​If you want to see what leadership looks like when it comes to protecting data privacy, head to Big Sky Country. Montana Gov. Greg Gianforte just signed a bill limiting the state’s use of personal electronic data. That makes Montana the first state to pass a version of the federal bill known as the Fourth Amendment Is Not for Sale Act.
 
The chief provisions of the new Montana law include:
​

• Government entities are prohibited from purchasing personal data without a warrant or subpoena issued by a court.
  
  
• Authorities may not access data from personal electronic devices unless the owner consents, a court agrees that there is probable cause, or the situation is a legitimate emergency.
  
  
• Courts must hold as inadmissible improperly obtained personal data.
  
  
• Service providers cannot be forced to disclose their customers’ personal data unless a court has granted permission.

There must be something in Montana’s clean, libertarian air these days, because the governor is expected to sign another pro-privacy bill soon. That bill bolsters the state’s existing consumer data privacy act, the Montana Consumer Data Privacy Act (MTCDPA), in several ways:

• Obvious (and straightforward) methods must be available for consumers to choose if they want their personal data sold or used for targeted advertising.
  
  
• Greatly increasing the number of organizations that are subject to the MTCDPA.
  
  
• The state’s Attorney General can now quickly respond to privacy act violators. No more 60-day waiting period.
  ​
  
• The new law makes transparency more transparent. For example, privacy notices have to be clearly hyperlinked from websites or within apps.

We hear Montana is beautiful this time of year. If you go, take a moment to appreciate that your data is safer there than anywhere else in the country. Let’s hope that what happened in Montana last week will inspire federal lawmakers to follow suit and pass the Fourth Amendment Is Not for Sale Act.

​“We are open for business,” declared Beth Williams, the only board member currently serving on the five-seat Privacy and Civil Liberties Oversight Board (PCLOB). “Our work conducting important oversight of the intelligence community has not ended just because we are currently sub-quorum.”
 
A more accurate description for the board would be “solum unum.” One of the first acts of the Trump Administration was to fire the Democratic PCLOB members, leaving Republican Williams by herself.
 
Perhaps anticipating this, PCLOB’s board members shortly before the election adopted new rules that would allow any remaining board members – aided by the body’s professional staff of lawyers, policy analysts, and technologists – to continue to publish its recommendations to the intelligence community, and to share those with Congress and the public.
 
In a recent speech, Beth Williams spelled out commendable goals for ongoing efforts for her PCLOB of one.
 
Censorship: “Tying disfavored speech to counter-terrorism paves the way for censorship under the guise of national security,” Williams said. She complained that the Department of Homeland Security under Secretary Alejandro Mayorkas had been slow in responding to her requests for detailed information about the activities of the department’s Orwellian-sounding “Disinformation Governance Board.” Williams added: “I am hopeful that our renewed efforts with the current Administration will yield more transparency.”
 
Facial Recognition in Airports: Williams promises to weigh the operational benefits of this technology with concerns about privacy and civil liberty concerns.
 
Debanking: As with censorship, Williams says she is concerned about the government conflating “disfavored persons” with terrorism, leading to the “debanking” of people and organizations.
 
The Consolidated Audit Trail: Without any statutory basis, the Securities and Exchange Commission under former Chairman Gary Gensler assembled a database that monitors the identity, transactions, and investment portfolios of everyone who invests in the stock market. “Government surveillance of Americans’ financial activities – especially in the name of counter-terrorism – is ripe for oversight,” Williams said.
 
Section 702: PPSA has long worked to make sure that the Fourth Amendment’s warrant requirement applies to Americans whose communications are incidentally caught up in Section 702 of the Foreign Intelligence Surveillance Act.
 
But Williams and her former colleague Richard DiZinno dissented from PCLOB’s Democratic majority support for a warrant requirement in 2023.
 
