A surprising number of government agencies buy cellphone location data. Lawmakers want to know why.

The Department of Homeland Security (DHS) will investigate its own use of location data after it was revealed that Customs and Border Protection (CBP) was purchasing cell phone location data from commercial vendors for them. use in his work.

The DHS Inspector General’s office recently informed Meaning. Sherrod Brown, Ed Markey, Brian Schatz, Elizabeth Warren and Ron Wyden – all Democrats – that he would check the agency’s policies on cell phone surveillance. The letter from the BIG comes in response to these senators request for an investigation last October. CBP has declined to disclose much about how it uses data purchased from commercial vendors except to confirm publicly available information that such contracts with these vendors exist.

The type of location data in question is collected from millions of phones, with most people unaware that their movements are tracked this way and unable to know who has access to that information. There are few laws regulating location data companies, and government agencies have used this to their advantage, spending millions to access this information. Privacy advocates have long denounced the practice, and privacy-conscious lawmakers have pushed for investigations and laws to regulate it.

Location data purchased from private companies allows government agencies to access potentially huge quantities personal data of millions of people who are not suspected or involved in any crime. Although there are few laws regarding the collection and use of this data by private companies, law enforcement generally must have a mandate and justify a reason to obtain this information themselves. Obtaining it through a private provider without such restrictions is a way to get around these constraints, and currently a legal gray area.

“If federal agencies hunt down American citizens without a warrant, the public deserves answers and responsibilities,” Wyden said in a statement to Recode. “I will not agree to anything less than a thorough and swift investigation from the Inspector General that sheds light on CBP’s telephone location data monitoring program.”

CBP is one of many law enforcement and government agencies that buy location data from private companies – data that they would not otherwise have easy access to and that their own rules might prohibit them from obtaining. . The Wall Street Journal reported in February that CBP and DHS’s Immigration and Customs Enforcement (ICE) services used location data from a company called Venntel to locate undocumented immigrants and the routes they were using to cross the border. Records show that CBP has gave Venntel hundreds of thousands of dollars to access its location database.

“CBP is not above the law and has refused to answer questions about purchasing warrantless people’s mobile location history – including from shady data brokers like Venntel,” added Warren. “I am pleased that the Inspector General has accepted our request to investigate this potentially unconstitutional abuse of power by CBP, as we must protect the public’s rights to the Fourth Amendment to be free from searches without mandate.”

The agency has argued that it only uses a limited amount of anonymized data according to its policies, but experts say it’s not difficult to identify the owner of a device by giving them enough information. information about the location and time of this device. And there is so little transparency in how this data is collected that anyone is unlikely to know for sure if it even follows the policies put in place by the agencies.

Not to be outdone, the American Civil Liberties Union (ACLU) announced on Wednesday that He pursues DHS to force the agency to release its records of location data purchases by phone after the agency dodged its Freedom of Information Act demands.

“It’s critical that we find out how federal agencies access bulk databases of Americans’ location data and why,” said Nathan Freed Wessler, senior counsel for the ACLU’s Speech, Technology, and Privacy Project, in a press release sent to Recode. “There can be no accountability without transparency.”

DHS is not the only government agency to purchase and use Venntel’s services. Venntel also has contracts with the FBI and the DEA. The Internal Revenue Service also tried Venntel in 2017 and 2018, but apparently did not find the data useful in its work, the Wall Street Journal reported. And Venntel isn’t the only location data company that works with the government this way: X-Mode and Babel Street also have offers with government agencies and their subcontractors.

Other parts of the government are fighting back. In June, the House of Representatives Supervisory and Reform Committee started to investigate “The Collection and Sale of Sensitive Mobile Phone Location Data” to Federal Agencies for Law Enforcement Purposes. The IRS is also in the in the middle of an audit of his use of Venntel, prompted by Another request by Wyden and Warren.

In 2018, the Supreme Court has ruled in Carpenter v. United States that law enforcement couldn’t buy cell tower data without a warrant, and the FCC recently fined Verizon, AT&T and Sprint / T-Mobile hundreds of millions of dollars for selling turn data to private companies without customer knowledge or consent.

The kind of data Venntel sells, according to the company, comes from other means: typically, trackers placed in mobile apps. But there are other sources as well. Location data companies also work with other companies that either provide this data or buy it directly from app developers, making it difficult for anyone – including their own customers – to know exactly what they have and where they got them. Venntel, for example, is a subsidiary of Gravy Analytics, who says it has data location information from “tens of thousands of apps” acquired through “many different data partners”, giving it access to “billions of daily location signals”.

Venntel does provide device owners with a way to ‘opt out’ of their location data being collected by the company, but it requires users to know their device’s mobile ID (Venntel suggests downloading an app to find out), then make the deactivation request every hour that that ID is reset – something Apple and Android devices now allow customers to do as a privacy measure. Users should also enable cookies on their browser when submitting the request.

It remains to be seen what DHS’s investigation of itself will reveal or do, or whether the ACLU lawsuit will be successful. Regardless, the unregulated and persistent collection and sale of our location data gives data brokers a huge amount of information about us, which in turn can be used in all kinds of ways. by all kinds of buyers – including the government. Your privacy options, on the other hand, are limited.

Open source is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.