ICE seemingly inflated its contract with a cellphone location-tracking data broker to work around a "commercial data pause"
After a 2021 "data pause", ICE continually expanded a one-year, $816,700 contract signed with Babel Street in 2019. The contract has so far paid out more than $3.6 million and is active into 2024.
An irregularity with how U.S. Immigrations and Customs Enforcement (ICE) has been ostensibly circumventing its advertised “commercial data pause” is hiding in plain sight. Yet the behavior and its context were omitted from a scathing document published last Wednesday by the Inspector General of the Department of Homeland Security, entitled “CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (REDACTED)”. The Inspector General’s conclusions were first discussed by The Washington Post and then 404 Media, but the contracting irregularity has not previously been reported.
The broad outlines of the new report, which goes by the code OIG-23-61 and was signed by DHS Inspector General Dr. Joseph V. Cuffari, are made clear in its pointed and verbose title. Mr. Cuffari and his staff asserted that three of their recommendations to DHS were unresolved, with the overall gist being that:
ICE should cease its usage of commercial cellphone-location tracking data — referred to as “Commercial Telemetry Data” (CTD) — until approval of a Privacy Impact Assessment (PIA),
ICE should cease purchasing sensitive data until PIA approval, and
The Chief Privacy Officer of DHS should issue a statement on PIA requirements for purchases of sensitive data.
The report also noted “oversight gaps” regarding DHS’s usage of CTD, such as “shared accounts and passwords” and “no supervisory review to ensure proper user of the technology”, despite 16,000 queries being conducted in 2020 alone.
ICE’s official response to the Inspector General recommendation of ceasing usage of CTD was “Non-Concur”, and that “CTD is an important mission contributor to the ICE investigative process as…it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden”. ICE also rejected that cellphone location-tracking data contains Personally Identifiable Information (PII), stating “the CTD technologies HSI [Homeland Security Investigations] uses do not directly correlate an individual to a device”. ICE went on to assert that “All devices are masked by vendor-generated device numbers, and no information in identifiable form (i.e., PII) is contained in the tool.” (As revealed by the author last year, a spin-out of ICE’s current main CTD contractor built a button into its software for deanonymizing cellphone location histories, which they labeled ‘Regularity’.)
The Inspector General’s report also notes that “ICE instituted a ‘commercial data pause’ that required ICE operational components to obtain ICE Deputy Director approval before acquiring access to commercial data, which includes CTD”. The document’s appendix also helpfully included a list of what is claimed to be all ICE contracts relating to commercial telemetry data signed in 2019 and 2020. While seven contract identifiers were listed in total, vendor names were withheld and three of the seven were incorrectly listed with several zeroes removed from their identifiers. With the proper fixes, six of the contracts were found to be with Venntel, Inc. — which has since largely merged into its parent company Gravy Analytics — and one was to data fusion company Babel Street, which reportedly resells Venntel’s cellphone location-tracking data through its Locate X product.
Due to the discussion of the “commercial data pause” beginning in January 2021, as well as the appendix of the Inspector General’s report implying that the last ICE contract for commercial cellphone location-tracking data ended in September 2021, readers could be forgiven for inferring that ICE’s cellphone location-tracking contracts ended the same year. But public contracting records tell a dramatically different story. In fact, the Babel Street contract listed in the appendix which was originally signed in September 2019 never ended. It paid out an additional $1.3 million just one month ago.
The Babel Street contract, which takes the form of a “Blanket Purchasing Agreement” (BPA), also involves an irregularity in its only actual work order, known as a “BPA Call”. While Babel’s ICE BPA was signed for a roughly five year ordering period with a $6.5 million total purchasing cap, the only BPA call from it was originally signed one week later, but with a roughly one year ordering limit and a spending cap of only $816,700. But as the contract’s original end of September 2020 and the January 2021 “commercial data pause” approached, the completion date was pushed back a year, and over time it would be steadily extended to September 2024, along with roughly $3 million dollars in additional payouts.
Thus, a contract which the DHS Inspector General presented as ending in September 2021 not only never ended, it increased in size by more than 350%, ostensibly to circumvent the additional contract sign-offs instituted by the January 2021 “commercial data pause”. Since the pause went into effect, neither Venntel nor Babel Street has signed another contract with ICE. Babel instead extended and pumped up its one existing BPA Call.
Despite more than two days of phone calls, voicemails, and emails, the Office of the Inspector General of the Department of Homeland Security has not responded to a request for comment, despite acknowledging receipt of the request.
Appendix
Due to the Inspector General’s report pointedly withholding and/or redacting the cellphone location-tracking vendor names, as well as the three errors in the listed contract identifiers, we are providing a full list of links to the relevant official U.S. Government purchasing records.
The seven unique ICE contracts identifiers listed by OIG-23-61, along with the associated vendors, were:
70CMSD18P00000127: Venntel
70CMSD19P00000012: Venntel
70CMSD19P00000043: Venntel
70CMSD19A00000007: Babel Street, a reported reseller of Venntel
70CMSD20P00000089: Venntel
70CMSD20P00000159: Venntel
70CTD020P00000016: Venntel
The six equivalent contracts with U.S. Customs and Border Protection were:
70B04C18F00001093: Babel Street resold by Panamerica Computers, Inc. (DBA PCi Tec)
70B04C18F00001214: unnamed company, which is likely Babel Street, resold to Counter Network Division’s Publicly Available Information Group (PAIG) by PCi Tec
70B04C19F00000798: Babel Street, a reported reseller of Venntel, resold by PCi Tec
70B04C19F00000802: Venntel resold by PCi Tec
70B02C20P00000521: Venntel
70B04C20F00000914: Venntel, resold by Govplace
And the two commercial telemetry data contracts with the Secret Service were:
HSSS01-15-C-004 (7th amendment): Babel Street
HSHQDC-12-D-00011: Camunda & MariaDB, resold by C & C International
I went to the ICE website and looked at their ‘most wanted’ list. The Guzman band of brothers were front and center. If I understand correctly, ICE contracts with Babel Street to use cell phone data to track people like the Guzmans. The question I have is, who else are they tracking if they are being disingenuous about ID’ing their contracts?