The document justifying Immigration and Customs Enforcement’s (ICE) use of Customs and Border Protection’s (CBP) Mobile Fortify app is just strong enough to move fast, but not nearly strong enough to withstand sustained congressional or judicial scrutiny once its internal contradictions are forced into the open.
Mobile Fortify is a smartphone application that was developed by CBP but has been made available to ICE agents operating in the field. CBP is supporting ICE as a technical service provider, according to the Department of Homeland Security (DHS).
At the center of the issue is the joint ICE/CBP Mobile Fortify Privacy Threshold Analysis (PTA), a required first step review used by DHS to determine whether a new system that collects personal data triggers deeper legal obligations, in particular a full Privacy Impact Assessment (PIA) and a public System of Records Notice (SORN) as required by the U.S. Privacy Act of 1974 as amended.
In the case of Mobile Fortify, the PTA quietly acknowledges that the app allows ICE agents to capture facial images and contactless fingerprints of people encountered in the field, attach geolocation data to those encounters, and store the resulting biometric records for up to fifteen years, even when no match is found and even when the individual is a U.S. citizen.
Yet, the same document is also being used to justify ICE’s apparent decision not to publish a standalone PIA for the app, and not to issue a new SORN explaining how those biometric records are created, retained, shared, or challenged as federal law requires.
This despite the PTA stating that “the CBP and ICE Privacy Officers find that the Mobile Fortify Application is privacy sensitive and requires a Privacy Impact Assessment and a System of Records Notice.”
Ordinarily, that kind of mismatch would draw scrutiny from the Privacy and Civil Liberties Oversight Board (PCLOB), the independent watchdog Congress created after 9/11 to examine national security and law enforcement programs that implicate constitutional rights.
But under President Trump’s second term, the PCLOB has been virtually incapacitated, its membership hollowed out, its authority undermined, and its ability to conduct sustained oversight sharply curtailed.
The result is a regulatory vacuum in which programs like Mobile Fortify can advance on the strength of minimal justification without facing the probing review that the federal privacy framework was designed to ensure.
That gap between what the Privacy Threshold Analysis admits about Mobile Fortify’s real world operation and what ICE claims about its legal and privacy compliance is now the central fault line.
If the app were challenged in court or subjected to a serious review by the DHS Inspector General, Government Accountability Office (GAO), or a reconstituted PCLOB, the discrepancy would be difficult to reconcile.
That contradiction is sharpened by DHS’s own internal rules governing mobile surveillance tools. The Privacy Policy for DHS Mobile Applications referenced by the PTA makes clear that a PTA is not meant to serve as final authorization, but as an initial screening step to determine whether deeper privacy compliance is required.
Under that policy, mobile apps that collect sensitive personally identifiable information including biometric identifiers and geolocation data are expected to trigger a full Privacy Impact Assessment public notice under the Privacy Act, and ongoing privacy compliance reviews.
The policy also requires notice at the point of collection and transparency about how data is used, retained, and shared. In the case of Mobile Fortify, the PTA acknowledges the collection of facial images, fingerprints, and location data without notice or consent, yet is still being treated as sufficient to deploy and expand the app, placing ICE’s practice in direct tension with DHS’s own written privacy framework.
According to the PTA that was completed in February, the app allows agents to photograph individuals encountered during enforcement operations and to conduct facial recognition searches against CBP’s Traveler Verification Service.
If no facial match is returned, agents can capture contactless fingerprints using the phone’s camera, which are then searched against DHS’s Automated Biometric Identification System maintained by the Office of Biometric Identity Management.
The app collects new biometric data, tags that data with geolocation metadata, and returns biographic information that can include a person’s name, date of birth, Alien Registration Number, possible overstay status, possible citizenship status, and family relationships.
The PTA makes clear that this is not a consent-based system. “ICE does not provide the opportunity for individuals to decline or consent to the collection and use of biometric data/photograph collection,” the PTA states. Additionally, no Privacy Act Statement or notice is given at the time photographs or fingerprints are taken.
Every encounter – regardless of whether a match is found – is treated as a record and stored in the Automated Targeting System for fifteen years, a retention period more commonly associated with border crossing records than with domestic street encounters.
