The Office of Inspector General has found that U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD).
Department of Homeland Security (DHS) law enforcement components use CTD for investigative purposes. CTD collected from mobile device applications and sold commercially may include historical device location.
OIG found the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which requires certain privacy-sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.
The failings occurred, OIG says, because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance.
Additionally, OIG determined that the components did not have sufficient policies and procedures to ensure appropriate use of CTD. According to CBP, its CTD rules of behavior were interim policies and procedures until complete policies and procedures were developed. ICE and Secret Service did not develop CTD-specific policies and procedures. PIAs are intended to identify privacy risks and mitigation strategies that may facilitate developing policies and procedures for ensuring proper use and oversight of CTD.
OIG’s interviews revealed CTD oversight gaps at CBP, ICE, and Secret Service such as shared accounts and passwords, ad hoc methods for maintaining records, and no supervisory review to ensure proper use of the technology.
During the course of the review, inspectors identified one instance in which, unrelated to an investigation, a CBP employee used CTD inappropriately to track coworkers. The individual told the coworkers they had tracked their location using CTD. According to CBP, the complaint was reported by an ICE employee on August 20, 2020. The incident was reported to CBP’s Joint Intake Center and Office of Professional Responsibility and was resolved administratively.
OIG also noted that DHS does not have a department-wide policy governing component use of CTD. Given the number of components using CTD and the significant congressional and public interest in the potential privacy implications with law enforcement use of CTD for investigative purposes, OIG says the Department should take a proactive approach to providing DHS-wide guidance. It is making eight recommendations to improve policies and internal controls related to the use of CTD. DHS concurred with the majority of the recommendations and told OIG of its intended actions to meet them. For example, the DHS Office of the Chief Information Officer, in coordination with DHS Privacy, will lead a DHS-wide effort to develop a department-level CTD policy, which it expects to complete by July 2024.