404 Media

2025-09-30 21:46:34

ICE to Buy Tool that Tracks Locations of Hundreds of Millions of Phones Every Day

Immigration and Customs Enforcement (ICE) has bought access to a surveillance tool that is updated every day with billions of pieces of location data from hundreds of millions of mobile phones, according to ICE documents reviewed by 404 Media.

The documents explicitly show that ICE is choosing this product over others offered by the contractor’s competitors because it gives ICE essentially an “all-in-one” tool for searching both masses of location data and information taken from social media. The documents also show that ICE is planning to once again use location data remotely harvested from peoples’ smartphones after previously saying it had stopped the practice.

Surveillance contractors around the world create massive datasets of phones’, and by extension people’s movements, and then sell access to the data to government agencies. In turn, U.S. agencies have used these tools without a warrant or court order.

“The Biden Administration shut down DHS’s location data purchases after an inspector general found that DHS had broken the law. Every American should be concerned that Trump's hand-picked security force is once again buying and using location data without a warrant,” Senator Ron Wyden told 404 Media in a statement.

💡
Do you know anything else about this contract or others? Do you work at Penlink or ICE? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

The ICE document is redacted but says a product made by a contractor called Penlink “leverages a proprietary data platform to compile, process, and validate billions of daily location signals from hundreds of millions of mobile devices, providing both forensic and predictive analytics.” The products the document is discussing are Tangles and Webloc.

Forbes previously reported that ICE spent more than $5 million on these products, including $2 million for Tangles specifically. Tangles and Webloc used to be run by an Israeli company called Cobwebs. Cobwebs joined Penlink in July 2023.

The new documents provide much more detail about the sort of location data ICE will now have access to, and why ICE chose to buy access to this vast dataset from Penlink specifically.

“Without an all-in-one tool that provides comprehensive web investigations capabilities and automated analysis of location-based data within specified geographic areas, intelligence teams face significant operational challenges,” the document reads. The agency said that the issue with other companies was that they required analysts to “manually collect and correlate data from fragmented sources,” which increased the chance of missing “connections between online behaviors and physical movements.”
A screenshot from the document.
ICE’s Homeland Security Investigations (HSI) conducted market research in May and June, according to the document. The document lists two other companies, Babel Street and Venntel, which also sell location data but which the agency decided not to partner with.

404 Media and a group of other media outlets previously obtained detailed demonstration videos of Babel Street in action. They showed it was possible for users to track phones visiting and leaving abortion clinics, places of worship, and other sensitive locations. Venntel, meanwhile, was for some years a popular choice among U.S. government agencies looking to monitor the location of mobile phones. Its clients have included ICE, CBP, and the FBI. Its contracts with U.S. law enforcement have dried up in more recent years, with ICE closing out its work with the company in August, according to procurement records reviewed by 404 Media.

Companies that obtain mobile phone location data generally do it in two different ways. The first is through software development kits (SDKs) embedded in ordinary smartphone apps, like games or weather forecasters. These SDKs continuously gather a user’s granular location, transfer that to the data broker, and then sell that data onward or repackage it and sell access to government agencies.

The second is through real-time bidding (RTB). When an advert is about to be served to a mobile phone user, there is a near instantaneous, and invisible, bidding process in which different companies vie to have their advert placed in front of certain demographics. A side-effect is that this demographic data, including mobile phones’ location, can be harvested by surveillance firms. Sometimes spy companies buy ad tech companies out right to insert themselves into this data supply chain. We previously found at least thousands of apps were hijacked to provide location data in this way.

Penlink did not respond to a request for comment on how it gathers or sources its location data.
playlist.megaphone.fm?p=TBIEA2…
Regardless, the documents say that “HSI INTEL requires Penlink's Tangles and Weblocas [sic] an integral part of their investigations mission.” Although HSI has historically been focused on criminal investigations, 90 percent of HSI have been diverted to carry out immigration enforcement, according to data published by the Cato Institute. Meaning it is unclear whether use of the data will be limited to criminal investigations or not.

After this article was published, DHS Assistant Secretary Tricia McLaughlin told 404 Media in a statement “DHS is not going to confirm or deny law enforcement capabilities or methods. The fact of the matter is the media is more concerned with peddling narratives to demonize ICE agents who are keeping Americans safe than they are with reporting on the criminals who have victimized our communities.” This is a boilerplate statement that DHS has repeatedly provided 404 Media when asked about public documents detailing the agency’s surveillance capabilities, and which inaccurately attacks the media.

In 2020, The Wall Street Journal first revealed that ICE and CBP were using commercially smartphone location data to investigate various crimes and for border enforcement. I then found CBP had a $400,000 contract with a location data broker and that the data it bought access to was “global.” I also found a Muslim prayer app was selling location data to a data broker whose clients included U.S. military contractors.

In October 2023, the Department of Homeland Security (DHS) Inspector General published a report that found ICE, CBP, and the Secret Service all broke the law when using location data harvested from phones. The oversight body found that those DHS components did not have sufficient policies and procedures in place to ensure that the location data was used appropriately. In one case, a CBP official used the technology to track the location of coworkers, the report said.

The report recommended that CBP stop its use of such data; CBP said at the time it did not intend to renew its contracts anyway. The Inspector General also recommended that ICE stop using such data until it obtained the necessary approvals. But ICE’s response in the report said it would continue to use the data. “CTD is an important mission contributor to the ICE investigative process as, in combination with other information and investigative methods, it can fill knowledge gaps and produce investigative leads that might otherwise remain hidden. Accordingly, continued use of CTD enables ICE HSI to successfully accomplish its law enforcement mission,” the response at the time said.

In January 2024, ICE said it had stopped the purchase of such “commercial telemetry data,” or CTD, which is how DHS refers to location data.

Update: this piece has been updated with a statement from DHS.

ICE says it’s stopped using commercial telemetry data

Spokesperson for Immigration and Customs Enforcement tells FedScoop that the agency is no longer using commercial telemetry data, but regulations are still scant.

^{Rebecca Heilweil (FedScoop)}