The Washington PostDemocracy Dies in Darkness

Utility giants agree to no longer allow sensitive records to be shared with ICE

The records had been used to hunt immigration violations. Advocates cheer the closing of a ‘dangerous’ loophole.

U.S. Immigration and Customs Enforcement officers detain a man in California in 2019. (Gregory Bull/AP)
6 min

A nationwide group of utility companies that provided sensitive data from millions of Americans’ cable, phone and power bills to U.S. Immigration and Customs Enforcement and other government agencies has agreed to end the practice in response to concerns the information was being misused.

After The Washington Post revealed ICE’s use of the data in February, Sen. Ron Wyden (D-Ore.) pushed the National Consumer Telecom & Utilities Exchange to end the sale of more than 170 million people’s names, home addresses, Social Security numbers and other details gathered from companies that provide the essential elements of modern life.

The exchange had given the information, known as utility header data, to the credit bureau Equifax, which then sold it for use in databases, such as Thomson Reuters’s CLEAR, that are searched by private investigators, government agencies and the police.

In October, the exchange directed Equifax to stop selling new data, Wyden said in a letter Wednesday to the Consumer Financial Protection Bureau, the government agency charged with protecting consumer interests. Customer data from before October, however, remains available for review.

ICE investigators used a private utility database covering millions to pursue immigration violations

Wyden, a longtime critic of government surveillance, called on the CFPB to further rein in a data-broker industry that he said had spun “out of control” in part because of “vague and undefined regulations.” He urged the agency to aggressively investigate how data gathered for commercial purposes was ending up in the hands of law enforcement without court approval or oversight.

“Selling personal information that people provide to sign up for power, water and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” Wyden wrote. “… The personal privacy of hundreds of millions of people should not depend upon the goodwill of corporations worried about negative headlines.”

The change marked a rare victory in the effort to rein in the use of private databases by government agencies seeking to gather personal information they would not be allowed to collect without a court order.

Government authorities have used private databases of cellphone location records, license plate reader sightings and facial recognition scans to pursue or investigate people without a warrant.

The NCTUE told The Post in a statement that it had “worked with its members to end the practice of licensing members’ header data to third parties. We’re committed to following the law and we routinely revisit our policies and practices to strike the right balance between consumer privacy and those seeking credit.”

The NCTUE has said it shares consumers’ data among member companies so they can better assess people’s payment histories and creditworthiness. But in his letter, Wyden said some of the utility companies “had no idea that their customers’ data was being sold” by Equifax “without consumers’ knowledge or consent.”

ICE holds growing numbers of immigrants at private facilities despite Biden campaign promise to end practice

Equifax, one of America’s three major credit-reporting bureaus, said in a statement that NCTUE had for years allowed it to license the data “for law enforcement purposes in compliance with all laws.” The company said the change would “hinder our efforts to expand access to credit and protect against fraud.” NCTUE said it does not have a similar data-sharing arrangement with the other two credit bureaus, Experian and TransUnion.

The data was bundled and sold for use in databases like CLEAR, an “investigation software” service that Thomson Reuters offers via subscriptions to police departments, law firms and government agencies such as ICE, which has paid tens of millions of dollars to access the data.

ICE did not respond to requests for comment. The agency has previously declined to comment on its “investigative techniques.”

The information, which people often submitted in applications or other filings with their local utility companies, could be used to track where a person lived, where they had moved from, whom they had lived with and other details.

Jacinta González, a senior campaign organizer at the Latino civil rights group Mijente, said the change was a “huge step in the right direction” and said some of the people her group has worked with have “legitimately been asking and worried about this.” Most, she said, did not realize that information would be made available to federal agents and the police.

Gonzalez said “ICE and other agencies use data brokers as a way to go around the Fourth Amendment,” the portion of the Constitution that protects against unreasonable searches and seizures. “Any sort of loophole can be incredibly dangerous,” she said. “The data never should have been used in this way.”

FBI, ICE find state driver’s license photos are a gold mine for facial-recognition searches

Thomson Reuters has said CLEAR can be used to track people of interest, conduct viral contact tracing and investigate fraud. A Thomson Reuters specialist told a Texas sheriff’s office in 2019 that CLEAR’s data could help investigators find “people who are not easily traceable via traditional sources.”

Wyden, in his letter to CFPB Director Rohit Chopra, said data brokers were “serving as shady middlemen” to sell Americans’ personal information for purposes far beyond its original use.

The sale of credit payment histories and related data is closely regulated under federal law. But government agencies can access credit header data because the regulations do not clearly outline how the revealing information can be used. Wyden urged CFPB to clarify the law and investigate how the data is sold.

Thomson Reuters has in recent weeks sent messages to customers of its databases, including CLEAR and Westlaw PeopleMap, announcing that Equifax stopped providing utility header data to law enforcement on Oct. 23, and that non-law enforcement customers, such as private investigators, would also no longer receive the data.

“We have explored every avenue to continue to provide access to this data. To date, we have not been successful in these efforts,” Thomson Reuters said in one announcement reviewed by The Post.

License plate scanners were supposed to bring peace of mind. Instead they tore the neighborhood apart.

A 2017 cyberattack on Equifax, which compiles and sells a wide range of consumer financial data, exposed the information of more than 140 million Americans. The company in 2019 agreed to pay roughly $650 million to settle federal and state investigations related to the data breach.

Julie Mao, deputy director of the legal advocacy group Just Futures Law, said the utility data is especially sensitive because it is generally updated more frequently than other government databases, such as driver’s license registrations, and submitted by people who may not realize how it’s being used.

She saw the change as a victory, but she said she worried about the continued growth of companies amassing personal information on a national scale.

“This is one data set,” Mao said, “but there are a lot more types of data that are still at ICE’s disposal.”