​The Project for Privacy and Surveillance Accountability today filed a Freedom of Information Act (FOIA) lawsuit against the Office of the Director of National Intelligence (ODNI) over the refusal of the government to turn over records concerning U.S. intelligence community purchases of the private digital data of American citizens.
 
The government’s stonewalling continues well past its failure to meet any of the deadlines required by the FOIA statute. It also flies in the face of a pledge made by Director of National Intelligence Avril Haines (1:17:05 mark) in her Senate confirmation hearings on Jan. 19, 2021. When Sen. Ron Wyden, (D-OR) asked about informing the American people about purchases of their data, Haines responded:
 
“I would seek to try to publicize, essentially, a framework that helps people understand the circumstances under which we do that and the legal basis that we do that under.”
 
Haines further promised to provide transparency “so people have an understanding of the guidelines under which the intelligence community operates.”
 
In response, PPSA requested “all agency records created, altered, sent, or received in preparation for any public disclosure, as contemplated by Director Haines,” including:

• The intelligence community’s purchases of Americans’ private data

 

• The legal basis for doing so

 

• The guidelines under which the intelligence community operates in making those purchases.

 
The government acknowledged receiving PPSA’s initial FOIA request on June 2, 2021. PPSA inquired about the lack of a substantive response more than one year later. On June 23, 2022, ODNI responded: “we cannot speculat[e] on a specific response date.”

More than thirty business days later, after the ODNI failed to indicate whether it will fully comply with the FOIA request, PPSA decided to file suit.
 
“This is a golden opportunity for Director Haines to demonstrate that the intelligence community will live up to her promise to provide at least some transparency,” said Gene Schaerr, PPSA general counsel. “As Avril Haines herself stated, the American people deserve to know the circumstances in which the intelligence community purchases our personal data and the legal basis for doing so.
 
“Director Haines promises to ‘publicize’ that legal basis. I hope she does, instead of allowing her office to continue to stonewall.”

Bob Goodlatte, PPSA Senior Policy Advisor, returns to the House Judiciary Committee, which he once chaired, to explain how the government sidesteps the constitutional requirement for a probable cause warrant by simply buying our personal digital information from private data brokers. He also discusses the need to pass The Fourth Amendment Is Not for Sale Act. You can read his testimony or listen to him testify, beginning at the 14:26 mark.

Watch here:

​The American Civil Liberties Union performed an invaluable service for the American people today by releasing records from Department of Homeland Security agencies that demonstrate the sweep of the government’s routine violation of the Fourth Amendment  by purchasing Americans’ personal data from data brokers.
 
The ACLU’s Freedom of Information Act lawsuit against DHS agencies includes Customs and Border Protection, Immigration and Customs Enforcement, the U.S. Secret Service, and the U.S. Coast Guard. This lawsuit is ongoing, but these first disclosures are eyepopping.
 
The ACLU lawsuit reveals:

• Your own tax dollars are being used to expose your privacy. DHS spends millions of taxpayer dollars to buy access to cellphone location information being aggregated and sold by two “shadowy data brokers,” Venntel and Babel Street.

 

• There is some internal angst in the agencies over the legitimacy of what they are doing. One DHS employee wrote that “[l]egal, policy, and privacy reviews have not always kept pace with the new and evolving technologies.”

 

• The government entertains specious legal theories justifying this raid on cellphone location data. It maintains that everyone with a cellphone relinquishes privacy voluntarily. ACLU’s response is “that consent is fiction: Many cellphone users don’t realize that many apps on their phones are collecting GPS information, and certainly don’t expect that data to be sold to the government in bulk.”

 

• The government is after our “patterns of life.” Documents characterize cellphone location information as “digital exhaust” with no personally identifying information. Yet these documents also say that through purchased data, law enforcement can “identify repeat visitors, frequented locations, pinpoint known associates, and discover pattern of life.”

 

• The project to pinpoint Americans’ location is on an astronomical scale. One data broker, Venntel, sent marketing materials to DHS claiming to collect 15 billion location points from over 250 million cellphones and other mobile devices every day.

 
“ACLU’s findings should concern every American with a cellphone,” said Bob Goodlatte, former Chair of the House Judiciary Committee and now Senior Policy Advisor to PPSA. “ACLU’s determined effort to expose the scale of government intrusion into our privacy is a monumental public service. With the House and Senate now holding hearings into these practices, Congress has every reason to require warrants to intrude into our digital lives by passing the Fourth Amendment Is Not for Sale Act.”
 
Bob Goodlatte will testify on the government’s practice of buying Americans’ personal data tomorrow before the House Judiciary Committee.

​The U.S. House of Representatives passed a major transparency measure by voice vote tonight. This amendment to the National Defense Authorization Act, offered by Rep. Sara Jacobs (D-CA) and Rep. Warren Davidson (R-OH), will require the Department of Defense to report the number of times it purchases the internet browsing and phone location data of Americans from private data brokers. The report will also include a general accounting of how the government uses this information.

