Our “Bestiary”

Commercial data brokers

Commercial data brokers collect and sell information about us collected from photos posted to social media, historic geolocation data collected by our cell phone apps, banks, credit agencies, purchase history, education records, employment records, property records and real-time location.Footnote 1 These data points are among billions archived in public and private sources. This personal data is mined by third-party vendors and data resellers, then aggregated and analyzed by data brokers who in turn look for buyers of its troves of profiles.

If you have a cell phone, you are being stalked and your personal data sold by multiple companies whose names you’ve likely never heard.Footnote 2 So-called “third-party vendors” or data brokers like Venntel, Babel Street, Cuebiq, and LocationSmart collect real-time location data via GPS.Footnote 3 They monitor your activities and movements through your phone via benign-seeming apps that use software development kits, or SDKs.Footnote 4 Apps that use SDKs include weather apps, exercise monitoring apps, and video games.Footnote 5 Third-party vendors provide SDKs to app developers for free in exchange for the information they can collect from them, or a cut of the ads they can sell through them. The aggregate information that apps collect can be extremely revealing. One third-party vendor, Mobilewalla, claimed to be able to track cellphones of protesters, and said it could identify protesters’ age, gender, and race via their cell phone use.Footnote 6 Historical location extracted by a data vendor from the gay hookup app, Grindr, was used by two reporters to “out” a top Catholic Church official.Footnote 7

Law enforcement purchases criminal history reports, financial data from credit bureaus, and other personal data to profile people.Footnote 8 For example, CBP purchases access to the Venntel global mobile location database via a portal, so that CBP officers search a Venntel database to look for addresses or cell phone numbers.Footnote 9 DHS can also access cell phone location history from private databases that sell subscriptions or search platforms, such as LexisNexis and TransUnion.Footnote 10

Some experts have noted that “anonymized” GPS location data is notoriously easy to cross-reference.Footnote 11 A New York Times op-ed posed the question: “Consider your daily commute: Would any other smartphone travel directly between your house and your office every day?” The authors concluded: “In most cases, ascertaining a home location and an office location was enough to identify a person.”Footnote 12 More recently, cell phone location “pings,” collected by apps and stored under profiles tied to mobile ad IDs that are assigned to smartphones, were sufficient to identify individuals who ransacked the Capitol building in Washington, D.C., on January 6.Footnote 13 And the use of “geo-fencing,” i.e. obtaining information from private companies about all persons in an area at a given time, has become exponentially more common in recent years.Footnote 14

As long as surveillance capitalists and others are permitted to steal and sell our real-time and historical location data, this information will be available to anyone who can buy it — including DHS and other government agencies.Footnote 15

Today, we as a society are just beginning to ask questions about the commodification of personal data and the implications of having our behaviors constantly predicted and used as fodder to improve future predictions. Within the prison abolitionist movement, we are familiarizing ourselves with RATs (risk assessment tools) used in the pretrial criminal process to deny or grant money bail. In the migrant justice movement, we know that DHS and other law enforcement agencies circumvent the hassle of judicial search warrants by simply buying personal data from commercial vendors.

This practice isn’t new: A good two decades before ICE figured out that it could buy location data from commercial third-party vendors, DHS’ precursor, the Immigration and Naturalization Service (INS), was by 1998 digitally stalking airline travelers using records created by online airplane ticket purchases, and profiling them based on their ticket-purchasing habits.Footnote 16 See PNR.

After 9/11, the federal government ramped up its data-collecting, database-sharing, automated predictive threat modeling and terrorist risk profiling. It beefed up its biometric identification technologies and partnerships with commercial entities that secretly collect, retain and sell consumer data for profit. The World Trade Center attacks allowed the government to exceptionalize sites of travel (especially international flights) as deserving of extreme surveillance; meanwhile, big data collection and analysis industries, facilitated by growing Internet and cell phone use, were handed billions of dollars in research and development funds, and enjoyed little to no oversight as they churned out new data-collecting and prediction technologies. The US government spent at least $2.8 trillion on counterterrorism related efforts between 2002 and 2017, granting contracts to old time war profiteers like Boeing, Lockheed Martin, and Northrop Grumman — but also to Silicon Valley technology giants such as Amazon, Google, and Palantir Technologies.Footnote 17

Today, commercial data collected by airlines are stored and mined by various DHS data systems to look for patterns, predict “risk” and “identify abnormalities in travel patterns.”Footnote 18 Privately-owned and contracted vendors provide new, state-of-the-art, cloud-based data visualization, AI tools and interfaces that seamlessly integrate with other commercial datasets to make sense of the massive, constantly-expanding data pool of location and behavioral data collected by private aggregators and public records.

DHS data systems that rely on commercial data brokers

At the Pacific Enforcement Response Center (PERC), contract analysts cross-check multiple criminal legal and DHS datasets against commercial databases like LexisNexis, seeking to identify and locate people who might be deportable. Ironically, data fed into commercial data aggregators is often recycled, itself coming from numerous government and other commercial databases.Footnote 19 These include real-time incarceration records (including booking photos), cell phone location and automated license plate reader data history, home address and Social Security information from Equifax, and social media accounts.

Likewise, ICE uses its Operations Management Module, or OM² — part of the EID system — to perform manual and batch address checks of ICE’s “leads” against US Postal Service commercially available data sets that update city and state information by zip code. OM² cross-references those data against commercial sources that provide open source data that includes biographical information, criminal history, criminal case history, and vehicle information (including vehicle registration information). It includes “phone numbers of targets associated with the lead.”Footnote 20

Other predictive tools, such as DHS’ AFI, provide geospatial, temporal and statistical analysis, and advanced search capabilities using commercial databases and Internet sources, including social media and traditional news media.

