On May 10, 2022, Georgetown Center on Privacy and Technology published American Dragnet: Data-Driven Deportation in the 21st Century, which details how Immigration and Customs Enforcement (ICE) weaved a surveillance dragnet that captured a wealth of data from an array of sources. The data collected by ICE “contained detailed personal records on the vast majority of people in the United States” with little government oversight over how the data was acquired and used. After a two-year investigation, the Center’s “report quantifies the reach and expansion of ICE surveillance,” which was used by ICE agents to track, identify, and deport individuals.
The report found that the scale and magnitude of data collected by ICE was so great that:
- ICE has scanned the driver’s license photos of 1 in 3 adults;
- ICE has access to the driver’s license data of 3 in 4 adults;
- ICE tracks the movements of drivers in cities home to 3 in 4 adults; and
- ICE could locate 3 in 4 adults through their utility records
Types of Data Captured by ICE’s Surveillance Dragnet
Allegations of improper acquisition and use of data by ICE are not new. In 2020, it was reported that ICE bought cell phone location data from third party companies to track and locate individuals in violation of immigration laws. While the data that is sold to ICE was anonymized, it has been shown time and time again that geolocation data coupled with some simple online searches can reidentify individual users. Likewise, in 2021, ICE used information from private utility databases, such as ones for cable, water and electricity, to track individuals.
Besides datasets, ICE also tapped into the vast databases of biometric information, such as facial recognition. The report uncovered that as early as 2008 ICE contracted with biometric company L-1 Identity Solutions to access the Rhode Island Department of Motor Vehicles’ facial recognition database. ICE used the facial recognition data to “recognize criminal aliens.” ICE further leveraged state DMVs’ databases and exploited “people’s trust in state DMVs to target deportation.” States that allow immigrants without documentation to apply for driver’s licenses are particularly vulnerable as “ICE can warrantlessly search the state driver records for the purpose of civil immigration enforcement” in 5 out of 17 such jurisdictions.
In addition to contracts with third party companies, ICE established inter-agency information-sharing contracts. For example, ICE established one such information-sharing contract with the Department of Health and Human Services (HHS). ICE then used the information HHS gathered during interviews with unaccompanied children or their family members “to find and arrest at least 400 of those family members.” While the information-sharing program was formally rescinded, this tactic is repeated in how ICE acquired data from social services databases to identify individuals who applied for services and lack immigration documentation.
State Privacy Laws and ICE Circumvention
With the recent addition of Connecticut’s omnibus privacy law, there are now a total of five states with comprehensive consumer data protection laws that place limits on access, use, and sharing of consumer data. Some states have specifically attempted to end ICE’s unfettered access and use of its databases. For example, the California Values Act passed in 2017 was intended to limit the cooperation and sharing of information between local law enforcement and ICE. Similarly, Colorado passed a law in 2019 that would prevent local law enforcement from sharing immigration status of detainees with ICE and prevent local law enforcement from detaining individuals based on their immigration status.
However, ICE circumvented state protective measures by using third party data brokers, such as Thomas Reuters, LexisNexis, and Equifax. While Thomas Reuters did not renew its contract with ICE in 2021, ICE continued its contract with LexisNexis. This means ICE still has access to the “data it needs to locate people with little if any oversight.” The data that is packaged as commodity by data brokers are fueled by direct contracts with state agencies, such as DMVs. States with protective laws that prohibit direct information sharing with ICE may not currently prevent the sale of data to data brokers. For example, the report highlighted the Oregon DMV as one such agency that was prevented from sharing data directly with ICE by state law but then contracted with Thomas Reuters and LexisNexis.
Calls For Accountability and Change
The Center’s report ends with a call for accountability and several recommendations to Congress, States, Department of Homeland Security, and ICE about ways to end such unchecked access and violation of peoples’ data privacy. Some of the recommendations include reforming immigration law, implementing more data privacy protections, protecting vulnerable populations, implementing aggressive oversight of ICE surveillance, and ending all surveillance dragnet.