Customs and Border Protection, part of the Department of Homeland Security, told senators it uses a commercial database to conduct warrantless tracking of people inside the United States.
Customs and Border Protection is using commercially available location data from cell phones to conduct warrantless tracking of people inside the U.S. and refused to provide lawmakers with a legal justification for these activities, according to five senators.
In a letter sent Friday to Homeland Security Department Inspector General Joseph Cuffari, five Democratic senators questioned CBP’s use of subscriptions with data broker Venntel, a government contractor based in Virginia, which gives them access to commercial location data.
Sens. Elizabeth Warren, D-Mass., Ron Wyden, D-Ore., Sherrod Brown, D-Ohio, and Brian Schatz, D-Hawaii, asked the inspector general to examine the legal analysis CBP performed—if such analysis exists—before the agency began using the tool.
“CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress,” the letter reads. “We disagree.”
Privacy experts have long warned data brokers like Venntel are able to share detailed information about people’s lives using location data from apps users may not even realize are tracking such information. Many argue the need for more regulation around data privacy is urgent. Even when anonymized, geographic data can contain enough detail to re-identify individual users.
Mana Azarmi, policy counsel at the Center for Democracy and Technology, told Nextgov the Supreme Court case referenced in the letter, Carpenter v. United States, upheld in clear terms the sensitivity of this kind of data and why it demands strong protection before the government can access it.
“If government agencies like CBP can evade the warrant requirements imposed by Carpenter simply by purchasing the data, we render that ruling a nullity, and then we lack sufficient checks to protect our privacy,” Azarmi said.
Azarmi suggested CBP’s use of the Venntel database may also be an example of mission creep, where CBP deploys surveillance technology for use along the border but then applies the technology to a broader range of cases. This latest instance of CBP admitting it uses location data to track people within the U.S. is similar to the agency’s use of drones to surveill protests this summer, she added.
The five senators also asked the inspector general to determine how CBP was able to begin using the Venntel database without first publishing a privacy impact assessment. In a 2018 privacy impact assessment, CBP stated it “may use commercially available location data acquired from a data provider in order to detect the presence of individuals in areas between ports of entry where such a presence is indicative of potential illicit or illegal activity.”
In a statement shared with Nextgov, CBP repeated the assertion it may obtain access to commercially available information, adding this data is anonymized. CBP did not clarify whether the 2018 PIA is related to the agency’s use of Venntel’s database.
“All CBP operations in which commercially available telemetry data may be used are undertaken in furtherance of CBP’s responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy, and privacy requirements,” the statement reads.
The DHS Office of Inspector General did not immediately respond to a request for comment.
Last month, Warren and Wyden successfully lobbied the inspector general at the Internal Revenue Service to investigate its own use of Venntel’s location tracking services.