Failures in Maintaining Data Privacy: How Undeveloped U.S. Policy Enables ICE’s Dehumanization of Immigrants

While performing routine updates in November 2022, ICE erroneously leaked the data of over 6,000 detained migrants, including names, birthdates, and detention locations, thereby putting them at risk of reidentification. By inadvertently publishing the migrants’ Personal Identifiable Information (PII) on the ICE detention statistics page, the Department of Homeland Security (DHS) further demonstrated its reckless disregard for comprehensive data protection measures that go past basic anonymization. If we do not fight for migrants’ data privacy rights now, data will continue to be wielded as a weapon of dehumanization that cannot be retracted. 

A majority of Americans are concerned with how the U.S. government uses their personal data and claim they lack an understanding of what the government does with the data collected. Although the fear of adversely utilized data permeates our everyday lives, and trust in government has hovered around a meager 20 percent for decades, data privacy does not even rank as a top concern for most Americans. This apparent discrepancy clarifies why detained migrants’ data privacy rights have not garnered public, government, and activists’ attention; immigrants’ right to data privacy can appear as petty and intangible compared to the lack of material welfare and civil liberties.

Contrary to this belief, however, a data breach can have disastrous consequences even with much less information than ICE revealed. Researchers at MIT’s Media Lab have found that an individual can be identified with 90% accuracy using just four pieces of random information, including indirect forms of PII such as gender, race, or birthdate. The implications of such a data leak would be unimaginable for most Americans who tend to be relatively shielded from the harms migrants often face. However, a leak as exhaustive and specific as ICE’s presents an existential threat for immigrants that have been seeking asylum from persecution, gang violence, and torture. Not only are the risks disastrously more visceral for many migrants, but the amount of information available to potential adversaries is greater than many Americans could fathom.

As redress for the data breach, ICE released 2,900 of the detainees from custody, while another 2,200 still wait to have their cases reviewed. However, ICE had already deported 100 affected migrants before rectifying the leak. ICE’s actions have not extended beyond releasing and notifying affected migrants, putting thousands of families in the U.S. and in their former countries in danger. 

ICE’s wrongdoings do not exist in isolation. ICE’s disregard for migrants’ privacy and personal data perpetuates the same systems that have enabled its indifference towards immigrants’ sexual autonomy and right to healthcare. ICE denies detained migrants access to adequate healthcare, investigates less than one percent of sexual assault complaints, and often refuses migrants access to their personal documents. These issues compound quickly and are symptoms of ICE’s core system of dehumanization as a means of alienating migrants. Therefore, this most recent leak cannot be treated as cannot be treated as a unique issue, but a reflection of the DHS’ failures in U.S. data privacy and immigration policy. 

Furthermore, ICE’s failures in data privacy intersect current geopolitical tensions and ultimately put innocent people at risk disproportionately based on their nationality. For example, while the American Immigration Lawyers Association has lauded ICE for implementing “a robust response to incidents,” it has not fulfilled its release of those affected equitably. In fact, ten affected Cuban nationals remain in ICE’s custody where they wait to undergo custody redeterminations. While 90 affected Cuban nationals were released, these ten are yet to learn whether they will remain in detention even after having direct PIIs leaked. More clearly defined data privacy policy would galvanize the protection of migrants’ sensitive personal data. As it stands, however, such comprehensive policy is dawdling in legislation.

Prohibiting companies that facilitate data collection from partnering with ICE would reduce ICE's data collection capabilities. While ICE cannot rectify the immediate damage they have caused to these families, the immigrant rights movement requires proactive measures to avoid similar situations in the future. The New York State Senate is currently deliberating the “Dignity Not Detention Act,” which would require government entities to terminate existing contracts which involve immigrants in detention facilities and prohibit the creation of new contracts. However, even if similar policies were to be enacted in border states, ICE has ensured its data collection and privatization is controlled in-house. With in-house data collection, hopes of accountability are squashed, as there are no external sources of accountability.

Namely, while ICE is known for maintaining contracts with private prisons and Service Processing Centers, the agency’s collected data is overseen by its Office of Information Governance (OIGP). The OIGP claims to “address strategic issues that affect [its] ability to collect, analyze, produce, and disseminate information relevant to the ICE mission.” The ICE Data Strategy report, released in December 2020, argues that stakeholders will set the OIGP’s priorities by “establishing an open and collaborative forum via the Data Governance Board,” as well as instituting “enduring relationships between data and information providers and consumers.” As this incident has proven, however, the principles of collaboration and openness only serve the aims of law enforcement and the DHS. This may not be surprising, considering ICE’s track record in civil liberties, but it is worth noting the dissonance between ICE's claim over its stakeholders and its inaction. Though ICE publicly stated that it “took swift action to immediately rectify the error” and is “taking all corrective actions necessary,” there has yet to be a comprehensive solution that prevents a similar breach from occurring in the future, or a system of checks and balances to hold ICE accountable.

Currently, there is no federal law governing data privacy in the U.S. The American Data Privacy Protection Act (ADPPA), the most promising bill introduced in Congress, makes no mention of immigrants and noncitizens as a protected class despite the increased risks they face. Migrants are often fleeing from harmful situations in addition to holding weaker ties to their community. These factors especially make them vulnerable to the consequences of a data leak. Similarly to other bills introduced on the federal and state levels, the ADPPA is more concerned with consumer’s rights as they pertain to private corporations. Accountability for government agencies, then, is lacking in both legislation and internal policies.The federal government has not adopted the sense of urgency necessary to protect vulnerable communities throughout the U.S. from the vulnerabilities caused by weak data privacy policy.
To expect ICE to comply with its objective of protecting privacy and civil liberties is to expect a broken system to heal itself. As long as ICE holds the power it currently does, there must be a better system of policies to hold it accountable. The realm of data privacy has remained underdeveloped and unexplored by an aging government. With a budget of 8.5 billion dollars, the only incentive our government has to understand the power of data is a financial one. While fighting against the monolith that is ICE may appear bleak, it is still necessary for Americans to understand the long-term consequences that technological dehumanization will have in the struggle for immigration rights.

Faiza Chowdhury is a Staff Writer for Columbia Political Review. She is a sophomore in Columbia College studying Urban Studies and Economics, and she is a proud New Jerseyan.