A US-based credit reporting agency and data broker that provides US immigration authorities with information that enables them to locate people targeted for deportation.
Equifax Inc., headquartered in Atlanta, is a data broker and one of three major credit reporting companies in the U.S. The company collects information on millions of U.S. residents, including from their employers, covering their credit history, financial assets, telecommunications and utility payments, employment, income, and other demographics. The company then provides this information to its clients to condition access to credit, mortgages, child support, and social services. Equifax generated $4.1 billion in revenue during 2020.
U.S. Immigration and Customs Enforcement (ICE) uses Equifax’s data from utility companies to locate people targeted for arrest or deportation. ICE has access to these data through a database called CLEAR, a product provided by Thomson Reuters, which the agency has been using since at least 2009. CLEAR includes “more than 400 million names, addresses and service records from more than 80 utility companies.” CLEAR also includes Equifax’s credit data, covering 352 million records including name, address, Social Security Number, and more.
Equifax obtains its utilities data from the National Consumer Telecom & Utilities Exchange (NCTUE), an organization of the largest telecom and utilities companies in the U.S. NCTUE was established by the telecom industry in 1997 and its database has been operated by Equifax ever since. The platform allows companies to evaluate individuals’ creditworthiness and share address information for “skip tracing,” i.e. locating people with missed payments. NCTUE members point out that the platform is particularly useful for locating and identifying “underserved, underbanked, multicultural consumers,” a demographic that overlaps with persons targeted by ICE. These data thus allow ICE to locate undocumented immigrants who pay utility bills.
Federal laws regulate how the U.S. federal government can use and acquire data, but do not cover privately-owned databases such as CLEAR. As a result, more U.S. law enforcement agencies have turned to such private data sources. In 2021, Democratic members of the U.S. House of Representatives sent letters to Equifax and Thomson Reuters, expressing concern that “the commercialization of personal and use data of utility customers and sale of broad access to ICE is an abuse of privacy, and that ICE’s use of this database is an abuse of power.” Both Thomson Reuters and Equifax refused to comment on ICE’s use of their databases.
Since early 2021, ICE has also used a database called Justice Intelligence (formerly JusticeXchange), a product of data broker Appriss Insights, which Equifax announced it would acquire later that year. This database collects incarceration records and real-time jail booking data from thousands of U.S. jails and prisons, information which ICE uses to learn the release date of people it wants to deport. ICE has access to this database as an add-on to its subscription to LexisNexis Accurint.
Access to this database is particularly important for ICE in the wake of state and local sanctuary laws. ICE noted in its justification for this contract that “policy or legislative changes” have caused “an increase in the number of law enforcement agencies and state or local governments that do not share information about real-time incarceration of foreign-born nationals with ICE. Therefore, it is critical to have access to Justice Intelligence services through LexisNexis' Appriss Insights.” In other words, Justice Intelligence, now owned by Equifax, serves as a backdoor for ICE to circumvent sanctuary laws.
Other clients of Appriss Insights’ Justice Intelligence database include some of the fusion centers of the Department of Homeland Security (DHS). These centers share local law enforcement data with DHS, which includes ICE, and other federal law enforcement agencies. For example, Justice Intelligence is used by the Austin Regional Intelligence Center (ARIC), a DHS fusion center that shares data across 10 counties in Central Texas. As of August 2021, Appriss held 4 contracts with the city of Austin worth $204,554 to provide database services.
In addition to using Equifax’s databases through third parties such as Thomson Reuters CLEAR and the LexisNexis product Accurint, ICE has a small contract directly with Equifax for unspecified “support services.” This contract started in 2020 and can be extended through 2023.
Equifax has a Political Action Committee (PAC) that raises money for U.S. Congressional candidates. It spent $1.2 million from 1981 to 2021 on both Democratic and Republican candidates through direct contributions and other PACs. From 1999 to June 2021, the company also spent $24.5 million in lobbying expenses in relation to issues like financial services, privacy, cybersecurity, background investigations, use of commercial data by federal government agencies, and the Comprehensive Credit Act.
As the U.S. House of Representatives was discussing the Student Borrower Credit Improvement Act in 2021, several organizations called for a major overhaul of the credit reporting system, stating that the current system not only charges people to obtain their own credit reports but also disproportionately impacts communities of color. Furthermore, they characterized attempts to fix the credit reporting system as a “Kafkaesque nightmare in which the Big Three nationwide consumer report agencies (CRAs) – Equifax, Experian, and TransUnion – consistently favor the side of the creditor or debt collector… over the consumer.”
In 2017, Equifax’s data system was hacked and 143 million records were stolen, including Social Security numbers and credit card information. Prior to this breach, hackers had access to employee tax records from April 2016 to March 2017. In March 2021, the U.S. Senate Committee on Homeland Security and Governmental Affairs stated that “Equifax failed to prioritize cybersecurity,” and that after being audited, the company detected over “8,500 known vulnerabilities that had not been patched.” After the breach, the company waited six weeks before notifying the public, leaving usernames and passwords exposed while conducting business as usual.