Revealed: the contentious tool US immigration uses to get your data from tech firms
The US Immigration and Customs Enforcement Agency (Ice) sent tech giants including Google, Twitter and Meta at least 500 administrative subpoenas demanding sensitive personal information of users, documents reviewed by the Guardian show.
The practice highlights the vast amount of information Ice is trying to obtain without first showing probable cause. Administrative subpoenas are typically not court-certified, which means companies are not legally required to comply or respond until and unless a judge compels them to. The documents showed the firms handing over user information in some cases, although the full extent to which the companies complied is unclear.
It further highlights how broad of a net Ice is casting in its surveillance of migrants.
“When Ice gets subscriber data from Google or from Instagram they can combine that information with billions of other data points on hundreds of millions of US residents that they get access to from other companies,” said Hannah Lucal, data and tech fellow at Just Futures Law, one of the organizations that obtained the documents.
“While perhaps sounding benign or like a legal tool, administrative subpoenas are actually enabling very invasive Ice surveillance, not only of someone that the agency is targeting, but potentially also of anyone who might be communicating with that person on these tech platforms,” Lucal said.
The documents, which detail requests between 2018 and 2021, show most demands were related to the agency’s immigration enforcement efforts. A handful of cases were related to human smuggling and one was part of a murder investigation.
In the vast majority of cases, Ice demanded the companies hand over account information such as a person’s IP address over time and payment details.
In a few cases, the agency went much further, the documents show. In one instance, Ice asked Google for the account details behind Migrant Media, a YouTube channel that focused on and shared resources about migrant issues. In the subpoena, an Ice officer said the agency was seeking the names, addresses, screen names, payment and bill-face information “and any and all IP addresses associated w/ the YouTube page” as part of an ongoing “investigation or inquiry related to the enforcement of US immigration laws”. The subpoena did not provide any additional details on the nature of the inquiry. In another case, Ice asked Facebook for any location information associated with one account. And in yet another, Ice asked Facebook for “all public content photos, videos, wall posts, subscriber information and replies” associated with one user’s account. Documents show Ice also asked Facebook for geolocation information associated with an account.
Google said it has a “rigorous process designed to protect people’s privacy”, including when it comes to Ice administrative subpoenas. “We examine requests closely for legal validity and constitutional concerns such as overbreadth,”company spokesperson Christa Muldoonsaid in a statement. “We will notify users when a request has been made about their account and have a long track record of pushing back against inappropriate demands for user data, objecting to some entirely.”
Meta said it responds to, and carefully reviews, requests for data in accordance with the law and its terms of service, according to spokesperson Erin McPike. Twitter and Ice did not provide comment by the time of publication.
The non-court ordered requests are just one tool in Ice’s vast arsenal of surveillance systems the agency uses to monitor migrants, according to Lucal.
Ice also purchases user information from data brokers as a mechanism to get around sanctuary policies, which restrict local law enforcement agencies from cooperating with Ice. And it spends billions of dollars to contract with a private prison corporation to track migrants in the US using ankle monitors and facial-recognition apps. The Department of Homeland Security, Ice’s parent agency, also contracts with companies that help analyze and collect information from social media platforms.
It’s not clear how often tech companies give Ice information in response to administrative subpoenas. There’s been historically little transparency into how often Ice is issuing these types of requests to tech companies.
Just Futures Law and Boston University obtained the documents after suing Ice for not responding to its public records request. “We don’t know whether [these documents] represent every administrative subpoena that Ice submitted during that time period to these companies, but we do know that Ice overall has a consistent practice of using administrative subpoenas as a tool to seek access to personal information from a huge array of companies,” Lucal said.
The companies’ transparency reports, which detail the number of government requests for user data they receive, show that they respond to the vast majority of law enforcement requests for user information with some level of data. Google, for instance, handed over data in response to 85% of more than 55,000 requests they received in the first half of 2022. “It’s in their best interest to maintain good relationships with government agencies,” Lucal said.
But tech firms don’t break out how many of the tens of thousands of requests they field and respond to every six months are Ice administrative subpoenas.
The documents show tech companies responded, in some cases, with some level of data. In one case, Google handed Ice details of a user’s message and call history in response to an administrative subpoena. In another case, Twitter handed over the name and other personal details of a user in response to a request for all the account information behind a specific Twitter handle.
“In some ways part of what this reveals is the lack of transparency about what is actually happening,” said Sarah Sherman-Stokes, the associate director & clinical associate professor of Immigrants’ Rights and Human Trafficking Program at Boston University School of Law. “We know that at least 500 administrative subpoenas were issued but we don’t have great information about what happened after that.”
Some of the administrative subpoenas, the documents show, came with gag requests, or requests not to disclose to the account owner that their user information was being shared with Ice. In at least one case, the administrative subpoena came with an indefinite gag request, which means that it’s possible a person whose information was handed over to Ice through a request like this would never be notified.
In the exceptional case a person is notified before a tech company hands over their data to Ice, they’re given very little opportunity to fight it off. When possible, a tech firm will notify the user that their information is being requested and in some cases give them as little as seven days to hire a lawyer and file a request to quash the subpoena. In the case of administrative subpoenas, Sherman-Stokes points out, the company could instead just decline to respond.
“It’s confirmation of something that we suspected, but should be troubling to us which is that big tech is increasingly complicit with Ice’s expanding surveillance, detention and deportation regime,” Sherman-Stokes said. “Despite these subpoenas not being legally binding, big tech seems very ready and willing to open their doors to disclose our personal and really highly sensitive information.”
The revelations also come as there are renewed efforts by lawmakers and activists to secure data privacy protections in the aftermath of the reversal of Roe v Wade. But many of those efforts are narrowly focused on reproductive and health data and do little to protect those seeking abortions or the many marginalized groups who have been historically targeted by law enforcement through requests for their user information.
“Communities who are most targeted and criminalized, including Black and brown and immigrant communities are basically exempted from privacy protections because so many of these conversations focus on data privacy as something that you “deserve” based on what you’re doing and who you are – not based on this idea that our data is ours,” Lucal said. “We should have a say over who gets access to [our data] and how it is used and whether it is monetized.”