IRS Hasn't Abused Cell Phone Tracking Data, TIGTA Says

February 18, 2021

The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, DC 20510

The Honorable Elizabeth Warren
United States Senate
309 Hart Senate Office Building
Washington, DC 20510

Dear Senator Wyden and Senator Warren:

This letter is in response to your September 24, 2020, correspondence to the Treasury Inspector General for Tax Administration (TIGTA) regarding concerns about the Internal Revenue Service (IRS) Criminal Investigation's (CI) use of a database provided by a contractor named Venntel. You requested TIGTA review CI's use of commercial databases containing peoples' location information, including but not limited to information from Venntel, and examine the legal analysis that IRS lawyers performed to authorize this practice with respect to Carpenter v. United States.¹ The Carpenter decision issued in June 2018 holds that the Government must generally obtain a search warrant supported by probable cause before acquiring cell-site location information (CSLI) from a wireless carrier.

We reviewed CI's purchase and use of the Venntel web-based subscription license of location information from cell phone users. According to the purchase order, the subscription was for one year from September 9, 2017, through September 8, 2018, at the cost of $19,872. CI stated that the single-user license subscription was used exclusively by a single field office in the Cyber Crimes Unit, and Venntel was only utilized on a few specific occasions and did not produce effective results. According to CI, the last use of this database was in March 2018; however, the IRS did not track the subscription usage or maintain an access log.

Furthermore, we requested and obtained the two case files for which CI identified that its special agents used the Venntel subscription service. Our review of the CI-provided documents (which included case summaries, memoranda of interviews, communications with subjects, Currency Transaction Reports, Suspicious Activity Reports, and other information) from the two case files found no mention of the use of cell phone tracking data. Based on our review of case actions and results, we concluded that the web-based subscription access to cell phone location information did not produce useful results and was not used as a significant tool in those two investigations. Our discussion of the cases with CI officials confirmed this conclusion.

Our effort also included a review of other web-based subscription services used by CI. CI provided us a listing of nineteen web-based subscriptions or products used for open source intelligence.² We researched each subscription and reviewed the associated purchase contract, if applicable. We found the subscriptions include a wide range of tools and some potentially include cell phone location data access as part of their offered services. We specifically identified eight web-based subscription contracts that CI has in place that, based on the broad use of contract terms, could theoretically cover cell phone data, although none of these contracts explicitly indicates that CI was contracting for cell phone data. This type of web-based subscription information is being marketed increasingly to both private and government entities for location tracking. However, CI officials clearly stated during our review that they are not currently using any web-based subscription services/tools similar to Venntel and have no plans at this time for using either Global Positioning Satellite (GPS) or CSLI cell phone data.

Our research indicates that two different kinds of location data can be collected from cell phones: CSLI collected by wireless carriers and GPS data mostly collected by applications (“Apps”) running on cell phones and sold by marketers.³ The GPS cell phone data sold by marketers does not identify the owner of the phone by name or telephone number but rather by an alphanumeric code. The Venntel subscription service used by CI utilized GPS data. In contrast, the CSLI identifies the telephone number of the phone that is being tracked. In the Carpenter decision, the Court noted that while GPS data is more precise than CSLI data in terms of identifying the location of the user of the phone, the CSLI technology is rapidly approaching GPS-level precision.⁴

We requested information on IRS's legal analysis regarding the need for warrants in using the Venntel data. In response, IRS officials provided the following statement:

IRS-CI obtains a search warrant when conducting activity that would be considered a search under the Fourth Amendment. Before Carpenter, it was well-settled Supreme Court precedent that individuals could claim no legitimate expectation of privacy in information that was voluntarily turned over to a third party. With respect to the Venntel product, it is our understanding that the information available had been voluntarily turned over through individual permissions.

As noted in their statement, before the Carpenter decision, CI officials did not view GPS data, such as the information obtained from Venntel, as subject to the warrant requirement under the Fourth Amendment since the information obtained was voluntarily turned over by the phone user through individual permissions. In Carpenter, the Supreme Court rejected the use of CSLI data without a warrant for two reasons. First, the Court found that the information is not truly “voluntarily” shared as that term is commonly used since “[i]n the first place, cell phones and the services they provide are 'such a pervasive and insistent part of daily life' that carrying one is indispensable to participation in modern society.”⁵ Second, the Court found that the CSLI data is generated by virtually any activity on the cell phone (e.g., receiving e-mails and texts) and that short of turning off the cell phone, there is no way to avoid leaving a trail of CSLI. The Carpenter decision did not directly address the use of GPS data, but future courts may apply the same logic to limit the use of GPS data without a warrant.

We asked whether IRS Counsel provided CI with any written opinions or approvals related to the use of cell phone location data and were told that no such written opinions were given. We also requested the IRS's position on the impact that Carpenter has on IRS's use of commercial databases without a warrant. IRS officials stated the following:

Carpenter v. U.S. was decided in June 2018. The last known attempt to use the Venntel product was March 2018, before the Supreme Court decision. Nevertheless, it is our understanding that the Carpenter decision concerned historical Cell Site Location Information which is distinct from the opt-in app data available on the Venntel platform.

The above statement sets out CI's position that data obtained from marketers of information like Venntel is not subject to a warrant because the data is collected by Apps loaded on cell phones to which the phone users voluntarily granted access. Our concern is that the Supreme Court rejected the Government's argument in Carpenter that CSLI is truly voluntarily provided to the phone carriers. The Court's rationale was that phone users do not truly voluntarily agree to share the information given the necessity of phones in our society. Courts may apply similar logic to GPS data sold by marketers, particularly if the Government identifies ways to translate the alphanumeric code to identify the phone's owner or has other means of identifying the phone's owner.

We shared this concern with CI and recommended to the IRS a periodic review of CI's use of all types of cell phone information by the IRS's Office of Chief Counsel. CI indicated that it is no longer using any cell phone-related data from any vendor because the data proved not to be useful in investigations. Further, CI indicated that under its previous procedures, it used local Area Counsel to evaluate legal issues such as the Fourth Amendment's requirement to obtain warrants for the search and seizure of information. CI now has changed its approach and has incorporated a national office review by Criminal Tax Counsel (who reports to the Office of Chief Counsel) to review whether new investigative tools (including cell phone-related data, if CI should ever resume vendor contracts for such data) require a warrant.

In conclusion, we found no evidence that the cell phone tracking data capability was widely used. In the two cases where the technology was used, it was determined to be ineffective, and the technology did not play a material role in the cases. According to CI officials, they no longer use cell phone data from vender contracts; however, if CI should in the future resume the use of such data, CI will utilize its national office Criminal Tax Counsel to assess whether a warrant is required before obtaining the information.

If you have any questions or require further information regarding this matter, please do not hesitate to call me at (202) 622-6500, or have a member of your staff contact Michael McKenney, Deputy Inspector General of Audit, at (202) 622-6510.

Sincerely,

J. Russell George
Inspector General