Does ICE Data Surveillance Violate Human Rights Law? The Answer is Yes, and It's Not Even Close

Hinako Sugiyama is an international human rights lawyer and a faculty member at the University of California, Irvine School of Law, where she supervises the work of the International Justice Clinic. Emily Tucker is the Executive Director at the Center on Privacy & Technology at Georgetown Law, where she is also an adjunct professor of law.

On November 3, the United Nations Human Rights Committee released its Concluding Observations on the fifth periodic report of the United States of America, explicitly calling out Immigration and Customs Enforcement (ICE) for surveillance practices that conflict with human rights law. The Human Rights Committee is the independent body that monitors the implementation of the International Covenant on Civil and Political Rights (ICCPR). The ICCPR is the one of only four human rights treaties that the US has ratified, and this is the first time that the Committee has reviewed the US’s compliance with its treaty obligations since 2014.

In its report, the Committee expressed concern that “government agencies, such as Immigration and Customs Enforcement (ICE), resorted to databases of personal information systematically collected by private entities without individuals’ consent, particularly for surveillance purposes and without proper mechanisms for protecting the right to privacy (art 2, 17 and 26).”

ICE’s surveillance practices came up during the October 18 meeting in Geneva as well when a Committee member, Professor Chanrok Soh, expressed concern about the lack of data privacy regulations in the United States, drawing special attention to ICE.

“I’m also concerned that government agencies employ data collection, including from private companies, without protection of the right to privacy,” Soh said. “Reports indicate that ICE has expanded its data sources to include private companies and government agencies with no law enforcement functions, exploiting the absence of data privacy regulations in the state party.”

Professor Soh’s remarks and the Committee’s Concluding Observations respond directly to a report submitted to the Committee last month by the Center on Privacy & Technology at Georgetown Law and the International Justice Clinic at the University of California, Irvine School of Law, arguing that ICE’s dragnet surveillance practices amount to an egregious violation of human rights law, and of US obligations under the ICCPR.

In some cases, evaluating the human rights implications of particular government practices requires careful analysis because of, for example, the evolving nature of the human rights law and because of complex fact patterns. But when it comes to the human rights implications of ICE’s data-intensive surveillance practices, there is little complexity or nuance. As our report to the Committee shows, ICE is engaging in daily, large-scale violations of Article 17 of the ICCPR, which prohibits unlawful or arbitrary interference with the right to privacy, and it’s not even a close case.

Article 17 guarantees the right to privacy as a fundamental human right and requires that any state interference with privacy be proscribed by a specific, accessible law, necessary to pursue a legitimate purpose, and proportionate to that purpose. Article 17 also stipulates that everyone has the right to the protection of the law against privacy violations. Over the last few decades ICE has established a sprawling digital infrastructure through which it amasses sensitive data from hundreds of public and private sources.

In so doing, ICE has failed to meet any of the requirements of Article 17. ICE’s data dragnet is vast and indiscriminate. The agency buys and collects information from every possible source. This includes commercial data brokers, departments of motor vehicles, utility companies, automated license plate reader databases, cell phone location data, social media, welfare records of unaccompanied children, and even foreign law enforcement databases in countries with precarious rule of law, such as El Salvador. ICE then uses a variety of automated analytical tools to process the data. These include things like risk assessment software and facial recognition technology, which have been shown time and again to be rife with inaccuracies and racial bias.

There is no federal statute or regulation authorizing ICE to engage in digital surveillance on such a scale, and no independent oversight of ICE’s surveillance practices to ensure that it complies with domestic civil rights law, let alone human rights law. If ICE has undertaken any analysis of the legality, necessity, or proportionality of its digital surveillance practices under the ICCPR, it has not made that analysis public.

But it is difficult to see how the current extent of ICE’s privacy infringement could be necessary and proportionate to any legitimate state purpose. According to a 2022 report by the Center on Privacy & Technology at Georgetown, ICE has scanned the driver’s license photos of 1 in 3 people, has access to the driver’s license data of 3 in 4 people, tracks the movements of drivers in cities where 3 out of 4 of people in the US live, and has access to the utility records of 3 out of 4 people. And this is only a small subset of the data we know ICE is currently collecting, which -- given ICE’s non-compliance with disclosure requirements about its operations -- is itself most likely a small subset of the data ICE is actually collecting.

Such comprehensive surveillance is not explainable in terms of any specific law enforcement purpose. Rather, ICE’s goal seems to be the creation of an overall surveillance environment in which the agency will be able to use its data infrastructure to further any purpose that might arise for the government at any time in the future. The speculative nature of this purpose is in stark opposition to the necessity and proportionality requirements of the ICCPR.

After expressing his concerns at the meeting, Professor Soh asked the US delegation what measures are in place to ensure that its practices around data collection, sharing, and analysis, comply with the ICCPR. In response, the representative from the Department of Homeland Security (DHS) stated that (1) DHS is currently undertaking a privacy impact assessment (PIA) of ICE’s use of commercial databases, and (2) ICE has instituted a “pause” on the acquisition of new commercial data services. The representative explained that what the “pause” consists of is an apparently brand new requirement that the ICE deputy director approve the acquisition of any new commercial data services in consultation with ICE’s privacy and legal teams.

These two assertions are inadequate to remediate the violation. First, a PIA is a memo issued by an agency’s internal bureaucracy. It doesn’t represent any kind of independent check on ICE’s power, and it does nothing to create or enhance enforceable rights protections. ICE has a track record of failing to follow its own internal standards, resulting in—among other things—endemic abuse and neglect of those in its custody, and the illegal detention or deportation of thousands of U.S. citizens and permanent residents. For an agency with such a record, the promise of a new PIA is worth about as much as a years-late promise that the check is in the mail.

Second, the claim that DHS has “paused” the acquisition of new commercial data services strains the definition of the word. “Pause” means to temporarily stop doing something. But DHS has not temporarily stopped anything. There are in fact several procurement notices from DHS on the federal contracting website expressing the agency’s interest in new data intensive surveillance technologies. Rather, DHS has temporarily started doing something (having its privacy and legal teams review new commercial data systems), which it should have always been doing as the absolute most minimal due diligence.

The Committee’s Concluding Observations include recommendations to the US for improving compliance with the ICCPR. On the right to privacy, the Committee states that the US “should ensure that its surveillance activities…conform to its obligations under the Covenant…and that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under surveillance.” The Committee then emphasizes the importance of Congressional action to protect privacy rights, calling on the US “to adopt and effectively enforce at all levels, through independent, impartial and well-resourced authorities, data privacy legislation for the public and private sectors that complies with international human rights law, including safeguards, oversight and remedies to effectively protect the right to privacy. It should further ensure that those responsible are brought to justice, and if found guilty, punished with appropriate sanctions, and that victims of human rights violations and abuses linked to the use of surveillance systems have access to effective remedies.”

It isn’t news that the US needs comprehensive domestic privacy laws. But human rights law is law. It is law which has been developed over 75 years to protect the human dignity of every person. When it comes to ICE surveillance specifically, the evidence that the government is violating its human rights treaty obligations is overwhelming. In our report to the Committee, we recommended that Congress should investigate ICE’s surveillance practices, consider their implications under the ICCPR, and make its findings public. The Committee’s observations today make clear that this minimal first step is both urgently needed and legally justified.