U.S. Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and other parts of the Department of Homeland Security (DHS) have bought access to and used large volumes of people’s cell phone location information extracted from smartphone apps.

The files, which the American Civil Liberties Union (ACLU) and the New York Civil Liberties Union (NYCLU) obtained through an ongoing Freedom of Information Act (FOIA) lawsuit, detail the millions of taxpayer dollars DHS used to buy access to cell phone location information, which was aggregated and sold by two data brokers, Venntel and Babel Street.

In scattered emails, some DHS employees raised concerns, with internal briefing documents even acknowledging that “[l]egal, policy and privacy reviews have not always kept pace with the new and evolving technologies.” Several email threads highlight internal confusion in the agency’s privacy office and potential oversight gaps in the use of this data — to the point where all projects involving Venntel data were temporarily halted because of unanswered privacy and legal questions.

Among the records released to the ACLU by CBP were seven spreadsheets containing a small subset of the raw location data purchased by the agency from Venntel. For one three-day span in 2018, the records contain around 113,654 location points — more than 26 location points per minute.

“The Supreme Court has made clear that because our cell phone location history reveals so many ‘privacies of life,’ it is deserving of full Fourth Amendment protection,” said Nathan Freed Wessler, Deputy Director of ACLU’s Speech, Privacy and Technology Project. “Yet, here we see data brokers and government agencies tying themselves in knots trying to explain how people can lack an expectation of privacy in such obviously personal and sensitive location information. With the potential for abuse so high, Congress must step in to definitively end this practice.”