Senator Ron Wyden has released a letter to the U.S. Department of Homeland Security’s (DHS) Inspector General voicing his concern over a previously-unknown bulk data collection program that was carried out by Homeland Security Investigations(HSI), a unit within DHS’s U.S. Immigration and Customs Enforcement (ICE). For more than two years, HSI used administrative subpoenas to acquire millions of financial records from two companies involved in money transfers, Western Union and Maxitransfers Corporation (Maxi). This is a blatantly illegal exploitation of government subpoena power–and an all too familiar one that must stop.
Beginning in 2019, HSI sent eight administrative subpoenas to these financial services companies asking that they turn over all records for money transfers over $500 to or from California, Texas, New Mexico, Arizona, and Mexico. Each administrative subpoena sought records for six-months at a time. In response, Western Union and Maxi provided 6.2 million financial records, including personal information such as names and addresses, to HSI. All of the information was entered into a database called Transaction Record Analysis Center (TRAC), which is run by a non-profit and facilitates law enforcement access to bulk financial data for 5 years. According to Sen. Wyden, HSI terminated the program in January 2022 after his office contacted HSI about it.
This practice presents real-world harms to people who, for good reason, would like to keep private the transfer of money and the identifying information that goes with it. Sharing financial and other personally identifying records of domestic violence survivors, asylum seekers, and human rights activists could expose them to danger, particularly given that TRAC allows hundreds of law enforcement agencies unfettered access to these records.
Moreover, this kind of bulk surveillance is illegal. By statute, these administrative subpoenas must seek records “relevant” to an agency investigation. Simply put, there is no way these broad requests for bulk records would turn up only documents “relevant” to specific investigations; instead it put everyone who transferred money, including U.S. persons, under surveillance.
This is not the first time government agencies have floated overly-broad interpretations of what records are, and are not, “relevant” in order to collect as much information as possible. In 2015, after a lawsuit brought by EFF, the Drug Enforcement Administration purged a database containing billions of Americans’ international call records that had been in operation since the 1990’s. The NSA also infamously stretched the limits of what calls were and were not “relevant” to investigations when it collected hundreds of millions of call detail records from telecommunications providers, a practice that the Second Circuit called “unprecedented and unwarranted.”
U.S. Customs and Border Protection (CBP), another DHS subagency, has even been previously reprimanded for sending the exact same type of administrative subpoena as in this case to Twitter to demand the company unmask an anonymous user that ran an account critical of another DHS subagency.
What Should Be Done?
There are several things that can be done to remedy this harm and minimize the endless cycle of government agencies’ illegal collection of bulk data.
First, we reiterate Sen. Wyden’s call for an investigation into the HSI program. The public has a right to know how and why this program happened, and what steps are being taken to ensure this violation doesn’t happen again.
Second, the records collected under this illegal program must be immediately purged, both from TRAC and any other agencies that possess copies of the information.
Third, companies like Western Union and Maxi should stop caving to these overbroad administrative subpoenas for sensitive customer information by filing motions to quash. These administrative subpoenas are government requests—not official warrants, signed by a judge, that legally compel the company to hand over all of this data. Companies should answer only when compelled by law to do so. Until then, they have an obligation to protect their customers’ information, and that obligation should extend to protections from overly-broad and easily rebuttable government fishing expeditions.
Finally, lawmakers need to prioritize strong consumer data privacy legislation to prevent a situation like this one from recurring. Such privacy legislation must protect the most vulnerable among us, including the low-income, immigrant, and unbanked populations that often rely on money transfer services such as Western Union to go about their daily lives.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows. Visit https://www.eff.org