New ICE Privacy Impact Assessment Shows All the Ways the Agency Fails to Protect Immigrants’ Privacy

DHS’s Immigrations and Customs Enforcement (ICE) proudly proclaimed its “first-ever Alternatives to Detention Privacy Impact Assessment”, bragging about the release of a document that the agency should have produced twenty years ago at the start of the so-called Alternatives to Detention (ATD) program. But the PIA that ICE produced is not just decades late, it is substantively deficient, likely wrong about key facts, and already outdated. This PIA process reflects the behavior of an agency that does what it wants and seeks justifications later.

Background

To start, we need to recognize that ICE is an agency with a continuing history of unauthorized and abusive practices. This month alone, two major stories about ICE’s bad behavior broke. According to Wired, the agency is using administrative subpoenas, a tool meant to pursue customs violators, to request information from “elementary schools, news organizations, and abortion clinics”. And a database of ICE’s internal investigations demonstrates how ICE agents and hired contractors regularly violate the agency’s rules on database access, allowing for stalking, wrongful surveillance and the sale of government information. That is on top of a long history of impersonating police officers, abusing immigrants in ICE detention, building a vast surveillance network of data purchased from brokers and other legally questionable means, and even detaining and deporting U.S. citizens. Any fulsome accounting for ICE’s impact on immigrants privacy and safety needs to consider that ICE agents and contractors are likely to abuse any data they have access to.

Under section 208 of the E-Government Act of 2002, every federal agency is required to produce a Privacy Impact Assessment (PIA) before it rolls out a “new collection of information … using information collection technology”. Agencies across the federal government routinely flaunt this requirement by doing their PIAs after they start using new technologies or initiating new collections. But no agency operates quite like ICE. For years, the agency has claimed that its Alternatives to Detention program is covered by tiny amendments to existing PIAs for other programs that failed to account for the size of the ATD program and couldn’t keep up with the technology that ICE was using. 

The Alternatives to Detention program is a system of electronic monitoring technologies that ICE applies to immigrants passing through the Southern border to the U.S or arrested in the U.S. and awaiting immigration hearings, along with immigrants who have had their hearings and are awaiting deportation. The ATD program is also frequently referred to as the Intensive Supervision Appearance Program (ISAP), though there are also several small pilot programs that do not rely heavily on surveillance technology.[1] ICE claims that ATD serves as a way to keep migrants out of detention facilities while ICE keeps tabs on them, but in reality the program has become something of a default for migrants crossing the Southern border. Historically, immigrants crossing the border would be released in the U.S. without any form of monitoring. Immigrants released without tracking reliably show up for their court dates. Under the program, ICE currently has over 280,000 migrants under some form of surveillance, according to up-to-date records from Syracuse University’s TRAC Center. That’s down from a record high of almost 380,000 people in December 2022. A Government Accountability Office assessment of the ATD program from last year found that ICE was not sufficiently overseeing its BI contractors or assessing the performance of the program.

Immigrants assigned to ATD are released from ICE prisons in exchange for some form of surveillance, which ICE chooses based on the agency’s assessment of how likely the immigrant is to attend their immigration proceedings. The most invasive option is a GPS ankle monitor that continuously tracks the wearer and gives ICE access to historical location data. Next is the SmartLink phone app that requires immigrants to check in, submit a selfie for facial recognition matching, and send ICE their phone’s GPS location. Finally, ICE can require immigrants to call in and report their location, with the immigrant’s identity confirmed by voice recognition. All of this tech is supplied to ICE under a $2.2 billion contract with BI Incorporated, a prison technology company. BI doesn’t just provide the tech to make ATD work, it also supplies case managers, third-party contractors doing the work of ICE officers. On April 18, 2023, ICE announced that it will start testing BI’s new GPS monitoring watches, making the PIA published just weeks ago obsolete. ICE is also piloting several small ATD programs focused on providing immigrants with resources and intensive case management instead of just surveilling them. The largest such program is the Young Adult Case Management Program, which targets 18–19-year-old immigrants with additional supportive services and meetings instead of requiring technological monitoring.

If an immigrant can’t keep in regular contact with ICE through their assigned surveillance device, ICE is free to put that person back in ICE prisons until their court hearings, which could be months or years in the future. Equipment failures, unexpected emergencies, and difficulty understanding how to navigate the immigration legal system in a foreign language all make it very difficult for immigrants to fully comply with ICE’s terms of release. However, there is an easy alternative to surveillance that would meet ICE’s claimed goal of making sure people show up to court. Studies show that providing lawyers for immigrants is by far the most effective way to ensure they show up in court. When immigrants have lawyers, they make it to 97 percent of court proceedings in the U.S.