Williams has previously called for “structural and cultural reforms” to the way in which the FBI accesses Americans’ information. The FBI has since tightened Section 702 querying procedures, and Congress has enacted reforms increasing the FBI’s reporting requirements to Congress. Williams appears content that these changes are enough to rest easy on Section 702.
 
We disagree. The FBI reviewed Americans’ communications 3.4 million times a few years ago, and more than 200,000 times in the most recent report. The bureau has accessed the personal information of Members of Congress, political donors, and journalists without a warrant.
 
“Is 200,000 warrantless queries better than 3.4 million warrantless queries?” Elizabeth Goitein of the Brennan Center for Justice’s liberty and national security program said to The Washington Post in 2023. “When you ask the question, you get a sense of how warped the universe we’re in is – that somehow 200,000 warrantless searches a year are an acceptable number.”
 
At the very least, we hope Williams will see that this is a valid perspective. PPSA hopes that that Beth Williams – lacking peers as sounding boards – will reach out to the civil liberties community to hear the perspectives and the questions that would have come from her departed peers.
 
Board Member Williams, can we meet?

​The Senate confirmation of Tulsi Gabbard as DNI puts the former Congresswoman from Hawaii in the cockpit of the U.S. intelligence community. Director Gabbard will have to perceive and define evolving threats in the most hostile global environment in almost a lifetime. She will also have no lack of challenges in coordinating the mission of 18 federal agencies and refining their conclusions as actionable intelligence for the president.
 
PPSA, along with our civil liberties colleagues, hope that as Director Gabbard plunges into the myriad challenges of her new job, she will also stand true to her heritage as a champion of the U.S. Constitution. As a Congresswoman, Tulsi Gabbard stood fast to the conviction that we can have both national security and respect for the Bill of Rights. We urge Director Gabbard in her new role to demonstrate the viability of this principle. We call on her:
 

• To close the backdoor search loophole by enforcing a warrant requirement whenever the FBI singles out American citizens for a query of their personal data, collected pursuant to Section 702.

 

• To also require warrants when the government inspects Americans’ personal, digital data purchased by federal agencies from third-party data brokers.

 

• To release the full number of queries of Section 702 databases made by the FBI and other agencies to inspect the personal communications of U.S. persons, so we can understand how this authority is being used.

 

• To extend the promise made by the previous administration to restrict the authorities of the electronic communications service providers to a technical fix (widely believed to apply to cloud computing), rather than use this authority in its most expansive form, forcing practically any kind of American business to spy on their customers.

 

• To deepen Director Gabbard’s predecessor’s effort, the Policy Framework for Commercially Available Information, to guide federal intelligence agencies into developing procedures and strong guidelines in the uses of purchased data.

 
In each of these efforts, we hope Director Gabbard will demonstrate that we can protect Americans from threats from abroad while also protecting them from the prospect of an emerging surveillance state.
 
“In the military, I learned that ‘leadership’ means raising your hand and volunteering for the tough, important assignments,” Gabbard said. We are fortunate that Gabbard has volunteered for this particularly tough assignment. We urge her to find ways to extend her legacy as a defender of the American homeland and as a defender of our freedoms at home.

​A detective in Midlothian, Virginia, in 2019 asked Google to ping cellphone locations of everyone who passed within a circumscribed area within one hour of the robbery of nearly $200,000 from a credit union.
 
That order led to a sweep through a Ruby Tuesday restaurant, a Hampton Inn, an apartment complex, and a nursing home within the prescribed area. The Gordian knot of issues raised by this wide-ranging search will be examined in oral arguments in United States v. Chatrie in an en banc hearing to be held by the Fourth Circuit Court of Appeals in Richmond, Virginia, at 9 a.m. Thursday.
 
The court will consider: Does the wholesale expropriation of the cellphone and location data of a large number of people in a geofenced area amount to a modern version of the “general warrants” of the agents of the British Crown during the colonial era?
 
