Our bipartisan, public interest organization frequently files Freedom of Information Act (FOIA) requests to learn how the FBI, CIA and other intelligence and law enforcement agencies obtain warrantless access to Americans’ personal information, in defiance of the Fourth Amendment. It is, to say the least, a target-rich environment.

​Shira Ovide of The New York Times wrote a thoughtful and wide-ranging piece on the need for a broad national data privacy law – and the frustrations of parsing the technical, economic, social and legislative complexities in devising such a law.
 
For a national approach to data privacy to become law, Ovide reports, Congress would need to do more than overcome its customary state of gridlock. It would have a Gordian knot of issues to slice through. For example, Congress would either have to agree with industry’s position that any federal law should overrule state privacy laws, or override only new laws and respect existing ones, or respect state laws.
 
Ovide also notes the potential for regulation to generate pointless activity or even make things worse for consumers. She points to the experience with Europe’s General Data Protection Regulation, which annoys people around the world with pop-up notices about data-tracking cookies. Ovide adds: “The first of two of California’s digital privacy provisions in theory gives people control over how their data is used, but in practice often involves filling out onerous forms.”
 
Go too far in one direction, and data-privacy laws could break the business models of whole industries and burden consumers with pointless disclaimers and notices. Go too far in another direction, and the current status quo of what Ovide calls the “unrestrained information-harvesting economy” would be merely ratified in law.
 
Our view is that an effective data-privacy law will probably have to evolve as technology evolves, with blockchain beginning to alter the structure and privacy potential of the internet. In the meantime, there is ready-made legislation supported by bipartisan leaders in both houses of Congress that can effectively fill in a big and missing piece of the privacy puzzle now – The Fourth Amendment Is Not for Sale Act.

​The analysis in The Times concerns the potential for misuse of personal data by corporations and other private entities. How commercial entities treat data is a vital question, but it is not the only important one. Recent revelations show that many federal law enforcement and intelligence agencies are side-stepping the constitutional requirement for a probable cause warrant by buying up Americans’ personal data – gleaned from popular social media platforms and apps – from unregulated private data companies.
 
Thus, government money can give government agents instant access to our friends and contacts, the places we go, what we believe, and even our medical concerns. Commercial entities may abuse our privacy. But the Founders created the warrant requirement to restrain government because it has the power to misuse information to falsely arrest, prosecute and imprison us. Yet the government today believes it can outsmart the Founders by merely opening its wallet.
 
The Fourth Amendment Is Not for Sale Act would close this loophole in current law by preventing data brokers from selling our personal information to federal agencies without an authorization by a court. Whenever privacy is discussed, the misuse of personal information by public entities should be included.

​Earlier this year, we reported that the Central Intelligence Agency has been buying vast amounts of Americans’ personal information from private brokers who sell data in bulk. Then we learned that an agency within the Department of Homeland Security has been purchasing records of Americans’ financial transactions.
 
Now, thanks to a two-year, exhaustive study by the Center on Privacy and Technology at Georgetown Law, we now know that Immigration and Customs Enforcement (ICE) is the latest federal agency to buy up vast quantities of Americans’ personal data, in this instance from utilities and state motor vehicle departments.
 
“By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time,” write the authors of American Dragnet: Data Driven Deportation in the 21st Century.
 
After filing and studying hundreds of Freedom of Information Act requests, as well as ICE contracts and procurement tools, scholars at the Center for Privacy & Technology unearthed startling facts:

• ICE has used facial recognition technology to search through the driver’s license photographs of 1 in 3 adults in the United States.

 

• ICE has access to the driver’s license data of 3 in 4 American adults and tracks the movements of cars in cities home to nearly 3 in 4 adults.

 

• When adults in the United States connect to gas, electricity, phone or internet service in a new domicile, ICE will automatically pick up the new address of 3 out of 4 Americans.

