Customs and Border Protection (CBP) is using an invasive, AI-powered monitoring tool to screen travelers, including U.S. citizens, refugees, and people seeking asylum, which can in some cases link their social media posts to their Social Security number and location data, according to an internal CBP document obtained by Motherboard.
The news provides much more detail on how CBP deploys a tool sold widely across the U.S. government. Called Babel X, the system lets a user input a piece of information about a target—their name, email address, or telephone number—and receive a bevy of data in return, according to the document. Results can include their social media posts, linked IP address, employment history, and unique advertising identifiers associated with their mobile phone. The monitoring can apply to U.S. persons, including citizens and permanent residents, as well as refugees and asylum seekers, according to the document.
“This document provides important new information, and it raises a number of questions about what specific purposes CBP is using social media monitoring for and how that monitoring is conducted in practice,” Patrick Toomey, deputy project director of the National Security Project at the American Civil Liberties Union (ACLU), told Motherboard in an email after reviewing the document.
Do you know anything else about how Babel X is being used by government or private clients? Do you work for Babel Street? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Babel X, made by Babel Street, provides access to publicly and commercially available information in more than 200 languages across the public, “dark,” and “deep” webs, according to the company’s website, which adds that the tool is "AI-enabled." The CBP document says that some of the commercially available records “contain social security numbers compiled by private third parties.” Babel X is also able to perform “sentiment analysis,” according to the website. In November, Babel Street announced it would acquire Rosette, an AI-powered text analysis company that would help with “identity resolution” in the context of national security, verifying identities, and preventing financial crime.
Motherboard obtained the CBP document, called a Privacy Threshold Analysis (PTA), as part of a Freedom of Information Act (FOIA) request with CBP. Components of the DHS are required to complete a PTA when implementing or updating a program, and they expire every three years, according to the DHS’s website. If the project is particularly privacy-invading, it will also require a Privacy Impact Assessment (PIA); the document says the Babel X use is covered by several PIAs. The end date for the Babel X project is listed as September this year, the document shows.
“Babel data will be used/captured/stored in support of CBP targeting, vetting, operations and analysis,” the document reads. Babel X will be used to “identify potential derogatory and confirmatory information” associated with travelers, persons of interest, and “persons seeking benefits.” The document then says results from Babel X will be stored in other CBP operated systems for 75 years.
The document specifies the use of Babel X is covered by PIAs for ESTA, the Electronic System for Travel Authorization that is designed for foreigners visiting the U.S.; the DHS’s Automatic Targeting System (ATS), a system that compares travelers against law enforcement and intelligence agency databases; and the CBP’s Publicly Available Social Media Monitoring and Situational Awareness Initiative, in which CBP analysts monitor social media for threats to its personnel or facilities.
“The U.S. government’s ever-expanding social media dragnet is certain to chill people from engaging in protected speech and association online. And CBP’s use of this social media surveillance technology is especially concerning in connection with existing rules requiring millions of visa applicants each year to register their social media handles with the government. As we’ve argued in a related lawsuit, the government simply has no legitimate interest in collecting and retaining such sensitive information on this immense scale,” Carrie DeCell, senior staff attorney at the Knight First Amendment Institute, told Motherboard in an email.
The full list of information that Babel X may provide to CBP analysts is a target’s name, date of birth, address, usernames, email address, phone number, social media content, images, IP address, Social Security number, driver’s license number, employment history, and location data based on geolocation tags in public posts.
Bennett Cyphers, a special advisor to activist organization the Electronic Frontier Foundation, told Motherboard in an online chat “the data isn’t limited to public posts made under someone’s real name on Facebook or Twitter.”
The document says CBP also has access to AdID information through an add-on called Locate X, which includes smartphone location data. AdID information is data such as a device’s unique advertising ID, which can act as an useful identifier for tracking a phone and, by extension, a person’s movements. Babel Street obtains location information from a long supply chain of data. Ordinary apps installed on peoples’ smartphones provide data to a company called Gravy Analytics, which repackages that location data and sells it to law enforcement agencies via its related company Venntel. But Babel Street also repackages Venntel’s data for its own Locate X product.
The PTA obtained by Motherboard says that Locate X is covered by a separate “commercial telemetry” PTA. CBP denied Motherboard’s FOIA request for a copy of this document, claiming it “would disclose techniques and/or procedures for law enforcement investigations or prosecutions”.
A former Babel Street employee previously told Motherboard how users of Locate X can draw a shape on a map known as a geofence, see all devices Babel Street has data on for that location, and then follow a specific device to see where else it has been.
Cyphers from the EFF added “most of the people whose location data is collected in this way likely have no idea it’s happening.”
CBP has been purchasing access to location data without a warrant, a practice that critics say violates the Fourth Amendment. Under a ruling from the Supreme Court, law enforcement agencies need court approval before accessing location data generated by a cell phone tower; those critics believe this applies to location data generated by smartphone apps too.
“Homeland Security needs to come clean to the American people about how it believes it can legally purchase and use U.S. location data without any kind of court order. Americans' privacy shouldn't depend on whether the government uses a court order or credit card,” Senator Ron Wyden told Motherboard in a statement. “DHS should stop violating Americans' rights, and Congress should pass my bipartisan legislation to prohibit the government's purchase of Americans' data." CBP has refused to tell Congress what legal authority it is following when using commercially bought smartphone location data to track Americans without a warrant.
CBP paid Babel Street more than $2.7 million for an annual subscription to Babel X if in 2019, and another $265,000 in 2020, according to online procurement records. Babel Street has also sold Babel X subscriptions to TSA, the Defense Information Systems Agency (DISA), the U.S. Coast Guard, the Navy, the Air Force, the Army, Special Operations Command, the U.S. Marshals Service, the FBI, and the State Department, according to the records.
“The Department of Homeland Security is committed to protecting individuals’ privacy, civil rights, and civil liberties,” CBP told Motherboard in a statement. “DHS uses various forms of technology to execute its mission, including tools to support investigations related to threats to infrastructure, illegal trafficking on the dark web, cross-border transnational crime, and terrorism. DHS leverages this technology in ways that are consistent with its authorities and the law.”
Babel Street didn’t respond to a request for comment. Motherboard visited the Babel X section of Babel Street’s website on Tuesday. On Wednesday before publication, that product page was replaced with a message that said “page not found.”
Update: This story has been updated with comment from CBP.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.