The big problem with privacy is that once you relinquish some of it, you never get it back. What makes it worse is when those who are supposed to protect your rights choose to undermine them. When they do so, they eat away at the thin protections we should all enjoy in the digital age.
These are some of the reasons to be so concerned to learn from a newly released US Department of Homeland Security report that multiple US government agencies illegally used smartphone location data, breaching privacy regulations as they did. To do this, they purchased smartphone location data, including Advertising Identifiers (AdIDs) from data brokers that had been harvested from a wide range of apps.
(There’s a useful article explaining how to disable AdID on Android and iOS devices at the EFF.org.)
The agencies that have indulged in this include:
US Secret Service
US Customs and Border Protection (CPB)
US Immigration and Customs Enforcement (ICE)
As noted by 9to5Mac, Homeland Security has made available a redacted version of a previously classified report that reveals three separate US agencies broke the law in this way. It finds that the three agencies did not adhere to protections laid down in the E-Government Act of 2002 and the Homeland Security Act of 2002.
The report says the agencies:
“Did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance. Without a PIA in place, privacy risks may not be identified and mitigated.”
We don’t know precisely how the agencies then used this information, as much of the document that has been made available is redacted.
One use that is referred to, however, is combining the location data with other information to match an AdID to a specific person. This kind of information opens a person’s digital existence like a book, as Apple so well explained.
The initial report made eight specific recommendations it required the agencies to take to help prevent such disregard of privacy in the future. The redacted report confirms that three have not yet been met.
The report implies at least one agency continues to use commercial telemetry data even though privacy impacts have not been completed.
But the other two recommendations that the report confirms have not been enacted are worse, as they point to a culture in which privacy considerations are ignored:
“We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
“We recommend that the Chief Privacy Officer, DHS Privacy Office include a…
2023-10-06 23:00:04
Original from www.computerworld.com