High Tech Surveillance of Immigrants

January 2019

The High Tech Surveillance of Immigrants category focuses on companies that supply the U.S. Department of Homeland Security (DHS) with the technologies that undergird its high-tech surveillance apparatus, including the database and case management tools that Immigration and Customs Enforcement (ICE) uses to identify and track targets, the cloud infrastructure that powers these data systems, biometric collection and matching technologies, and the data brokerage services that mine public and digital records and sell personally identifiable information to DHS. These technologies expand the reach of immigration enforcement by enabling ICE to accumulate, query, and mine large amounts of biographic, biometric, and personal data for the purposes of identifying, monitoring, and targeting immigrants for deportation and removal.

This section of the database relies extensively on an August 2018 report published by Mijente, the National Immigration Project, and the Immigrant Defense Project and researched by Empower LLC titled, “Who’s Behind ICE? The Tech Companies Fueling Deportation.

A distinguishing feature of high-tech surveillance is what the American Civil Liberties Union (ACLU) has described as a “growing network of interconnected databases that together are drawing in more and more information.” As a result of information-sharing agreements, ICE has access to data collected and stored by other federal and sub-federal law enforcement agencies, which it can then use to identify targets and initiate deportation proceedings. For example, under the Secure Communities program - which President Trump reactivated by Executive Order in January 2017 - when an individual is arrested and booked by a state or local law enforcement agency, his or her fingerprints are automatically sent to the FBI’s Next Generation Identification (NGI) database, which then shares this information with the central DHS biometric database. By making any immigrant who interfaces with the criminal justice system - including those who are wrongfully arrested, arrested but never charged, low-level offenders, and crime victims or witnesses - automatically visible to ICE, information-sharing initiatives like Secure Communities vastly expand the deportation dragnet.

As a result of information-sharing agreements, ICE has access to the records of thousands of local, state, and regional law enforcement agencies. Many sanctuary jurisdictions that prohibit municipal employees and law enforcement from aiding federal immigration officials may still be feeding mission-critical information to ICE. In fact, regional and local data systems often contain granular data points such as alleged gang affiliations, tattoos, associates, and hangout spots that do not make it into federal databases and that help ICE carry out raids and build cases for prosecution.

Databases

The central DHS-wide database for storing information on immigrants is the Automated Biometric Identification System (IDENT). Designed in 1994, IDENT is used to store, match, process, and share biometric and biographic information.

Due to recent advancements in biometric capture devices and the Obama administration’s push to expand intelligence systems aimed at immigrants, IDENT doubled in size between 2011 and 2018. It has grown into the largest biometric repository in the U.S, containing unique identity records for 230 million people and processing on average 350,000-400,000 transactions per day. The database contains biometric information such as fingerprints, palm prints, facial images, and iris scans; biographic information; and an “IDENT watchlist” enumerating persons of interest to DHS such as alleged and known sex offenders, gang affiliated persons, deported felons, immigration violators, and those with criminal histories. At a minimum, IDENT contains biometric information on travelers entering and exiting the U.S; visa, refugee, and asylum applicants; naturalized citizens; and immigrants who have interfaced with the criminal justice system. DHS agencies, the Department of State, the Department of Defense (DOD), foreign governments, and local, regional, and state law enforcement all contribute data to and query IDENT. IDENT is also interoperable with the FBI’s Next Generation Identification database and the DOD’s Automated Biometric Identification System (ABIS). General Dynamics, through its subsidiary CSRA, provides operations and maintenance support for IDENT.  
 
IDENT will be replaced with a new biometric database called Homeland Advanced Recognition Technology (HART). This system will be built by Northrop Grumman, which was awarded a $95 million contract in February 2018 to develop phase 1 and 2 of the project. HART can be scaled quickly, and will have the capacity to store at least 500 million unique identities and support at least 720,000 daily transactions. It will perform multi-modal processing and matching using at least seven types of biometric identifiers, including fingerprints, iris scanning, DNA, facial and voice recognition, scars and tattoos, and a blanket category for “other modalities.” NEC Corporation will provide face and iris matching algorithms for HART, while Gemalto will provide fingerprint matching technology. Privacy groups have raised concerns around DHS’s lack of transparency regarding the information that will be collected in HART, as well as the dangers of building out a massive database of facial images. As of November 2018, the first phrase of HART is scheduled to be operational by April 2019.