Inside ICE’s New PIA

Privacy Impact Assessments generally follow a defined structure. The document describes the information collection program, and then analyzes a series of “Privacy Risks” organized under the Fair Information Practice Principles (FIPPS) — Transparency, Individual Participation Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. Although these are separate categories, there tends to be some overlap between the relevant information and policies that determine whether a risk exists, and to what extent that risk is “mitigated”. With that context, let’s take a look at what the PIA reveals, and how it analyzes the harms of ATD’s surveillance. 

ICE Admits to Invasive, Unnecessary Surveillance Practices

The document reveals that ICE agents and hired case managers don’t just get access to immigrants current GPS location from BI’s ankle shackle, they also have access to the full history of a person’s movements while wearing the shackle. This information is entirely irrelevant to ICE’s claimed need — locating immigrants when they fail to show up for court. All that would require is the immigrant’s current location. But the Data Minimization section never even mentions that this information is unnecessary and ripe for abuse. Instead, it concludes that the risk of over-collection is entirely mitigated with only a cursory justification:

The document similarly fails to grapple with the deep harms caused by ankle monitors, including shame and stigma, depression and suicidality, and the ways ankle shackles interfere with people’s lives. ICE admits that the monitor can be compelled to beep until the wearer presses a button acknowledging the notification. Failure to respond to the beep can be grounds for returning an immigrant to detention. But ICE does not recognize the impacts of persistent and disruptive monitoring. According to Human Rights Watch:

• When US immigration authorities release people from detention, they often put them on ankle monitors. But these devices cause physical and psychological pain and carry a stigma, due in part to their association with the criminal justice system. This makes it harder, for example, for those who wear them to get jobs.
• “Whoever finds out that I’m wearing [the ankle monitor], they don’t get close to me anymore,” said a 39-year-old man from Mexico. “I dream of the day somebody will cut it.”

ICE Gives Contractors Access to Voluminous Records From Data Brokers

The PIA also reveals, for the first time, that ATD staff specifically (e.g. ICE officers and hired case managers) are given access to vast troves of data purchased from commercial data brokers. The PIA provides one example of such a data broker, a database of arrest and jail records compiled from municipalities around the country. The document implies that agents have access to other records as well but does not actually say which other databases ICE agents and case managers get access to. Last year, EPIC compiled a report on the various ways ICE and CBP manage to evade constitutional limits on surveillance by buying data from vendors in our report DHS’s Data Reservoir. After describing the data aggregator services initially, the PIA provides no analysis of the risks created by such a database, including the risk that an immigrant will be erroneously flagged due to a common name or technical error and detained for no reason.

ICE Punts, Provides Few Details on Technical Protections

The PIA is also noticeably deficient on the technical details and policies needed to determine whether ICE is doing enough to prevent abusive practices. Despite waiting nearly 20 years to publish the PIA, and after several years of promises from ICE’s Privacy Office that the document is forthcoming, this PIA contains few details on the technical standards or policy controls to prevent abuse. 

Notably, it fails to include whether anyone has tested claims about the technical limits on surveillance in BI’s SmartLink phone app. ICE claims that the app cannot access any other information on a person’s phone except location data when it is used for a check in. But ICE provides no proof that the app has been red-team tested to guarantee that there are technical limits on access, suggesting the agency is taking contractor BI’s word that the app is secure. 

And independent reporting suggests that ICE is wrong about the app only accessing location data when an immigrant “checks in” with their facial recognition selfie. The Guardian reports:

• Immigrants in the program told the Guardian they had been instructed by BI employees to always keep their phones on so the company could track them. José, an immigrant in the program whose name the Guardian is withholding to protect his immigration case, said he had been told by BI employees to have his phone with him at all times so BI could locate him. Macarena, another [ISAP] participant whose name the Guardian is withholding to avoid jeopardizing her proceedings, was told the app was always running and she always had to have her location services on. Several immigrants told the Guardian they had been told they could not let their phone batteries die. “It’s exactly like my [ankle monitor], but now it’s in my phone,” Macarena said about the instructions she received.

Even by ICE’s own standards, the PIA is inconsistent. The SmartLink app is only supposed to report location data when immigrants check-in, but the document later admits to at least two points of data collection:

A person could log into the app multiple times per day, giving ICE access to far more location data than the agency claims it needs. Despite this, ICE considers the risk of persistent monitoring and other unauthorized surveillance “partially mitigated”. And ICE believes that the risk that “ICE ATD programs will over-collect information from the participants” is fully mitigated. Essentially, ICE sees no risk of over-collecting information whatsoever. That analysis flies in the face of technical details provided in the PIA and outside reporting on the program.

