DHS quietly built pathway to track Americans through advertising data economy

For years, the Department of Homeland Security (DHS) quietly experimented with turning the digital advertising ecosystem into a surveillance tool.

Internal privacy records show that Customs and Border Protection (CBP) tested whether smartphone advertising identifiers collected by mobile apps and sold through data brokers could be used to reconstruct the movements of individuals across the U.S.

At the same time, other DHS components were purchasing similar datasets for investigative use, often without completing required privacy reviews or establishing clear policies governing how the information could be accessed.

Now, those efforts are drawing renewed scrutiny on Capitol Hill.

A coalition of lawmakers led by Senator Ron Wyden is urging the DHS Inspector General (IG) to investigate whether Immigration and Customs Enforcement (ICE) has resumed buying Americans’ cellphone location data from commercial vendors, potentially reviving a controversial surveillance practice the inspector general previously concluded violated federal law.

The congressional inquiry arrives as ICE surveys the private sector for new tools capable of harvesting and analyzing location signals generated by the digital advertising marketplace, a data pipeline capable of mapping the movements of millions of devices in near real time.

Together, the records suggest that DHS’s interest in commercial location intelligence is not a new development. It is the continuation of a strategy that has been quietly developing inside the department for years.

Documents reviewed in connection with the inquiry illustrate how that strategy has evolved inside DHS. One record, a Privacy Threshold Analysis (PIA) obtained by 404 media, describes an early pilot effort inside CBP that examined whether smartphone advertising identifiers, commonly known as AdIDs, could serve as a reliable investigative signal.

Another document reflects the mounting congressional concern that DHS components may still be purchasing commercial location data despite earlier oversight findings that identified legal and policy violations.

Taken together, the materials reveal a through-line connecting early experimentation with advertising identifier data, a major inspector general audit of DHS surveillance practices, and the current controversy surrounding ICE’s interest in new commercial location intelligence tools.

The PIA was for what CBP described as an AdID Efficacy Pilot. Privacy threshold analyses are preliminary reviews conducted within DHS to determine whether a proposed system or project requires a more detailed Privacy Impact Assessment (PIA) under federal law and departmental policy.

In this case, the document evaluated whether the proposed pilot involved privacy sensitive information and whether additional safeguards would be required before operational use.

The project focused on advertising identifier data generated by smartphones and mobile applications. Advertising identifiers are unique device level codes assigned by mobile operating systems and used by advertising networks to track user behavior across apps and websites.

Because the identifiers persist across sessions, they allow marketers to measure consumer activity over time. But the same characteristics that make AdIDs useful for targeted advertising also make them attractive for investigative analysis.

According to the privacy documentation, the pilot relied on commercially available datasets compiled from mobile applications that collect location signals through embedded software development kits.

These signals flow into advertising exchanges when mobile ads are served, where location data tied to a device identifier can be captured and aggregated by data brokers.

Commercial vendors then package that information into analytical platforms that allow users to query device movements over time.

The CBP pilot was designed to test whether those platforms could support border security investigations by revealing travel patterns associated with specific devices.

Analysts could examine location histories, identify devices that appeared together at particular locations, and reconstruct patterns of movement over extended periods.

Rather than functioning as a real time tracking tool, the system was intended to support retrospective analysis. By querying historical datasets, investigators could attempt to identify devices that had previously crossed certain locations or traveled alongside other devices of interest.

The privacy analysis also indicates that the system could access historical location data extending back several years, and that analysts could query data in ninety-day increments.

While the document emphasizes that the data originated in the commercial advertising ecosystem rather than from telecommunications providers, it also acknowledges the privacy sensitivity of the information.

Movement patterns derived from location data can reveal highly personal details about individuals, including where they live, work, worship, or seek medical care.

“Location data is extremely sensitive … It is for that reason that ordinarily, the government must obtain a warrant from a judge in order to demand such data from phone or technology companies,” the lawmakers’ letter states.

For that reason, DHS privacy officials concluded that the system qualified as a privacy sensitive program and would require a full PIA before broader operational deployment.

The document also noted that the pilot was connected to the DHS Intelligence Records System, a system of records that governs certain categories of intelligence information collected by CBP.

The internal pilot was not the only example of DHS components exploring commercial location intelligence.

In 2023, the DHS Inspector General performed a major audit examining how several DHS agencies had acquired and used what the report described as commercial telemetry data.

That category includes smartphone location histories derived from advertising identifiers and other commercial data sources.

