From a national security perspective, few questions are more consequential than how much power a state may exercise over its own citizens without judicial oversight. A formal letter signed by 70 US lawmakers, sent on 3 March to the Department of Homeland Security's inspector general, has put that question front and centre again, this time over the conduct of US Immigration and Customs Enforcement and its expanding appetite for commercial location data.
The lawmakers, led by Senator Ron Wyden of Oregon, are asking the inspector general to determine whether ICE and other DHS components have been illegally purchasing the phone location data of Americans without first obtaining court warrants. The request follows a pattern that should concern anyone who values institutional accountability: DHS was already found to have broken the rules once, promised to stop, and then quietly resumed the same practice.
According to The Register's reporting, an earlier inspector general probe established that ICE, Customs and Border Protection, and the Secret Service had all illegally purchased people's location data, and that programme was wound back in 2023. The same inquiry documented serious internal lapses: employees sharing accounts and passwords for phone-tracking databases, supervisors failing to request or review audit logs, and at least one instance of a DHS employee using the data to monitor colleagues. The inspector general recommended a DHS-wide policy to govern the use of commercial location data. That policy was never issued.
Into that regulatory vacuum stepped PenLink. In September 2025, DHS awarded a $2.3 million no-bid contract to the Nebraska-based surveillance company, giving ICE access to its location-tracking tool, Webloc. The lawmakers argue Webloc can be used to obtain and analyse the location data of individuals without a court warrant. Webloc gathers the locations of millions of phones by pulling data from mobile data brokers and linking it with other information about users. The Electronic Frontier Foundation has reported that ICE has spent at least $5 million to acquire Webloc and a companion social media surveillance tool called Tangles, both from PenLink.
The corporate history of PenLink adds a further layer of complexity. In July 2023, PenLink merged with Israeli surveillance contractor Cobwebs Technologies, when the latter was acquired for $200 million by private equity firm Spire Capital, which also owns PenLink. That matters because Cobwebs carries its own baggage: in December 2021, Meta removed the company from its platforms after linking it to surveillance-for-hire campaigns. Meta had identified Cobwebs as one of seven companies participating in an online surveillance-for-hire ecosystem and removed 200 accounts operated by Cobwebs and its customers. Meta's investigators found that Cobwebs customers were not solely focused on public safety activities, with frequent targeting of activists, opposition politicians, and government officials in Hong Kong and Mexico observed.
The obstruction of congressional oversight has sharpened the lawmakers' frustration. Their letter states that ICE is "stonewalling" efforts to scrutinise the PenLink contract. Wyden's office requested a briefing with ICE on the contract; a meeting was scheduled for 10 February, and the agency cancelled it the day before with no explanation and no offer to reschedule. DHS did not respond to requests for comment from The Register.
It is worth pausing to consider the genuine arguments on the other side. Law enforcement agencies make a defensible case that commercial data, already collected by private companies and sold on open markets, is not subject to the same constitutional protections as a government wiretap. A PenLink spokesperson told 404 Media that its tools "exclusively use publicly or commercially available data" and are used to advance criminal investigations and save lives, and that the company "operates under strict compliance, due diligence, and responsible-use standards." The ACLU's Nathan Freed Wessler has conceded that the legal framework governing the sale of mobile location data to third parties remains, as he put it, "a whole kind of core of issues that the law just hasn't caught up to." That is an honest assessment, and it cuts both ways.
Even so, the procurement record gives legitimate cause for concern that goes beyond ideology. An ICE document justifying the no-bid contract described PenLink as the only company capable of compiling, processing, and validating "billions of daily location signals from hundreds of millions of mobile devices." Lawmakers have warned that location data can reveal intimate details of a person's life, including where they live, work, worship, and seek medical care, and that DHS could use these tools to identify individuals for targeting based solely on their presence in certain locations, without a warrant or probable cause, and regardless of their citizenship or residency status.
The strategic implications of this debate extend well beyond US borders. Australia's own intelligence and law enforcement agencies operate within an allied framework that shares technology, legal interpretations, and, increasingly, data. The Five Eyes alliance creates real pathways for surveillance practices developed in Washington to influence what becomes acceptable in Canberra. If the legal threshold for warrantless location tracking shifts downward in the United States, pressure will follow in allied jurisdictions to align or, at minimum, to avoid friction with American partners.
The core tension here is not easily resolved. Effective immigration enforcement and serious criminal investigation do require timely access to information, and the pace of technological change has outrun the legal frameworks designed to govern it. Those are genuine constraints, not excuses. But the record in this case shows a pattern: rules were broken, a remedial policy was recommended, the policy was never enacted, and the same practice resumed at greater scale with a no-bid contract to a company whose prior conduct had been flagged by one of the world's largest technology platforms. Reasonable people can debate where exactly to draw the line between operational necessity and civil liberty. What is harder to defend is the refusal to draw any line at all.