Category: Ethics

For years, the Department of Homeland Security (DHS) quietly experimented with turning the digital advertising ecosystem into a surveillance tool.

Internal privacy records show that Customs and Border Protection (CBP) tested whether smartphone advertising identifiers collected by mobile apps and sold through data brokers could be used to reconstruct the movements of individuals across the U.S.

At the same time, other DHS components were purchasing similar datasets for investigative use, often without completing required privacy reviews or establishing clear policies governing how the information could be accessed.

Now, those efforts are drawing renewed scrutiny on Capitol Hill.

A coalition of lawmakers led by Senator Ron Wyden is urging the DHS Inspector General (IG) to investigate whether Immigration and Customs Enforcement (ICE) has resumed buying Americans’ cellphone location data from commercial vendors, potentially reviving a controversial surveillance practice the inspector general previously concluded violated federal law.

The congressional inquiry arrives as ICE surveys the private sector for new tools capable of harvesting and analyzing location signals generated by the digital advertising marketplace, a data pipeline capable of mapping the movements of millions of devices in near real time.

Together, the records suggest that DHS’s interest in commercial location intelligence is not a new development. It is the continuation of a strategy that has been quietly developing inside the department for years.

Documents reviewed in connection with the inquiry illustrate how that strategy has evolved inside DHS. One record, a Privacy Threshold Analysis (PIA) obtained by 404 media, describes an early pilot effort inside CBP that examined whether smartphone advertising identifiers, commonly known as AdIDs, could serve as a reliable investigative signal.

Another document reflects the mounting congressional concern that DHS components may still be purchasing commercial location data despite earlier oversight findings that identified legal and policy violations.

Taken together, the materials reveal a through-line connecting early experimentation with advertising identifier data, a major inspector general audit of DHS surveillance practices, and the current controversy surrounding ICE’s interest in new commercial location intelligence tools.

The PIA was for what CBP described as an AdID Efficacy Pilot. Privacy threshold analyses are preliminary reviews conducted within DHS to determine whether a proposed system or project requires a more detailed Privacy Impact Assessment (PIA) under federal law and departmental policy.

In this case, the document evaluated whether the proposed pilot involved privacy sensitive information and whether additional safeguards would be required before operational use.

The project focused on advertising identifier data generated by smartphones and mobile applications. Advertising identifiers are unique device level codes assigned by mobile operating systems and used by advertising networks to track user behavior across apps and websites.

Because the identifiers persist across sessions, they allow marketers to measure consumer activity over time. But the same characteristics that make AdIDs useful for targeted advertising also make them attractive for investigative analysis.

According to the privacy documentation, the pilot relied on commercially available datasets compiled from mobile applications that collect location signals through embedded software development kits.

These signals flow into advertising exchanges when mobile ads are served, where location data tied to a device identifier can be captured and aggregated by data brokers.

Commercial vendors then package that information into analytical platforms that allow users to query device movements over time.

The CBP pilot was designed to test whether those platforms could support border security investigations by revealing travel patterns associated with specific devices.

Analysts could examine location histories, identify devices that appeared together at particular locations, and reconstruct patterns of movement over extended periods.

Rather than functioning as a real time tracking tool, the system was intended to support retrospective analysis. By querying historical datasets, investigators could attempt to identify devices that had previously crossed certain locations or traveled alongside other devices of interest.

The privacy analysis also indicates that the system could access historical location data extending back several years, and that analysts could query data in ninety-day increments.

While the document emphasizes that the data originated in the commercial advertising ecosystem rather than from telecommunications providers, it also acknowledges the privacy sensitivity of the information.

Movement patterns derived from location data can reveal highly personal details about individuals, including where they live, work, worship, or seek medical care.

“Location data is extremely sensitive … It is for that reason that ordinarily, the government must obtain a warrant from a judge in order to demand such data from phone or technology companies,” the lawmakers’ letter states.

For that reason, DHS privacy officials concluded that the system qualified as a privacy sensitive program and would require a full PIA before broader operational deployment.

The document also noted that the pilot was connected to the DHS Intelligence Records System, a system of records that governs certain categories of intelligence information collected by CBP.

The internal pilot was not the only example of DHS components exploring commercial location intelligence.

In 2023, the DHS Inspector General performed a major audit examining how several DHS agencies had acquired and used what the report described as commercial telemetry data.