• “This is a major victory for surveillance reform,” said Gene Schaerr, general counsel of PPSA. “We’ve long known that many agencies have been sidestepping the Fourth Amendment’s requirement for probable cause warrants by buying our data. Today’s amendment will alert Congress and the American people to the scope of this practice in the largest department of the government. This amendment will set the stage for a needed debate over the propriety of our own government spying on us all without a warrant.”

• Bob Goodlatte, former Chairman of the House Judiciary Committee, and a Senior Policy Advisor to PPSA, said: “As Americans learn about the depth and breadth of the government’s tracking of our digital lives – what we search for, where we go – they are taking this as a strong step in the right direction into this debate and over other government surveillance reforms.”

PPSA commends Reps. Jacobs and Davidson on their steady leadership and articulate advocacy. Tonight’s success should provide momentum for the passage of the Fourth Amendment Is Not for Sale Act.

​Last February, PPSA reported that NSO Group, the Israeli cybersecurity company that produced the malware Pegasus, had been placed on a U.S. Commerce Department blacklist. Pegasus is to malicious spyware what a supercomputer is to a calculator. It penetrates smartphones remotely, without requiring any security mistakes or phishing attempts. Once inside a smartphone, Pegasus extracts all its information. Then it reconfigures the smartphone into a tracking and recording device.
 
The U.S. blacklist heavily restricts the ability of American companies to do business with NSO Group. Despite the ban, the FBI purchased Pegasus in 2019 and stores it under lock and key. It has long been an open question whether a U.S. administration would succumb to the temptation to use Pegasus for domestic surveillance purposes.
 
Now, we have some idea of the degree of U.S. government interest in Pegasus.
 
It has been revealed that L3Harris, an American military contractor, had been in recent talks to purchase NSO Group. It is hard to imagine that occurring without the secret blessing of at least some U.S. intelligence officials. People familiar with the negotiations said the technology has been of interest to the FBI and the CIA for several years. The negotiations continued well after the Commerce Department’s blacklist was issued and were only discovered in June when the proposal was leaked to the press. Since then, the Biden White House has signaled outrage over the potential sale and vowed to challenge any deal. Although L3Harris has since withdrawn from negotiations, the role of U.S. intelligence officials raises several questions.

• The role of U.S. intelligence officials in the planned NSO Group acquisition is troubling. Does this attempt to buy NSO Group mean that the U.S. national security apparatus has changed its mind about using Pegasus?

 

• If so, how seriously were some in the government contemplating deploying Pegasus for U.S. domestic surveillance?

 

• Given the fierce response from the White House against L3Harris, was this a case of poor internal communication, or was the U.S. intelligence community and L3Harris intending to do a runaround of the blacklist?

 

• On the other hand, given Pegasus’ abilities, could the case be made that the purchase of NSO Group by a U.S. firm might be the most reasonable option? Is it wise to leave such a powerful piece of malware in the hands of those who have sold it around the world, with the risk Pegasus will become the security equivalent of the Covid-19 pandemic?

 
Unless or until there is another leak or an enterprising journalist digs deeper, we can only ask these questions.

New amicus briefs supporting the petition for certiorari filed by PPSA in Torcivia v. Suffolk County urge the U.S. Supreme Court to hear the case. The Torcivia case asks whether the police can, citing a special need, gain warrantless access to a home. One of the briefs is a clear statement of principle, the other a fascinating history of the ancient, colonial, and early U.S. law upholding the inviolability of the home.
 
The case involves a New York State man, Wayne Torcivia, who was sent for a psychiatric evaluation after a domestic disturbance call. Torcivia had no history of mental illness, violence, or suicide attempts, but was nevertheless sent to a hospital for a psychological evaluation. When he was cleared to return home by psychiatrists, Torcivia had to negotiate with police to give them warrantless access to his gun safe.
 
The Second Circuit Court of Appeals upheld the warrantless entry under a “special needs exception.”
 
The amicus brief from the New Civil Liberties Alliance neatly summarizes the essence of this case. The NCLA brief notes that the Second Circuit distinguished the “special needs exception” from the similar “community caretaker” warrant exception in Caniglia v. Strom. Late last term, the Supreme Court in a 9-0 decision struck down that justification. NCLA writes:
 
“As in Caniglia, officers have made home entries and seizures when there was time to obtain the review, and authorization, of a magistrate.”
 
NCLA noted there was no “exigency” or emergency circumstances. Torcivia was in the hospital and his guns were locked in his safe, posing no immediate danger to himself or to others. NCLA concludes:
 
“The ‘special needs’ concept is unnecessary and the source of confusion. The rule consistent with the Fourth Amendment’s right of the people to be secure in their homes is straightforward and clear: absent exigency or homeowner consent, the executive may not enter a home and seize property without a warrant—which ensures authorization from a neutral and detached magistrate.”
 
Another brief, from the Firearms Policy Coalition and FPC Action Foundation, offers a review of the history of the concept of the sanctity of the home, starting with the Roman lawyer and political philosopher Marcus Tullius Cicero. Cicero asked: “What is more sacred, what more inviolably hedged about by every kind of sanctity, than the home of every individual citizen?”
 