Despite these admissions, ICE has not published a standalone PIA for Mobile Fortify. Instead, the agency has pointed to the May 2019 Privacy Impact Assessment for the Enforcement Integrated Database (EID) as the privacy documentation that purportedly covers the app. The problem is that EID was never designed to govern the kind of activity Mobile Fortify now enables.
The EID PIA covers systems and data used in ICE enforcement and removal operations and addresses biometrics only for individuals already known to ICE, not random individuals encountered in the field via a mobile face recognition tool. Its biometric discussion is framed around identity verification within those preexisting workflows.
Mobile Fortify, on the other hand, is built to generate new encounters in the field by scanning people whose identities may be entirely unknown to ICE at the time their biometrics are captured. That distinction is not academic; the law requires a separate PIA and SORN.
Under the Privacy Act, a system of records exists when an agency maintains information about individuals that is retrieved by a personal identifier and used to make determinations about them. Mobile Fortify does exactly that.
The PTA confirms that the app creates new biometric records, associates them with geolocation data, stores them for years, and uses them to populate identity profiles that can drive enforcement decisions. Calling this merely an extension of EID stretches the concept of “coverage” past recognition.
The document itself reflects that strain. While the PTA states that Mobile Fortify “does not retain records on the app itself,” it immediately clarifies that CBP saves every photograph and fingerprint in backend systems for fifteen years.
From a legal standpoint, where the data is stored is irrelevant. What matters is that new records are created, retained, and retrievable by identifiers such as facial images, fingerprints, names, or A-numbers. That is the very scenario the Privacy Act’s notice and transparency requirements were designed to address.
The authority cited for this collection – the Immigration and Nationality Act and the Illegal Immigration Reform and Immigrant Responsibility Act – also sits uneasily with the technology that is being deployed.
Those statutes authorize immigration enforcement and identity verification, but they predate mobile facial recognition, contactless fingerprinting, and real-time biometric searches against databases containing hundreds of millions of images.
Nothing in the PTA though suggests that Congress contemplated warrantless biometric scanning of people on U.S. streets, including citizens, as a default investigative technique. Yet the document acknowledges that U.S. citizens and lawful permanent residents may be scanned, that no opt-out exists, and that the resulting data will be retained alongside records of noncitizens.
The operational context only heightens the stakes. The PTA explicitly links Mobile Fortify to President Trump’s January 20, 2025, executive order on immigration enforcement, framing the app as part of a broader “Fortify the Border” effort to identify removable individuals inside the United States.
In practice, reporting has already documented ICE agents using the app during street encounters, sometimes treating a biometric match as definitive even when individuals present documentary proof of citizenship.
Those incidents underscore how quickly a mobile identity tool can become a determinative enforcement mechanism rather than a supplemental check.
What makes Mobile Fortify especially vulnerable to scrutiny is that the PTA itself provides much of the evidence critics would need. It confirms that sensitive biometric and location data are collected without notice, that records are retained for extended periods, and that the app operates across multiple backend systems originally built for border screening and targeted enforcement.
At the same time, the agency maintains that no new system of records exists and that no standalone PIA or SORN is required. That mismatch between the app’s acknowledged capabilities and the narrow compliance framework ICE relies upon is where serious oversight would inevitably focus.
A GAO review would likely ask why a tool that creates long-lived biometric records of people encountered in public does not trigger new Privacy Act obligations. A PCLOB inquiry would examine how a system built on border authorities migrated into domestic policing without clear guardrails, notice, or consent.
A federal court, faced with a wrongful detention or Fourth Amendment challenge, would scrutinize whether statutory immigration authorities can reasonably be read to authorize suspicionless biometric scanning and long-term data retention.
For now, Mobile Fortify continues to operate in that gray space, propelled by justifications that are procedurally sufficient to deploy but substantively thin.
The PTA reads less like a comprehensive privacy analysis than a document drafted to clear an internal hurdle as quickly as possible. It acknowledges the risks in plain language but stops short of grappling with their legal consequences.
Once the mismatch is forced into the open by litigation, congressional inquiry, or an independent oversight body, the same admissions that allowed the app to move fast could become the evidence that stops it.
Article Topics
biometric matching | biometrics | CBP | DHS | facial recognition | ICE | live facial recognition | mobile app | Mobile Fortify | real-time biometrics