How a private company helps ICE track migrants’ every move

Immigration and Customs Enforcement's claims about how long surveillance data is retained conflict with internal records.
NEW YORK, NEW YORK - JUNE 6: An ICE agent monitors hundreds of asylum seekers being processed upon entering the Jacob K. Javits Federal Building on June 6, 2023. (Photo by David Dee Delgado/Getty Images)

A mobile app used by Immigration and Customs Enforcement to monitor certain migrants is collecting large amounts of sensitive data with uncertain protections regarding how that data is being used and stored, according to public records obtained by the Just Futures Law legal project.

Faced with large numbers of migrants arriving in the United States, ICE has in recent years moved toward monitoring migrants inside the country rather than detaining them. In doing so, the agency is increasingly relying on contractors to build the technology it uses, creating a growing surveillance apparatus operated by ICE to monitor migrant communities.

One such contractor is BI Inc., which operates a cellphone app known as SmartLINK on the agency’s behalf. According to records obtained by Just Futures and shared with CyberScoop, SmartLINK collects a trove of sensitive information, including personally identifying information, geolocation data, phone numbers of contacts, and vehicle and driver data. BI also collects biometric and health data including facial images, voice prints, medical information, pregnancy and births.

ICE, a component of the Department of Homeland Security, has maintained a contract since 2004 with BI, a subsidiary of the private prison company Geo Group, to provide GPS ankle monitors and to run its Intensive Supervision Appearance Program, a program to monitor certain migrants. ICE describes ISAP as “an alternative to detention,” and the SmartLINK app allows for real-time communications between supervisory agents and program participants, including video check-in calls, messaging and other automated location data collection.


In short, rather than be physically detained, migrants participating in ISAP agree to be tracked, using SmartLINK or other methods. According to ICE data from fiscal year 2023, a total of 197,490 users participated in ISAP’s “alternative to detention” programs, with 177,654 participating in SmartLINK.

The documents shared with CyberScoop — which were obtained following a 2022 lawsuit by the non-profit groups Mijente, Just Futures Law and Community Justice Exchange — indicate that data collected by SmartLINK may be retained longer than ICE has stated publicly and that the agency has broad authority to use data collected by the app.

Immigration rights advocates argue that these broad rules around retention and use may be misused by the agency to monitor immigrant communities.

“ICE’s ultimate goal with this kind of program is to increase the agency’s punitive control over the lives and autonomy of black and brown and immigrant communities,” said Hannah Lucal, a data and technology fellow with Just Futures.

ICE’s public statements about how long the data collected by SmartLINK is stored contradict the language in its contracts with BI and internal records. For instance, a DHS privacy impact assessment states that BI maintains data for 7 years after a program participant leaves the program. However, FOIA records show that BI may retain the data indefinitely. 


It’s also possible that ICE is combining data collected by BI with data from other sources to create even more extensive databases. According to its contract with BI, ICE has “unlimited rights to use, dispose of, or disclose” all ISAP data.

ICE’s relationship with BI represents the latest example of how the agency relies on partners to amass large amounts of data on immigrant communities. With many local authorities adopting so-called “sanctuary” laws that forbid cooperating with federal immigration authorities, ICE has turned toward outside contractors to collect data. In addition to its work with BI, ICE has a $16.8 million agreement with data broker LexisNexis that it uses to fuel its policing work.

BI’s data services aren’t limited to what it collects through the SmartLINK and GPS ankle monitoring programs. According to public records, BI partnered in 2021 with a third-party company, ClearForce, to obtain incarceration data from jails. The pilot, which pertained to 10,000 people under ISAP surveillance, specifically targeted “sanctuary states” that limit cooperation with federal immigration authorities.

ICE has promoted its “alternatives to detention” technologies as a “humane” way to track migrants instead of imprisonment. Critics of the program say that participants report how mentally and physically damaging the program is to them and their communities, which are often also surveilled as a byproduct of the data collection involved in the program.

Advocates say the agency’s unclear practices around the collection of real-time location data are particularly troubling. 


Records from ICE present contradictory answers as to how often it uses location data from SmartLINK to surveil participants. Documents state that SmartLINK only tracks location data during a log-in, biometric enrollment, check-ins and the start of video calls. However, DHS’s Privacy Impact Assessment doesn’t mention collecting location data during calls.

SmartLINK is also capable of continuous monitoring, which means ICE could turn on the feature at any time. ICE told the Congressional Research Service in 2019 that it did not “actively monitor” the location of participants using the app, but a 2023 Marketplace article found that an ICE agent in Houston tracked “the movements of one person with the B.I. SmartLINK app over the course of 24 hours.”

“ICE needs to give us information about what discretion individual ICE agents and individual BI agents have in terms of their technical capability to turn on continuous location tracking for a person that they are surveilling,” Lucal said.

Data collected by BI have been used to inform arrests. In 2018, for example, BI shared location data with ISAP staff in Virginia, resulting in the arrest of 40 people.

ICE did not provide a response to a list of questions from CyberScoop.


The expansion of the ISAP program, the budget for which increased from $28 million to $475 million between 2006 and 2021, has raised concerns among lawmakers who say that ICE hasn’t been transparent about its data collection practices.

In February, 25 lawmakers led by Rep. Rashida Tlaib, D-Mich., wrote to DHS Secretary Alejandro Mayorkas expressing their reservations regarding the ISAP program and SmartLINK’s data collection: “We have serious concerns over data sharing and privacy of this application including the ability of ICE and B.I. to track individuals in real-time and collect and repurpose the data.”

ICE’s handling of sensitive data has been brought into question before. Last year, ICE accidentally posted to a public website the sensitive personal information of more than 6,000 asylum seekers.

The SmartLINK program isn’t the Department of Homeland Security’s only foray into biometrics. DHS’s updated biometrics system, Homeland Advanced Recognition Technology (HART), is expected to include profiles of 270 million unique individuals, including 6.7 million iris scans and 1.1 billion face images. The project has been riddled with costly delays and criticism over the agency’s lack of transparency regarding the project. The Government Accountability Office has warned that the program fails to mitigate significant privacy risks, and DHS has acknowledged the office’s recommendations. Experts say that biometric data can be particularly damaging if leaked since biometric data can’t be altered.

More recently, ICE has announced it is experimenting with a new BI technology, Veriwatch, a wrist-worn monitor with biometric authentication. While not much is known about the program, Hannah says it comes with the same concerns as the mobile app and ankle monitors.


“What we’ve learned from the FOIA records is that ICE’s public-facing statements about its data collection practices, including location data practices, can’t be trusted,” Lucal said.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
