A stunning variety of authorities companies are shopping for location knowledge for cell telephones. The legislature needs to know why.
The Department of Homeland Security (DHS) will investigate its own use of location data after it becomes known that Customs and Border Protection (CBP) has purchased cell phone location data from commercial vendors for use in their work.
The Inspector General's DHS office recently informed Sens. Sherrod Brown, Ed Markey, Brian Schatz, Elizabeth Warren and Ron Wyden – all Democrats – that it would review the agency's guidelines on cell phone surveillance. The OIG letter is in response to these senators' request for an investigation last October. CBP has refused to reveal much about how the data purchased from commercial vendors will be used, other than confirming publicly available information that such contracts are in place with these vendors.
The type of location data in question is captured by millions of phones, with most people unaware that their movements are being tracked this way and cannot find out who has access to that information. There are few laws governing location data companies, and government agencies have used this to their advantage, spending millions to get access to this information. Privacy advocates have long opposed this practice, and privacy-conscious lawmakers have pushed for investigation and law to regulate it.
Location data purchased from private corporations enables government agencies to access potentially enormous amounts of personal information on millions of people who are not suspected or involved in crime. While there are few laws governing the collection and use of this information by private companies, law enforcement agencies are usually required to have an arrest warrant and a reason to obtain this information themselves. Getting it through a private provider with no such restrictions can work around those restrictions and is currently a legal gray area.
"When federal agencies prosecute American citizens without a warrant, the public deserves responses and accountability," Wyden said in a statement sent to Recode. "I will accept nothing less than a thorough and prompt general investigation by the inspector into the CBP program for monitoring telephone location data."
CBP is one of several law enforcement and government agencies that is acquiring location data from private companies – data that they would otherwise not have been able to easily access and that may not be available on their own rules. The Wall Street Journal reported in February that DHS's CBP and ICE (Immigrations and Customs Enforcement) weapons were using location data from a company called Venntel to locate undocumented immigrants and routes they crossed the border. Records show that CBP gave Venntel hundreds of thousands of dollars to access its location database.
"CBP is not above the law and has refused to answer questions about buying mobile location history from people without guarantee – not even from seedy data brokers like Venntel," added Warren. "I'm glad the Inspector General agreed to our request to investigate this potentially unconstitutional abuse of power by the CBP as we need to protect public rights after the Fourth Amendment to be free from lawful searches."
The agency has claimed that it only uses a limited amount of anonymized data as per its guidelines. However, experts say that it is not difficult to identify the owner of a device if there is enough information about where and when that device was. And there is so little transparency about how this data is collected that it is doubtful whether anyone knows for sure whether it is in line with the guidelines the agencies have put in place.
Not to be outdone, the American Civil Liberties Union (ACLU) announced on Wednesday that it is suing the DHS for forcing the agency to make its records of phone location data purchases public after the agency made its inquiries for the Freedom of the Information Act.
"It is important that we understand how federal agencies access bulk databases of American location data and why," said Nathan Freed Wessler, lead lawyer for the ACLU Language, Technology and Privacy Project, in a statement sent to Recode. "Without transparency there can be no accountability."
The DHS isn't the only government agency that purchases and uses Venntel's services. Venntel also has contracts with the FBI and the DEA. The Internal Revenue Service also tried Venntel in 2017 and 2018, but did not seem to find the data useful for its work, the Wall Street Journal reported. And Venntel isn't the only location data company working with the government this way: X-Mode and Babel Street also have contracts with government agencies and their contractors.
Other parts of the government are fighting back. In June, the House Oversight and Reform Committee began investigating the "collection and sale of sensitive cell phone location data" to federal agencies for law enforcement purposes. The IRS is also in the midst of a review of its use of Venntel, initiated upon another request from Wyden and Warren.
In 2018, the Supreme Court ruled in the Carpenter v. United States case that law enforcement agencies could not buy cell phone tower data without a warrant, and the FCC recently fined Verizon, AT&T, and the United States several hundred million dollars Sprint / T-Mobile for selling tower data to private companies without customer knowledge or consent.
The type of data that Venntel sells comes for other reasons: Usually trackers are placed in mobile apps. But there are other sources as well. Location data companies also work with other companies who provide this data or buy it directly from the app developers, making it difficult for anyone – including their own customers – to know exactly what they have and where they got it from. For example, Venntel is a subsidiary of Gravy Analytics, which has data location information from "tens of thousands of apps" purchased through "many different data partners" and provides access to "billions of daily location signals".
Venntel offers device owners the option of deactivating the collection of their location data by the company. However, users need to know their device's mobile identifier (Venntel suggests downloading an app to find out) and then select the option. out request every time that identifier is reset – which Apple and Android devices now allow customers to use as a privacy measure. Users must also have cookies enabled in their browser when submitting the request.
It remains to be seen what, if anything, the DHS investigation of itself will reveal or effect, or whether the ACLU's lawsuit will be successful. In any case, the unregulated and persistent collection and sale of our location data provides data brokers with a tremendous amount of information about us, which in turn can be used in a multitude of ways by all types of buyers, including government. Your privacy options, however, are limited.
Open Sourced is made possible by Omidyar Network. All open sourced content is editorially independent and is produced by our journalists.
Are you helping keep Vox free for everyone?
Understanding has enormous power. Vox answers your most important questions and gives you clear information to help you understand an increasingly chaotic world. A financial contribution to Vox will help us continue to provide free explanatory journalism to the millions who rely on us. Please consider contributing to Vox today, starting at $ 3.