The audit found that CBP, ICE, and the U.S. Secret Service had all obtained or used commercial location data without fully complying with federal privacy laws or departmental policy requirements.

Investigators determined that the agencies had procured or used the data without completing required PIAs in advance, a step mandated by the E-Government Act of 2002 when federal agencies deploy systems that collect or process personally identifiable information.

The review concluded that weak internal controls and insufficient oversight by the DHS Privacy Office allowed these acquisitions to proceed without the required safeguards.

The inspector general also found that DHS lacked a department-wide policy governing how commercial telemetry data could be purchased or used across components.

Without a consistent framework, different agencies were left to develop their own ad hoc rules for accessing and analyzing the data, the IG found.

The IG recommended that DHS develop a comprehensive department wide policy governing commercial telemetry data and strengthen controls to ensure privacy assessments are completed before such technologies are deployed.

The audit also raised concerns about how the data was being accessed internally. Investigators found examples of employees sharing database login credentials and supervisors failing to review audit logs that could reveal potential misuse. In at least one case, an employee used the data to track coworkers.

Those findings now form the backdrop to the new congressional request for investigation.

In the letter Wyden and fellow lawmakers sent Tuesday to the inspector general, they said contracting records and public reporting indicate ICE may have resumed purchasing Americans’ location data from commercial vendors even though DHS has not fully implemented the oversight reforms recommended in the earlier audit.

The lawmakers also pointed to a 2025 procurement involving the investigative analytics firm PenLink. According to the letter, ICE issued a no bid contract that included licenses for a location intelligence platform known as Webloc.

Webloc was developed by the data analytics company Cobwebs Technologies, which merged with Nebraska-based PenLink as part of a private equity acquisition valued at roughly $200 million.

An Israeli startup, Cobwebs had previously drawn controversy in the technology sector after Meta in December 2021 banned the company from its platforms during a crackdown on surveillance mercenary firms that were accused of targeting activists, journalists, and political figures.

The lawmakers’ letter states that ICE cancelled a scheduled February 10 congressional briefing about the contract at the last minute and has not provided further information about the purchase.

“ICE cancelled it with no explanation and without any offer to reschedule,” the letter states.

PenLink is not a new presence in federal law enforcement technology procurement. The company has spent decades supplying communications analysis platforms used by investigators to process call records, digital evidence and intercepted communications obtained through lawful investigative authorities.

Federal agencies including the Federal Bureau of Investigation, Drug Enforcement Administration, and numerous state and local law enforcement organizations have purchased PenLink software for digital investigative work.

Federal procurement records show that contracts for PenLink investigative platforms extend back more than a decade across multiple government agencies.

Many of the individual purchases appear relatively modest, often involving software licenses or maintenance agreements valued in the tens or hundreds of thousands of dollars.

However, larger enterprise deployments and multi-year agreements have pushed some contracts into the multi-million-dollar range.

When these enterprise contracts are combined with the dozens of smaller purchase orders issued across federal law enforcement agencies, the cumulative federal investment in PenLink and related investigative analytics platforms likely reaches well into the tens of millions of dollars.

The company’s merger with Cobwebs expanded that technology ecosystem into the commercial data analytics market, including platforms capable of processing open source intelligence and location signals derived from commercial datasets.

That convergence between investigative analytics tools and commercial location intelligence platforms is precisely what has alarmed privacy advocates and members of Congress.

The DHS IG report made clear that the department has struggled to establish consistent rules governing how commercial location data can be used.

the IG determined that CBP, ICE, and the Secret Service “did not adhere to department privacy policies or develop sufficient policies before procuring and using commercial telemetry data.”

Even after the audit, the department still lacked a comprehensive DHS-wide policy governing the acquisition and use of commercial location intelligence.

The renewed congressional scrutiny suggests lawmakers believe those gaps remain unresolved.

If ICE ultimately moves forward with new contracts for advertising technology-based location intelligence, the capability first tested quietly in a CBP pilot program could become a routine investigative tool across DHS.

At that point, the central question for policymakers will not be whether the technology works. It will be whether the rules governing its use are strong enough to prevent the commercial data marketplace from becoming one of the most powerful surveillance infrastructures available to the federal government.

DHS signals major expansion of biometric matching infrastructure

The Department of Homeland Security (DHS) has issued a Request for Information (RFI) seeking industry input on biometric matching software capable of operating across all major DHS components.

