The Nlets loophole
How states can shut down ICE’s access to DMV data, and what you can do to help
DEAR EXPOSEUR—I want to open with a deep sense of gratitude, not just because it is seasonally appropriate, but because so many of you reached out with your support and good ideas stemming from my previous article. I wanted to provide you with a quick follow-up this week to give an answer to the question I received the most: what can actually be done about this. Fair question. There’s so much that can be done, and finding the right place to start is no doubt daunting. Here’s my recommendation.
The Nlets problem.
On November 12th, Senator Wyden and 38 other members of congress sent a letter to Democratic governors alerting them to something most people (including most elected officials) don’t know. ICE has direct, real-time access to your state’s DMV database. They don’t need to request access or obtain a warrant. They have direct access right now, and they’re using it. By the way, Maryland is one of those states, and I find it concerning that none of our elected representatives co-signed the letter.
This happens through a system called Nlets (now known as the International Justice & Public Safety Network), managed by state police agencies. In the year prior to October 1, 2025, ICE made 292,114 queries for DMV data through Nlets. Homeland Security Investigations made another 605,116 queries. These aren’t requests your state reviews — indeed, these are automated searches that happen without any state oversight.
Forty-one states share drivers’ license photos through this system, which can be analyzed using facial recognition software. ICE agents in the field now use an app called Mobile Fortify that can instantly identify individuals using over 200 million photos. According to press reports, Mobile Fortify can access data from Nlets. ICE’s deputized 287g partners at the state level have similar access to biometric data through Mobile Fortify’s sister app, Mobile Identify.
Whether knowingly or not, our states chose this. Each state decides what data it makes available through Nlets, what queries it permits, and which specific agencies can access its data. And each state can change those decisions.
So what does ICE likely do with this access? Customs and Border Protection just launched a massive $1.9 million contract for access to the tool in FY2026, and DHS spends an additional $264,837 for subscriptions managed at the headquarters level to provide NLETS access across multiple DHS components. That data most likely doesn’t sit in isolation. Driving records, photos, and more can flow from Nlets directly into the surveillance infrastructure I documented in my last post.
Your state’s DMV photos, for instance, could feed Clearview AI’s facial recognition system ($9.2 million in ICE spending), which scrapes photos from social media and other public records to identify individuals across the internet and across states. Your drivers’ license data, including vehicle registration and license plate data, can be cross-referenced in Palantir’s Investigative Case Management platform ($72.9 million), which aggregates information from social media scraping tools (PEN-LINK Cobweb and Tangles, $2 million), skip tracing services ($7 million), commercial data brokers, and forensic device extractions.
According to the American Immigration Council, Palantir’s ImmigrationOS uses AI to pull multi-source information to identify and target people. DMV data would give this system highly accurate identity verification, reliable biographic matching, and current address information that could strengthen targeting across all these platforms. More than that, when combined with the other data sources feeding into these systems, DMV records could help build what intelligence analysts call a “pattern of life” profile: where you go, how frequently, at what times, and with whom — a conglomeration of the kinds of data that turn a mere name and address into a complete picture of someone’s daily routines and social connections.
As I detailed last week, under NSPM-7’s expanded authorities, that ecosystem of data can be used to investigate anyone deemed to hold “extremist” views on migration, race, or gender.
Only four states have blocked ICE’s access to DMV data through Nlets: Illinois, New York, Massachusetts, and Minnesota. Washington state just announced it has done the same. Oregon is working on legislation now.
While many more states have laws or policies that claim to restrict DMV data sharing with immigration authorities, these policies often don’t work because they only apply to DMV employees, not the state police who actually connect to and configure Nlets. Or they might restrict data sharing “for immigration purposes,” but ICE queries don’t indicate their purpose, so there’s no way to trigger the restriction. Or they assume a human reviews each request, when in reality the entire system is automated.
Senator Wyden’s letter makes this clear:
“Because of the technical complexity of Nlets’ system, few state government officials understand how their state is sharing their residents’ data with federal and out-of-state agencies. Critically, it seems apparent that elected officials accountable to voters, including governors, attorneys general, and legislators have not been fully briefed on the current scale of state information sharing.”
So what can we actually do about this?
Writing your elected state officials is always a good first step. The fastest way to take action on that front is to use this Resist Bot tool I made to send a message directly to your state governor and legislators asking them to block ICE’s access to your state’s DMV data through Nlets. When you sign it, you can choose to email, fax, or mail a copy to your elected officials. It takes less than two minutes and automatically routes your message to the right officials. If you don’t like what I wrote, no worries — you can use the data to write your own.
A letter might not seem like much, but every bit of momentum to push our government to close these loopholes is a step that protects everyone’s privacy.
If you want to take a more customized approach, contact your state legislators and governor’s office directly by phone and ask them three specific questions:
How many Nlets queries did ICE and HSI make of our state’s DMV database in 2024 and 2025?
Has our state implemented technical blocks to prevent DHS agencies (ICE, HSI, Border Patrol) from accessing our DMV database through Nlets?
If not, why not?
You can also request that your state get a detailed briefing from your state’s Nlets coordinator, publish aggregate statistics on data requests and disclosures to ICE and HSI, implement technical blocks preventing data sharing with DHS agencies, and consider extending those blocks to other federal agencies now working on immigration enforcement.
Make this crystal clear for them. When ICE purchases cell-site simulators, facial recognition platforms (like Clearview AI), and AI analytical systems (like Palantir’s ICM), they’re building integrated surveillance infrastructure for the current anti-immigration blitz and the law enforcement operations that will most assuredly come in the years ahead.
That infrastructure becomes exponentially more powerful when ICE has direct access to your state’s DMV photos for facial recognition matching, can cross-reference license plate data with location tracking, and can identify individuals without your state even knowing about it.
Under NSPM-7, Joint Terrorism Task Forces can now coordinate with DHS and request operational assistance when investigating “extremism on migration, race, and gender.” Your state’s DMV database becomes a resource for federal agencies investigating anyone they deem to be engaged in “radicalization” on these topics.
The technical fix exists. Blocking unfettered access doesn’t stop law enforcement from obtaining information for serious cases; it simply requires state employees to review requests from blocked agencies first. That is accountability and oversight — the things a democratic society must demand of its government.
Six states have already figured this out. Your state — and mine — can too. Most legislatures are in session or are about to be, which makes this the moment to act. If you care about the surveillance infrastructure I outlined in my last post, this is one thing you can do right now. Our states control this data, and our elected officials can change these policies… but only if we apply enough pressure to show we’re paying attention.
P.S. If your state is one of the few that has already blocked ICE access to Nlets, congratulations. Now ask your legislators to extend those blocks to other federal agencies operating under NSPM-7’s expanded authorities, and to make public the aggregate data on historical ICE/HSI queries so residents understand the scale of what was happening before the block.
A very special thank you.
I don’t want you to think that I’m doing all this work alone. I am working alongside a sharp, passionate, and dedicated team of volunteers representing a diverse background of skills to analyze this data and get it into the hands of the people and organizations who can action it for good. Many don’t want their identities known for a variety of reasons, but I want my readers to know that they are there, and what I’m publishing here would not be possible without them.
Again, thank you. And also, just in terms of security, is there a preference on how you want your writing to be shared to get the word out more?
Grrrr. It’s so frustrating and scary, what is happening with the DMV data, not to mention the use of powerful Palintir and AI tools to paint that picture of people’s daily lives. I also assume that Musk’s DOGE team also scraped people’s data (voting, health, insurance, etc?) and who knows how that could be being used.
Thank you so much for your (and everyone else’s) hard work to investigate and inform. There needs to be very strong pushback for sure…