That category includes smartphone location histories derived from advertising identifiers and other commercial data sources.

The audit found that CBP, ICE, and the U.S. Secret Service had all obtained or used commercial location data without fully complying with federal privacy laws or departmental policy requirements.

Investigators determined that the agencies had procured or used the data without completing required PIAs in advance, a step mandated by the E-Government Act of 2002 when federal agencies deploy systems that collect or process personally identifiable information.

The review concluded that weak internal controls and insufficient oversight by the DHS Privacy Office allowed these acquisitions to proceed without the required safeguards.

The inspector general also found that DHS lacked a department-wide policy governing how commercial telemetry data could be purchased or used across components.

Without a consistent framework, different agencies were left to develop their own ad hoc rules for accessing and analyzing the data, the IG found.

The IG recommended that DHS develop a comprehensive department wide policy governing commercial telemetry data and strengthen controls to ensure privacy assessments are completed before such technologies are deployed.

The audit also raised concerns about how the data was being accessed internally. Investigators found examples of employees sharing database login credentials and supervisors failing to review audit logs that could reveal potential misuse. In at least one case, an employee used the data to track coworkers.

Those findings now form the backdrop to the new congressional request for investigation.

In the letter Wyden and fellow lawmakers sent Tuesday to the inspector general, they said contracting records and public reporting indicate ICE may have resumed purchasing Americans’ location data from commercial vendors even though DHS has not fully implemented the oversight reforms recommended in the earlier audit.

The lawmakers also pointed to a 2025 procurement involving the investigative analytics firm PenLink. According to the letter, ICE issued a no bid contract that included licenses for a location intelligence platform known as Webloc.

Webloc was developed by the data analytics company Cobwebs Technologies, which merged with Nebraska-based PenLink as part of a private equity acquisition valued at roughly $200 million.

An Israeli startup, Cobwebs had previously drawn controversy in the technology sector after Meta in December 2021 banned the company from its platforms during a crackdown on surveillance mercenary firms that were accused of targeting activists, journalists, and political figures.

The lawmakers’ letter states that ICE cancelled a scheduled February 10 congressional briefing about the contract at the last minute and has not provided further information about the purchase.

“ICE cancelled it with no explanation and without any offer to reschedule,” the letter states.

PenLink is not a new presence in federal law enforcement technology procurement. The company has spent decades supplying communications analysis platforms used by investigators to process call records, digital evidence and intercepted communications obtained through lawful investigative authorities.

Federal agencies including the Federal Bureau of Investigation, Drug Enforcement Administration, and numerous state and local law enforcement organizations have purchased PenLink software for digital investigative work.

Federal procurement records show that contracts for PenLink investigative platforms extend back more than a decade across multiple government agencies.

Many of the individual purchases appear relatively modest, often involving software licenses or maintenance agreements valued in the tens or hundreds of thousands of dollars.

However, larger enterprise deployments and multi-year agreements have pushed some contracts into the multi-million-dollar range.

When these enterprise contracts are combined with the dozens of smaller purchase orders issued across federal law enforcement agencies, the cumulative federal investment in PenLink and related investigative analytics platforms likely reaches well into the tens of millions of dollars.

The company’s merger with Cobwebs expanded that technology ecosystem into the commercial data analytics market, including platforms capable of processing open source intelligence and location signals derived from commercial datasets.

That convergence between investigative analytics tools and commercial location intelligence platforms is precisely what has alarmed privacy advocates and members of Congress.

The DHS IG report made clear that the department has struggled to establish consistent rules governing how commercial location data can be used.

the IG determined that CBP, ICE, and the Secret Service “did not adhere to department privacy policies or develop sufficient policies before procuring and using commercial telemetry data.”

Even after the audit, the department still lacked a comprehensive DHS-wide policy governing the acquisition and use of commercial location intelligence.

The renewed congressional scrutiny suggests lawmakers believe those gaps remain unresolved.

If ICE ultimately moves forward with new contracts for advertising technology-based location intelligence, the capability first tested quietly in a CBP pilot program could become a routine investigative tool across DHS.

At that point, the central question for policymakers will not be whether the technology works. It will be whether the rules governing its use are strong enough to prevent the commercial data marketplace from becoming one of the most powerful surveillance infrastructures available to the federal government.