Watchdog: Secret Service, ICE failed to follow federal statutes in using cell phone tracking devices
Two federal agencies failed to consistently apply court statutes and Department of Homeland Security policies for the use of cell site simulators in law enforcement cases, in part because of insufficient policy guidance, a new report claims.
A new audit by the Department of Homeland Security's inspector general claims that the Secret Service and the investigative arm of the U.S. Immigration and Customs Enforcement did not fully adhere to federal statutes or DHS policies around the use of cell site simulators.
Use of the simulators — which mimic the signals used by cell towers in order to track the phones for law enforcement agencies — require that officials obtain both a search warrant supported by probable cause under the Federal Rules of Criminal Procedure and a court order under the law that governs the use of pen registers and trap and trace devices.
The OIG audit, released Wednesday, found that both Secret Service and ICE Homeland Security Investigations officials did not always obtain court orders related to the Pen Register Statute.
DHS policies governing cell site simulators offer two exceptions to the warrant requirement, including exigent circumstances where "the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice."
The other instance is exceptional circumstances where obtaining a warrant is impractical.
Those exceptions are separate from the Pen Register Statute, which allows a court order exemption under emergency situations such as immediate danger of death or serious bodily injury to any person, an immediate threat to a national security interest or other circumstances.
The emergency circumstances still require that officials apply for a court order within 48 hours of installing, or beginning to install, a cell site simulator. And even when a warrant requirement has been waived, the Pen Register Statute requirements must still be followed.
The report noted both agencies failed to obtain Pen Register Statute court orders in cases with exigent circumstances, in part, because "CSS policies do not include sufficiently detailed guidance on working with external law enforcement agencies" and because officials did not correctly interpret policies related to obtaining a court order within 48 hours of installing a CSS under emergency situations.
"The policies do not provide sufficiently detailed guidance for how to comply with requirements when other entities, such as local law enforcement, are responsible for obtaining the required CSS judicial authorizations," the partially redacted audit said. "According to Secret Service and ICE HSI officials, when providing CSS support to other agencies, they rely on other Federal, state and local law enforcement agencies to obtain required court authorizations."
The audit also found that ICE HSI did not always follow federal statute and DHS policies on privacy.
DHS policies require component agencies to conduct a privacy impact assessment before procuring technology that collects, maintains or disseminates identifiable information, as well as a privacy threshold analysis to help identify when an agency activity involves personally identifiable information.
The audit found that a January 2022 privacy assessment "may not have identified and mitigated the privacy risks associated with CSS use" as required. It also noted that while the agency possessed a PTA approved in April 2015, "it did not have an approved PIA during the FYs 2020 and 2021 investigations using CSS, despite DHS Privacy requiring ICE HSI to submit a new PIA." A new PIA was finally approved on Jan. 24, 2022.
The audit also noted that the Secret Service or ICE HSI did not always have documented support of supervisory approval and data deletion of privacy information collected by a CSS upon mission completion.
The OIG offered six recommendations to develop and implement internal controls around compliance for CSS usage and privacy policies. DHS officials concurred with all six recommendations.