A lower court judge, Hannah Lauck, took her guidance from the U.S. Supreme Court in Carpenter v. United States (2018), which held that the search of a suspect’s location history from a cellphone tower came under the Fourth Amendment’s requirement for a warrant. Judge Lauck wrote “it is difficult to overstate the breadth of this [geofence] warrant” and that an “innocent individual would seemingly have no realistic method to assert his or her privacy rights tangled within the warrant. Geofence warrants thus present the marked potential to implicate a ‘right without a remedy.’”

And, as every law student knows, a right without a remedy is no right at all.
 
The Fourth Circuit panel, however, reversed that ruling, holding that no warrant at all was required in this case. The court reasoned that the limits on location tracking from Carpenter applied only to longer-term tracking. The Eleventh Circuit in Atlanta, in a similar case, agreed. Then the Fifth Circuit in New Orleans held – correctly in our view – that not only is there an expectation of privacy in location data, but broad geofence warrants are inherently unconstitutional. As a result, the appellate courts are not just split, they look like the spaghetti tangle of tracks in a railway yard.
 
Such tangles are usually untangled by the U.S. Supreme Court. But after PPSA filed an amicus brief in favor of an en banc hearing by the full Fourth Circuit court, that court agreed to allow all the judges to weigh the constitutional equities in this case.
 
We asked the court to consider that if the government can request the location of all the individuals within a geofenced area. For example, could it request all photos in the cloud that were taken within that same area? After all, AI can now estimate, with astonishingly high accuracy, the location of a photograph. Invoking Carpenter, we asked the court if we have to leave the public’s Fourth Amendment rights to “the mercy of advancing technology.”
 
To hear the court’s oral argument, go to the court’s calendar and search for “Chatrie.” Or just wait and we will give you a digest of answers to the judges’ questions and their apparent leanings. This is an exceptionally important case for the Fourth Amendment. Stay tuned.

Suppose you have a next-door neighbor you trusted to help you sell some items online, in exchange for a share of the profits. You give him a key for easy access, and all seems to go well. Sometime later, you can’t remember the combination to your safe, so the locksmith opens it, and you discover your cash is gone. You suspect your neighbor and report him. The police raid his home and collect his cellphone along with other evidence. Law enforcement then obtains a warrant to search the phone, and finds it contains incriminating text messages. A conviction is obtained on that basis.
 
This scenario is based on Michigan v Carson. The warrant in question initially appeared to restrict the phone search to data pertaining to larceny and safe-breaking. So far, so good. But subsequent clauses in the warrant contained language that effectively negated any sensible limitation. The additional language was so expansive as to give authorities carte blanche to search every single piece of data the phone could offer up.
 
What began as a reasonable search within the Constitution’s guardrails for particularity morphed into a broad search amounting to a general warrant.
 
For this reason, PPSA filed an amicus brief before the Michigan Supreme Court showing that the contents of a phone are equivalent to physical documents and other items in a home. Both are personal property and therefore protected from exploratory searches by the Fourth Amendment, which requires that the “things to be seized” be described in very specific terms. This requirement is in fact the heart of the Fourth Amendment – the prohibition of unencumbered search and seizure regularly visited on colonial citizens by British authorities.
 
Searching all data on a modern smartphone is the 21st-century equivalent of ransacking homes and personal property without restriction, only worse.
 
The language in the Carson warrant is something that should give every American just as much pause. The police, it said, could “seize and search” all data on the phone and SIM card, and “all records or documents which were created, modified, or stored in electronic or magnetic form and any data, image, or information that is capable of being read or interpreted by a cellular phone or a computer.”
 
The warrant also contradicted itself by further authorizing the seizure of other physical items, rendering it unconstrained. In the colonial era, this amounted to a writ of assistance, another insidious form of search and seizure that, along with general warrants, were top of mind when the Fourth Amendment was crafted.
 
