Secret Service and government agencies illegally used smartphone location data

Intentional location sharing in iOS 17

Back in 2020, it was claimed that the US Immigration and Customs Enforcement agency bought harvested data in order to circumvent laws limiting the use of location data from phone companies. The agency then used the data to track and ultimately detain immigrants.

As first spotted by 404, the Department of Homeland Security (DHS) has confirmed the news. Specifically, a new report from the Office of Inspector General called "CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data," has been published.

While portions of the report are redacted, it says that these agencies "purchased access to commercial telemetry data (CTD) collected from mobile devices that included, among other things, historical device location."

The report details an investigation into multiple government agencies, but that work also uncovered a case of an individual in one agency using location tracking for personal use.

"[We] identified one instance in which, unrelated to an investigation, a CBP employee used CTD inappropriately to track coworkers," says the report. "The individual told the coworkers that they had tracked their location using CTD."

In that case, a complaint was filed by another employee and was "resolved administratively."

It's not illegal for government agencies to buy commercially available data for use in an investigation. However, use of such data "within the Federal Government is controlled," and agencies "are required to conduct a Privacy Impact Assessment (PIA) before developing or procuring IT that collects, maintains, or disseminates information in an identifiable form."

"CBP, ICE, and Secret Service did not adhere to Department privacy policies or develop sufficient policies before procuring and using CTD," it continues. "Specifically, the components did not adhere to DHS' privacy policies and the 2002 Act by ensuring they had approved CTD PIAs."

"This failure to adhere occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies," says the report, "and because DHS Privacy did not follow or enforce its own privacy policies and guidance."

What happens next

The report makes eight recommendations, chiefly concerning creating new procedures and implementing them. Homeland Security has agreed to six of the recommendations.

Most significantly, it has refused the report's recommendation that use of all such location data be discontinued until new procedures are in place.

"Non-concur," says the DHS in a response. "CTD is an important mission contributor to the ICE investigative process as, in combination with other information and investigative methods, it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden."

"Accordingly," it says, "continued use of CTD enables ICE HSI to successfully accomplish its law enforcement mission."

Separately, it was discovered in 2018 that despite Apple's App Store privacy rules at the time, multiple apps were tracking precise location data and selling it. WeatherBug, for instance, was found to be selling data including exact longitude and latitude to 40 companies.

Apple at that time required apps to anonymize data being passed to advertisers in order protect individuals.

This data was gathered and sold by app firms without a user's permission. In 2018, Apple introduced Intelligent Tracking Protection in Safari to counter this.

Then in 2021, Apple introduced App Tracking Transparency. It requires all apps to explicitly ask permission to track a user.

Not surprisingly, when presented with the information about being a tracked, a number of iPhone users refused permission. What may be more surprising is just what a difference that made to the advertising industry.

In February 2022, Facebook announced that it would take a $10 billion revenue hit, specifically because of App Tracking Transparency.