Built to combat terrorism, fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under city laws limiting local police cooperation with ICE.
# Incident Report: Data Sharing Undermining Sanctuary City Protections via Fusion Centers
## Executive Summary
This report details how US Immigration and Customs Enforcement (ICE) leverages federally established "fusion centers"—originally designed for counterterrorism—to bypass local sanctuary city laws restricting cooperation with federal immigration authorities. The operation relies on extensive data sharing pipelines accessing sensitive local records, effectively creating a persistent data access channel for ICE regardless of local protections.
## Incident Details
- Discovery Date: November 19, 2024 (Date of public reporting on the mechanism)
- Incident Date: Ongoing (Mechanism has been in place for years post-9/11)
- Affected Organization: Fusion Centers, Local Law Enforcement Agencies in Sanctuary Cities, US ICE/DHS
- Sector: Government/Law Enforcement/Immigration Enforcement
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Post-September 11, 2001 (Establishment of Fusion Centers)
- Vector: Institutional mechanism (Fusion Centers)
- Details: Fusion centers were created as counterterrorism initiatives to integrate federal, state, and local intelligence, providing a central point for data aggregation.
### Lateral Movement
- N/A (This is a data access/information sharing issue, not a traditional network intrusion; the "movement" is data flow through established legal/administrative channels)
- Details: ICE agents routinely lean on fusion centers to obtain data elements such as suspect photos, license plate location data, and other records aggregated from local sources (utility records, DMV, schools).
### Data Exfiltration/Impact
- Details: Access to data protected by sanctuary policies, facilitating immigration enforcement actions potentially leading to deportations against the intent of sanctuary city legislation.
### Detection & Response
- Date/Time: Research published by the Surveillance Technology Oversight Project (STOP) revealed the mechanism.
- Response Actions: Research highlighted the systemic bypass of local laws, prompting calls for transparency and scrutiny of fusion center operations by pro-privacy groups. ICE was contacted for comment but did not immediately respond.
## Attack Methodology
- Initial Access: Institutional collaboration facilitated by the structure of Fusion Centers (DHS-run).
- Persistence: The long-standing operational framework of Fusion Centers ensures persistent access to integrated data streams.
- Privilege Escalation: Bypassing local policy restrictions (sanctuary laws) by utilizing federal oversight inherent in the fusion center model.
- Defense Evasion: The cooperation occurs outside the visible investigative pipelines typically scrutinized under sanctuary policies, leveraging a system intended for counterterrorism.
- Credential Access: Not applicable (Data access via authorized system integration).
- Discovery: Utilizing local data sources (DMV, schools, utility records) aggregated within the fusion centers.
- Lateral Movement: Data flow from local agencies, through fusion centers, to ICE.
- Collection: Gathering data points like photos and license plate location data.
- Exfiltration: Secure data transfer channels established within the inter-agency framework.
- Impact: Circumvention of local governance regarding immigration cooperation.
## Impact Assessment
- Financial: $400 million spent by fusion centers in 2021 (operating costs cited, not direct breach costs).
- Data Breach: Sensitive personal data (photos, location data, utility/school records) accessible to ICE, potentially leading to enforcement actions.
- Operational: Undermining the legislative intent and authority of "sanctuary cities."
- Reputational: Increased scrutiny on federal/local data sharing mechanisms; questioning the effectiveness of privacy policies versus federal mandates.
## Indicators of Compromise
- Network indicators: No specific fusion center IPs or URLs are listed (URLs are defanged).
- File indicators: N/A
- Behavioral indicators: Routine requests made by ICE to fusion centers for aggregated data records (e.g., license plate scans, utility data).
## Response Actions
- Containment measures: Not detailed (As this is a systemic policy/oversight issue, immediate technical containment is complex).
- Eradication steps: Not detailed.
- Recovery actions: Not detailed (Emphasis is on future oversight and policy adjustments).
## Lessons Learned
- Fusion centers, while ostensibly for counterterrorism, have matured into broad data-sharing hubs that can be repurposed by federal agencies to circumvent local jurisdictional restrictions.
- Cooperation with federal agencies can be highly "profitable" for local entities, leading to voluntary information sharing that faces less public scrutiny when hidden behind counterterrorism initiatives.
- The effectiveness of sanctuary city policies is significantly diminished when data access bypasses local police cooperation requirements via centralized federal/state hubs.
## Recommendations
- Mandate stringent auditing of data requests made by ICE to fusion centers to ensure compliance with local sanctuary laws.
- Increase transparency regarding the types of data shared through fusion centers, especially data sourced from non-criminal local entities (schools, utilities).
- Review the counterterrorism mandate of fusion centers to ensure funds are not diverted to substantially support routine immigration enforcement activities.