Whether electronic information or physical belongings, personal “effects” are subject to the same privacy principles. One could painstakingly reconstruct a target’s entire private life using the contents of their phone. It’s arguably a far more intrusive violation than rummaging through the documents in a dwelling.
 
Just think about the contents of your own smartphone for a moment and how you would feel if it was all exposed. It is for this reason that the U.S. Supreme Court held that cellphones contain “the privacies of life.”
 
When it comes to any warrant, its degree of particularity can vary greatly depending on the specifics of the case. But the intent of the Fourth Amendment is that every warrant must be limited in some sensible way.
 
The warrant being challenged in Michigan v Carson contained no limits. Its scope was unbounded and that is why we demonstrated to the Michigan Supreme Court that this search was unconstitutional.

​The unanimous U.S. Supreme Court opinion upholding the forced sale of TikTok is a necessary first step toward reining in the wholesale exploitation of Americans’ data. But it is only a first step. Gaping vulnerabilities remain.
 
Let’s first consider this ruling, its reasoning and implications:
 
The Supreme Court’s Thinking:
TikTok is owned by ByteDance, a Chinese company that is obligated to share all of its data with the regime in Beijing. Consider that any data collected by TikTok is ready-made material for blackmail, corporate espionage, and weaponization by the Chinese state.
 
What’s at risk, specifically? Just ask the Court, which affirmed that TikTok’s “data collection practices extend to age, phone number, precise location, internet address, device used, phone contacts, social network connections, the content of private messages sent through the application, and videos watched.”
 
But the issue is even bigger. In his concurrence, Justice Neil Gorsuch wrote: “The record before us establishes that TikTok mines data both from TikTok users and about millions of others who do not consent to share their information … TikTok can access ‘any data’ stored in a consenting user’s ‘contact list’ – including names, photos, and other personal information about unconsenting third parties.”
 
It is for these reasons that the Court unanimously found that “the Act is sufficiently tailored to address the Government’s interest in preventing a foreign adversary from collecting vast swaths of sensitive data about the 170 million of U.S. persons who use TikTok.”
 
The Court’s Respect for the First Amendment
Justice Gorsuch’s concurrence showed great deference to the First Amendment. “Too often in recent years,” he wrote, “the government has sought to censor disfavored speech online, as if the internet were somehow exempt from the full sweep of the First Amendment.”
 
Justice Gorsuch noted that in this case the Court “rightly refrains from endorsing the government’s asserted interest in preventing ‘the covert manipulation of content’ as a ‘justification for the law before us … One man’s ‘covert content manipulation’ is another’s ‘editorial discretion.’ Journalists, publishers, and speakers of all kinds routinely make less-than-transparent judgments about what stories to tell and how to tell them.”
 
As we’ve written before, it would be a violation of the First Amendment to close a newspaper that ran Chinese disinformation and propaganda. In that instance, policymakers would have to rely both on other media to expose that newspaper and on the good sense of the American people. But if a newspaper came with newsprint that seeped into the fingertips of readers to release a carcinogen, closure would be lawful, necessary, and proper. The Protecting Americans from Foreign Adversary Controlled Applications Act is a law in that vein – and the Court was right to uphold it.
 
Justice Gorsuch also praises the Court for declining to consider the government’s classified evidence, which was withheld from TikTok and its lawyers. He wrote: “Efforts to inject secret evidence into judicial proceedings present obvious constitutional concerns.”
 
Americans Still Data-Naked Before the World
The People’s Republic of China is a unique threat to Americans’ privacy. And it is far from contained. Outgoing FBI Director Christopher Wray has warned that Chinese-controlled shell companies can also gain access to our data.
 
But China is far from the only threat. As a foreign entity, one thing China cannot do is smash your door open with a battering ram at 4 a.m., pull you out of bed and prosecute you on the basis of evidence that you will never see and that will never be presented in court.
 