 
Activists are upset that undocumented people are being conned into giving up personal information, despite state promises it won’t be used against them. Here’s how it works: Sixteen states and the District of Columbia allow undocumented people to apply for driver’s licenses, giving the undocumented reason to trust that their information will not be accessed. In many of these states, however, ICE gets the information anyway. In Oregon, for example, state lawmakers passed a law cutting off state data disclosures to ICE. But ICE still gets that data by buying it from Thomson Reuters and LexisNexis Risk Solutions.
 
Some might say, well and good – these are illegal aliens after all, so let ICE go after them. But the larger implications of recent disclosures should alarm every American. Consider that, between the purchases of Americans’ data by DHS and CIA, the Department of Defense spying into religious apps, and the recent revelation that the FBI has conducted 3.4 million warrantless searches, it is clear that the federal government is weaving together the infrastructure for the kind of total surveillance that exists in the People’s Republic of China.
 
One doesn’t have to believe that this is happening because the federal government is executing an evil plan. Each agency is just looking for the best, off-the-shelf technology to make it easier to fulfill its mission. But thread by thread, the infrastructure for a total surveillance state is coming together. And if we’ve learned anything from decades of experience with surveillance, if a capability exists – even if it contrary to the Constitution, the law, and the expectations of Americans – someone will misuse it.
 
All the more reason for Congress to hold hearings this year on the extent of federal purchases of Americans’ personal information – and pass the Fourth Amendment Is Not for Sale Act.

The art of trying to visualize federal activities with the use of Freedom of Information Act (FOIA) requests is somewhat like taking a dozen photos of a city scene through a straw. Some objects can be seen. Some can be inferred. A few can be surmised.
 
Thus it is with the results of our FOIA request filed more than a year ago asking the Department of Justice to release records on its use of cell-site simulator technology. These are devices that give the government the ability to conduct sweeping dragnets of the metadata, location, text messages and more from the cellphones of people within a geofenced area.
 
We know, thanks to the work of the American Civil Liberties Union, that as of 2018 at least 14 federal agencies and 75 state and local agencies were using these cell-site simulators, often called “stingrays.” Our FOIA request confirmed that there was a flurry of activity with the Department of Justice handing out Justice Assistance Grants (JAG) to enable municipalities to acquire stingrays beginning a decade ago. We saw that JAG grants for cell-site simulators went to large entities, like Miami/Dade County and the Milwaukee Police Department, as well as to smaller cities like Fresno and Victorville in California.
 
What popped out at us were all the other Fourth Amendment-compromising technologies being subsidized. Local governments received:

• Eighteen facial recognition devices
• Forty GPS trackers
• Five aerial surveillance units, three drones and six UAV (unmanned aerial vehicles).
• And some 721 grants for “video observation” (use your imagination), 34 “surveillance equipment” units, 28 closed-circuit TV systems, 56 pole cameras, and two “fiber optic scopes.”

 
Like taking photos through a straw, these are only the objects that can be seen. Many of these reports are old, dating back to 2011. DOJ has yet to respond to PPSA’s request for non-disclosure agreements that restrict the ability of state and local law enforcement agencies to reveal the source of evidence obtained from a cell-site simulator, even in court.
 
But the findings of this FOIA request are significant.
 
“We can infer, just from these glimpses, that the federal government has long been intent on supplying state and local police with the means to follow Americans from the air, from camera networks that go from block to block, by the GPS beacons in our phones, while using software to identify us by our faces,” said Gene Schaerr, PPSA general counsel. “Add to all that the highly personal data that can be swept from our cellphones, and we can see that the federal government is working through state and local law enforcement to create a near-ubiquitous national surveillance network.”

Kudos to the American Civil Liberties Union, which won a legal settlement filed in court Monday against Clearview AI, the secretive facial surveillance company that claims to have captured more than 10 billion “faceprints” scrapped from online photos.
 
Once a judge approves the settlement, the company must adhere to the Illinois Biometric Information Privacy Act (BIPA). This law requires companies that collect, capture, or obtain a biometric identifier of an Illinois resident to first notify that person and obtain his or her written consent. This law has teeth. A BIPA lawsuit in Illinois led to Facebook’s agreeing to pay $650 million to settle allegations it used photo face-tagging and other biometric identifiers without the permission of users.
 
“This company’s approach was effectively a Silicon Valley mentality of let’s break things first and then figure out how to clean up the mess later in order to try to make a profit,” ACLU’s Nathan Freed Wessler told AP. “They broke through a very strong taboo that had kept tech companies like Google and others from building the same product that they had the technological capability to do.”
 
Though most states lack a biometric privacy law, this settlement in Illinois prohibits Clearview AI from making its faceprint database available to most businesses and individuals nationwide. It must pay for advertising to point consumers toward an opt-out request form on Clearview’s website, so Illinois consumers can have their faceprints blocked from appearing in Clearview search results. In Illinois, the company will cease to sell access to its database to state and local police for five years.
 
However, under this deal, Clearview AI will not be required to stop selling its services to federal intelligence and law enforcement agencies. That is one reason we joined with 70 other civil liberties organizations to urge Department of Homeland Security Secretary Alejandro Mayorkas to order his agencies to discontinue, or at least clarify, how they use Clearview AI data.
 
Last year, the Project for Privacy and Surveillance Accountability reported that as many as 3,000 law enforcement organizations may be accessing Clearview AI’s software for investigations. Still, the Illinois settlement should significantly limit the threat to Americans’ privacy posed by this company.  
 
There is much left to do. But ACLU and its plaintiffs have achieved something significant this week.

The House Judiciary Committee recently passed – on a unanimous and bipartisan basis – the Protect Reporters from Exploitive State Spying (PRESS) Act. This measure would establish a federal statutory privilege that would shield journalists from being compelled to reveal confidential sources and would protect those sources from federal law enforcement subpoenas.
 
This is popular legislation – sure to pass by a wide margin should it come to the House floor. Most Members of Congress, like the voters who elected them, understand that the ability of journalists to grant confidentiality to whistleblowers and other sources enables the exposure of hidden abuses by the powerful. This practice, well in place since the Pentagon Papers, refreshes democracy, stimulating reform, debate and improvement.
 
This practice sounds great to most everyone, until it is one’s own ox that gets gored by someone whose politics you dislike.
 
Consider Project Veritas. When we criticized the FBI for its lengthy, intrusive violation of Project Veritas’ notes, emails, calls, and confiscation of their digital devices, some of our liberal friends raised an eyebrow. Project Veritas exists at the intersection of conservative activism and journalism, prompting liberal targets into admitting things in private they’d never say in public.
 
Many liberals continue to argue Project Veritas should be investigated in the case of the missing diary of President Biden’s daughter, though the group insists it reported the diary to the authorities.
 
Now, it is the turn of many conservatives to demand a strenuous investigation into the leaking of Justice Samuel Alito’s draft opinion overturning Roe v. Wade. For the record, we agree that the Marshal of the Supreme Court should investigate and expose the person who leaked this opinion to Politico. That was a vile act, one that undermines the Court’s professional culture of civility. The leaker deserves to be punished.
 
The danger in this case is that the Court’s urgent need to find the leaker, and the anger of many powerful conservatives, could persuade the FBI it has carte blanche to secretly examine phone logs and old emails traded by journalists Josh Gerstein and Alexander Ward with their source.  
 
Using such a subpoena might expose a wrongdoer working in the Supreme Court. It would also have the effect of degrading the ability of journalists in the future to protect their sources.
 
Admittedly, there is a thin and uncomfortable line between trying to catch a leaker on the administrative side, while protecting that same person when he or she becomes a source on the journalistic side. It is also a difficult line to walk when you despise the politics of the side that benefits from the leak. But it is a line that must be respected for the sake of us all, on all sides of every debate.
 
“Our liberty depends on the freedom of the press,” Thomas Jefferson said, “and that cannot be limited without being lost.”
 
The surest way to ensure we don’t have to continually face these temptations to intrude into the freedom of journalists is to pass the PRESS Act.

