Originally published October 6, 2023 1:10 pm PDT
The Office of Inspector General (OIG) at the Department of Homeland Security (DHS) released a report dated September 28, revealing that several federal agencies didn’t adhere to privacy policies or develop adequate policies before procuring and utilizing commercial telemetry data (CTD).
The report is addressed to DHS Secretary Alejandro Mayorkas, and comes from Dr. Joseph Cuffari, the Inspector General.
The investigative audit was initiated to determine if the DHS and its components had “developed, updated, and adhered to policies related to the use of CTD.”
The report underscores that CTD, which may include historical device location data collected from mobile device applications and sold commercially, was used for investigative purposes by the respective agencies.
The critical findings of the report highlighted that the U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service did not comply with the DHS’ privacy policies or the E-Government Act of 2002.
The Act mandates an approved Privacy Impact Assessment (PIA) for any “privacy-sensitive technology or data obtained from that technology” before its procurement or development.
This lapse occurred as the named components lacked “sufficient internal controls to ensure compliance with DHS privacy policies,” and the DHS Privacy Office neither followed nor enforced its own privacy policies and guidance.
The report states, “Without a PIA in place, privacy risks may not be identified and mitigated.”
This crucial oversight implies that there might have been unidentified and unaddressed privacy risks concerning the use of commercial telemetry data.
Moreover, the audit found that the federal agencies in question did not have adequate policies and procedures to ensure the appropriate use of CTD.
The CBP had only interim rules of behavior regarding CTD usage pending the development of complete policies and procedures.
On the other hand, ICE and the Secret Service did not develop any CTD-specific policies and procedures.
The OIG report emphasized the lack of a DHS-wide policy governing the use of CTD despite the “significant congressional and public interest in the potential privacy implications with law enforcement use of CTD for investigative purposes.”
It recommends a proactive approach by the Department in providing DHS-wide guidance.
The report concludes with eight recommendations aimed at “improving policies and internal controls related to the use of commercial telemetry data.”
It requests a written response from the DHS Secretary, including a corrective action plan and target completion date for each recommendation, within 90 days of the memorandum.
In July 2022, it was revealed that documents obtained by the American Civil Liberties Union (ACLU) through a Freedom of Information Act (FOIA) lawsuit shed light on the expansive scale of mobile location data surveillance carried out by the Department of Homeland Security (DHS).
The uncovered documents, encompassing over 6,000 records, confirmed approximately 336,000 location data points across North America harvested from mobile devices.
A remarkable revelation from the documents was the data accumulation over a mere three-day span in 2018, where the Customs and Border Protection (CBP) amassed records of around 113,654 location points in the southwestern region of the United States, amounting to over 26 location points per minute.
The documents also showcased the government’s endeavor to justify these practices.
For instance, the location data was labeled as devoid of personally identifying information (PII), a claim contested by the ACLU since this data enables the tracking of individuals or population movements within specific locales.
The records further asserted that the data collection was “100 percent opt-in” with mobile users “voluntarily” sharing their location data.
However, many remain unaware that their smartphone applications are not only collecting but also distributing their GPS information, sometimes even to government authorities.
In light of these revelations, the ACLU emphasized the urgency for legislative intervention, advocating for the enactment of the bipartisan “Fourth Amendment Is Not For Sale Act.”
ACLU’s Brennan Fellow for the Speech, Privacy, and Technology Project, Shreya Tewari, voiced her support for the legislation stating: “Legislation like the Fourth Amendment Is Not For Sale Act would end agencies’ warrantless access to this data and head off their flimsy justifications for obtaining it without judicial oversight in the first place.”
Read the full September report from the Inspector General below:
