Instead of obtaining warrants to collect geolocation data from companies, U.S. federal law enforcement agencies have turned to simply purchasing such information—a tactic that has privacy advocates calling for Congress to enact reforms.
Law enforcement’s purchases of bulk data have been on the rise since the U.S. Supreme Court’s 2018 decision in Carpenter v. United States, when justices said law enforcement agencies need to obtain warrants before they can request geolocation data.
A Dec. 9 report from the Center for Democracy & Technology (CDT) attempts to chronicle this trend, showing that U.S. federal agencies have at least 30 contracts valued at about $86 million with various data broker services.
“The documents suggest that data obtained from brokers are employed for a variety of purposes such as pre-investigative inquiries, intelligence gathering, crime prevention, or criminal investigations,” the report reads. “Indeed, commercially acquired data feeds into the data-driven operation of modern law enforcement and intelligence, a phenomenon which scholars have called ‘big data policing.’”
Geolocation seems to be the most sought-after data point by law enforcement, according to the report. The FBI and Customs and Border Protection both have contracts with data broker Venntel, which harvests location data from a variety of sources, including ordinary apps.
“In the Venntel system, agencies can access a panel where users view the locations of smartphones over time, with data sourced from many companies and ad firms, as well as apps including weather apps,” the report reads.
The FBI also seeks certain GPS, internet, and social media footprint information from companies such as Thomson Reuters and RELX Group, according to the report.
The Drug Enforcement Administration (DEA), IRS, Immigration and Customs Enforcement, and the Secret Service have all used a company known as Babel Street. This company’s Locate X software provides a history of device location data derived from apps or online adtech services.
“The company has been secretive about the capabilities program. … One DEA contract with Babel Street for $220k merely references ‘data collection,’” the report reads.
The Marine Corps Intelligence Surveillance Reconnaissance Enterprise uses a database from Thomson Reuters that provides a “live gateway” to “cell phone data,” according to the report.
CDT blamed gaps in U.S. legislation for the situation. Government attorneys have interpreted the Fourth Amendment to allow federal agencies to purchase data from companies, while consumer protection laws don’t cover data brokers because they don’t interact directly with consumers.
“There’s a loophole in ECPA [Electronic Communications Privacy Act] allowing data brokers to obtain ‘non-content’ communications data, and then, because data brokers are not regulated by that law, to turn around and sell that information to government agencies,” CDT Policy Director Samir Jain said in a statement.
“Similarly, although the Supreme Court’s expansive language in Carpenter v. United States suggests that the government must also obtain a warrant in order to access sensitive personal information … government agencies have adopted narrow interpretations under which purchases of sensitive data from brokers are permitted without a warrant or other legal process.”
To close the legal loopholes, the CDT has endorsed the Fourth Amendment is Not for Sale Act, which was introduced in April by Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.). The measure would place warrant requirements on government purchases of bulk data and take away the U.S. attorney general’s ability to give civil immunity to companies that unlawfully sell bulk data to government agencies.
“This legislation seeks to close the ECPA loophole that, as evidenced by this report, has enabled an entire lucrative industry around government contracts for data that the government should not access without appropriate legal process,” the CDT stated.
The Fourth Amendment is Not for Sale Act has the bipartisan support of 20 cosponsors, but the measure has yet to receive a hearing.
Not everyone agrees that government purchasing of private data is the problem that privacy activists and civil libertarians make it out to be. On the Nov. 22 episode of the Cyberlaw Podcast, former Department of Homeland Security (DHS) official Paul Rosenzweig said federal agencies should be able to make the same data transactions as private entities.
“To say that the federal government may not purchase on the open market the same products that Walmart can purchase—the government is acting as a consumer like anyone else,” said Rosenzweig, former DHS deputy assistant secretary for policy. “For privacy advocates to contend that the government as a consumer should be in a different position from any other commercial purchaser is just senseless.”