Tech

CBP Refuses to Tell Congress How it is Tracking Americans Without a Warrant

The CBP is buying location data harvested from ordinary apps installed on peoples’ phones.
Location data
Image: Stuart Kinlough/Getty Images

U.S. Customs and Border Protection is refusing to tell Congress what legal authority the agency is following to use commercially bought location data to track Americans without a warrant, according to the office of Senator Ron Wyden. The agency is buying location data from Americans all over the country, not just in border areas.

The lack of disclosure around why CBP believes it does not need a warrant to use the data, as well as the Department of Homeland Security not publishing a Privacy Impact Assessment on the use of such location information, has spurred Wyden and Senators Elizabeth Warren, Sherrod Brown, Ed Markey, and Brian Schatz on Friday to ask the DHS Office of the Inspector General (DHS OIG) to investigate CBP's warrantless domestic surveillance of phones, and determine if CBP is breaking the law or engaging in abusive practices.

Advertisement

The news highlights the increased use of app location data by U.S. government agencies. Various services take location data which is harvested from ordinary apps installed on peoples' phones around the world, repackages that, and sells access to law enforcement agencies so they can try to track groups of people or individuals. In this case, CBP has bought the location data from a firm called Venntel.

"CBP officials confirmed to Senate staff that the agency is using Venntel’s location database to search for information collected from phones in the United States without any kind of court order," the letter signed by Wyden and Warren, and addressed to the DHS OIG, reads. "CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress. We disagree."

Do you work at Venntel, Babel Street, or other company providing location data to the government? Are you a customer of such data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Venntel sources its data from weather, games, e-commerce, and other innocuous apps, whose users may be unaware that their location is being sold to the U.S. government. CBP said that it believes the Venntel data is sourced both from software development kits (SDKs)—small bundles of code placed into apps that collect the location information—and bidstream data, according to a Wyden aide. Bidstream data is information gleaned from the real-time bidding that occurs when online advertisers pay to insert their adverts into peoples' browsing sessions; that data can include location data.

Advertisement

As well as not obtaining court orders to query the data, CBP said it's not restricting its personnel to only using it near the border, the Wyden aide added.

CBP is unable to tell what nationality a particular person is based only on the information provided by Venntel; but what the agency does know is that the Venntel data the agency is using includes the movements of people inside the United States, the Wyden aide said. This corroborates a document previously obtained by Motherboard, which described the Venntel data CBP purchased as "global."

A former Venntel worker previously told Motherboard that customers can use Venntel's tool to search an area for devices, or lookup an identifier assigned to a specific device to then see where else that data has been. The data is pseudonymous, with Venntel assigning its own identifier to each device.

"If you search a certain house, you're only going to get three or four different signals out of there. I think from that standpoint, you could definitely try and identify specific people," the source said. A second source who previously worked with Venntel said that identifying someone would be laborious, though.

As Motherboard reported, CBP paid Venntel nearly half a million dollars in August, for Venntel's software "in support of mission critical decision making by providing access to commercially available, multi-sourced, validated, location marketing data via custom geolocation data research requests." In a statement at the time, CBP told Motherboard that "Consistent with its border security and law enforcement authorities, CBP has acquired limited access to commercial telemetry data through the procurement of a limited number of licenses to a vendor provided interface." The Wyden aide added that CBP said it was also using the data for national security threats.

Advertisement

CBP said that the legal justification for this surveillance without a warrant is privileged, the Wyden aide said. Wyden's office also asked if CBP had taken a position on whether location data sold by Venntel didn't fall under the Supreme Court ruling of Carpenter v United States, which said that location data requires a warrant; CBP also said that information was privileged, the Wyden aide said.

"CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress. We disagree."

Traditionally, the DHS publishes Privacy Impact Assessments that lay out what a particular type of surveillance technology does, its benefits, and its harms to privacy. Motherboard recently reported on one such assessment for the deployment of a nationwide vehicle tracking database, also sourced from a commercial vendor. But CBP said the DHS had not published a Privacy Impact Assessment of the use of Venntel location data, the Wyden aide said. It is unclear whether the Office has performed such an assessment even if it is not currently published.

"CBP is not above the law and it should not be able to buy its way around the Fourth Amendment. Accordingly, we urge you to investigate CBP’s warrantless use of commercial databases containing Americans’ information, including but not limited to Venntel’s location database. We urge you to examine what legal analysis, if any, CBP’s lawyers performed before the agency started to use this surveillance tool. We also request that you determine how CBP was able to begin operational use of Venntel’s location database without the Department of Homeland Security Privacy Office first publishing a Privacy Impact Assessment," the Senators' letter continues.

The Internal Revenue Service also previously declined to elaborate on its legal reasoning for using Venntel's data without a warrant. The Inspector General is now formally investigating the IRS' use of the data.

CBP did not immediately respond to a request for comment.