Response to ICE and Homeland Security Investigations Request for Information from Big Data and Ad Tech Providers

 

The Association for Computing Machinery (ACM), with more than 100,000 members worldwide, is the world’s largest educational and scientific computing society. ACM’s U.S. Technology Policy Committee (USTPC) serves as the focal point for ACM’s interaction with all branches of the U.S. government, the computing community, and the public on policy matters related to information technology.

On January 24th, 2025, Immigration and Customs Enforcement (ICE) published a request for information on how companies with “commercial Big Data and Ad Tech” products can “directly support investigations activities.” This effort would go against the best practice of minimizing data collection as a safeguard against misuse. ACM’s USTPC has advocated the importance of preserving personal privacy by instituting recommendations from our Foundational Privacy Principles and Practices.

ICE is effectively asking AdTech and “big data” vendors whether they can provide real-time and historical location/mobility and behavioral data derived from ad ecosystems, and whether that data can be searched by identifiers (name, phone, device/account, location) to identify, target, and develop leads. They also ask about the ability to link people, devices, and locations across large datasets (including transactions/public records), enabling broad tracking and pattern analysis at scale. The unusually short RFI window (Jan 23 to Feb 2) only heightens concerns that the agency is continuing to ramp up surveillance operations without meaningful feedback from experts and civic society advocates, missing an opportunity to engage while also avoiding oversight.

Data collected for advertising should not be repurposed for law enforcement surveillance or tracking [1]. This kind of secondary use of personal data violates contextual integrity [2,3]—the expectation that personal data flows only in ways that are appropriate, normative, and meaningfully consensual for the original context—and it breaches basic data minimization by turning commercially gathered information into a generalized investigative resource.

Even where notice or “consent” is claimed somewhere in the ad-tech supply chain, that does not make downstream government monitoring appropriate or proportionate; it is functionally an end-run around law, judicial oversight, and due process, transforming consumer data into a tool for tracking and enforcement while inevitably sweeping in non-targets, including U.S. citizens and lawful residents.

This RFI is a reminder that data minimization must be the default: collect and retain only what is strictly necessary, reduce or eliminate PII wherever possible, and discard data that isn’t essential. Data stewards, brokers, and AdTech vendors should refuse to partner with ICE/DHS for surveillance uses and instead adopt the guardrails described in ACM’s Foundational Privacy Principles and Practices, including short retention, strict purpose limits, and strong de-linking, so commercially gathered data cannot be repurposed into a tracking tool. Normalizing these pipelines is not just a civil-liberties problem; it’s also a national-security risk: if this kind of location and identity linkage can be bought and operationalized here, it can be bought and abused by others as well. Moreover, it creates a single point of compromise: if these data are collected and aggregated by one entity (DHS/ICE), a compromise of that entity would compromise the personal data of all involved.

References:

  • [1] Rahbar, D. H. (2022). Laundering Data: How the Government’s Purchase of Commercial Location Data Violates Carpenter and Evades the Fourth Amendment. Colum. L. Rev., 122, 713.
  • [2] Nissenbaum, Helen. “Privacy as contextual integrity.” Wash. L. Rev. 79 (2004): 119.
  • [3] Lee, H. P. H., Logas, J., Yang, S., Li, Z., Barbosa, N., Wang, Y., & Das, S. (2023, May). When and why do people want ad targeting explanations? Evidence from a four-week, mixed-methods field study. In 2023 IEEE Symposium on Security and Privacy (SP) (pp. 2903-2920). IEEE.

PDF available here.

Members help shape the Committee’s action agenda, author its official Statements and other materials shared with policy makers and the public, and spot emerging issues on which the Committee might engage. Join USTPC today!