Skip to main content

Previously secret Homeland Security report on illegal use of smartphone location data now public

A Homeland Security report on the illegal use of smartphone location data by multiple government agencies – including the US Secret Service – has now been made public. The report concludes that three separate US agencies broke the law by breaching privacy protections.

The report was originally categorized as Law Enforcement Sensitive, but this classification has now been removed, and a redacted version made available to the public …

US government agencies buying app location data

We’ve known for at least three years that the US Secret Service and other government agencies were purchasing smartphone location data harvested from a wide range of apps.

The US Secret Service bought smartphone location data harvested from popular apps, says a new report today. The claim is backed by a contract revealed through a Freedom of Information Act (FOIA) request. The data was purchased from a data broker.

US Customs and Border Protection was identified as another agency purchasing this data.

The questionable legality of this was raised at the time, by Democratic Senator Ron Wyden, who said that it violated the 4th Amendment.

It is clear that multiple federal agencies have turned to purchasing Americans’ data to buy their way around Americans’ Fourth Amendment Rights.

Homeland Security report confirms illegal use

The Department of Homeland Security carried out an audit of the purchase of smartphone location data by three government agencies, and concluded that they did indeed break the law.

Specifically, US Customs and Border Protection (CBP), US Immigration and Customs Enforcement (ICE), and the US Secret Service all contravened privacy protections enacted in the E-Government Act of 2002 and the Homeland Security Act of 2002.

Copies of the report were made available to law enforcement agencies last month, but not to the public. However, a redacted copy has now been made public, and was put online by 404 Media.

U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and the United States Secret Service did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD).

Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy- sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.

This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance. Without a PIA in place, privacy risks may not be identified and mitigated.

The report makes eight recommendations, and implies that five of them have been acted on to the satisfaction of the inspector general.

Photo: Matt Popovich/Public domain

Based on information provided in your response to the draft report, we consider recommendations 3, 4, and 6 open and unresolved.

The full set of recommendations are listed below, with the unresolved ones highlighted in bold:

Recommendation 1: We recommend that the Commissioner, U.S. Customs and Border Protection discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.

Recommendation 2: We recommend that the Commissioner, U.S. Customs and Border Protection develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.

Recommendation 3: We recommend that the Director, U.S. Immigration and Customs Enforcement discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.

Recommendation 4: We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.

Recommendation 5: We recommend that the Director, United States Secret Service develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.

Recommendation 6: We recommend that the Chief Privacy Officer, DHS Privacy Office include a statement on approved Privacy Threshold Analyses that use of the project, program, or system determined to be privacy sensitive is not authorized for operational use until approval of the required Privacy Impact Assessment.

Recommendation 7: We recommend that the Chief Privacy Officer, DHS Privacy Office ensure compliance with its privacy policies or revise them to include the guidance necessary for program offices to meet the intent of the privacy requirements when, with due diligence, the technology needs to be procured and tested to complete the Privacy Impact Assessment process. The additional guidance, if developed, should address justification for deviating from Privacy Impact Assessment–related privacy policies and restrictions on the operational use of privacy-sensitive information; the guidance should also ensure Privacy Impact Assessments are completed before privacy-sensitive information is collected and used operationally.

Recommendation 8: We recommend that the Chief Data Officer, Office of Chief Information Officer, Management Directorate develop and implement a department-wide commercial telemetry data policy, including component policy requirements, to ensure oversight of commercial telemetry data use, privacy protection, and applicable legal standards.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications