IV. ICE leverages people’s trust in state DMVs to target deportations and evades the few protections against this practice

In January 2018, Jay Inslee had a crisis on his hands. He was a two-term Democratic governor of Washington with presidential ambitions, and the last thing he needed was an immigration scandal. But one had just arrived on his desk. According to a report published in The Seattle Times, the state’s Department of Licensing had been regularly handing over Washington drivers’ personal information—including their names, addresses and driver’s license photos—to ICE agents investigating Washingtonians for deportation.102

Inslee’s office was caught off guard. The governor had tried to protect the privacy of immigrants in the state, asserting almost immediately after Trump took office that Washington would not be a “willing participant” in Trump’s “mean-spirited policies that break up families.”103 In 2017, Inslee acted on this promise by signing an executive order prohibiting state agencies from cooperating with federal immigration authorities.104 That included the Washington Department of Licensing, which promised its driver’s license applicants that the state would be a safe place for immigrants to “live, work, drive, and thrive.”105

Gov Inslee is seated at a table next to General Counsel Nick Brown in the Governor's office as he signs Executive Order 17-01.
Gov. Jay Inslee signs Executive Order No. 17-01 in Olympia on February 23, 2017. (Photo: WA Governor’s Office)

But for 35-year-old Baltazar “Rosas” Aburto Gutierrez, and other immigrants like him, the agency didn’t keep that promise.106 According to the records uncovered by The Seattle Times, ICE agents had gone to the Department of Licensing for information on Gutierrez as they prepared to arrest the 15-year-long resident of Pacific County during his trip to the grocery store for coffee and eggs. They suspected that Gutierrez was undocumented in part because he had used a Mexican birth certificate to apply for his driver’s license, which Washington State law has authorized since 1993.107

  • 106. Shapiro, supra note 102 (“20 to 30 times a month, a state agency has been giving residents’ personal information to federal immigration-enforcement officers—information used to arrest and deport people in keeping with the president’s policies.”).
  • 107. H.B. 1444, 1993 Reg. Sess. (Wa. 1993) (authorizing the issuance of a license based upon state residency, among other requirements, without consideration of immigration status).
Aburto Gutierrez drives a boat with harvested clams near Wallapa Bay.
Aburto Gutierrez harvesting clams near Wallapa Bay off of the coast of Washington State. (Photo: Gladys Diaz)

The revelation that ICE could access Washington’s driver database sent shockwaves statewide. Inslee issued a personal apology, admitting that the state “fell short” in fulfilling its commitment to protecting immigrants.108 He also moved quickly to prevent something like that from happening again. Inslee immediately ordered Department of Licensing employees to stop sharing driver information with ICE absent a court order and ordered the department to conduct a full-scale internal review of its data-sharing practices.109

From the Department of Licensing’s review came a first glimpse into the full extent of ICE’s surveillance of Washington drivers. Results showed that the Department of Licensing had given ICE direct access to its electronic Driver and Plate Search (DAPS) database, which contained detailed records of drivers and vehicles registered in the state.110 According to documents that the Center on Privacy & Technology uncovered, at least 28 ICE agents111 had used DAPS to “to conduct surveillance and apprehend” immigrants living across Washington.112 DAPS logs reveal that the ICE Enforcement and Removal Operations (ERO) division conducted more than 100,000 searches in the two-year period between Jan. 1, 2016, and Jan. 1, 2018.113 Additional records the Center on Privacy & Technology uncovered and that The Washington Post reported on showed that, for purposes of immigration enforcement, ICE agents also requested face recognition searches of the state’s driver’s license photograph database.114

A photo of an ICE agent's request for access to Washington State's plate and driver's license database is depicted. Under the section why they are seeking this information, the text states that access to this information would make it easier to surveil and apprehend individuals that are ordered removed from the US.
Excerpt from a November 14, 2013 request sent by an ICE agent for direct access to Washington State’s driver and license plate database. (Source: Center on Privacy & Technology FOIA documents)

By the time the results of the investigation went public, the Department of Licensing had decided to cut off ICE’s access to the DAPS database.115 The department no longer permitted face recognition searches on driver’s license photographs for immigration enforcement purposes. Washington was assuring drivers that it had locked the door to the state’s driver’s license information. “We really want to make clear,” Inslee’s office told the press, “that we’re not going to allow the federal government to commandeer the use of our state resources to use as part of their immigration effort.”116 Washington’s message to all drivers was clear: We have your back.

Yet Inslee’s attempts to sever ICE’s access to driver’s license records appear to have only encouraged the agency to turn toward a secretive side door.

The governor’s 2017 executive order had ended the Department of Licensing’s “very liberal” policy for sharing driver’s license photos, but as one employee explained to a CBP agent, there was another way. The Department of Licensing wasn’t the only agency in the state that could grant access to drivers’ records and license photos; the Washington State Police operated an electronic data-sharing system known as WSP ACCESS, and according to the employee, agents could use it to electronically query and receive the license photos of Washington drivers.117 Never-before-seen records from Washington suggest that DHS, ICE’s parent agency, did not hesitate to take advantage of that alternative mode of accessing driver data. The number of queries for driver’s license information that DHS sent through WSP ACCESS exploded in the years following the executive order. As Figure 2 shows, from 2016 to 2019, the number of yearly searches from DHS rose from approximately 400,000 to a staggering 1.1 million.118

ICE has also prolifically used WSP ACCESS to access Washingtonians’ driver data, sometimes with state employees’ encouragement. As recently as October 2019, ICE agents requesting driver’s license photographs for immigration enforcement purposes were advised by Department of Licensing employees that a driver’s “image may be available to you in real time in WSP’s ACCESS system through the driver query.”119 According to a Department of Licensing internal audit, never published publicly before, ICE submitted approximately 68,000 WSP ACCESS queries for driver’s license information in 2019,120 seeking driver’s license photographs about half of the time.121

  • 115. Washington State Department of Licensing, DAPS Contract Terminations, 2017/2018, WADMV_002563 (“US Dept. of Homeland Security, Immigration & Customs Enforcement / ERO Fugitive Ops Unit ... TERMINATED - NO OPTION to sign a new contract ... US Dept. of Homeland Security, Immigration & Customs Enforcement/DRO Yakima ... TERMINATED - NO OPTION to sign a new contract ... US Dept. of Homeland Security, Immigration & Customs Enforcement, Homeland Security Investigations ... TERMINATED - WITH OPTION to sign a new contract”).
  • 116. Frank Bajak, Washington DOL denies giving ICE access to facial recognition searches, KING-TV (Jul. 8, 2019), https://www.king5.com/article/news/ice-used-facial-recognition-to-search-state-drivers-license-databases/507-3f905179-519d-4acc-bb92-a5ae6aaea275.
  • 117. Washington State Department of Licensing, Email from Jeff Oehlerich, Investigator 3 to Border Patrol Agent (Mar. 30, 2017), WADMV_001963-WADMV_001964 (“In the past, we have been very liberal in accepting the justification of ‘criminal investigation’ from requestor’s [sic] and not required more specific descriptions. This changed about a month ago as the result of an executive order from the governor. We now require the title or statutory citation of the actual crime being investigated before we will provide a photo. This is at the direction of our executive leadership team. The wording that authorizes a photo for verifying identity when an officer may request identification, was added to allow officers to have direct access to photos in their patrol cars and sue them when they stop a violator who does not have ID. The WSP ACCESS system does have a specific query format where they can get a photo when they request a driver’s check. The actual method of making the query depends on the interface program the agency uses, so I don’t know what limitations or requirements each department may have. I would suggest contacting one of the agencies in your local area to see if thaye [sic] can assist.”).
  • 118. Washington State Police, Response to Harrison Rudolph (Jan. 4, 2021), WANLETS_000007 (“Number of queries: 2015 – 398710, 2016 – 393666, 2017 - 539638, 2018 - 997069, 2019 - 1129711, 2020 - 680847”).
  • 119. Washington Department of Licensing, Response to Harrison Rudolph (Feb. 5, 2021), WADMV_3269-WADMV_3274; Washington Department of Licensing, Response to Harrison Rudolph (Feb. 5, 2021), WADMV_003275-WADMV_003281.
  • 120. Washington Department of Licensing, Requests via NLETS and WSP access from Federal Immigration Agencies - FY2019, WADMV_002876-WADMV_002883 (In FY2019, 67,822 ICE-DOL queries (33,731 drivers), but 1,395,531 DHS queries overall).
  • 121. Id. (17,940 image requests / 30,801 drivers = 58%).
A figure depicts DHS queries of WSP Access from 2015 to 2020. The number of queries remains stagnant between 2015 to 2016. From 2016 to 2019, the number of queries increases before declining between the years of 2019 and 2020.
Figure 2DHS Queries of WSP ACCESS, 2015-2020
Despite Governor Inslee’s best efforts, all signs suggest that ICE still has unrestricted, warrantless access to Washington drivers’ data.

Alarmingly, despite the governor’s best efforts, there is every indication that ICE still has unrestricted, warrantless access to Washington drivers’ data. How is that possible? The answer lies in the multiplicity of intersecting access points through which states like Washington allow driver information to flow to outside agencies and the difficulty of severing those points of access. Despite the efforts states have taken to restrict ICE’s access to driver’s license data, ICE routinely finds ways to circumvent most state-imposed limits. When one spigot turns off, ICE simply moves to another pipeline.

This section identifies the different pipelines ICE uses to tap driver data, describes the scope and frequency of the agency’s searches, and illustrates how a patchwork of federal and state laws (as well as ICE’s willingness to secretly evade the few meaningful standards that do exist) have allowed ICE to weave driver data into its surveillance dragnet.

When one spigot turns off, ICE simply moves to another pipeline.

A. ICE uses at least three different pipelines to access driver data.

ICE investigators use a sprawling web of databases, networks and information-sharing initiatives to access states’ driver records. On June 8, 2018, an ICE agent pursuing a case in Georgia wrote to an employee at the state’s Department of Driver Services. “Can you assist me,” the agent wrote, “with finding a specific person in GA?” The agent stated that they had the person’s “cell [phone] number and the CLEAR results,” referring to records pulled from a commercial database, and wanted to know if the person had a Georgia driver’s license.122 In a similar email sent to the department two weeks earlier, an ICE agent inquired whether a person had a driver’s license, but only after the agent was “unable to verify [this information] in NLETS,” a separate government system that ICE uses to access driver data.123

This set of communications reference the three major pipelines that ICE uses to obtain state driver’s license information. First, ICE accesses driver’s information by making direct requests to DMVs. ICE agents may contact DMV employees to ask for records and may also request employees to conduct face recognition searches. Second, ICE accesses drivers’ information via government databases. ICE agents may directly search electronic databases of registered drivers and vehicles. Finally, ICE accesses drivers’ information through data brokers. DMVs frequently sell driver’s license data to private companies that resell access to ICE agents and others.

  • 122. Georgia DDS, ICE HSI Email to Georgia DDS (Jun. 8, 2018), GADMV_000198 (“Can you assist me with finding a person in GA? We don't have specific identifiers other than a cell number and the CLEAR results. Trying to determine if there is any dl on possible subject”).
  • 123. Georgia DDS, DHS Email to Georgia DDS (May 24, 2019), GADMV_000436 (“Please advise if [redacted] has a valid GA DL or state ID. I'm unable to verify in NLETS.”).

1. ICE agents directly ask state employees to search drivers’ data and scan their faces, often in secret.

ICE agents often turn directly to DMV employees to request assistance with obtaining a person’s driver’s license information. Those requests frequently take place through long-standing relationships of active collaboration with state DMV employees, who are often eager to hand drivers’ information over to immigration officials.124 In Vermont, for example, one DMV employee was so cooperative in sharing information about possible targets that an ICE agent responded, “We’re going to have to make you an honorary ICE officer!”125

Close working relationships between ICE agents and DMV employees enable ICE investigators to directly reach out to state employees asking for driver’s license information. ICE’s direct requests for driver’s license information come in two main forms: requests for information associated with (1) a person’s name, date of birth or other biographical information; and (2) a person’s driver’s license photograph, queried using face recognition technology.

        a. Direct requests using biographical information

A May 2019 email from an ICE agent to a Georgia licensing official is depicted. The agent claims to need the information in order to ID and target the individual they are inquiring about.
A May 1, 2019 email from an ICE agent to a Georgia licensing official. (Source: Center on Privacy & Technology FOIA documents)

In cases where ICE agents have some basic information about a person of interest, like a name or a phone number, they may email DMV employees to assist with obtaining additional information from the person’s driver records. A single state DMV may receive dozens of direct requests each year from ICE officials presenting a subject’s name or other biographical information.126

While the total number of ICE’s direct requests has largely been kept secret, evidence suggests that ICE makes hundreds or thousands of them each year to DMVs across the U.S. In advance of immigration raids planned for Atlanta, for instance, an ICE agent sent an email to Georgia’s Department of Driver Services requesting a whole “batch” of driver’s license information, including driver’s license photographs, because there was “a surge coming up” and he had “so many” targets.127 Similar records show an ICE agent sending a request to the Virginia DMV, seeking information about Virginians’ driver’s license application documents.128 Those requests also reveal that ICE’s searches have not been limited to people who are undocumented. In Arizona, an ICE agent emailed the Department of Transportation requesting driver’s license information for a person with status under the DACA program.129

  • 126. See, e.g., Oregon DMV, Spreadsheet of ICE Requests for Driver Information (Aug. 7, 2020), ORDMV_000040-ORDMV_000048 (2015: 35 addresses run; 2016: 40 addresses run; 2017: 27 addresses run; 2018: 3 addresses run; 2019: 0 addresses run; 2020: 0 addresses run).
  • 127. Georgia DDS, ICE Email to Georgia DDS (May 1, 2019), GADMV_000467 (“We have a surge coming up and need to ID these target [sic] for [redacted] ... I am trying to but [sic] a batch since I have so many. I will fill out the form once you verify they have a photo. Thanks in advance.”).
  • 128. See Virginia DMV, Letter to Harrison Rudolph (Aug. 17, 2020), VADMV_000300.
  • 129. See Arizona Department of Transportation, OIG/Professional Standards Unit Narrative (Mar. 29, 2017), AZDMV_000071.

        b. Direct requests for face recognition searches

When the only reliable information in ICE’s possession about a person is a photograph, investigators may enlist state DMV officials’ help in using face recognition technology to search for that individual among the state’s database of driver’s license photos.130

  • 130. See U.S. Department of Homeland Security, DHS/ICE/PIA-054, Privacy Impact Assessment for the ICE Use of Facial Recognition Services 2 (May 13, 2020), https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-frs-054-may2020.pdf (“HSI routinely encounters digital images of potential victims or individuals suspected of crimes but cannot connect those images to identifiable information through existing investigative means and methods. HSI, therefore, submits those images to government agencies and commercial vendors to compare against their digital image galleries via facial recognition processes.”).
A face recognition search request made by an ICE agent to an employee of a Georgia Licensing Department is depicted.
A face recognition search request from an ICE agent to a Georgia licensing department employee. (Source: Center on Privacy & Technology FOIA documents)

Records show that since 2015, ICE has requested face recognition scans of DMV databases in at least 14 states. That includes the DMV databases of Alaska,131 Arizona,132 Colorado,133 Florida,134 Georgia,135 Illinois,136 Maryland,137 Michigan,138 Ohio,139 Pennsylvania,140 Utah,141 Vermont,142 Washington143 and Wisconsin.144 (As of the publication of this report, Colorado,145 Illinois,146 Maryland,147 Utah,148 Vermont149 and Washington150 have since prohibited DMV compliance with ICE face recognition requests for civil immigration enforcement purposes.) Furthermore, as described in Finding 1, ICE also held a contract with the Rhode Island DMV for access to its face recognition database.151 Combined, this suggests that ICE agents and DMV officials acting on ICE’s behalf have used face recognition technology to scan the faces of at least 83 million drivers.152 This includes about 1 in 3 adults in the U.S.153 

Those searches easily constitute a dragnet. When ICE, and DMV officials on its behalf, use face recognition to search a state’s license photograph database, everyone’s image is being scanned by ICE, not just those of the person under investigation. In Wisconsin, one ICE agent conducting an identity fraud investigation requested a face recognition comparison against Wisconsin’s database of 4.3 million driver’s license photographs.154 In Georgia, another ICE agent repeatedly requested face recognition comparisons of an individual’s photographs against Georgia’s collection of 7.3 million driver’s license photographs.155
ICE’s use of face recognition may result in misidentifications and false arrests. According to peer-reviewed research by scholars Joy Buolamwini, Timnit Gebru and others, face analysis algorithms often underperform when analyzing the faces of women, young people and people with darker skin tones.156 Those bias problems extend to facial comparison systems and may worsen when state DMVs use antiquated face recognition systems—as is sometimes the case.157

There are few regulations limiting law enforcement’s use of face recognition generally and almost no regulations addressing ICE’s use of the technology. While courts have yet to rule on the constitutionality of face recognition in the law enforcement context, several scholars have raised concerns about its legality under various constitutional provisions, especially the First and Fourth Amendments, and it is unclear whether the practice is even legally authorized in the first place. Since at least May 2020, ICE policy has claimed to prohibit the use of face recognition technology by its ERO division for civil immigration enforcement purposes.158 However, as a practical matter, there is no sharp line separating ICE ERO’s enforcement of civil immigration law from the operations of ICE’s Homeland Security Investigations (HSI) department, which is charged with investigating criminal activity. When ICE HSI conducts criminal investigations, its efforts routinely lead to “collateral arrests” of people who were not the original targets of the investigation.159 As a result, even if those arrests constitute civil immigration enforcement, the investigations who led to them may be exempt from ICE’s stated bar on face recognition.

ICE has shrouded its use of face recognition technology on state driver’s photos in a level of secrecy more similar to what one would expect from a federal agency whose primary purpose is large-scale surveillance than from an agency that claims to be engaged in law enforcement. The FBI, one of the nation’s most powerful law enforcement agencies, has disclosed the list of each state DMV it has relied on for face recognition searches.160 It has also disclosed the memorandums of agreement underlying those efforts161 and has for years publicized statistics about its use of its own face recognition system, the Next Generation Identification (NGI) Interstate Photo System (IPS), on a monthly basis.162 Similarly, CBP has disclosed where each of its border face recognition systems has been deployed along with each of the photo databases it has relied on for face recognition searches, regularly publishing the number of face recognition searches it has conducted.163

ICE has shrouded its use of face recognition on state driver’s photos in an abnormal level of secrecy.

By contrast, while ICE acknowledges that it routinely uses face recognition technology, it has never officially disclosed how often it does so or in which states, insisting that public comment about its use of the technology would threaten unspecified “law enforcement sensitivities.”164 As of this report’s publication, ICE has still not disclosed any of those basic details. That is not to suggest that the FBI or CBP are sufficiently transparent but simply to point out that ICE’s practices do not even rise to the level of the low bar its peer agencies have set.

2. ICE directly searches state DMV databases.

In addition to contacting DMV officials directly for information, ICE also frequently queries state DMV databases for driver’s license records. To do that, the agency relies on a service called the International Public Safety and Justice Network, more commonly known as Nlets.165 Nlets, described as a “superhighway of information sharing” used by law enforcement agencies, has enabled ICE to electronically query and automatically retrieve driver’s license information collected by participating state DMVs for over 20 years.166 As of November 2020, ICE divisions representing all 50 states and the District of Columbia have obtained FBI-designated nine-digit Originating Agency Identification (ORI) Codes authorizing access to the Nlets system.167

According to a recently disclosed internal ICE memorandum, Nlets enables ICE agents to electronically query state driver’s license databases for immigration enforcement purposes in 34 states.168 Across those 34 jurisdictions, ICE may use Nlets to query the personal information of as many as 146 million drivers.169 This number is even higher when including the jurisdictions that enable ICE to query for non-immigration enforcement purposes. Using Nlets, ICE agents can electronically query state driver’s license databases for non-immigration enforcement purposes in 39 states and the district.170 Across those 40 jurisdictions, ICE may use Nlets to query the personal information of as many as 194 million drivers, including approximately 3 in 4 adults.171

Public records obtained by the Center on Privacy & Technology through Freedom of Information requests reveal that ICE issues tens of thousands of driver’s license and vehicle registration queries each month through Nlets. Records show that ICE issued 3,185 Nlets driver’s license or Nlets vehicle registration queries over a 41-day period in Wisconsin alone.172 Other records show that ICE issued 223,814 Nlets driver’s license queries between 2015 and 2020 in Texas.173 Over the same five-year period, ICE issued 83,400 Nlets driver’s license queries in Iowa.174 Evidence suggests that those queries may concern a significant number of people. In Washington in 2019, ICE submitted 67,822 Nlets driver’s license queries and retrieved records for 33,731 Washington drivers.175 That’s a rate of about one person for each pair of queries.

This partial picture of how ICE has used Nlets to reach into state driver records has only emerged by piecing together public court records with emails obtained by the Center on Privacy & Technology through Freedom of Information requests, as well as by consulting resources published by immigrant rights organizations like the NILC and Just Futures Law.176 State and federal agencies have publicized very few details about how ICE uses Nlets to access DMV driver’s license information, due to a combination of ICE’s secrecy as well as state agencies’ poor recordkeeping.

No agency can disclose details about ICE’s searches for Maryland drivers’ data. No agency claims responsibility for tracking that data.

At the state level, government officials have helped to preserve the secrecy of Nlets access records by essentially putting their heads in the sand. In Maryland, for example, no agency has been able to disclose details about ICE’s Nlets queries of Maryland drivers’ data because no agency claims responsibility for tracking that data. 

When the Maryland state legislature asked for information about ICE’s use of Nlets to access drivers’ records, the Maryland Department of Transportation (MDOT) said in a written testimony in January 2021 that it “does not control or monitor the access” of Nlets users.177 Instead, MDOT suggested that separate branches of government held that information. It claimed that law enforcement access to Nlets is “certified by the Maryland State Police for state and local agencies and by the Federal Bureau of Investigations for federal agencies” and that Nlets queries “occur[] via the Department of Public Safety and Correctional Services.”

However, the Department of Public Safety and Correctional Services (DPSCS) denied that, claiming that it was “not the custodian of record for” records related to ICE’s Nlets queries of Maryland driver’s information. When the Center on Privacy & Technology sent the department a request for Nlets records, it instead forwarded the request to the Maryland State Police.178 In response, the Maryland State Police just pointed back to DPSCS. A week after the DPSCS demurral, the Maryland State Police insisted that it “does not maintain anything related to” Nlets queries.179 It claimed that Nlets queries are “logged at the state message switch housed by DPSCS,” which “should be able to pull the logs.”

This finger-pointing is common. In Iowa, employees at the Department of Transportation said that “we simply make this information available” to state police and “how the fields are used is a question for” them.180 In Idaho, DMV officials said that the state police has oversight over the driver’s license and registration information made available through Nlets and that the DMV was “not involved.”181 Yet, few state police departments have kept detailed records of ICE’s Nlets requests for driver’s personal information. Like the state police in Maryland, the Colorado Bureau of Investigation said that it does not record the number of queries received from ICE or other agencies for driver’s license information.182

  • 177. Letter from Christine E. Nizer, William P. Doyle, Ricky D. Smith & Pilar Helm to Hon. William C. Smith, Chairman, Senate Judicial Proceedings Committee Re: Letter of Opposition – Senate Bill 234 – Personal Information – State and Local Agencies – Restrictions on Access (Jan. 28, 2021), https://drive.google.com/file/d/1siYx-yDkwggUQB3APZzqYmfKkg7BQHnF/view?usp=sharing.
  • 178. Maryland DPSCS, Letter to Harrison Rudolph, Jan 21, 2021 (“I am writing to inform you that the Department of Public Safety and Correctional Services (DPSCS) is not the custodian of record for the data you seek. To facilitate the processing of your request, I have forwarded your inquiry to: Maryland Department of State Police”).
  • 179. Maryland State Police, Letter to Harrison Rudolph, Jan 27, 2021 (“Upon review of your request, it was determined that the MSP does not maintain anything related to queries. All logging of queries that would be running originating in and out of state are logged at the state message switch housed by DPSCS. They should be able to pull the logs”).
  • 180. Iowa Department of Transportation, Email to Harrison Rudolph (Aug. 24, 2020), IADMV_000081 (“The Iowa Department of Transportation is the source of driver and vehicle information that is accessed and used by DPS to fulfill its obligation to NLETS. DPS has a direct connection to the Iowa Department of Transportation where they access a web service (DPSService) to obtain driver information. DPS sends in a request for a specific customer, and based on the type of request, a response is generated using the Global Justice XML Data model (GJXDM) and returned to DPS. The responses are dynamic and vary by customer and request type. What and how the fields are used is a question for DPS, we simply make this information available to DPS via the DPSService.”).
  • 181. Idaho Transportation Department, Email to Harrison Rudolph (Aug. 25, 2020), IDDMV_000009-IDDMV_000011 (“ITD possesses no such documents. ITD is required through state Administrative RULE (shown below) to send vehicle and driver information to the Idaho Law Enforcement Telecommunication Systems (ILETS) to provide vehicle and driver information to law enforcement. Idaho State Police have oversight of ILETS and how it interfaces with NLET; ITD is not involved in this process.”).
  • 182. Colorado Bureau of Investigation, Email from Kristina Gavit to Harrison Rudolph (Nov. 13, 2020), CONLETS_000019-CONLETS_000020.
“We simply make this information available … how the fields are used is a question for [the state police].”

ICE, for its part, acknowledges that it “generally” retrieves state DMV driver’s license information using the Nlets service,183 but the full details surrounding DHS’ use of Nlets to access DMV information have historically been a tightly kept secret. In 2020, the U.S. House of Representatives Homeland Security Committee launched a rare investigation into senior DHS officials for allegedly lying to Congress about the matter.184

  • 183. Document 43-1, filed Apr. 24, 2020, in Lewis-McCoy, et al. v. Wolf, et al., Case 1:20-cv-01142-JMF, S.D.N.Y (“Generally, DMV information is retrieved through the National Law Enforcement Telecommunication System (Nlets)”); Public records back that up. One immigration agent asked the Georgia Department of Driver Services for assistance verifying a driver’s license only after the agent was “unable to verify [it] in Nlets.” Georgia DDS, DHS Email to Georgia DDS (May 24, 2019), GADMV_000436 (“Please advise if [redacted] has a valid GA DL or state ID. I'm unable to verify in NLETS.”). Other public records show that another ICE agent asked the Illinois Secretary of State for driver’s license information (including a photograph) only after attempting an Nlets search. Illinois Secretary of State, Email from ICE HSI Requesting Driver Records (Jul. 17, 2019), ILDMV_000207-ILDMV_000209 (“Homeland Security Investigations is requesting assistance in obtaining the DMV information and photo of the following individual ... NLETS returned the following results ... [Redacted] RES-PID CLASS/NONE DL/IP STA/VALID TDL/TIP STA/SEE /LOLNHELP CDL STA/SEE ILOLNHELP DIGITAL ISSUE ... Subject is a possible witness in an ongoing criminal investigation. In violation of 21 USC § 848, continuing criminal enterprise.”).
  • 184. Adam Comis & Stuart Malec, Thompson and Rice Announce Investigation After Administration Gave Inaccurate Testimony to Congress About Political Attack on New York, Committee on Homeland Security (July 25, 2020), https://homeland.house.gov/news/press-releases/thompson-and-rice-announce-investigation-after-administration-gave-inaccurate-testimony-to-congress-about-political-attack-on-new-york.

3. ICE taps DMV records held by private data brokers.

ICE agents also use driver’s license records sold by DMVs to private data brokers. ICE acknowledges that records obtained from those sources are often “incomplete, incorrect, or outdated” but claims that, with “the expenditure of additional time and effort,” agents may be able to use them to uncover information such as a driver’s home address.185

State DMVs frequently sell driver’s license information to data brokers and other private entities, often generating millions of dollars in revenue in the process.186 In Washington, for example, the Department of Licensing earned over $26 million in 2017 by selling driver’s license and vehicle records to multiple data brokers, including LexisNexis.187 While LexisNexis is a well-known legal research provider, it is also part of a vast information services enterprise that aggregates huge quantities of data and sells government agencies access to that data.188 One of its subsidiaries, LexisNexis Risk Solutions, draws more than 10% of its $400 million annual revenue from sales of “data and advanced analytics” services to government and health care entities.189

Since March 2021, ICE has paid LexisNexis Risk Solutions $3.9 million to access driver’s license information and other records to aid in the “in-depth exploration of persons of interest and vehicles.”190 The terms of ICE’s contract with LexisNexis remain confidential, although LexisNexis has acknowledged in purchase agreements with DMVs that it sells its driver’s license and vehicle registration records to homeland security and law enforcement customers.191 As of this report’s publication, more than 11,000 ICE agents may be able to conduct investigations by querying the LexisNexis Risk Solutions service.192

Evidence indicates that ICE has purchased access to DMV driver’s license information through LexisNexis Risk Solutions. Records show that LexisNexis has purchased driver’s license information directly from DMVs in 12 states and the district: Arizona,193 California,194 the District of Columbia,195 Florida,196 Illinois,197 Minnesota,198 Nebraska,199 Nevada,200 North Carolina,201 Oregon,202 South Carolina,203 Tennessee204 and Wisconsin.205 In total, this indicates that ICE may access driver’s license information purchased by LexisNexis for 88 million drivers, including 1 in 3 adults.206

ICE and LexisNexis have sought to keep the public in the dark about the terms of their relationship. For example, ICE withheld an overview of its March 2021 contract with LexisNexis Risk Solutions, claiming that it was “law enforcement sensitive and not for public release.”207 LexisNexis Risk Solutions has been more forthcoming about its agreements with the FBI, issuing a press release announcing the contract that gave the FBI access to its Accurint Virtual Crime Center service.208 The FBI itself publicly disclosed that it uses LexisNexis Risk Services to access residence information, among other data as well.209 As of this report’s publication, however, ICE and LexisNexis have never disclosed those basic details about services rendered under their contract.

B. Federal and state laws have proved insufficient against ICE searches—and evasion.

State DMVs frequently promise strong state and federal protections for drivers’ personal privacy,210 but this report illustrates that ICE has been able to obtain wide-ranging access to driver’s record information despite legal protections. That is because ICE takes advantage of weaknesses in federal and state driver privacy laws, which often still enable the agency to obtain driver information through one or more of its three main pipelines of access.

1. The federal DPPA of 1994 did not anticipate use of driver data by federal immigration enforcement.

DPPA, a federal law regulating state DMVs’ sharing of driver’s record information, passed through Congress in 1994. In the words of then-Senator Joe Biden, one of the major proponents of the DPPA at the time, this legislation was intended to thwart stalkers and harassers by protecting the “privacy [of] addresses and telephone numbers” provided to the DMV.211 But neither the senator nor other members of Congress considered whether the law should protect Americans from privacy invasions at the hands of federal immigration enforcement. At the time, immigration enforcement operations were comparatively rare, and Congress likely did not foresee the problems that might arise if that changed.212 The DPPA expressly allows state DMVs to share driver’s information with government agencies as well as private data brokers who make it available to government agencies.213

ICE has operated within that blindspot in federal law to gain access to Americans’ driver’s license information. Without meaningful federal privacy protections that regulate how DMVs share driver data with government agencies and private companies, ICE has been able to persistently search driver’s license information, even in states that have allowed and encouraged immigrants to apply for driver’s licenses.

2. Most state laws protecting driver data have proved insufficient. ICE has evaded several of the few laws offering meaningful protection.

In the absence of strong federal regulations around ICE’s access to driver data, many state and local lawmakers have enacted executive orders, agency policies, statutes and ordinances to resist ICE’s expansion of surveillance capacities. But ICE has circumvented even the strongest policies that states have enacted to safeguard their drivers’ information.

Oregon has one of the strongest driver privacy laws to protect driver information from ICE access. In 2017, at the urging of Governor Kate Brown, the legislature passed a law prohibiting the dissemination of address information and other data by government agencies for civil immigration enforcement purposes.214 At first, the legislation seemed to work; after the law was passed, ICE requests for Oregon drivers’ information fell off a cliff. Oregon DMV records that the Center on Privacy & Technology obtained show that the number of direct requests from ICE for driver’s address information declined from 35 requests in 2015 and 40 requests in 2016 to three requests in 2018 and zero requests in 2019.215 The spigot on direct requests for DMV information had been turned off. Only in August 2019, after that steep decline in ICE’s direct requests, did Oregon pass H.B. 2015, the Equal Access to Roads Act, to expand driver’s license eligibility to people without documentation.216

Gov. Kate Brown stands at a podium as she announces an executive order protecting Oregon immigrants.
Governor Kate Brown announces a February 2, 2017 executive order to protect immigrants in the state. (Photo: Gordon Friedman/Oregon Live)

Just six months later, the Oregon DMV signed agreements to sell its driver’s license records to the data brokers Thomson Reuters and LexisNexis Risk Solutions, granting the companies permission to disseminate it to “government agenc[ies] for use in carrying out [their] governmental functions.”217 Whether the Oregon DMV realized it or not and regardless of whether earlier contracts predated the law, the DMV appeared to be allowing immigrant drivers’ information to end up in ICE’s hands, despite the state’s strong laws intended to prevent just that.

Across the country, immigrant communities have pressed policymakers to pass laws to prevent this kind of abuse, and thanks to their organizing and advocacy, multiple states have tried to enact legislation to prevent ICE from warrantlessly accessing driver information. After Marylanders discovered multiple pathways of ICE access to its driver’s license information, the immigrant rights group CASA led a campaign to pass the Maryland Driver Privacy Act, prohibiting any access to Maryland’s driver’s license information for immigration enforcement purposes.218 The law passed in April 2021, and although the governor vetoed it a month later, the Maryland General Assembly overrode the veto in December and the law will go into effect in 2022.219 Similar laws have passed in other states. When Californians discovered that the agency was using a state system to view driver’s license information, the state passed AB 1747, prohibiting ICE access to the system for civil immigration enforcement purposes.220 After Utahns learned about ICE using face recognition technology to scan their license photos, Utah passed S.B. 34, prohibiting the use of face recognition technology on government databases for civil immigration enforcement purposes.221

State laws to protect driver privacy often fail to protect against all three pipelines for ICE access.

But these laws often fail to block all three of the above described pipelines for ICE access for driver information or come up short in other ways. In the words of San Diego Assemblywoman Lorena Gonzalez, “Every time we create a law in California, ICE figures out a way to get around [it].”222

        a. State Driver Privacy Protection Scorecard

The Center on Privacy & Technology has conducted an analysis of driver privacy laws and policies in each of the 16 states that offer undocumented immigrants the ability to apply for a driver’s license or its equivalent, along with the district, which has the same policy. We evaluated the strength of each jurisdiction’s regulations on ICE access to driver’s information through its three main pipelines of access, assigning each jurisdiction a rating according to the following criteria. A jurisdiction received: 

  • a green score when it prohibits dissemination of driver data to ICE without a warrant, access to driver data by ICE without a warrant, or when no such data is available for access or dissemination in the state;
  • a yellow score when it prohibits access by or dissemination of driver data to ICE for civil immigration enforcement purposes; and 
  • a red score when no such protections appeared to apply to the access by or dissemination of driver data to ICE for civil immigration enforcement purposes.

We also rated jurisdictions along the same criteria based on whether they adopted protections against warrantless ICE face recognition searches.

A table depicts the Driver Privacy Protection Scorecard among 17 states.
Figure 3State Driver Privacy Protection Scorecard

The scorecard seen at Figure 3 shows a clear pattern emerging. Our review found that among the 17 jurisdictions, six have no meaningful restrictions on direct request pipelines,223 seven have no meaningful restrictions on government database pipelines,224 and seven have no meaningful limits on data broker pipelines.225 Five states have no meaningful restrictions on face recognition searches.226 When state restrictions on certain pipelines for drivers’ data do exist, they may accomplish little if laws allow ICE agents to access that information through other pipelines.

Several states have adopted weak protections that do not require ICE to have a warrant to request driver’s personal information if the request is predicated on a criminal investigation. Our review found that among the seventeen jurisdictions that grant driver’s license eligibility to people without documentation, six states have weak restrictions on direct request pipelines;227 seven states have weak restrictions on government database pipelines;228 and six states have weak limits on data broker pipelines.229 Five states have no meaningful restrictions on face recognition searches.230 Without a warrant requirement, a criminal investigation predicate is little more than a parchment barrier between ICE and a driver’s personal information.

State driver privacy protection laws typically contain one or more significant weaknesses. Typically, weak laws only limit the disclosure of driver’s license information:

  • by the licensing agency, without a general prohibition on disclosures of the underlying data. Privacy protections that only apply to the licensing agency allow federal immigration enforcement to leverage other state employees to access and disseminate driver data.
  • to certain recipients, without a general prohibition on disseminations intended for immigration enforcement purposes. Dissemination restrictions that only apply to specific recipient agencies allow federal immigration enforcement to leverage other federal employees to access and disseminate driver data.
  • when biographical information is directly requested by a federal immigration agent, without prohibitions on indirect access or biometrics. Privacy protections that only apply to direct requests for biographical data allow federal immigration enforcement to access driver’s license information using electronic databases and face recognition searches.
  • for civil immigration enforcement purposes, without prohibitions on dissemination for investigation of punishable immigration offenses. Privacy protections that only apply to requests for civil immigration enforcement purposes allow federal immigration enforcement to access driver information to engage in enforcement activities related to punishable immigration violations, such as the two federal border crossing offenses.
  • unless it’s requested by law enforcement. Privacy protections that contain overbroad law enforcement exceptions allow ICE to leverage local, state and federal law enforcement to access and disseminate driver data.

Based on our review, two states have enacted robust privacy protections for driver’s license information. Maryland’s Driver Privacy Act blocks warrantless sharing of data with “any federal agency” seeking access for the purpose of “enforcing federal immigration law.”231 New York’s Driver’s License Access and Privacy Act (“Green Light Law”) paired its expansion of driver’s license eligibility with a categorical prohibition on the DMV disclosing or making accessible “in any manner” driver’s license records or information to federal immigration enforcement.232 The passage of Green Light was the result of a multiyear campaign by a broad cross-sectoral coalition led by immigrant rights and workers rights groups from all across the state. One key consequence of New York’s law was that state police started to cut off ICE access to driver’s license information using Nlets. (The New York State Police prohibited ICE’s FBI-designated ORI Codes from querying New York’s driver’s license information.233) Another key consequence was that the New York DMV began to prohibit buyers of the DMV’s driver’s license information from disseminating it to ICE.234 With those protections, New York State has successfully protected its driver’s license information from ICE surveillance and overreach.

  • 223. Dissemination of driver data to ICE for civil immigration enforcement purposes is not prohibited by law in Connecticut, Delaware, Illinois, New Mexico, Nevada, and Utah.
  • 224. Nlets access by ICE for civil immigration enforcement purposes is not prohibited by law in Connecticut, Delaware, Hawaii, Illinois, New Mexico, Nevada, and Utah.
  • 225. Sales of driver’s data to data brokers and subsequent resale to ICE for civil immigration enforcement purposes is not prohibited at law in the District of Columbia, Colorado, Hawaii, Illinois, New Jersey, Nevada, and Vermont.
  • 226. Face recognition searches of driver data for civil immigration enforcement purposes are not prohibited by law in Connecticut, Delaware, Hawaii, New Mexico, and Nevada.
  • 227. Warrantless dissemination of driver data to ICE for non-civil immigration enforcement purposes is not prohibited by law in California, Colorado, New Jersey, Oregon, Vermont, and Virginia.
  • 228. Warrantless Nlets access by ICE for non-civil immigration enforcement purposes is not prohibited by law in California, Colorado, New Jersey, Oregon, Vermont, Virginia, and Washington State.
  • 229. Sales of driver data to data brokers and subsequent resale to ICE for non-civil immigration enforcement purposes is not prohibited at law by California, Connecticut, Delaware, Virginia, and Washington State.
  • 230. Warrantless face recognition searches of driver data for non-civil immigration enforcement purposes are not prohibited by law in Colorado, the District of Columbia, Illinois, New Jersey, Utah, and Virginia.
  • 231. See The Maryland Driver Privacy Act, H.B. 23 §4-320(g)(2) (2021) (restricting sharing of driver data “to a federal agent or federal agency for the purpose of federal immigration enforcement”); id. at  §4-320.1(B)(1) & (B)(2) (restricting access to face recognition systems by “any federal agency seeking access for the purpose of enforcing federal immigration law”).
  • 232. Driver's License Access and Privacy Act (“Green Light Law”), S.B. S1747B, 2019 Leg. Sess. (N.Y. 2019), https://www.nysenate.gov/legislation/bills/2019/s1747.
  • 233. Doc 71-1, filed Jun. 17, 2020, in Lewis-McCoy, et al. v. Wolf, et al., Case 1:20-cv-01142-JMF, S.D.N.Y, https://www.nyclu.org/sites/default/files/wysiwyg/1_-_completed_administrative_record_public.pdf.
  • 234. New York State Department of Motor Vehicles, Request for Certified DMV Records, https://dmv.ny.gov/forms/mv15.pdf.