The RFI signals a department wide effort to standardize and scale biometric matching capabilities across Customs and Border Protection, Immigration and Customs Enforcement, the Transportation Security Administration, U.S. Citizenship and Immigration Services, the Secret Service, and headquarters elements.

At its core, DHS is seeking a single scalable software capability that can handle mission critical identity verification, vetting, and investigative operations under an enterprise license structure.

Taken together, the RFI and accompanying documents outline a sweeping modernization effort aimed at consolidating and scaling biometric matching across the department. DHS is effectively mapping out a lifecycle management framework that extends from initial award through ongoing performance assessment.

If DHS proceeds to a formal solicitation, the resulting contract would shape how identity verification, watchlist screening, fraud detection, and investigative matching are performed across some of the most security sensitive missions in the federal government.

For industry, the RFI is an invitation to demonstrate not only algorithmic performance but architectural maturity, compliance depth, and governance alignment.

For policymakers and civil liberties observers, it signals a continued expansion and integration of biometric infrastructure within DHS, albeit under tighter data ownership, portability, and audit controls than have characterized some earlier deployments.

According to the draft Statement of Work attached to the RFI, DHS requires an enterprise level, scalable, and secure biometric matching software solution that can seamlessly integrate with other biometric systems already operating within the department.

The objective is not simply to purchase software licenses but to define requirements, deliverables, scope, and performance expectations for a department wide solution that includes integration, testing, documentation, training, and sustainment.

The envisioned system must support multimodal biometric inputs. The draft requirements specify facial recognition, fingerprint and palm print matching, iris recognition, voiceprint matching where applicable, and biographic matching augmentation.

DHS expects both real time and batch matching capabilities, support for search and identification workflows, configurable watchlists, deduplication functions, and adjustable scoring thresholds.

The software must meet defined performance standards for false accept and false reject rates while maintaining high throughput and low latency in high volume environments.

Performance is a central theme throughout the RFI. DHS emphasizes that vendors must demonstrate the ability to support large scale 1 to 1 verification and 1 to N identification searches with strict latency targets and uptime service level agreements.

The department is asking for empirical evidence drawn from operational deployments or government relevant testing environments rather than relying solely on vendor laboratory claims. In effect, DHS is signaling that any future award will hinge on demonstrated operational maturity.

Security and privacy requirements are equally prominent. The draft Statement of Work requires compliance with federal, state, and international privacy and data protection frameworks and DHS privacy directives, along with alignment to ISO biometric performance and presentation attack detection standards.

Encryption of biometric data at rest and in transit, role-based access controls, secure key management, and integration with DHS security monitoring tools are mandatory features.

Auditability and oversight are embedded into the technical requirements. The solution must generate comprehensive logs covering enrollment, matching transactions, administrative actions, configuration changes, access attempts, and data exports, and must integrate with DHS approved Security Information and Event Management platforms such as Splunk, QRadar, or Elastic.

These provisions underscore that DHS views biometric matching as a mission critical capability that must withstand continuous security review and forensic scrutiny.

Data governance and ownership provisions are unusually explicit. The government will retain exclusive ownership over all raw biometric data, templates, metadata, matching results, audit logs, and performance data generated during operations.

Contractors are prohibited from asserting ownership or reuse rights over government data and may not use DHS biometric data for algorithm training or commercial improvement without written authorization.

The RFI explicitly notes that biometric data must remain the exclusive property of the government and that the enterprise license must permit broad use across DHS components and operational environments.

These clauses directly address long standing concerns about vendor use of government biometric datasets for proprietary model enhancement. They also reflect an intent to avoid fragmented component level licensing arrangements and to consolidate biometric matching capabilities under a single contractual umbrella.

The RFI also reflects a strong emphasis on portability and exit rights. Vendors must ensure that all government data can be exported in nonproprietary or standards-based formats to support migration, archival, independent testing, or vendor transition at contract expiration.

In a market often criticized for vendor lock in, DHS is clearly seeking architectural and contractual safeguards to preserve flexibility.

Deployment flexibility is defining feature of the requirement. The system must support on premises, cloud-based, hybrid, and optional edge deployments, and must accommodate elastic scaling and capacity growth over a three to five year horizon without major architectural redesign.

Vendors are asked to detail supported biometric modalities, demonstrated performance metrics, interoperability strategies, and approaches to minimizing vendor lock in.

They must also explain encryption methods, access control models, audit capabilities, compliance certifications, and policies governing the use of government data.

Finally, they are required to address sustainment models, disaster recovery architectures, licensing structures, and experience supporting proof of concept evaluations and integration testing.