HN Debrief

ICE Appears to Be Buying Immigrants' Tax Identifiers from a Data Broker

  • Privacy
  • Security
  • Regulation
  • Economics

The article argues that ICE appears to be purchasing immigrants’ tax identifiers from a data broker, specifically ITINs, which are used by people who need to file taxes but are not eligible for a Social Security number. That lands in a larger pattern people already recognize: governments leaning on commercial surveillance markets to get access to data they would face more friction collecting directly. The strongest reaction was not shock that brokers have this data. It was anger that the state can route around legal and political constraints by buying it.

If your company handles sensitive personal data, assume regulators and law enforcement may eventually try to buy or subpoena adjacent datasets from brokers even when direct access would face legal limits. For policy and risk planning, the important line is no longer only what government can collect itself, but what private intermediaries can collect and resell.

Discussion mood

Strongly negative and cynical. People saw this as a predictable abuse of the data broker ecosystem, a legal workaround for surveillance limits, and a move that could deter tax compliance while enriching private intermediaries.

Key insights

  1. 01

    Tax law already weakens self-incrimination protections

    Tax filing has long carved out an uncomfortable exception to the intuition people have about the Fifth Amendment. You still have to report income tied to illegal conduct, and commenters noted that tax records can become evidence once investigators have an independent basis to reach them. That makes the ITIN story feel less like a novel breach and more like an expansion of an old pressure point where tax compliance and criminal exposure have never been cleanly separated.

    Do not treat tax data as protected by the same social or legal expectations as ordinary confidential paperwork. If you advise vulnerable users or workers, assume tax records can become enforcement infrastructure once linked into other datasets.

      Attribution:
    • SilasX #1
  2. 02

    Undocumented tax revenue creates a perverse dependency

    A key economic point was that the US benefits from a system where undocumented immigrants contribute huge tax revenue while remaining politically and legally exposed. Using ITIN-linked data for deportation or targeting undercuts a pipeline that currently produces labor and tax receipts at the same time. The argument is not just moral. It is that ICE may be damaging a system the broader state quietly relies on.

    Watch for second-order effects when enforcement policy touches data tied to participation in formal systems. If people conclude compliance increases risk, they exit the visible economy and the state loses both revenue and observability.

      Attribution:
    • dkobia #1
  3. 03

    Cellphone location doctrine is the obvious legal template

    The cleanest legal framing borrowed from Carpenter v. United States. The point is that when modern life forces people to generate data held by third parties, the government should not be able to sidestep warrant requirements just because a private company has the records first. Applying that logic beyond cell-site location data would hit the core issue here more directly than piecemeal outrage about one agency or one broker.

    If you work on privacy policy or compliance, track efforts to extend third-party data protections beyond telecom records. The next important battles are about categories of commercially held data, not just specific agencies.

      Attribution:
    • estearum #1
    • wat10000 #1
  4. 04

    Data removal services only touch the shallow layer

    Comments drew a sharp line between people-search sites and the institutional broker stack. Services that send opt-out requests can help with swatting or casual doxxing, and Privacy Guides was cited as a practical starting point, but the dangerous records sit in systems like LexisNexis, credit bureaus, insurance registries, healthcare data brokers, and other hard-to-escape databases. In jurisdictions with GDPR-like rules, persistent manual requests may work better than US users expect, but nobody suggested this is a real fix for the highest-value datasets.

    Set expectations correctly if you offer or buy privacy tooling. Consumer cleanup products can reduce nuisance exposure, but they do not solve institutional data brokerage or government access to those markets.

      Attribution:
    • yabones #1
    • Cider9986 #1 #2
    • pimterry #1

Against the grain

  1. 01

    The identifier itself may be less sensitive

    One commenter pushed back on the instinct that an ITIN is the most alarming part of the story. The sharper concern, in that view, is not the bare identifier but the much richer preference, behavior, and profile data that governments or companies can use to shape treatment, services, or punishment. That does not excuse ITIN sales, but it reframes them as one component in a broader surveillance system rather than the deepest risk by itself.

    When ranking privacy risks, separate identifiers from the datasets they unlock or correlate with. The bigger threat often comes from joined profiles, not from any single field in isolation.

      Attribution:
    • MikePlacid #1
  2. 02

    Broker opt-outs work better outside the US

    Against the fatalism around data removal, one commenter argued that brokers in GDPR-like jurisdictions often do comply when pushed through formal legal channels. The claim was not that you can erase yourself from intelligence agencies or malicious actors. It was that large commercial data holders usually follow the letter of privacy law when customers cite the right statute and keep pressing.

    If you operate internationally, do not assume privacy remediation is equally hopeless everywhere. Jurisdiction materially changes what individuals can get removed and what brokers must honor.

      Attribution:
    • pimterry #1

In plain english

Carpenter v. United States
A 2018 U.S. Supreme Court case that limited warrantless government access to historical cellphone location records held by telecom companies.
cell-site location data
Records generated by mobile phones connecting to cell towers, which can reveal where a person has been over time.
DMV
Department of Motor Vehicles, the state agency that handles driver licenses, vehicle registration, and related records.
Fifth Amendment
Part of the U.S. Constitution that includes protection against being forced to incriminate yourself.
GDPR
General Data Protection Regulation, the European Union privacy law that gives people rights over how organizations collect, use, and delete personal data.
ICE
U.S. Immigration and Customs Enforcement, the federal agency that enforces immigration laws and investigates cross-border crime.
ITIN
Individual Taxpayer Identification Number, a U.S. tax processing number for people who must file taxes but are not eligible for a Social Security number.
LexisNexis
A large commercial data and analytics company that provides background, legal, risk, and identity data to businesses and governments.
Social Security number
A U.S. government-issued personal identification number widely used for taxes, employment, and financial records.

Reference links

Policy and legal reform

Background on undocumented tax payments

Data broker overviews

Privacy removal tools and guides