Appendix

Appendix A: Detailed Procurement Analysis Methodology

A. Data Sources

We surveyed all ICE contracts from January 2008 to September 2021—40,715 unique ICE contracts, totalling 108,873 transactions.376 We downloaded ICE contract information from USAspending, the federal government’s “official source for spending data.”377 In cases where ICE closed out a surveillance contract during our review period without spending more money on it, we excluded the contract.  

There are some limitations with the reliability of this dataset.378 For example, we do not have access to ICE’s actual payouts.379 We instead used USAspending data that tracks ICE’s promises to spend funds, which are known as obligations.380 For a closed contract, the total obligation should equal the real-world total ICE spent, but any open contract we reviewed might change in value. Furthermore, ICE provides its award spending data to the Federal Procurement Data System data, shared on USAspending, and agency mistakes can lead to misreported values.381 Our data is current as of September 2021.382

B. Methodology

1. Overview

To identify and analyze ICE spending on surveillance technologies, we reviewed ICE award transactions listed on USAspending, the official source of federal spending information.383 We identified ICE spending transactions that were likely for surveillance technologies and categorized them under six functionalities: geolocation, biometrics, data analysis, data brokers, government databases, and telecom interception.384

2. Identifying Surveillance Awards

We took two approaches to identifying surveillance awards. With the first approach, we started with a list of known surveillance tools and identified the ICE awards for those tools. With the second, we started with a set of ICE awards and looked into the ones that we suspected were for surveillance tools. 

For our first approach, we assembled a list of known ICE surveillance vendors. We reviewed DHS/ICE’s Privacy Impact Assessments (PIAs) and System of Record Notices (SORNs), which are some of the only public-facing documents that DHS makes available about its initiatives. We downloaded each PIA and SORN from the DHS/ICE website archive and read the documents for mentions of technologies covered in our functionality categories. Almost none of the PIAs or SORNs related to a particular contract but rather gave general information of existing ICE initiatives, projects or programs (e.g., LeadTrac, RAVEN, VISA, etc). We later connected initiatives and programs to certain contracts through alternative means. We also gathered the names of known ICE surveillance vendors from reports published by organizations like NILC, Mijente, TechInquiry and Top10VPN.385 Lastly, we conducted keyword searches on search engines to identify names of other ICE surveillance programs and technologies.

For our second approach, we read through thousands of awards, flagging those that we suspected were related to surveillance functionalities.386 We flagged awards for software that contained surveillance-related keywords (e.g., “biometric”), awards that were labeled under a possibly surveillance-related category (i.e., had a product code for “Information Retrieval”) or had other fields that stood out. Then, we conducted online keyword searches of suspected surveillance contracts by their contract award number, the contracting companies, and the product or service provided. Those searches yielded company websites, media coverage and other information that helped us create a list of vendors and their surveillance products. 

For any vendor that we identified as a surveillance vendor, we searched for its other ICE awards using its unique identifier, known as a DUNS number. We then reviewed each of the company’s ICE awards, adding awards that matched our functionality categories. In cases where the vendor predominately sells technology falling under a functionality, we included all its ICE awards in our list. Moreover, since ICE may make more than one transaction for any award, whenever any spending transaction associated with an award that was likely surveillance related, we included the entire award in our final list.

3. Categorizing Awards

Many ICE awards were for technologies that provided multiple surveillance functionalities. For example, ICE uses some technologies that cut across categories, such as cell-site simulators that intercept communications (telecom interception) to track people (geolocation).387 To decide on one functionality, we relied on a contract’s labeled product or service category. Contract awards are assigned codes from the North American Industry Classification System (NAICS), a federal standard for classifying businesses,388 and a Product Service Code (PSC), a Federal Procurement Data System (FPDS) standard for describing products and services.389 When analyzing the contracts that fell under our functionality categories, we noticed patterns in how NAICS and PSC codes were assigned. For example, FPDS assigned the PSC “Web-based Subscription” for many of the ICE contracts we categorized as data brokers. As a result, we treated the PSC code “Web-based Subscription” as a signal that an award may best belong under the data broker functionality. 

4. Automated Contract Analysis

Our manual review of ICE transactions yielded an initial dataset of ICE surveillance transactions, but the approach was time-intensive. To evaluate more contracts and to find contracts we missed on our first pass, we trained a model to identify contracts with a high probability of being surveillance related. We then manually reviewed each contract flagged by the model. The model complemented our manual review and flagged vendors, products and services that we did not identify in our first pass, for reasons such as irregular spelling in the award description. Using the model to aid our process also allowed us to analyze a significantly larger number of contracts and identify more instances of ICE surveillance spending.

5. Standardizing Contractor Names

      a. Removing duplicates

ICE often fails to keep to a standard when recording the names of recipients. For example, ICE may record the City of Philadelphia, a contractor, as “philadelphia city of,” “philadelphia, city of,” or simply “Philadelphia.” To standardize recipients’ names, we used Open Refine’s key collision algorithms to fuzzy-match and merge names.390 We then supplemented that automatic merge with manual corrections. 

      b. Listing Contractors by Their Parent Company

Attributing a contract to a vendor is not always straightforward. Some companies obscure their ICE contracts by providing services through shell or child companies. Companies also change names or acquire or merge with smaller companies. To disentangle this web, we refer to award recipients by their present-day parent company names, current as of October 2021. To connect vendors to their parent companies, we used a vendor mapping developed by TechInquiry.391

6. Calculating Total Spending

Our report tracks the cumulative amount ICE spent over 12 years. Because awards frequently do not record cumulative spending on the contract, we recalculated the running total values of all surveillance awards. To compute the running sum of an award’s value each year, we summed each award’s yearly transactions—the “federal action obligations” in a running sum. 

7. Limitations

      a. Undercounting contracts

By erring on the side of caution, we may have undercounted ICE’s surveillance contracts. Even after significant research, we were unable to make out whether some contracts had a categorizable surveillance purpose. For example, we excluded an ICE purchase of “scanners”392 because the vendor sells both image scanners and fingerprint scanners. 

      b. Overcounting contracts

We also may have overcounted surveillance awards as a consequence of ICE’s opaque reporting practices. ICE seldom discloses enough information to tell what the agency is purchasing or how its agents will use it. For example, ICE described one purchase as “required for electronic surveillance operations.”393 Not only is the award ambiguous, but the vendor sells many kinds of surveillance technologies, including those our report does not track.394

      c. Third-party contractors

Our review does not disentangle providers from third-party vendors. For example, we listed a HART contract acquiring Amazon Web Services under the third-party vendor awarded the contract.395

Appendix B: List of ICE Surveillance Contracts and Spending Calculations

Find our spreadsheet and calculations here.

Appendix C: Sample Records Requests

A. Sample Requests to State DMVs

      1. Request to State DMVs for Records on Direct Searches and Nlets 


[Date]
[Agency Address]

Re.:    Records Request

Open Records Officer:

The Center on Privacy & Technology, a think tank based at the Georgetown University Law
Center, is conducting a survey of departments of motor vehicles concerning agency information
sharing practices.

Pursuant to [State Records Request Law and citation], we request the following records.

Records Requested

Please provide copies of the following records related to information sharing since 2015:

  1. Requests received from U.S. Immigration and Customs Enforcement (ICE) seeking driver information, including requests for driver address information.
  2. Agreements or memoranda of understanding signed with ICE or the U.S. Department of Homeland Security concerning access to driver information, including access to driver address information.
  3. Policy documents, including guides, manuals, or other memoranda, containing procedures for using Nlets to share driver information, including driver address information.

This request is made on behalf of a not-for-profit organization whose mission is to advance the
field of privacy and technology policy and to train law students from around the county in this
field. Because of our not-for-profit status and the fact that this request is about a matter of public concern, we request a fee waiver. If such a waiver is denied, please inform us in advance if the cost will be greater than $50.

According to [State Records Request Law], a custodian of public records shall comply with a request [within X business days of receipt / timeframe specified in the law]. Please furnish responsive documents to [name and contact information].

or:

[mailing address]

If you have any questions or if you cannot comply with this request in the statutory time period,
or if this request is misdirected, please contact me at [contact information]. Thank you for your prompt attention to this matter.

Sincerely,

[name]


      2. Request to State DMVs for Information about Database Access and Face Recognition Searches

[Date]
[Agency Address]

Re.:    Records Request

Open Records Officer:

The Center on Privacy & Technology, a think tank based at the Georgetown University Law
Center, is conducting a survey of state agency information sharing with data broker companies.

Pursuant to [State Records Request Law and citation], we request the following records.

Records Requested

Please provide copies of the following records related to facial recognition since 2015:

  1. Requests received from the U.S. Department of Homeland Security, including its components U.S. Immigration and Customs Enforcement, and U.S. Customs and Border Protection, to run facial recognition searches or internal logs recording DHS facial recognition searches, and any materials sent to DHS in response to these requests and/or searches.
  2. Agreements or memoranda of understanding signed with the U.S. Department of Homeland Security, including its components U.S. Immigration and Customs Enforcement and U.S. Customs and Border Protection, permitting the agency to run or request facial recognition searches.

Please provide copies of the following records related to information sharing with data broker companies since 2015:

  1. Contract documents, including purchase orders, invoices, licensing agreements, non-disclosure agreements, or other procurement, service, or maintenance agreements with Giant Oak, IHS Markit (previously d/b/a RL Polk), Thomson Reuters (including its subsidiary, West Publishing Corporation) and RELX (including its subsidiary, LexisNexis).
  2. Marketing materials advertising products or services offered by Giant Oak, IHS Markit (previously d/b/a RL Polk), Thomson Reuters (including its subsidiary, West Publishing Corporation) and RELX (including its subsidiary, LexisNexis).

This request is made on behalf of a not-for-profit organization whose mission is to advance the field of privacy and technology policy and to train law students from around the county in this field. Because of our not-for-profit status and the fact that this request is about a matter of public concern, we request a fee waiver. If such a waiver is denied, please inform us in advance if the cost will be greater than $50.

According to [State Records Request Law], a custodian of public records shall comply with a request [within X business days of receipt / timeframe specified in the law]. Please furnish responsive documents to [name and contact information]

or:

[mailing address]

If you have any questions or if you cannot comply with this request in the statutory time period,
or if this request is misdirected, please contact me at [contact information]. Thank you for your prompt attention to this matter.

Sincerely,

[name]


B. Sample Requests to Utility Providers

[Date]
[Agency Address]

Re.:    Records Request

Open Records Officer:

The Center on Privacy & Technology, a think tank based at the Georgetown University Law Center, is conducting a survey of public utility companies about the sale or transfer of utility customer information to credit reporting agencies.

Pursuant to [State Records Request Law and citation], we request the following records.

Records Requested

Please provide copies of the following records since January 2015:

  1. Contract documents, including purchase orders, invoices, licensing agreements, non-disclosure agreements, or other correspondence, procurement, service, or maintenance agreements with Equifax, Experian, and Transunion.
  2. Policy documents, including guides, manuals or other memoranda, containing procedures for conducting a credit check or an identity verification on prospective or existing customers.

This request is made on behalf of a not-for-profit organization whose mission is to advance the field of privacy and technology policy and to train law students from around the county in this field. Because of our not-for-profit status and the fact that this request is about a matter of public concern, we request a fee waiver. If such a waiver is denied, please inform us in advance if the cost will be greater than $50.

According to [State Records Request Law], a custodian of public records shall comply with a request [within X business days of receipt / timeframe specified in the law]. Please furnish responsive documents to [name and contact information] or:

[mailing address]

If you have any questions or if you cannot comply with this request in the statutory time period, or if this request is misdirected, please contact me at [contact information]. Thank you for your prompt attention to this matter. 

Sincerely,

[name]

Appendix D: Utility Providers that have Likely Participated in NCTUE

  1. AT&T396
  2. DIRECTV397
  3. Verizon398
  4. Sprint399
  5. Citizens Communications Inc. (now Frontier)400
  6. Broadwing Communications Inc.401
  7. Dish Network402
  8. American Electric Power403
  9. Baltimore Gas & Electric404
  10. Southern Company405
  11. Georgia Power406
  12. PSNC Energy (now North Carolina Gas)407
  13. Scana Energy408
  14. Piedmont Natural Gas409
  15. Citizens Energy410
  16. Nevada Energy411
  17. Consumers Energy Company412
  18. Miami-Dade County Water and Sewer Department413

Evidence also indicates that the following utility providers have not been or are no longer members of NCTUE:

