The Department of Homeland Security has collected reams of location data from a private vendor in order to track people across the United States.

Earlier this month, we reported that private data brokers harvest location data from hundreds of mobile apps and then sell it to government agencies including state and local law enforcement, ICE, the FBI, the Department of Homeland Security and the Department of Defense. New documents obtained by the ACLU through an ongoing Freedom of Information Act (FOIA) lawsuit reveal the extent of this data collection.

According to TechCrunch, in a review of over 6,000 DHS records, the ACLU discovered around 336,000 location points across the continent lifted from people’s phones. Back in 2018, Customs and Border Patrol obtained data containing some 113,654 location points collected in southwestern states over a three-day period. That amounts to more than 26 location points per minute.

The bulk of this data came from a private company – Venntel. The company collects and aggregates location data from hundreds of different smartphone apps, aggregates it, and sells it to the feds. According to EFF, current and former Venntel clients include the IRS, the DHS, along with its subsidiaries ICE and CBP, the DEA, and the FBI. The Federal Procurement Database reveals that the DHS paid at least $2 million for location data products from Venntel. A heavily redacted document obtained from the FBI shows the agency paid $22,000 for a single license to the Venntel portal.

Motherboard reported that Venntel allows users to search for devices in a particular area. Users can also conduct searches for particular device identifiers allowing them to track a specific device. With this information, the users can track devices to specific workplaces, businesses and homes.

By purchasing data from private companies, these federal agencies can sidestep any legal hurdles — however insubstantial — preventing them from collecting such information.

Venntel is just one of several companies in the location data game.

According to TechCrunch, the documents also reveal how these federal agencies try to justify this data collection.

Cell phone location data is characterized as containing no personally identifying information (PII) in the records obtained by ACLU, despite enabling officials to track specific individuals or everyone in a particular area. Similarly, the records also claim that this data is ‘100 percent opt-in’ and that cell phone users “voluntarily” share the location information. But many don’t realize that apps installed on their phones are collecting GPS information, let alone share that data with the government.

You might think the collection of this kind of data is relatively harmless and doesn’t reveal much information about everyday people. But if this were true, why would the feds spend millions to obtain this location data?

It’s virtually impossible to truly anonymize location data. Even if the data doesn’t include specific information such as names or phone numbers, it’s not “anonymous.” As one former employee told Motherboard, “you could definitely try and identify specific people.”

An EFF report asserted that it’s impossible to make location data completely anonymous.

Practically speaking, there is no way to deidentify individual location data. Information about where a person is and has been itself is usually enough to reidentify them. Someone who travels frequently between a given office building and a single-family home is probably unique in those habits and therefore identifiable from other readily identifiable sources. One widely cited study from 2013 even found that researchers could uniquely characterize 50 percent of people using only two randomly chosen time and location data points.

Once the feds get access to data, it becomes available to hundreds of state, local and federal agencies through fusion centers and the Information Sharing Environment (ISE). This creates the potential for the federal government to track the movement of millions of Americans with no warrant, no probable cause, and without the people even knowing it.

Fusion centers were sold as a tool to combat terrorism, but that is not how they are being used. The ACLU pointed to a bipartisan congressional report to demonstrate the true nature of government fusion centers: “They haven’t contributed anything meaningful to counterterrorism efforts. Instead, they have largely served as police surveillance and information sharing nodes for law enforcement efforts targeting the frequent subjects of police attention: Black and brown people, immigrants, dissidents, and the poor.”

Fusion centers operate within the broader ISE. According to its website, the ISE “provides analysts, operators, and investigators with information needed to enhance national security. These analysts, operators, and investigators…have mission needs to collaborate and share information with each other and with private sector partners and our foreign allies.” In other words, ISE serves as a conduit for the sharing of information gathered without a warrant. Known ISE partners include the Office of Director of National Intelligence which oversees 17 federal agencies and organizations, including the NSA. ISE utilizes these partnerships to collect and share data on the millions of unwitting people they track.

Mike Maharrey