Full Report
ICE has used Mobile Fortify to identify immigrants and citizens alike over 100,000 times, by one estimate. It wasn't built to work like that—and only got approved after DHS abandoned its own privacy rules.
Analysis Summary
# Main Topic
Misuse and questionable approval of the DHS face-recognition application, Mobile Fortify, by U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP), resulting in over 100,000 identity verification attempts on immigrants and citizens alike, despite the tool not being designed for such functionality and being approved after DHS abandoned internal privacy rules.
## Key Points
- The face-recognition application, Mobile Fortify, has been used by ICE agents over 100,000 times to "determine or verify" identities.
- The tool was reportedly not built to function reliably for street-level identification in the manner it is being used.
- The deployment of Mobile Fortify occurred after the Department of Homeland Security (DHS) abandoned its own privacy rules concerning such technology rollouts.
- Deployment began in the spring of 2025 by DHS agents across the US.
## Threat Actors
- **Primary User/Operator:** U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP).
- **Contextual Actor:** Department of Homeland Security (DHS) for approving/overseeing the deployment.
## TTPs
- **Technology Exploitation:** Utilization of the Mobile Fortify application for identity verification/determination in field operations.
- **Regulatory Circumvention:** Deployment of identity verification technology without historical privacy scrutiny, following the abandonment of internal privacy rules by DHS.
- **Mass Querying:** Application used to query individuals, resulting in over 100,000 identity checks on both immigrants and citizens.
## Affected Systems
- **Application:** Mobile Fortify (a face-recognition app).
- **Users/Victims:** Immigrants and U.S. citizens encountered by federal immigration agents during stops or detentions.
- **Operating Environment:** Mobile devices used by ICE/CBP agents in towns and cities across the US.
## Mitigations
- **Policy Remediation:** Reinstating and enforcing stringent privacy rules that historically governed the rollout of identity-impacting technologies within DHS.
- **Deployment Review:** Immediate halt and detailed technical review of Mobile Fortify use cases, given it was not designed for its current application scope.
- **Usage Auditing:** Implementing strict auditing to ensure the application is only used for its intended purpose, preventing scope creep against the civilian population.
## Conclusion
The use of Mobile Fortify by ICE and CBP represents a significant surveillance and privacy risk. The application is being used far beyond its intended design (over 100,000 verifications on the general public) and was approved under relaxed policy conditions that waived prior privacy safeguards. Stakeholders must demand greater accountability and technical rigor regarding the deployment and scope of identity verification tools used by federal law enforcement against the domestic population.