​Today’s news that the FBI conducted almost 3.4 million warrantless searches using the identities of people inside the United States from Dec. 1, 2020, to Nov. 30, 2021, comes with a lot of caveats from officialdom.
 
Here are the excuses the intelligence community gave to The Wall Street Journal over this latest scandal.

• The real count of warrantless searches is undoubtedly lower, given the complexities in counting what is and isn’t a search.

 

• Any time the name, telephone number, email address or social security number of a “U.S. person” is used as a query term, it counts as a “search.”

 

• More than one-half of the searches were related to the threat of Russian hacking and its threat to U.S. national security.

 
The days of taking the FBI on its word, however, ended when Efrem Zimbalist Jr. (yes, we’re dating ourselves) quit driving down Constitution Avenue to HQ. The FBI has lost the right to uncritical acceptance of its claims after:

• Judge James E. Boasberg of the secretive Foreign Intelligence Surveillance Court took the rare step of publicly rebuking the FBI for abusing its Section 702 authority – which grants the FBI ability to review data in relation to a foreign intelligence investigation.

 

• In 2019, the Inspector General of the Department of Justice examined the actions of the FBI in the politically charged Crossfire Hurricane investigation, finding the agency guilty of “serious performance failures.” One of them was the criminal act by an FBI lawyer who submitted falsified evidence for the FISA court.

 

• Now the Department of Justice and FBI are stonewalling a properly filed Freedom of Information Act request asking if the agency has spied on Members of Congress who publicly question its surveillance and unmasking practices.

 
Next year, Congress must consider the reauthorization of Section 702, the post 9/11 law passed to give the National Security Agency power to collect intelligence from international communications. The House and Senate Judiciary Committees should hold hearings to ask:

• When any supposedly extraneous cases described by the FBI are excluded, what is the real number for warrantless searches of Americans’ data?

 

• Have there been programmatic changes to how 702 data is being collected between the NSA and the FBI?

 

• How long is the data of Americans retained?

 

• Has the FBI used this data to perform backdoor searches – using leads from seized data to surreptitiously begin the investigation of Americans for crimes? If so, this would mean that criminal charges could be based on warrantless searches in defiance of the Fourth Amendment.

 
We’ve long called on the House and Senate Judiciary Committees to hold hearings into this and similar surveillance practices. We need to learn about the scope of potential abuses long before we begin to debate 702 reauthorization in 2023.

​In February, the IRS announced it would transition from using ID.me, a third-party, verification company that uses face scans to authenticate people seeking to access their IRS accounts.
 
ID.me has contracts with 10 federal agencies and 30 state governments. And as it expands, lawmakers continue to question the disparity between its comforting statements and its record.
 
The initial IRS turn away from ID.me was prompted, in part, by a letter from 15 leading Republican U.S. Senators who were concerned about the protection of “confidential taxpayer information and fundamental civil liberties.” They noted that ID.me requires a “trove of personal information” that can variously include a government-issued photo ID, a passport, a birth certificate, form W-2, social security card, a utility or insurance bill and a recorded video interview with an ID.me employee. People seeking to contact the IRS may be required to take a “selfie,” in which the applicant must submit his or her face to be digitized into a “faceprint.”
 
The senators expressed concern that the IRS, which has suffered massive data breaches and the leak of confidential taxpayer information, might leave millions vulnerable to identity theft. Moreover, ID.me, a commercial company not subject to government oversight, would possess a rich ocean of data on millions of Americans that it pinky-swears not to monetize.
 
Rep. Carolyn B. Maloney, chairwoman of the Committee on Oversight and Reform, and Rep. James Clyburn, Chairman of the Select Subcommittee on the Coronavirus Crisis, recently wrote to Blake Hall, CEO of ID.me, asking for documentation in support of their questions about ID.me during this period of transition from the IRS.
 
Revelations from their letter include:

• ID.me had, the two chairs wrote, promised to use one-to-one facial identification, instead of one-to-many. The latter uses an algorithm to match faces to a large database, a process prone to many false results. In a press release in January, ID.me stated it does not use one-to-many facial recognition, “which is more complex and problematic.” Yet leaked company messages reportedly discuss uses of one-to-many technology, including in IRS authentication.