  1. Duke Energy414
  2. Minnesota Energy Resource Corporation415
  • 396. Letter from Craig L. Caesar to Assistant Attorney Gen. Hon. Charles A. James 3 (Aug. 17, 2001), https://www.justice.gov/atr/page/file/1019991/download (“the Founding Members of what will become NCTUE are the following: AT&T Corp.; BellSouth Telecommunications, Inc.; Citizens Communications, Inc; Global Crossing, Inc.; Broadwing Communications, Inc.; Verizon Long Distance Company; Sprint Communications Company LP and MCI Telecommunications, Inc.”); Equifax Insights, More Bang for Your Bucks with the NCTUE(R), Youtube (Mar. 15, 2019), https://www.youtube.com/watch?v=yWdI1us2j8E.
  • 397. NCTUE Users Conference: We’re Better Together 2 (Nov. 2015), https://www.nctue.com/userimages/2015_NCTUE_Users_Conference_Agenda.pdf.
  • 398. Letter from Craig L. Caesar, supra note 396; Equifax Insights, More Bang for Your Bucks with the NCTUE(R), supra note 396. Some Verizon branches appear to not have had membership in NCTUE. For example, Verizon New York Inc.’s request to join NCTUE in 2016 was denied. State of New York Public Service Commission, CASE 13-C-0154 – Petition of Verizon New York Inc. for Clarification or Waiver of Commission Requirements Related to the Provision of Customer Information to Credit Reporting Agencies (Apr. 22, 2016), https://drive.google.com/file/d/1YSb5GfV7sIzqusilPWkUOO_gD8p5AnBT/.
  • 399. Letter from Craig L. Caesar, supra note 396.
  • 400. Id.
  • 401. Id.
  • 402. Equifax Insights, supra note 396.
  • 403. Letter from Craig L. Caesar, supra note 396, at 3 n.4 (These designees represent American Electric Power; Baltimore Gas & Electric; Duke Power; and Southern Company, companies that have been active in the regional utility exchanges.”).
  • 404. Id.
  • 405. Id.
  • 406. Equifax, NCTUE Association Infographic, http://assets.equifax.com/assets/corp/nctue-association-infographic.pdf (“Along with lowering write-offs by $1,000,000, Georgia Power used NCTUE to anticipate results to help avoid debt”).
  • 407. Id. (“With this matched information from NCTUE, PSNC Energy has found that their contact rate is 41 percent higher than before.”).
  • 408. Equifax Insights, supra note 396.
  • 409. NCTUE Users Conference: We’re Better Together, supra note 397.
  • 410. Equifax Insights, supra note 396.
  • 411. NV Energy uses the Equifax Advanced Energy Risk Model to evaluate customer credit risk. Public Utilities Commission of Nevada, Response of Nevada Power Company d/b/a NV Energy and Sierra Pacific Power Company d/b/a NV Energy to Procedural Order No. 1 8 (Oct. 7, 2016), https://drive.google.com/file/d/1Jnf_Vny3n1xcKkpgp3l3HTN53Drjp-ev/view?usp=sharing. According to a product sheet from Equifax, the Advanced Energy Plus score draws on NCTUE data and is only accessible to NCTUE members. Equifax, Advanced Energy Plus (Mar. 3, 2017), https://resources.datadrivenmarketing.equifax.com/collateral/advanced-risk-score-for-utilities-product-sheet-2.
  • 412. Michigan Public Service Commission, Consumers Energy Company Summary of Electric Benefits O&M Expenses for the years 2015, 2016, 2017 and 12 Months Ended September 30, 2018 7 (Mar. 2017), https://mi-psc.force.com/sfc/servlet.shepherd/version/download/068t0000001UXldAAG (“Using a combination of data in the NCTUE database (National Consumer Telecom & Utilities Experience [sic]) along with historical information in SAP, this project will use a risk scoring model to reduce our exposure by collecting money before they move in and target our higher risk customer with a more aggressive dunning procedure.”).
  • 413. Miami-Dade County Water and Sewer Department, Contract/Project Measure Analysis and Recommendation for Credit and Risk Assessment Services, Miami-Dade County (Mar. 22, 2019),  
    http://www.miamidade.gov/smallbusiness/library/reports/sbe/bw9744-0-22-project-package.pdf (Miami-Dade County’s Water and Sewer Department is a member of the National Consumer Telecom and Utilities Exchange (NCTUE), a consortium of over 95 member companies from the telecommunications, utilities and pay TV industries. NCTUE provides members with credit risk verification services designed specifically for utility companies.”).
  • 414. Duke Energy, Duke Energy notifying Midwest customers of payment reporting error, Duke Energy News Center (Oct. 7, 2014), https://news.duke-energy.com/releases/duke-energy-notifying-midwest-customers-of-payment-reporting-error (Duke Energy “no longer reports payment data to NCTUE, D&B or ECS. All information previously reported to NCTUE has been blocked and can no longer be used by others for credit-related decisions”).
  • 415. Before the Minnesota Office of Administrative Hearings for the Minnesota Public Utilities Commission In the Matter of the Application of Minnesota Energy Resource Corporation for Authority to Increase Rates for Natural Gas Utility Service in Minnesota 105 (Mar. 18, 2016), https://www.edockets.state.mn.us/EFiling/edockets/searchDocuments.do?method=showPoup&documentId=%7B0BE6F0A7-DEC7-42D5-9BC9-B626E74F4BDE%7D&documentTitle=20163-119256-01 (“However, in order to ensure compliance with the Minnesota Public Utilities Commission’s June 24, 2014 Order Requiring Utilities to Adopt and Document Processes Regarding Personally Identifiable Information and Other Action and related Orders in Docket No. E,G999/CI-12-1344, MERC does not plan to participate in [NCTUE].”).