How ICE became a $2.8b domestic surveillance agency

Your US tax dollars at work

The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

ICE did not respond to The Register's request for comment.

The agency pulls data from Department of Motor Vehicle records, calls, child welfare reports, employment records, geolocation information, health-care and housing records and social media reports, the report said.

In addition to accessing public agencies' records on individuals, ICE also buys customer records from utility companies through its contact with data brokers Thomson Reuters. This is because undocumented people may not want to provide their information to government bodies — like the DMV — because they fear deportation. But they still need to connect their homes to water, gas, electricity and internet services.

"For people who are not easily traceable via traditional sources," a cited Thomson Reuters marketing letter reads, "locator information from utility hookup records may provide the only current and accurate address and phone number data available."

These types of contracts with private data brokers have helped ICE amass utility records from more than 218 million customers across all 50 states and Washington, DC, according to the Georgetown researchers.

Access to all of this information, along with AI tools for scanning and analyzing huge data sets, has turned ICE into a modern-day domestic spy agency, the report suggested:

By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.

This includes using facial recognition technology to scan driver's license photographs of 32 percent of all adults in the US, the research said. In fact, ICE has access to driver's license data of 74 percent of US adults, and tracks the movements of cars in cities where nearly 70 percent of the adult population lives, it added.

Additionally, ICE was automatically alerted when 74 percent of US adults connected gas, electricity, phone or internet to a new home — thus providing the agency with their home addresses.

And as the researchers noted: "Almost all of that has been done warrantlessly and in secret."

In one particularly heart-wrenching example, the report detailed how ICE used interviews with unaccompanied children crossing US borders and being interviewed by Department of Health and Human Services about family members in America who could care for them. Per an information-sharing agreement between the two agencies, ICE used these kids' interviews to arrest at least 400 of their family members. The practice has now been formally banned by the agency.

Congress and state lawmakers remain mostly unaware of ICE surveillance activities, according to the researchers, which noted that there hasn't been any congressional hearings or Government Accountability Office report focused on such efforts. 

And as such, the report authors called on Congress to do a better job overseeing ICE surveillance. This includes updating the Driver's Privacy Protection Act (DPPA) to prohibit, or at least require a warrant or court order, the use of any DMV data for immigration enforcement purposes.

Additionally, states should prohibit the disclosure, sale or resale of utility data for immigration purposes, the team suggests. ®

Other stories you might like

  • America edges closer to a federal data privacy law, not that anyone can agree on it
    What do we want? Safeguards on information! How do we want it? Er, someone help!

    American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.

    The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.

    Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Big Tech silent on data privacy in post-Roe America
    We asked what they will do to prevent cases being built against women. So far: Nothing

    Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.

    These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.

    Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.

    Continue reading

Biting the hand that feeds IT © 1998–2022