information will be collected, why the information is being collected and the agency’s intended use for the information, with whom the information will be shared, and how the information will be secured. [2] The Office of Management and Budget regulations dictate that PIAs must be completed “from the earliest stages of” and continuously throughout “the information life cycle.” PIAs also provide an analysis of privacy concerns posed by the acquisition and steps that the government agency will take to mitigate the impacts on privacy.[3]

DHS’ own Privacy Policy and Compliance instructions require a Privacy Threshold Analysis (PTA) to occur when an IT system, technology, etc. involves PII to determine whether further privacy compliance documentation (such as a PIA) is required. The OIG report defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including other information that is linked or linkable to an individual.” While these PIAs may look like a valid safeguard on paper, DHS has systematically failed to use them appropriately, if it fills one out at all.

To avoid conducting a PIA, ICE erroneously denies that PII is being collected in connection to the CTD databases because the data is “anonymized” and therefore “not privacy sensitive,” leading to the procurement process entirely bypassing any privacy oversight. The OIG Report defines Commercial Telemetry Data as data collected from mobile devices using Advertising Identifiers (AdID) unique to each device. The data collected from mobile devices with AdIDs includes time stamps, device type, operating system, and GPS coordinates. Putting this data together, a thorough timeline of a device’s location history can be created. The advertising industry claims that AdIDs protect consumer data more than cookies because the ID is anonymous, and ICE itself argues in the report that since the data is anonymized, no PII is collected through this technology. However, there is a broad swathe of research that shows that it can take as few as three “anonymized” data points to reidentify individuals from public databases.[4] When combining detailed geolocation data with auxiliary data sets such as SocialNet and other surveillance tools employed by DHS, the reidentification of individuals becomes nearly certain. The OIG report explicitly states that both CBP and ICE used the data from these products to link devices to individuals, countering their own point that the anonymized data should not be considered PII.

By denying that PII is being collected, ICE bypassed further privacy compliance documentation and automatically sent the procurement request directly to the ICE Office of Acquisition rather than the component’s Privacy Officer, which would have otherwise been notified. Procurement requests only go to Privacy Officers if the procurement request checks a box stating that the requested technology requires access to particular categories of sensitive information, DHS information systems, or Government facilities. Otherwise, a Privacy Officer is not required to review the procurement and may not be aware of the acquisition at all. Even if a Privacy Officer is involved, all they are required to do is go through the PIA process.

Even if DHS believed the technology contained PII, all three DHS components used CTD without waiting for PIA approval. CBP and ICE both stated that they believed DHS policy allowed for operational use of the technology while a PTA was active (i.e. before the PTA expired) while a PIA was in development. However, the Secret Service initially and correctly waited 6 months for PIA approval, before erroneously deciding in this instance that “operational need to use CTD superseded the requirement to have an approved PIA.” All three components used CTD without approved PIAs in the audited years and, in total, conducted at least 71,000 queries between FY 2019 and 2020.

Even once the CTD was procured and approved by a PIA, DHS and its components failed to develop sufficient policies and procedures to govern the use of CTD. Across the board, the components individually instituted baseline IT security practices, but the substantive use of the technology was almost entirely unregulated. Agents commonly shared accounts and passwords, did not have a standard method to maintain records of use, and did not have any supervisory review of the use of the technology.

In one notable incident, a CBP employee used CTD to inappropriately track coworkers, and the incident was reported to CBP’s Joint Intake Center and Office of Professional Responsibility. The matter was “resolved administratively,” yet CBP still failed to institute any supervision on the use of the technology after the incident. According to the OIG report, at no point, either during the event or subsequently, was there a request to the CTD vendors for audit logs that provide detailed meta data and the search queries made by users. Use of supervisory review could deter the unauthorized use of CTD, or at least detect the misuse and put an end to it. None of the supervisors interviewed by the OIG mentioned using the audit logs, evaluating CTD queries, or doing any other review of queries being made by agents. A Secret Service official interviewed by the OIG was unaware the audit logs even existed, three years after the Secret Service began using the CTD technology. Beyond flaunting their own internal privacy policies, DHS components have interpreted the Fourth Amendment to allow them to buy data that would require a warrant if DHS collected it directly.

DHS Exploits Vague Interpretations of Fourth Amendment Laws to Collect Historical Location Data

Americans have a reasonable expectation in the whole of their physical movements,[5] which means that law enforcement officials must obtain a warrant[6] to follow an individual’s movements over a long period of time. Under US v. Jones and Carpenter v. US, law enforcement officials are required to obtain a warrant when obtaining long-term[7] location data through physical trespass, like attaching a GPS device to a car, or by requesting historical cell site location data (CSLI) directly from wireless carriers. The Supreme Court has emphasized the unique nature of cellphones, as they “track[] nearly exactly the movements of its owner” which allows the government to “achieve[] near perfect surveillance” of any individual.[8]

For the past three years, however, DHS has avoided the warrant requirement that would apply if the agency directly collected long-term location data or requested CSLI from wireless carriers by buying it from data brokers like Babel Street. This “workaround” to the Fourth Amendment completely ignores the spirit of the ruling in Carpenter that made clear that individuals have a reasonably expectation of privacy in their cell-site location information. DHS interprets the Supreme Court’s ruling in Carpenter—which acknowledged that CSLI is more detailed than GPS data—to allow the agency to buy even more detailed location information than DHS could obtain through a warrant for CSLI. This interpretation eliminates the protections provided by the warrant requirement of Fourth Amendment, which would require a judge to approve, based on probable cause, any instance DHS wanted to acquire location data on a particular individual. More than DHS’s failure to follow internal privacy policies, the Fourth Amendment warrant requirement loophole needs to be addressed.