FPC traces the Castle Doctrine to a case in 1499, the first decision to assert that a man’s home is his castle. The brief goes on to trace colonial resistance – sometimes violent – to the intrusions of sheriffs, constables, and British tariff officials. And it documents the intense debate by the framers of the Constitution of the need for a Bill of Rights, including what we now call the Fourth Amendment.
 
Together, the two briefs combine to make a perfect argument. One upholds the immediate and logical conclusion that the Second Circuit’s decision flies directly in the face of Caniglia, while the other details the philosophical underpinnings of the Fourth Amendment.

A must read opinion piece in Real Clear World by our President, Erik Jaffe. 

You might think that, given the severe restrictions on sharing Americans’ private health information under HIPAA, it would be illegal to sell data concerning your personal health information. You might also think, that given the need for a warrant imposed on cellphone location data by the U.S. Supreme Court in the Carpenter decision, it is also illegal to sell your location history tracked by your cellphone.
 
And, of course, you’d be wrong.
 
The $200 billion private data industry routinely sells not only your location information, but also your health data collected by apps and social media platforms. Not only can a large ecosystem of corporations buy your data, so can – and does – the government.  From the FBI to the IRS, Department of Homeland Security and other law enforcement and intelligence agencies, the government routinely buys this data.
 
Now Democratic senators are rushing to make this practice illegal under the Health and Location Data Protection Act, sponsored by Sen. Elizabeth Warren (D-MA), and co-sponsored by Sen. Ron Wyden (D-OR), Sen. Patty Murray (D-WA), Sen. Sheldon Whitehouse (D-RI), and Sen. Bernie Sanders (D-VT).
 
This bill would ban data brokers from selling or transferring location data and health data under rules to be promulgated by the Federal Trade Commission. It would empower the FTC, state attorneys general and individuals to bring suits to enforce the provisions of the law. And it would add $1 billion in funding to the Federal Trade Commission budget.
 
So will this bill pass in this Congress? Not a chance. Since the Dobbs opinion from the U.S. Supreme Court that overturned Roe v. Wade, the Health and Location Data Protection Act has been spun by Democrats as a means of protecting women seeking abortions. It would protect, in Sen. Murray’s words, women from “extremist Republican lawmakers [who] work around the clock to criminalize essential health services.” From the pro-choice point of view, it is natural to include women’s reproductive freedom in the bill. From the pro-life point of view, supporting a bill that is being touted by others as a protection for reproductive freedom could be seen as supporting abortion.
 
Before Dobbs, such a bill would have had an excellent chance of securing bipartisan support and passage. Now that it is caught up in abortion politics, it has become a partisan talking point. It seems unlikely that either party will relent, and that the larger issue of our lack of privacy in health and location will remain caught up in the tug of war between pro-choice and pro-life forces.
 
The constructive course of action, one that can be taken by members of both parties, is to pass the Fourth Amendment Is Not for Sale Act, which has strong bipartisan support in both the House and Senate. This bill would at least require the government to obtain a probable cause warrant before examining our private information purchased from data brokers.

The New York Times today reports that a hacker who calls himself ChinaDan is offering to sell the personal data of more than 1 billion Chinese citizens collected by the government for 10 Bitcoin, or about $200,000.
 
We’ve often commented on the Chinese Panopticon, in which the government is integrating facial recognition software and location tracking with pervasive surveillance of social media posts and social connections to assemble complete digital dossiers on China’s people. This does not mean, however, that the Chinese state is a monolith of competence. “Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data,” The Times reports. It added that the Chinese government is deeply concerned about its “leaky data industry.”
 
This is a solid story in which Times reporters diligently tested a large sample of the data, including making phone calls to households targeted by the leak to verify that the sample is accurate. But there is one major perspective missing from this story.
 
ChinaDan broke Chinese law by hacking a Shanghai police database to get this data. In China’s oppressive regime, he is likely risking his life for a payout. But if he were an American citizen, ChinaDan could own a private data brokerage company that could legally buy this data from major apps and social media companies and then sell our personal information to any private entity, or to any number of agencies of the United States government. He might also be able to legally sell Americans’ personal data in the other direction, to China.
 
Sensitive data points sold on digital markets include Americans’ location, our browsing histories, and demographic details, all captured to update a precise digital portrait of our interests, beliefs, actions, and movements. This information is then shared with hundreds of bidders in a digital auction.
 
Companies use this “bidstream” data to create a digital dossier that can predict our behaviors, map our past actions, and reveal our personal relationships.
 
In the United States, no hacking into a police database is necessary to obtain this data on the open market. By opening the federal wallet, the Defense Intelligence Agency, the Department of Homeland Security, the IRS, and other agencies enjoy warrantless access to our most personal information. The government asserts that the Fourth Amendment’s requirement for a probable cause warrant need not be respected if the government simply buys our data.
 
While The Times worries about the security of Chinese citizens, we might take a moment to realize that in this one respect things at home are even worse.

PPSA congratulates Justice Ketanji Brown Jackson on her swearing in. We look forward to seeing how she brings her experience and scholarship to bear in deciding the many novel issues embedded in cases involving surveillance and privacy. We are hopeful that Justice Jackson will distinguish herself in protecting Fourth Amendment rights, and in so doing taking a stand for greater personal liberty and privacy.