Case Management Software

In addition to using databases to store and find information about immigrants, ICE uses case management software to discover and investigate targets and build cases for prosecution. In 2014, Palantir was awarded a $51.6 million contract to replace ICE’s legacy information sharing and case management platform, called TECS.  The new system, which is currently in use by ICE, is called Investigative Case Management (ICM) and enables ICE agents to create and manage case files by searching and retrieving information from a range of databases internal and external to DHS. According to a Privacy Impact Assessment filed by DHS, ICM is the “core law enforcement case management tool” used by ICE’s Homeland Security Investigations (HSI). HSI is primarily tasked with investigating serious cross-border crimes like human trafficking, but has also spearheaded workplace raids and provides intelligence support to ICE Enforcement and Removal Operations (ERO), the division responsible for deporting immigrants. ERO personnel use ICM to manage criminal immigration cases and to query the system for information that will assist their civil immigration cases. The Privacy Impact Assessment also states that ICE’s Office of the Principal Legal Advisor also uses ICM to represent the agency in “exclusion, deportation, and removal proceedings.”
 
ICE uses ICM in tandem with another information management system called FALCON-SA, also built by Palantir. FALCON-SA is a link-analysis software that searches, analyzes, and visualizes data ingested from ICM to help agents identify connections and patterns and to produce intelligence reports in support of criminal and civil immigration investigations. From 2013 to 2018, Palantir received $52.5 million for the development, operation, and maintenance of FALCON-SA (see here, here, and here). In November 2018 it was awarded a one-year contract for FALCON-SA services worth potentially $42.3 million.

Through information sharing agreements, ICE also has access to data systems maintained by local, regional, and state law enforcement agencies through its Law Enforcement Information Sharing Service (LEISS). There are a number of database and case management platforms used by sub-federal law enforcement agencies and queried by ICE, including COPLINK, Palantir Law Enforcement, and LinX. These are built and operated by Forensic Logic, Palantir, and Northrop Grumman, respectively.

Cloud and Data Center Services

DHS relies on a combination of enterprise data centers and commercial cloud providers to power the massive databases and case management tools it uses to track, monitor, and deport immigrants.

Beginning in 2008, DHS began to migrate most of its systems to two main data centers in Stennis, Mississippi and Clarksville, Virgina. The first was set up and operated by CSC Government Solutions (now CSRA/General Dynamics), and the second by Electronic Data Systems (now DXC Technology). Customs and Border Protection (CBP) maintains a separate data center in Springfield, Virginia. In 2017, Accenture was awarded a contract worth $307 million to provide data center services at all three facilities.

In May 2018, DHS CIO John Zangardi noted that 29 DHS applications are hosted in the cloud and another 70 are being migrated to the cloud as part of a “multi-cloud” strategy using various providers. According to Zangardi, the two immigration enforcement agencies CBP and ICE, have been the quickest to move their systems to the cloud. It is difficult to discern which cloud providers host data systems that are implicated in immigrant surveillance and enforcement, since cloud service contracts are usually awarded through third-party IT firms that may or may not disclose the cloud providers they partner with. However, as of January 2019 only four cloud providers are authorized with DHS and have the “high-level” security authorization reserved for the kind of sensitive data contained in DHS databases and case management software: Amazon (AWS GovCloud), Microsoft (Azure Government), Oracle (Government Cloud-Common Controls), and General Dynamics (CSRA/ARC-P Cloud). Of these, Amazon has 110 authorizations compared to 26 for Microsoft, 16 for General Dynamics, and 11 for Oracle.

Several companies have contracts to migrate ICE’s TECS Modernization Program, of which ICE’s primary case management software ICM is a central component, to AWS GovCloud. Both Booz Allen Hamilton and Prizum (d.b.a. IntegrityOne Partners) have TECS Modernization contracts through May 2019 dating from at least June 2018 and March 2017, respectively. Palantir, the developer of ICM, reportedly pays Amazon approximately $600,000 a month for use of its servers. The central DHS database IDENT is hosted on the AWS GovCloud and its replacement HART will be cloud-based. Amazon also provides cloud storage for the Student and Exchange Visitor Information System (SEVIS), a database that ICE agents can access through ICM to build cases for prosecution.

Biometrics Collection and Matching Technologies

To complement the biographic and personally identifiable information obtained from data brokers, ICE and DHS have placed a major emphasis on the development and use of biometrics. Biometrics refers to the capture and conversion of an individual’s intrinsic physical and behavioral characteristics into precise, digitized measurements for the purposes of identification and identity verification.  Biometric identifiers include fingerprints, iris, face, palm prints, gait, voice, and DNA.
 