 

• Americans trying to access their IRS accounts are still subject to ID.me if they fail to opt-out for the IRS system’s video selfie and facial recognition approval process. ID.me is still collecting Americans’ biometric information that is not subject to new retention requirements.

 

• By the time of the IRS announcement, 7 million Americans had already turned over their biometric data to ID.me and IRS.

 

• Applicants in Colorado faced up to 10-hour waits for help with the company’s verification process. In Nevada, it could be up to eight hours a day.

 

• In Florida, some applicants report they were locked out of their accounts for up to six weeks, with bills piling up in the interim.

 
Reps. Maloney and Clyburn listed document requests in the letter as the beginning of an investigation into ID.me’s practices and impacts. Worse for ID.me, their spin has made them a figure of fun in a parody talk show put together by the digital advocacy group, the Algorithmic Justice League.

Biometric data like fingerprints and iris scans are touted as the best and most secure tools for data protection and authentication. This is why so many government agencies, federal and state, are turning to vendors like ID.me to provide biometric identification. This seems sensible: Biometric data is personal and permanent. It is unique to each of us and cannot be changed.
 
These days, we often use either our face or fingerprints to access sensitive data on our devices. But new technologies are threatening to undermine the security of Americans’ biometric data. The patterns of your face, irises, and even fingerprints can now be stolen from a distance.
 
In 2017, Researchers from Japan's National Institute of Informatics developed the capability to lift exposed fingerprints from photographs. The technology then worked up to ten feet away. Researchers claimed that modern phone cameras were by then powerful enough to capture the necessary fine details of a fingerprint. This means that nearly any photograph, like those on our social media profiles where fingertips are exposed, could be vulnerable. The technology has already been deployed against terrorist organizations, but it could easily be targeted against vulnerable groups or individuals with little recourse.
 
Similar to the fingerprint technology, iris recognition software utilizes cameras to scan your personal biometric information. In 2015, researchers at Carnegie Mellon University’s CyLab Biometrics Center created recognition software that can scan and record data from a person’s iris up to forty feet away.
 
One suggested use for iris recognition technology at a distance is for police traffic stops. By scanning a driver’s iris through rearview mirrors, a police officer could know the driver’s identity and history while still sitting in a cruiser. It doesn’t take a lot of imagination to see how this technology could be weaponized by cybercriminals.
 
Also of concern is the degree to which biometric scanning is available for private use. In 2019, the popular social media platform TikTok began testing a feature in China that would allow users to search for content by scanning for people’s faces. Facebook already uses facial recognition software to automatically tag individuals in photos.
 
These technologies have undoubtedly matured in the last few years. Bottom line: The patterns in our eyes and on our fingertips can be taken at a distance. They are no longer quite “ours.”

On Friday night, PPSA filed a reply brief in our lengthy sparring with the FBI over its use of the Glomar response to thwart our Freedom of Information Act (FOIA) request for correspondence between Members of Congress and federal agencies concerning the unmasking of Senators and House Members.
 
In response, the FBI has invoked the ultimate national security trump card, the Glomar response – neither confirming nor denying the existence of such records. In fact, the FBI argues that the mere act of even internally searching for such documents – including correspondence from Members of Congress – would somehow harm national security.
 
“Clearly, the topic of congressional unmasking is not so radioactive as to require the withholding of every document” that touches on the subject, PPSA told the U.S. District Court in the District of Columbia. In several cases, Members of Congress themselves have referred to such correspondence in public.
 
PPSA noted that if the FBI’s legal theory holds, even the court filings in this case would need to be suppressed. “But because neither the FBI nor its affidavits offer a logical and plausible justification for a blanket, no-search Glomar response, this Court should hold the agency to its statutory duty” to produce all records that are disclosable.
 
PPSA states that the “FBI’s expansionist interpretation of Glomar pushes the envelope” and threatens to nullify the Freedom of Information Act as a tool for accountable government.