ICE Fails to Consider Impacts on Third Parties

The document recognizes that there is a serious risk ATD participants family members, friends, roommates, and other non-participants will be subjected to wrongful surveillance. But ICE both over-estimates the validity of consent to the program and deliberately ignores several ways that people could fall under wrongful surveillance. This section never discusses the serious risk that immigrants video-conferencing with ICE agents through the SmartLink app will subject their homes, families, and friends to surveillance. We’ve all had a roommate or colleague walk into the background of a Zoom call at some point, but that call probably never came with the risk arrest or deportation for the roommate. Earlier in the document, ICE points to a policy of not recording videoconferences but does not even recognize this as a risk to be mitigated.

Similarly, ICE does not consider how GPS monitoring of an immigrant can impact their friends and family. Historical location tracking would let ICE know where a person’s children go to school, who that person regularly visits, and a bevy of other information that might lead to someone being investigated or subject them to an ICE raid. The document admits that ICE does not get consent from friends and family listed as emergency contacts to be contacted for the program, yet still considers the risk to be “partially mitigated”.

ICE Fully Ignores Dangers of Interconnected Databases

In one of the most frustrating parts of the document, ICE claims that the serious risk information from the ATD program will be disseminated throughout DHS, across the federal government, and might even end up in the hands of local law enforcement is “partially mitigated”. But all ICE can point to is a DHS policy that information should be transmitted wherever it might be useful, absent a law to the contrary. That is effectively an admission that instead of being mitigated, this risk is an open, ongoing, and harmful practice.

EPIC has catalogued the harms of interconnected government databases and opposed their expansion for decades. The more people who have access to the highly invasive data collected as part of the ATD program, the greater the risk that someone, somewhere along the chain abuses that data. These risks are not hypothetical, as recent reporting on unauthorized access to ICE databases demonstrates. But the PIA fully fails to consider that abuse of data is a near-certainty at ICE, and that putting that data in more hands by sending it to DHS’s far-reaching databases increases the likelihood of harm.

ICE Overstates the Importance of Small, Low-Tech Pilot Programs

The new PIA spends a huge amount of time discussing the YACMP program for 18–19-year-olds despite the fact that this program touches only a tiny fraction of all immigrants in the ATD program. Twenty-four of the 35 pages in the document reference YACMP, and an extensive amount of analysis is focused on it, instead of the far more commonly used SmartLink app, voice monitoring, and GPS monitoring. This is part and parcel of ICE’s strategy to whitewash ATD by highlighting small, mostly inconsequential pilot programs instead of grappling with the reality of subjecting hundreds of thousands of people every year to surveillance. 

Despite long-running claims that ICE is transitioning away from ankle monitors and pursuing “de-escalation” of surveillance for many participants, records suggest that the agency is not serious about reducing the level of surveillance immigrants are subjected to. Reporting from the Guardian last year revealed that even when BI’s contracted case managers recommend a lower level of surveillance for a person, ICE only approves that request about 20 percent of the time. The repeat pattern of claimed de-escalation, even while the program grew to record high numbers of participants in 2022, is reflected in this document. There is a 10-page addendum on the tiny Case Management Pilot Program, and an overwhelming focus on the youth program. This optimistic focus comes at the expense of immigrants surveilled under the much larger ISAP portion of ATD.

ICE Gives Agents, and Hired Contractors, Too Much Power Over Immigrants Lives and Safety

One of the most consistent themes of the PIA is that ATD gives ICE’s Enforcement and Removal Operations officers and BI’s hired case managers an extraordinary degree of control over immigrants’ lives. Hired case managers are not federal employees, but private contractors provided by BI. Yet they have many of the powers of an ICE agent, allowed to perform check-ins, determine conditions of supervision for immigrants, and even use GPS tracking to surveil immigrants directly.

As the PIA makes clear, case managers have discretion on whether to treat a failure to check-in as a technical error or report it as a violation of the terms of the program, meaning that the immigrant is termed an “absconder” and will be sent back to an ICE prison. 

Conclusion

ICE’s new PIA does not seriously consider the real harms caused by the ATD program. It consistently overstates the degree of mitigation, and deliberately ignores many elements of the program that are most harmful to immigrants. And the document is overly focused on small pilot programs, suggesting that ICE wants to be seen as more compassionate than the agency really is. A meaningful analysis of the ATD program would recognize that subjecting hundreds of thousands of people to intensive surveillance over a period of 20 years in violation of federal privacy laws like the E-Government Act cannot be remedied by a conclusory impact assessment. The fact that this document is already out of date with ICE’s new trial of GPS wristwatches demonstrates how the agency has consistently failed to build privacy analysis into the decision-making process, and instead uses PIAs as post-facto justifications for programs the agency would undertake regardless of the harms they cause.

---

[1] For a good summary of the program, see this factsheet from the American Immigration Council.