Privacy and immigration advocates have sounded the alarm on biometric systems for a number of reasons. First, there are numerous sources of uncertainty and variation in biometric systems, including but not limited to variation within persons; sensor calibration and performance; differences in feature extraction, matching algorithms, and comparison scoring mechanisms; and data integrity. Accuracy issues and failure rates within ICE’s biometric processing and matching systems can lead to misidentification, unwarranted arrest, and deportation. A lawsuit brought by the ACLU in 2013 takes issue with the Secure Communities program and charges that ICE’s reliance on interoperable databases and faulty fingerprint matching technology has resulted in immigrants without criminal histories, legal immigrants, and naturalized U.S. citizens being wrongly targeted for removal. Research by the U.S. GAO, the ACLU, and MIT Media Lab have shown that facial recognition technology in particular is more likely to misidentify people of color as targets, which can lead to racial profiling and wrongful targeting by ICE. Second, biometric systems can easily become tools of mass surveillance given that certain biometric identifiers like facial recognition can operate a distance, without an individual’s consent, knowledge, or cooperation. As ICE moves towards databases that combine multimodal biometrics with geo-location tracking technologies and biographic and personal information, constant mass surveillance of immigrants might become the norm. Third, with the proliferation of data-sharing agreements, biometric databases containing information on migrants are being linked together and used for different purposes, turning databases created for reasons unrelated to immigration enforcement into intelligence files used by ICE. For example, ICE has relied on DMV's use of facial recognition software to identify and locate targets.
 
Both ICE and CBP collect biometric data in the field for immigration enforcement purposes. ICE field agents gather biometric information while carrying out investigations and enforcement operations. ICE collects biometric data on not only those it is targeting for arrest, but also on “collateral” subjects it encounters during the course of an operation. Meanwhile, CBP engages in biometric data collection during enforcement operations and at border crossings and ports of entry as part of its Biometric Entry-Exit program.

The biometric information gathered by ICE and CBP are loaded into DHS’s two main biometric databases, EID and IDENT (soon to be HART). Tokyo-based NEC Corporation currently provides face and iris matching algorithms for IDENT, while Netherlands-based Gemalto provides fingerprint matching algorithms. Both companies will continue providing these technologies for the first two developmental phases of HART, the DHS biometric database set to replace IDENT. ICE agents in the field use NEC’s NeoScan mobile fingerprint device, as well as a mobile application called EDDIE developed by Wexler Technical Solutions to take fingerprints and photographs and scan them against databases instantaneously. ICE offices in Dallas, Houston, and San Antonio were found to be experimenting with installing covert surveillance cameras in streetlights.

In 2016, CBP awarded Unisys a $229.7 million contract to implement biometric checks at U.S. ports of entry and exit. Prior to the 2016 contract, Unisys worked with CBP to deploy automated license plate reader technology to screen vehicles crossing the border and radio frequency identification technology to confirm the identity and immigration or citizenship status of travelers. Unisys has also been instrumental in building CBP’s Travel Verification Service (TVS), a cloud-based program that uses facial recognition and biometric matching technologies to verify the identities of air travelers. The program works like this: Prior to boarding an aircraft, a traveler’s photograph is matched to a gallery of photos maintained by DHS and the State Department. The traveler’s citizenship or immigration status is also checked against various DHS and intelligence databases. If there is no match and the traveler is found to be undocumented, a criminal alien, or have been served a deportation order, he or she is subject to enforcement by CBP or ICE. In cases where the traveler is permitted to board the outgoing plane, CBP can use a mobile device to collect his or her biometrics. If in the future the traveler tries to return to the U.S. or is encountered illegally crossing the border, his or her biometrics will be verified against DHS databases and an alert will be dispatched to immigration enforcement authorities. NEC Corporation provides facial recognition algorithms for TVS, and TVS appears to be hosted on Amazon Web Services. Airlines including JetBlue and Delta, airports, and cruise line operators participate in the Biometric Exit program and are responsible for procuring, operating, and maintaining the front-end biometric capture devices that interface with TVS. As of August 2018, TVS facial recognition matching had been piloted at 14 airports, with CBP intending to scale the program to all U.S. international airports.
 
Because of data sharing agreements that enable DHS to access biometric information collected and maintained by other federal agencies and local, regional, and state law enforcement, the companies that supply biometric technologies to these agencies are also implicated in immigrant surveillance. France-based IDEMIA provides finger and palm print, facial recognition, and iris matching technology for the FBI’s Next Generation Identification (NGI) biometric database, which under the Secure Communities program automatically sends arrested persons’ fingerprints to DHS. Three companies - NEC Corporation, Gemalto, and IDEMIA - hold the lion’s share of contracts with state and local law enforcement agencies for Automated Fingerprint Identification Systems. Major law enforcement agencies, including the LA County Sheriff’s Department, use biometric technologies and mobile capture devices manufactured by Gemalto, NEC Corporation, and the privately-held company DataWorks Plus. ICE agents can access biometric information collected by sub-federal law enforcement through NGI and other information-sharing platforms such as the Law Enforcement Information Sharing Service (LEISS).

Major tech companies are starting to actively market facial recognition software to law and immigration enforcement agencies. In the summer of 2018, Amazon Web Services pitched ICE on its real-time facial recognition surveillance technology called Rekognition. In a January 2018 company blog post, Microsoft claimed that its Azure cloud software enabled ICE to “process data on edge devices or utilize deep learning capabilities to accelerate facial recognition and identification.” In response to public and employee outrage, Microsoft walked back the statement and said that the ICE contract in question was not being used for facial recognition.

