A Homeland Security report on the illegal use of smartphone location data by multiple government agencies – including the US Secret Service – has now been made public. The report concludes that three separate US agencies broke the law by breaching privacy protections.
The report was originally categorized as Law Enforcement Sensitive, but this classification has now been removed, and a redacted version made available to the public …
US government agencies buying app location data
We’ve known for at least three years that the US Secret Service and other government agencies were purchasing smartphone location data harvested from a wide range of apps.
The US Secret Service bought smartphone location data harvested from popular apps, says a new report today. The claim is backed by a contract revealed through a Freedom of Information Act (FOIA) request. The data was purchased from a data broker.
US Customs and Border Protection was identified as another agency purchasing this data.
The questionable legality of this was raised at the time, by Democratic Senator Ron Wyden, who said that it violated the 4th Amendment.
It is clear that multiple federal agencies have turned to purchasing Americans’ data to buy their way around Americans’ Fourth Amendment Rights.
Homeland Security report confirms illegal use
The Department of Homeland Security carried out an audit of the purchase of smartphone location data by three government agencies, and concluded that they did indeed break the law.
Specifically, US Customs and Border Protection (CBP), US Immigration and Customs Enforcement (ICE), and the US Secret Service all contravened privacy protections enacted in the E-Government Act of 2002 and the Homeland Security Act of 2002.
Copies of the report were made available to law enforcement agencies last month, but not to the public. However, a redacted copy has now been made public, and was put online by 404 Media.
U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and the United States Secret Service did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD).
Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy-sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.
This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance. Without a PIA in place, privacy risks may not be identified and mitigated.
The report makes eight recommendations, and implies that five of them have been acted on to the satisfaction of the inspector general.
Based on information provided in your response to the draft report, we consider recommendations 3, 4, and 6 open and unresolved.
The full set of recommendations is listed below; recommendations 3, 4, and 6 are the unresolved ones:
Recommendation 1: We recommend that the Commissioner, U.S. Customs and Border Protection discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
Recommendation 2: We recommend that the Commissioner, U.S. Customs and Border Protection develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
Recommendation 3: We recommend that the Director, U.S. Immigration and Customs Enforcement discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
Recommendation 4: We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
Recommendation 5: We recommend that the Director, United States Secret Service develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
Recommendation 6: We recommend that the Chief Privacy Officer, DHS Privacy Office include a statement on approved Privacy Threshold Analyses that use of the project, program, or system determined to be privacy sensitive is not authorized for operational use until approval of the required Privacy Impact Assessment.
Recommendation 7: We recommend that the Chief Privacy Officer, DHS Privacy Office ensure compliance with its privacy policies or revise them to include the guidance necessary for program offices to meet the intent of the privacy requirements when, with due diligence, the technology needs to be procured and tested to complete the Privacy Impact Assessment process. The additional guidance, if developed, should address justification for deviating from Privacy Impact Assessment–related privacy policies and restrictions on the operational use of privacy-sensitive information; the guidance should also ensure Privacy Impact Assessments are completed before privacy-sensitive information is collected and used operationally.
Recommendation 8: We recommend that the Chief Data Officer, Office of Chief Information Officer, Management Directorate develop and implement a department-wide commercial telemetry data policy, including component policy requirements, to ensure oversight of commercial telemetry data use, privacy protection, and applicable legal standards.