But U.S. domestic law enforcement can do that. The FBI does this by purchasing your personal information from third-party data brokers and examining it without a warrant. This is the very same “backdoor loophole” acknowledged by Pam Bondi in her confirmation hearing as attorney general. Other agencies, ranging from the IRS to the DEA to the Department of Homeland Security are also purchasing and using our data – information that is often more personal than a diary.
 
Today’s Court ruling suggests there are next steps to protecting Americans’ privacy. One would be to take Justice Gorsuch’s constitutional concerns about injecting secret evidence into judicial proceedings and applying them to the State Secrets privilege. That insidious, time-weary doctrine has long prevented defendants from knowing the evidence against them when gleaned by government surveillance.
 
The Bottom Line
The upholding of the TikTok law mandating a sale was a good first step toward securing digital privacy for Americans. But much more needs to be done to protect Americans. Another needed action would be final passage of the Fourth Amendment Is Not for Sale Act, which would require U.S. federal agencies to obtain a warrant before inspecting our purchased data. The House passed this legislation in 2024. It should pass this Congress and go to the president’s desk for signature this year.
 
Today’s ruling is a fine start. But we’ve got a long way to go to restore privacy and the Fourth Amendment to American life.

​A recent Wired story about digital coordinates that track U.S. soldiers and spies to brothels and nuclear vaults in Germany might have attracted almost as many eyeballs as the record-shattering premiere of the Kardashians on Hulu. The Wired mashup of atom bombs and visits to an establishment called SexWorld certainly had a Strangelovian allure.
 
As Dhruv Mehrotra and Dell Cameron reported, the more than 3 billion phone coordinates collected by one U.S. data broker alone follows U.S. military personnel as they go about their business – from home, to dropping off children at school, to intelligence and nuclear facilities, to, yes, illicit nocturnal activities. These journalists tracked hundreds of thousands of signals inside sensitive U.S. installations in Germany that are legally collected for digital advertising. One signal tracked an employee inside a secret, windowless National Security Agency building with a metal exterior called the Tin Can.  
 
Such tracking does more than risk hostile actions from adversary nations and terrorists. The problem with a big stream of personal data is that it is like a dandelion – it wants to go everywhere. Take China’s vast surveillance state that links facial recognition, comprehensive tracking of digital searches, communications, and location history. It was built to give the Chinese Communist Party unprecedented control of that nation’s populace – where people go, their contacts, their messages, their private beliefs. But even one of the most tyrannical regimes on earth cannot control its own surveillance. Another Wired exposé by Andrew Greenberg demonstrates that corrupt officials are selling big chunks of data on China’s citizens to black market operators and scammers as a “side hustle.”
 
This is in keeping with the ethos of the shady world of online digital auctions. The Consumer Financial Protection Bureau recently took a step toward fleshing out a Biden administration executive order restricting foreign data sales. While the Federal Trade Commission and the Consumer Financial Protection Bureau have commendably tried to place some restrictions on the sale of Americans’ data, the global and shadowy nature of the online data-auction market guarantees that these actions will enjoy limited success. Departing FBI Director Christopher Wray has warned it will be very difficult to keep the mass sale of Americans’ data to domestic and foreign data brokers from the hands of adversaries. Just as spies don’t walk around with CIA badges, so too buyers for China, Russia, Iran, and North Korea don’t advertise themselves as such. Many companies, Director Wray said, appear on the up-and-up but, through the use of ownership shell games, are in fact controlled by Chinese intelligence.
 
The potential for blackmail and interference in NATO’s response to aggression virtually guarantees that there will be legislative action in Congress to end the tracking of service members and intelligence agents. As Congress begins to research such a bill, however, it should take stock of just how wide and dangerous the tracking threat is to all Americans.
 
As Congress and the Pentagon look into safeguarding the digital data of Americans serving our nation abroad, they would do well to extend those protections to Americans at home by embracing the Fourth Amendment Is Not for Sale Act. Requiring probable cause warrants for the collection of Americans’ most personal information would be a good way to help further restrict the treasure trove of data – by telling the government not collect that data in the first place.

