Customs and Border Protection, the law enforcement agency which recently flew a Predator drone over anti-police brutality protests, has purchased "unlimited" alerts for the location of vehicles, and by extension people, across the country, according to internal CBP documents obtained by Motherboard. The documents, which include a coverage area map, show that the agency can track cars in major cities and populated areas of the country more generally. Many of the places it can track are far outside the border regions CBP nominally protects.
The documents provide more insight into CBP's nationwide tracking database, which it purchased access to from a commercial vendor called Vigilant.
"An agency tasked with stamping passports and searching for contraband at the border has no business buying unfettered access to the location data of hundreds of millions of Americans," Nate Wessler, senior staff attorney at activist group the American Civil Liberties Union Foundation (ACLU) told Motherboard in an email.
Do you work for CBP or Vigilant? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
One of the CBP documents reads "This service will grant access to a nation-wide database of license plate reader data via a secure web-based application and allow intelligence agents to analyze the movement of targeted vehicles as they travel on the nation's highways." Motherboard obtained the documents from CBP through a Freedom of Information Act (FOIA) request. The documents describe how the Vigilant system CBP purchased had at least 2.8 billion license plate records at the time, which detail where a specific vehicle was spotted at a particular point in time.
A project quotation included in the cache of documents contains a map showing "US Territory Coverage" of the license plate database, with much of the country covered in dots signifying where Vigilant is able to capture vehicle locations. The quote dates from August 2015, meaning the database is likely larger in scope today.
The quote also includes specific benefits that Vigilant offered CBP, including "Ability to load unlimited number of Hot-List files and/or records," "Unlimited proactive alert notifications to all users of designated client," and "Unlimited access for one (100) [sic] field office users only of all private LPR [license plate reader] and LEARN components." LEARN, or the Law Enforcement Archival Reporting Network, is Vigilant's license plate reader product.
Vigilant derives much of its data from its sister company DRN. DRN essentially crowdsources the collection of license plate data by providing hundreds of repo men with vehicle-mounted cameras that automatically take a photo of every car they pass, and record its precise GPS location at that time. For Motherboard, a source previously used DRN's system to track a target with their consent, and the tool analyzes the collected data and labels locations as someone's likely home or place of work.
Vigilant also sells cameras that law enforcement agencies can install in their own vehicles or at a fixed location to add to the database itself. Another set of documents obtained by Motherboard show that CBP also purchased some of these cameras.
"Local police departments across the country should stop dumping license plate reader information into Vigilant’s gargantuan database. Giving our sensitive location information to immigration authorities is a recipe for abuse," Wessler, the ACLU attorney, added.
Although the legality of license plate reader data has come up in some court cases, generally license plate reader data can be accessed without a warrant. DRN argues it has a First Amendment right to take the photos, which it says extends to its often-automated process.
In July, CBP published a Privacy Impact Assessment (PIA) saying that since 2017 the agency moved from collecting license plate data via cameras operated by the agency itself, and had acquired access to commercial license plate databases. The date of the Vigilant order on one of the CBP documents is listed as September 2015.
One of the CBP documents describes how the San Diego Sector Intelligence Unit (SIU) collects data from multiple sources and then tries to identify Transnational Criminal Organizations.
"When considering the amount of vehicle traffic that passes through San Diego, and for that matter, through the Nation, the intelligence value of collecting and analyzing license plate reader data from various law enforcement entities is axiomatically necessary to help understand and develop an accurate threat picture," the document reads.
Last month, Motherboard reported how CBP paid nearly half a million dollars to Venntel, a firm that sells location data harvested from ordinary apps installed on peoples' phones.
Vigilant did not respond to a request for comment. CBP acknowledged a request for comment but not provide a statement in time for publication.