Sep 12, 2025
Updated 10:17 am PT

The U.S. Immigration and Customs Enforcement (ICE) headquarters on April 14, 2025, in Washington, D.C. (Pete Kiehart/The Washington Post via Getty Images)
The Biden administration put ICE’s original contract with Paragon — reported to be worth $2 million according to The Guardian — under review, to make sure the partnership complied with an executive order that essentially prevents government agencies from using spyware that infringes on “forms of human rights abuses or suppression of civil liberties.”
The Trump administration lifted that pause, in a move that the Electronic Frontier Foundation’s Cooper Quintin described as “extremely troubling” — citing research that found that the hacking software was used in Italy to spy on journalists and humanitarian workers.
ICE’s access to the software — and to San Francisco’s license plate data — comes at a time when the agency’s budget has expanded significantly, as part of the Trump administration’s immigration enforcement agenda. KQED spoke to Quintin and other Bay Area technologists focused on public privacy about what people, especially immigrants, should know about the access ICE potentially has to your data.
What are the digital tools ICE is using?
As you might expect, your online activity generates multiple sources of information that immigration officials can use, like social media accounts, which the Trump administration now requires that people seeking a U.S. visa make public.
But not all of the data ICE uses is collected through your phone.
Those license plate readers can track your movements
Cities around the Bay Area, including San Francisco and San José, have installed numerous automated license plate readers: devices that are placed at traffic intersections, which take pictures of every passing car.
For example, “every single entrance and exit in the city of Piedmont” has an automated license plate reader, said Sam Smith, a Bay Area co-founder of Convocation Research and Design, a think-tank that focuses on cybersecurity and human rights. This means, Smith said, that “no one can come or go in a car in Piedmont without it being logged.”
A Flock Safety worker holds up a new Automated License Plate Reader that was being installed in East San José on Tuesday, April 23, 2024. (Joseph Geha/KQED)
Afterwards, the license plate numbers are run against a database of reported stolen vehicles or vehicles linked to suspected crimes. But using a license plate reader is also a simple way to establish someone’s patterns, like where they live, where they go to work and where they like to eat, Quintin said. This could make it easier to predict where someone will be at a certain time of the day.
Flock, a major license plate reader software used in local government, does not have a formal contract with ICE. However, a May investigation by tech outlet 404 Media found instances where local law enforcement in places like Illinois had looked up individuals in the company’s automated license plate reader system — to then pass on to ICE.
Despite California law barring local law enforcement from cooperating with ICE investigations except in cases of serious crimes, CalMatters reported that local authorities in Southern California shared license plate information with ICE more than 100 times. According to the SF Standard, San Francisco officers have allowed out-of-state law enforcement to run more than 1.6 million searches of the city’s license plate reader database — and at least 19 of those searches were related to ICE.
Flock disabled their national search tool, with the CEO Garrett Langley noting that “Some states, like California, do not allow any sharing across state borders,” and that for those states, Flock has disabled National Lookup “to make compliance easier.” The company is also currently facing scrutiny from Illinois’ state attorney general and has paused its cooperation with federal agencies.
Partnerships with federal agencies that already hold your data
In March, the Trump administration took steps to remove what it calls “unnecessary barriers” to inter-agency data sharing and expand the use of Palantir, a data analysis technology company, across the government.
In May, an agreement between the Internal Revenue Service and ICE was officialized, allowing immigration officials to receive sensitive information like names, addresses and tax data that can aid deportation efforts. Advocates like the National Immigration Forum called the agreement “unprecedented” and said that it threatened the IRS’s “longstanding commitment to taxpayer privacy.”
“What we are seeing is a huge increase of different federal agencies willfully sharing data, even when they’re not supposed to,” Quintin said. “Even if you personally are not concerned about ICE, I think it should be concerning to anybody. This is going to be used to further dragnet surveillance.”
KQED has several explainers sharing guidance for undocumented immigrants and mixed-status students filling out government forms like tax filings and student loan applications. Experts have stressed that people should always consult with an attorney who is familiar with their situation and immigration status before applying or filing for anything.
Data brokers who collect and sell your personal details
Data brokers collect your data, sell it and even create an individual profile of you that includes information that comes from public records, like marriage licenses, home purchases, even travelers’ domestic flight records.
Turner Willman’s digital security workshop demonstrates how even interacting with a weather app can lead to your information being stored with Venntel, a company that sold data to U.S. government agencies for immigration enforcement during the first Trump administration. (In 2024, Venntel was under investigation by the Federal Trade Commission under President Joe Biden.)