Data Brokers

Data brokers collect, repackage, or aggregate information about consumers and civilians from a wide variety of sources for the purposes of reselling it to ICE and CPB. A data broker is also known as an information broker, information reseller, data aggregator, or information solution provider.

In September 2017, DHS announced that it would collect and study social media data on all immigrants, including non-criminals and legal aliens. DHS’s spending on social media mining software reached $24.6 million in 2017, three times what it was in 2013. One company that helps DHS collect and analyze social media information is Giant Oak, a private firm that specializes in finding “the people behind the data” to “identify illicit actions, actors, and networks,” according to its website. Through its deep web search engine Giant Oak Search Technology (GOST), Giant Oak has been providing social media data mining services to ICE since at least 2014 with contracts totaling nearly $45 million. In 2018, the company received three ICE contracts worth $2.7 million for “social media data analytics.” GOST scrapes public indices and social media sites to extract biographic and geo-location information on individuals. It sweeps parts of the Internet that are not indexed by mainstream search engines like Google, and its sophisticated search capability uses machine learning to determine less-than-obvious keywords that can signal an individual’s criminal activities or immigration status. In 2016, ICE’s Homeland Security Investigations admitted to using GOST to identify visa violators. The CEO of Giant Oaks Gary Shiffman previously worked on Nexus 7, a controversial war-zone surveillance project used by the U.S. military in Afghanistan that mined big data to gather “population-centric, cultural intelligence.” Data Mining International, Pen-Link, and Akira Technologies are some of the other companies that have won DHS contracts for social media vetting.
 
Two subsidiaries of Thomson Reuters, Thomson Reuters Special Services and West Publishing Corporation, are also involved in ICE’s data gathering apparatus. In February 2018, TRSS, the U.S. subsidiary of Thomson Reuters, signed a $6.7 million contract with ICE’s Detention Compliance and Removal office for a “continuous monitoring and alert service that provides real-time jail booking data to support the identification and location of aliens.” In addition to providing real-time information and jail booking, the new system will be capable of tracking 500,000 identities per month and and will catalog arrested persons’ vehicle registration information, insurance claims, credit history, payday loans, public court records, employer records, wire transfers, and Taxpayer Identification Numbers. Through its CLEAR (Consolidated Lead Evaluation and Reporting) service,  West Publishing Corporation provides law enforcement agencies access to a vast database of public and proprietary information, including utilities data, DMV records, real property data, professional licenses, criminal and court records, healthcare provider content, consumer and credit bureau data, real-time incarceration and arrest records, business data, data from social networks, chatrooms, and blogs, and live access to over 7 billion license plate detections. West Publishing Corporation has over $46 million in current potential contracts with ICE’s Homeland Security Investigations for CLEAR services (see here and here). CLEAR is designed to interface and be compatible with Palantir’s FALCON analytics program in order to make it easier for ICE to “narrow in and locate persons and assets of interest.”

Thomson Reuters also provides ICE’s Enforcement Removal Operations access to its license plate reader database, a service it contracts through Vigilant Solutions. Vigilant is a leading supplier of the license plate recognition information fed into ICE-accessible databases. Automated license plate readers (ALPRs) are high-speed, computer-controlled camera systems that are mounted on street poles, street lights, highway overpasses, or police squad cars that automatically capture all license plate numbers that come into view, along with location and timestamp data. ALPR data can assist in immigration raids by enabling ICE officials to map immigrants’ travel patterns and schedules, their home and work addresses, and their social networks. In December 2017, ICE signed a contract with Vigilant to gain access to its commercial license-plate reader database, which has more than 2 billion records. The commercial database is populated with data collected by repossession and towing companies, which connect license-plate readers to their vehicles to scan plates on cars that they pass by, along with location and timestamp data. Vigilant also has contracts with local, county, and state law enforcement agencies, which share data with ICE and other DHS partners. A January 2018 analysis by the Electronic Frontier Foundation found that over a dozen California law enforcement agencies share ALPR data with ICE through their Vigilant Solutions account.

In 2018, ICE awarded a $2.4 million no-bid follow-up contract to privately owned Pen-Link for a proprietary telecommunications analysis and intercept software suite. The software mines and analyzes telecommunications and geolocation data, including but not limited to call detail records, cell site usage, email accounts, precision location pings, social media, SMS/texts, and smartphone messaging services such as WhatsApp. Pen-Link also collects wiretap intercepts in real-time for tracking and live monitoring. The $2.4 million contract is part of a larger 4-year contract with ICE through 2022 worth potentially $10 million.