​As Americans become aware – and concerned – about how our most sensitive and private digital information is sold by data brokers, there are stirrings within the federal government to place at least some guardrails on the practice.
 
In a unanimous, bipartisan vote last week by the commissioners of the Federal Trade Commission, that agency cracked down on two data brokers, Mobilewalla and Gravy Analytics/Venntel, for unlawfully tracking and selling sensitive data. FTC declared that this data “not only compromised consumers’ personal privacy, but exposed them to potential discrimination, physical violence, and other harms …”
 
Such practices included matching consumers’ identities with location data from health clinics, religious organizations, labor union offices, LGBTQ+-related locations, political gatherings, and military installations. By conducting real-time bidding exchanges, these brokers combined data from these auctions with data from other sources, to identify users at these locations by their mobile advertising IDs.
 
Just days before, the Consumer Financial Protection Bureau proposed a rule that would prevent data brokers from collecting and selling sensitive personal information such as phone numbers and Social Security numbers, as well as personal financial information outside of relevant contexts, like a mortgage application. CFPB’s action also seeks to prevent the sale of the information of Americans in the military or involved in national security to “scammers, stalkers, and spies.”
 
We applaud these bold bipartisan moves by FTC and CFPB, but we must keep in mind that these are first steps. These actions will only marginally address the vast sea of personal information sold by data brokers to all sorts of organizations and governments, including our own. There is throughout our government a failure to fully appreciate just how intrusive the mass collection of personal data actually is.
 
Consider the reaction of Republican FTC Commissioner Andrew Ferguson. While mostly voting with the majority, Ferguson dissented on the breadth of the majority’s take on sensitive categories. Ferguson sees no distinction between the exposure of one’s digital location history and what can be learned by a private detective following a target across public spaces, a practice that is perfectly legal.
 
Ferguson reasoned that many people are an open book about their health conditions, religion, and sexual orientation. “While some of these characteristics often entail private facts, others are not usually considered private information,” Ferguson wrote. “Attending a political protest, for example, is a public act.”
 
We beg to differ.
 
“A private detective could find this out” is too weak a standard to apply to the wealth of digital data on the privacies of millions of people’s lives. Data is different. As the Supreme Court explained in Riley v. California, “a cell phone search would typically expose to the government far more than the most exhaustive search of [even] a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form – unless the phone is.”
 
That was true when it was written in 2014, and it is even more true today. Nowadays, artificial intelligence can analyze data and reveal patterns that no gumshoe could put together. In the case of a political protest, a high school student might attend, say, a trans rights event but be far from ready to let his parents or peers know about it. Or an adherent of one religion may attend services of an entirely different religion with conversion in mind but be far from willing to tell relatives.
 
Worse, deeply personal information in the hands of prosecutors completely bypasses the letter and the intent of the Fourth Amendment, which requires the government to get a probable cause warrant before using our information against us. The government lacks appreciation of its own role in sweeping in the sensitive data of Americans. Venntel’s customers include the Department of Homeland Security, the Drug Enforcement Administration, the FBI, and the IRS. In all, about a dozen federal law enforcement and intelligence agencies purchase such data from many brokers and hold it for warrantless inspection.
 
The FTC deserves credit for taking this step to tighten up the use of sensitive information. But the next step must be passage of the Fourth Amendment Is Not for Sale Act, which would require the government to obtain probable cause warrants before obtaining and using our most personal information against us.

​The nomination of Tulsi Gabbard to serve as Director of National Intelligence promises to be contentious. One thing cannot be disputed: The former Congresswoman from Hawaii and lieutenant-colonel in the U.S. Army Reserve, with experience in Iraq and other dangerous countries, would bring a combination of responsible handling of secrets along with a solid record of surveillance reform.
 
