Border Protection (CBP) released its long-overdue Privacy Impact Assessment (PIA) on Commercial Telemetry Data. CBP defines Commercial Telemetry Data (CTD) as historic location data collected from mobile devices by tracking their advertising IDs (adIDs).
Importantly, CTD can encompass more than just historic location data from smartphones. For example, ICE has been accessing car telemetry data from OnStar, a security system installed in millions of vehicles worldwide. In fact, most car companies sell your data. Arguably, CBP should have a much broader view of what constitutes telemetry data. The Berlin Group, an international working group on data protection, has defined telemetry data more broadly as “data that is collected and transmitted by a device or application on a more or less continual basis. Telemetry data usually consists of information on operational behavior or environmental parameters but may also include elements like location information.” Any connected device can create telemetry data—and where it is created, it is also sold.
Thus, CBP’s PIA has an extremely narrow view of what constitutes CTD—which is no surprise. CBP’s PIA on CTD is extremely vague, years too late, and a complete failure to comply with federal privacy regulations. PIAs are statutorily required by the E-Government Act prior to implementation of any information technology that has privacy implications. But there is a pattern of DHS and its components conducting PIAs after implementing the technology and nonchalantly violating our civil liberties. This PIA is the latest example.