Unfortunately, we don’t know whether the OIG report examines the end-run around the Fourth Amendment to acquire location data without a warrant—a discussion that would no doubt benefit the public. In a largely redacted section of the report, it references that the components had different uses for CTD before the rest of the section is redacted minus a single footnote citing the full text of the Fourth Amendment. It’s possible the report references the Fourth Amendment warrant loophole issue in this redacted section, but it’s not clear. What is clear is that DHS is taken advantage of this gray area of the Fourth Amendment and disregarded its own internal privacy policies to expand its surveillance footprint.

This is not the first, nor the most egregious, instance of DHS disregarding privacy protections and avoiding warrant requirements in favor of broadening its surveillance dragnet. The OIG has called DHS out before for failing to obtain the necessary warrants to obtain cell-site simulators in violation of departmental and federal requirements. Furthermore, ICE has abused its investigative authority by using its investigative arm, Homeland Security Investigations (ICE HSI), to pretextually investigate individuals to later conduct deportations and family separation operations through its Enforcement and Removal Operations arm, which is not allowed to execute search warrants. In early 2023, Wired reported that ICE misused 1509 custom summonses, meant to be used for “criminal investigations about illegal imports or unpaid customs duties[,]” by sending them to a youth soccer league in Texas, a major abortion provider in Illinois, an elementary school in Georgia, multiple different boards of elections, and even a Lutheran organization that provides humanitarian support for refugees.

Broader Surveillance Reform Is Needed

This pattern of disregarding basic privacy practices and avoiding the requirements of the Fourth Amendment is not limited to historical location data, or even to DHS itself. The intelligence community has a long history of failing to follow internal privacy policies and dancing around the Fourth Amendment to build up its warrantless surveillance ecosystem.

In an ODNI report that was declassified and released publicly in 2023 after EPIC filed a Freedom of Information Act request for it, ODNI confirmed that the intelligence community is increasingly bypassing Fourth Amendment protections by buying commercially available information (CAI). This information includes location data, like discussed above, but can also include social media data, internet records, religious and political affiliations, sexual orientation, gender identity, health data, and more. Just like DHS, the intelligence community interprets Carpenter to allow for the purchase of data that would otherwise require a warrant for government agencies to collect directly. Buying data is not the only way government agencies avoid the requirements of the Fourth Amendment.

The surveillance conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) results in the “incidental” collection of Americans’ communications—communications that would normally require a warrant to obtain and search. The Federal Bureau of Investigation (FBI)—a notorious “problem child” when it comes to taking advantage of loopholes around the Fourth Amendment warrant requirement—conducts warrantless searches of these communications for routine criminal investigations of U.S. persons. The FBI’s policies provide a lot of leeway to search these incidentally collected communications of Americans for evidence of a crime, but the Bureau has even failed to follow their own lacks policies—searching the names racial justice protestors and sitting members of Congress despite no connection to a crime.

The National Security Agency (NSA) has routinely failed to comply with statutory and constitutional privacy requirements when it comes to its “abouts” collection activities. These collections refer to a surveillance technique that collects communications that merely reference a target under FISA. It voluntarily suspended some of its collection of this data in 2018, but with FISC approval and notification to Congress, it can restart its abouts collection at any time.

The path forward cannot rely on any one fix and merely doing a better job of adhering to current agency privacy policies is not enough. Although PIAs are important, and doing them better and prior to implementation of privacy invasive tech or programs would be a welcome change, the assessments would not stop the current end-run around the Fourth Amendment. EPIC is a strong proponent of surveillance reform, from varied administrative comments to its public records requests. Most recently, EPIC has focused on the upcoming deadline to reauthorize FISA section 702.

EPIC and EPIC’s coalition partners’ have endorsed a comprehensive list of recommendations that would thoroughly reform government surveillance to better protect Americans’ privacy and provide the needed oversight and accountability that is currently missing. Although no bill perfectly encapsulates all the reforms advocated for by EPIC and our partners, the Government Surveillance Reform Act (GSRA) and the Protect Liberty and End Warrantless Surveillance Act both represent meaningful reform and have been endorsed by EPIC and many of our coalition partners. Both the GSRA and the Protect Liberty Act would prohibit intelligence and law enforcement agencies from purchasing Americans’ data from data brokers under circumstances where they would need some form of a court order to compel that information directly. Additionally, both bills would also prevent the FBI from searching “incidentally” collected Americans’ communications without a warrant, among many other reforms. The need for reform is long overdue. The OIG report is just the latest example. It’s time for Congress to act.

[1] E-Government Act of 2002 § 208, Homeland Security Act of 2002 PL 107-296.

[2] Id.

[3] Id.  

[4] P. Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2009).

[5] Carpenter, 138 S. Ct. 2206, 2217 (2018)(quoting Jones).

[6]  Katz v. United States, 389 U.S. 347 (1967) (stating that the Fourth Amendment “protects people, not places” and introducing the concept of a “reasonable” expectation of privacy as the standard for when a search or seizure would require a warrant).

[7] In Jones, 28 days was deemed sufficiently long term to require a warrant. United States v. Jones, 615 F.3d 544 (2012). In a footnote, the Court in Carpenter declined to define the amount of time sufficient to indicate that a warrant may be required, but stated that “accessing seven days of CSLI constitutes a Fourth Amendment search” thereby triggering the warrant requirement. Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018). 

[8] Carpenter at 2218.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.