Under current U.S. privacy laws, people’s sensitive data, such as marriage licenses, home purchases and even travelers’ domestic flight records, are not as protected as one might think. (traffic_analyzer/Getty Images)
“[ICE has] contracts with data brokers and with tech companies to gain access to our personal data,” Willman said. “Some of that is more obvious stuff, like our contact info, our addresses. But it’s also our social media accounts and our online activity. It’s our location data that’s coming from our cell phones.”
“Typically, we’re supposed to have constitutional protections around our privacy. There are legal steps to gain access to us, to search us, to surveil us,” Willman said. But through what they call the U.S.’s “unregulated and weak” data privacy laws, “we don’t have those same kind of protections,” Willman said.
Facial recognition software that can recognize and track you
Facial recognition software, which often scrapes information from public sources like social media accounts, is also a commonly used tool by local law enforcement to identify possible suspects. Software like Clearview AI is used by hundreds of police departments across the country, like the El Cerrito Police Department in Contra Costa County. Clearview AI is expected to engage in a deeper collaboration with ICE in the future.
Advocates have long expressed concerns about the use of facial recognition by law enforcement, citing privacy concerns and the documented inaccuracies this technology generates when identifying people with darker skin and women.
California has more robust legal protections around this technology than other states. Police officers in the state are prohibited from pairing footage from their body cameras with facial recognition technology, and cities like San Francisco, Oakland and Berkeley have also banned the use of facial recognition technology by city agencies. San Francisco’s police department has nonetheless attempted to circumvent the ban, according to an investigation by The Washington Post.
404 Media has also reported that ICE is using a mobile app called Mobile Fortify, which can identify someone by pointing a camera at their face — similar to the type of technology used at airports and borders.
“That’s very dangerous for people who are maybe out in the street or bystanders to ICE kidnappings,” Willman said.
So what steps can you take for better privacy?
Willman admits that even digital security experts like them are overwhelmed by news like ICE’s partnership with the IRS.
It’s why it’s important to focus on guidance that can feel achievable and within someone’s grasp, Willman said — while acknowledging that “there’s no such thing as being 100% secure or safe.” Rather, “when we use digital security, we are reducing harm and risk,” they said.
The Facebook and WhatsApp applications’ icons. Facebook purchased WhatsApp in 2014. (Gabriel Bouys/AFP/Getty Images)
Start with small steps
One example Willman gave: People could move their conversations from WhatsApp — a messaging platform that “is very popular in diasporic communities and immigrant communities,” but may be vulnerable to spyware — to Signal, “which has a much better track record and collects way, way less data on us.”
It’s also worth noting that each person’s situation is different — and avoiding technology is almost impossible for daily life, Quintin said.
At Willman’s workshop, attendees are asked to pose a series of questions to themselves to assess their own risks and figure out how best to proceed with their own digital hygiene practices:
- “What or who do I want to protect?”
- “Who do I want to protect it from? Who are my adversaries?”
- “How motivated and capable are they to get it?”
- “What happens if they do get it?”
- “What am I willing to do to prevent that?”
Consider removing your information from data brokers
CalMatters has a guide on deleting your information from data broker websites or “opting out.”
A data broker’s opt-out link tends to be at the bottom of the page, and the process can look something like filling out a form or emailing the company.
It may be hard to even find this opt-out information, though, and many data brokers are facing criticism from elected officials for hiding their opt-out pages from Google search to purposely make it harder for users to find them.
In this 2016 photo, a man holds up his iPhone during a rally in support of data privacy outside the Apple store in San Francisco. (Eric Risberg/AP)
You can also use a third-party app such as Permission Slip to help you or paid services like DeleteMe or EasyOptOuts.
While opting out can also be a lengthy process, the broker must respond within 90 days according to California law.
For preventive measures, both Quintin and Willman said you should visit your phone’s settings to see which apps you’re already allowing to access your data, under “Permissions.”
Quintin said that it can also be helpful to outright minimize the number of apps on your phone, including restaurant apps. “Deleting a lot of those will help reduce your attack surface,” he said.
The California Consumer Privacy Act will allow you to request a report of all your data that any company has and delete it, Quintin said.
“I definitely recommend that people exercise their California consumer privacy rights,” he said.
Keep your phone’s software up to date
In the EFF statement regarding Paragon, Quintin states that the company’s spyware “isn’t magical — it’s still just malware.”