Gabbard voted for the USA RIGHTS Act and other measures that would require warrants for the government to access Americans’ data and to protect personal use of encrypted apps. Rep. Gabbard also filed an amendment to the National Defense Authorization Act in 2019 to prohibit government purchases of body cameras equipped with facial recognition and other biometric devices.
 
In these and many other ways, Gabbard has compiled the record of a surveillance-reform leader. While in Congress, Gabbard served on the Homeland Security, Armed Services, and Foreign Relations Committees. A former Vice-Chair of the DNC, Gabbard made a long journey from being a staunch Democrat to supporting Donald Trump’s presidential campaign. As a private citizen, Gabbard is arguably a victim of surveillance abuse herself.
 
Her record on surveillance reform is enough to send shivers down the backs of officials in the FBI and other intelligence organizations long used to warrantless access to Americans personal information. Not surprisingly, Gabbard is now being attacked in a whisper campaign by nameless sources for being a flake who has taken pro-Russian and pro-Syria positions. Gabbard is articulate in responding to these charges, portraying herself as foreign-policy realist. We hope the Senate will keep an open mind and listen to Tulsi Gabbard’s defense.
 
Above all, we hope the Senate will consider the need to bring balance back to the intelligence community, which often helps itself to the purchased personal data of American citizens without bothering to seek a warrant. As a candidate, Donald Trump promised to reform FISA. Appointing Tulsi Gabbard to lead the intelligence community shows he’s serious about that. The next Director of National Intelligence should be someone who can restore a balance between the need to respect the constitutional rights of Americans and the need to keep America safe.

​The incoming Trump administration has an unparalleled opportunity to achieve historic surveillance reform. Donald Trump made campaign pledges to:
 

• Make every Inspector General’s office independent and physically separated from the departments they oversee. This would enhance the objectivity of those who oversee surveillance operations by giving them a bit of distance.

 

• Work to ban federal bureaucrats from taking jobs at the companies they deal with and that they regulate. This measure would help ensure that when surveillance requests are made by government to the private sector, agendas remain clean and separate.

 

• Reform FISA courts. This measure could bring in qualified amici, seasoned experts with high-level security clearances, to provide the court with – to paraphrase Hemingway – built-in, shock-proof, BS detectors.

 

• Ask Congress to establish an independent auditing system to continually monitor our intelligence agencies to ensure they are not spying on our citizens or running disinformation campaigns against the American people. This leads to a sweet spot shared by surveillance reformers of all stripes – the need to impose a warrant requirement on federal agencies, ranging from the FBI to the IRS, that buy the private and intimate data of Americans from third-party data brokers.

 
The Trump agenda on surveillance reform presages monumental and much needed reforms, from Section 702 reform to passage of the Fourth Amendment Is Not For Sale Act by both houses of Congress. The stars are aligning with the incoming administration. The 119th Congress must make the most of this historic opportunity.

​Ever have the uncanny feeling that as soon as you voice an interest in a consumer item – a vacation destination, a tie or a scarf, an exotic coffee – an ad for that very item appears in your social media feed? Are our phones listening to us and reporting what we say in private conversations to advertisers?
 
The Electronic Frontier Foundation explores this question in this short video along with a factsheet. While EFF says our phones are probably not listening to us, the mechanisms behind this phenomena of coincidental ads are no less disturbing:

​As EFF observes, it isn’t just advertisers that are buying our digital lives from data brokers. The federal government is also buying this same intrusive data gleaned from our social media interests and apps. This is the worst violation of our privacy, one that comes from a federal government that has the power to raid our homes and charge us with crimes on the basis of personal information acquired without a warrant.
 
All the more reason to urge your U.S. Senators to follow the example of the U.S. House of Representatives and pass The Fourth Amendment Is Not For Sale Act, which would require federal intelligence and law enforcement agencies to obtain probable cause warrants – as required by the U.S. Constitution – before examining our purchased data.

