Customs and Border Protection acquired ‘huge amount of surveillance power’

A contract signed last year by U.S. Customs and Border Patrol (CBP) appears to give the agency the most aggressive and expansive package of surveillance tools it has ever used, according to an advocacy group.

The deal with the data broker LexisNexis Risk Solutions provided CBP with capabilities such as collecting geolocation data, monitoring social media accounts and tracking cell phone call histories for non-U.S. and U.S. residents alike, according to public records obtained by Just Futures Law (JFL), which advocates against mass surveillance and deportation.

The contract, signed in November 2022, is the latest example of the expansion of immigration-related agencies’ abilities to track people through their digital lives, according to Julie Mao, deputy director of JFL, who said the organization obtained the records under the Freedom of Information Act.

“It’s a huge amount of surveillance power that CBP has, frankly, secretly acquired with little oversight,” Mao said in an interview. JFL has cited LexisNexis Risk Solutions as a data broker that violates human rights and privacy laws by selling invasive mass surveillance tools. JFL is suing the company in Illinois for selling individuals’ data without their consent.

LexisNexis Risk Solutions has the same corporate parent as LexisNexis Legal and Professional but separate management.

The capabilities CBP acquired from LexisNexis are more extensive, Mao said, than those used by Immigration and Customs Enforcement (ICE) — another federal agency with a related mandate. Both agencies are part of the Department of Homeland Security. CBP typically handles immigration at ports of entry, while ICE enforces immigration laws internally in the U.S.

CBP and ICE have been called out for use of other powerful surveillance tools recently. The department’s inspector general issued a report in March saying ICE illegally used cell-site simulators (CSS) for surveillance purposes without proper authorization.

CBP referred a request for comment to LexisNexis Risk Solutions, whose spokesperson defended the contract, saying LexisNexis policies “emphasize a respect for human rights, and focus on threats to national security, public safety, and security at the border.”

The company supports the “responsible use of data in accordance with governing statutes, regulations and industry best practices,” the spokesperson added.

Records show that LexisNexis Risk Solutions received about $3 million for the first year of work, and the contract could be worth a total of $15.9 million if CBP extends the contract into 2027. A spokesperson for the agency could not say whether the contract has been extended.

The contract’s accompanying statement of work includes references to facial recognition technology and the contract refers to the controversial Babel X social media surveillance software, but LexisNexis Risk Solutions said it is not providing those services to CBP.

LexisNexis Risk Solutions advertises that it has compiled individual files on more than 280 million people in the U.S., Mao noted. The company sells similar surveillance technology to local law enforcement, she said, and refers to its product as a “Law Enforcement Investigative Database.”

“These data sets are not just about immigration,” Mao said. “It’s about everybody living in the U.S.”

Black Lives Matter groups and other protestors have been CBP targets, she said, adding to her concern about how the surveillance tools in the new contract could be used.

In June 2020 CBP’s role in policing often peaceful protesters came to light after the agency deployed agents, aerial surveillance drones, and other resources across the country, including in the Texas city where George Floyd was buried, according to news reports and the American Immigration Council.

The agency reportedly failed to identify itself when detaining protestors and used pepper spray and other less lethal weapons in its work.

Full suite of surveillance tools

The documents acquired by JFL show the contract includes the Accurint TraX and Viper products, which offer geolocation analysis and geographic mapping of cell phone data. It also includes access to the Accurint Virtual Crime Center, which compiles personal information from more than 10,000 government and private sources on U.S. residents, according to JFL.

In September, CBP told Sen. Ron Wyden (D-OR) that it would no longer use commercially sourced smartphone location data. It appears to be a disingenuous assertion, Mao said.

The LexisNexis Risk Solutions package also includes access to real-time jail booking data, which JFL said has previously been used by ICE to circumvent sanctuary protections. Those protections bar law enforcement from asking a person’s immigration status or detaining undocumented immigrants for minor offenses in protected spaces such as schools and in some cities.

To take one example of how powerful the LexisNexis Risk Solutions surveillance tools are, Accurint TraX Viper offers mobile device geolocation with pen register capabilities, providing real-time information on calls from a given device, the other numbers it called and duration of calls.

By pairing the technology with other LexisNexis Risk Solutions products like LexID, numbers can be linked to an individual and any personal information about them already stored in the broader Accurint database, according to JFL.

The contract’s statement of work underscores how CBP can use the technology for mass surveillance, JFL said, citing a CBP request that LexisNexis Risk Solutions offer “batching” query capabilities. The technology allows users to search a vast array of information on thousands of people with a quick command, JFL said.

The agency sought “search capability for current and large volume online batching: phone, people, real time arrests and incarcerations, real estate records that include temporal and apartment information for residential addresses, utility bills, with detailed information, businesses, work affiliation, and motor vehicle registration,” according to the statement of work.

The documents also underscore CBP’s interest in acquiring facial recognition technology as part of the suite, saying “database requirements include the ability to incorporate diverse images from different law enforcement sources to perform facial recognition.”

CBP also appears to have asked LexisNexis to provide access to Babel X, which can link Social Security numbers to telephone numbers and social media profiles as well as location data. Babel X allows information to be collected on both U.S. and non-U.S. residents, including refugees and asylum seekers.

LexisNexis Risk Solutions told Recorded Future News that it is not providing CBP with Babel X, but previous reporting has documented that CBP uses it.

The Babel X software also allows users to search social media sites within specific parameters such as geographic area.

The deal extends beyond the U.S., with CBP asking LexisNexis Risk Solutions to provide information on phone numbers and businesses in Canada and Mexico, according to the statement of work.

Data broker expert Justin Sherman said the CBP contract is a symptom of a larger problem. He condemned federal law enforcement for supporting data brokers, particularly given the demonstrated threat they pose to national security.

Sherman spearheaded a Duke University Sanford School of Public Policy study published earlier this month which showed data brokers selling military service members’ names, home addresses, and sensitive financial and health information to a .asia domain for as little as 12 cents an individual.

“This kind of data purchasing is an invasive surveillance practice, and while some agencies have made some smaller changes in these areas, the overwhelming practice persists of police spying on Americans, without warrants, through data brokers,” said Sherman, who is founder and CEO of Global Cyber Strategies, a research and advisory firm, as well as a senior fellow at Duke.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