Related beasts

Return to Bestiary

Jump back to text at footnote 1Max Rivlin-Nadler, “How ICE Uses Social Media to Surveil and Arrest Immigrants,” The Intercept, December 22, 2019, https://theintercept.com/2019/12/22/ice-social-media-surveillance/; see also Drew Harwell, “ICE investigators used a private utility database covering millions to pursue immigration violations,” Washington Post, February 26, 2021, https://www.washingtonpost.com/technology/2021/02/26/ice-private-utilit…; Benjamin Hayes, “U.S. Immigration and Customs Enforcement Use of Automated License Plate Reader Databases,” 33 Georgetown Immig. L.J. 145, 2018, https://www.law.georgetown.edu/immigration-law-journal/wp-content/uploa….
Jump back to text at footnote 2Alex Pasternack and Steven Melendez, “Here Are the Data Brokers Quietly Buying and Selling Your Personal Information,” Fast Company, March 2, 2019, https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-….
Jump back to text at footnote 3Charles Levinson, “Through Apps, Not Warrants, 'Locate X' Allows Federal Law Enforcement to Track Phones,” Protocol, March 5, 2020, https://www.protocol.com/government-buying-location-data.
Jump back to text at footnote 4Sara Morrison, “The Hidden Trackers in Your Phone, Explained,” Vox, July 8, 2020, https://www.vox.com/recode/2020/7/8/21311533/sdks-tracking-data-location.
Jump back to text at footnote 5Josh Hafner, “While You Track Pokémon, Pokémon Go Tracks You,” USA Today, July 13, 2016, https://www.usatoday.com/story/tech/nation-now/2016/07/11/while-you-tra….
Jump back to text at footnote 6Caroline Haskins, “Almost 17,000 Protesters Had No Idea A Tech Company Was Tracing Their Location,” BuzzFeed News, June 25, 2020, https://www.buzzfeednews.com/article/carolinehaskins1/protests-tech-com….
Jump back to text at footnote 7Shoshana Wodinsky, “A Priest Was Outed by His Phone's Location Data. Anyone Could Be Next.,” Gizmodo, July 21, 2021, https://gizmodo.com/a-priest-was-outed-by-his-phones-location-data-anyo….
Jump back to text at footnote 8Aaron Rieke et al., Data Brokers in an Open Society, November 2016, https://www.opensocietyfoundations.org/uploads/42d529c7-a351-412e-a065-….
Jump back to text at footnote 9Joseph Cox, “CBP Bought ‘Global’ Location Data from Weather and Game Apps,” VICE, October 6, 2020, https://www.vice.com/en/article/n7wakg/cbp-dhs-location-data-venntel-ap….
Jump back to text at footnote 10Biddle, “LexisNexis to Provide Giant Database of Personal Information to ICE”; Rieke et al. Data Brokers.
Jump back to text at footnote 11Shoshana Wodinsky, “'Anonymized' Data Is Meaningless Bullshit,” Gizmodo, February 3, 2020, https://gizmodo.com/anonymized-data-is-meaningless-bullshit-1841429952.
Jump back to text at footnote 12Thompson and Warzel, “One Nation, Tracked,” New York Times, 2019.
Jump back to text at footnote 13Charlie Warzel and Stuart A. Thompson, “They Stormed the Capitol. Their Apps Tracked Them,” The New York Times, February 5, 2021, https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-dat….
Jump back to text at footnote 14Zack Whittaker, “Google Says Geo-Fence Warrants Make Up One-Quarter of All U.S. Demands,” TechCrunch, August 18, 2021, https://techcrunch.com/2021/08/19/google-geofence-warrants/.
Jump back to text at footnote 15“Buy SDK Location Data,” Datarade, undated, https://datarade.ai/data-categories/sdk-location-data.
Jump back to text at footnote 16House of Representatives Hearing, Improving the Pre-screening of Aviation Passengers Against Terrorism and Other Watch Lists: Hearing before the Subcommittee of Economic Security, Infrastructure Protection, and Cybersecurity of the Committee on Homeland Security, 109th Cong., 1st sess., July 29, 2005, https://www.govinfo.gov/content/pkg/CHRG-109hhrg26959/html/CHRG-109hhrg….
Jump back to text at footnote 17Emma Knight and Alex Gekker, “Mapping Interfacial Regimes of Control: Palantir's ICM in America's Post-9/11 Security Technology Infrastructures,” Surveillance & Society, June 16, 2020, 4, https://doi.org/10.24908/ss.v18i2.13268.
Jump back to text at footnote 18U.S. Department of Homeland Security Privacy Office, Re: DHS/OS/PRIV 07-160/Sobel request, letter, Washington, D.C., from Electronic Freedom Frontier, https://www.eff.org/files/filenode/foia_ats/20071107_ats01.pdf.
Jump back to text at footnote 19Dena Kozanas, U.S. Department of Homeland Security’s (DHS) 2019 Data Mining Report to Congress, December 2, 2020, 36, https://www.dhs.gov/sites/default/files/publications/2019_data_mining_r….
Jump back to text at footnote 20U.S. Department of Homeland Security, “Privacy Impact Assessment Update for the Enforcement Integrated Database (EID) Prosecutions Module (PM), Electronic Removal Management Portal (eRMP), Operations Management Module (OM²), Law Enforcement Notification System (LENS), and Compliance Assistance Reporting Terminal (CART) DHS/ICE/PIA-015(i),” December 3, 2018, https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-ei….