​The Consumer Financial Protection Bureau (CFPB) is warning businesses that use of “black-box AI” or algorithmic scores about workers must be consistent with the rules of the Fair Credit Reporting Act. This means employers must obtain workers’ consent, provide transparency when data is used for an adverse decision, and make sure that workers have a chance to dispute inaccurate reports.
 
That’s a good move for privacy, as far as it goes. The problem is, it doesn’t go nearly far enough because the federal government doesn’t impose these same standards on itself.
 
First, PPSA agrees with the tightening of employers’ use of digital dossiers and AI monitoring. Whenever someone applies for a job, the prospective employer will usually perform a search about them on a common background-check site. It is not surprising that businesses want to know about applicants’ credit histories, to check on their reliability and conscientiousness, and if they have a possible criminal past.
 
But third-party consumer reports offer much more than those obvious background checks. Some sites, for example, are used to predict the likelihood that you might favor union membership. More invasive still are apps that many employers are requiring new employees to install on personal phones to monitor their conduct and assess their performance. The decision to reassign employees, promote or demote them, or fire them are coming from automated systems, decisions made by machines that often lack context or key information.
 
Federal agencies, from the CFPB to the Federal Trade Commission, have not been shy about calling out privacy violations like these of some businesses for years now. Too bad our government cannot live up to its own high standards. The government freely acknowledges that a dozen agencies – ranging from the FBI to the IRS, Department of Homeland Security, and the Pentagon – routinely buy the most intimate and personal data of Americans scraped from our apps and sold by shadowy data brokers.
 
The data the government collects on us is far more extensive than anything a commercial data aggregator could find. The government can track our web browsing, those we communicate with, what we search for online, and our geolocation histories. This is far more invasive and intrusive than anything private businesses are doing in screening applicants and monitoring employees.
 
Worse, the government observes no obligation to reveal how this data might be used to compile evidence against a criminal defendant in a courtroom, or if agencies are using purchased data to create dossiers on Americans to predict their future behavior. There is no equivalent of the Fair Credit Reporting Act when it comes to the government’s use of our data. But there is the Fourth Amendment Is Not For Sale Act, a bill that would require the government to obtain a probable cause warrant – as required by the Constitution – before inspecting our digital lives.
 
The Fourth Amendment Is Not For Sale Act passed the House this year and awaits action in the U.S. Senate. Passing it in the coming lame-duck session would be one way to remove the hypocrisy of the federal government on the digital surveillance of American workers, consumers, and citizens.

​Digital data, especially when parsed through the analytical lens of AI, can detail almost every element of our personal lives, from our relationships to our location histories, to data about our health, financial stability, religious practices, and political beliefs and activities.
 
A new blog post from the White House details a Request for Information (RFI) from OMB’s Office of Information and Regulatory Affairs (OIRA) seeking to get its arms around this practice. The RFI seeks public input on “Federal agency collection, processing, maintenance, use, sharing, dissemination, and disposition of commercially available information (CAI) containing personally identifiable information (PII).”
 
In plain language, the government is seeking to understand how agencies – from the FBI to the IRS, the Department of Homeland Security, and the Pentagon – collect and use our personal information scraped from our apps and sold by data brokers to agencies. This request for public input follows last year’s Executive Order 14110, which represented that “the Federal Government will ensure that the collection, use, and retention of data is lawful, is secure, and mitigates privacy and confidentiality risks.”
 
What to make of this? On the one hand, we commend the White House and intelligence agencies for being proactive for once on understanding the privacy risks of the mass purchase of Americans’ data. On the other hand, we can’t shake out of our heads Ronald Reagan’s joke about the most terrifying words in the English language: “I’m from the government and I’m here to help.”
 
The blog, written by OIRA administrator Richard L. Revesz, points out that procuring “CAI containing PII from third parties, such as data brokers, for use with AI and for other purposes, raises privacy concerns stemming from a lack of transparency with respect to the collection and processing of high volumes of potentially sensitive information.” Revesz is correct that AI elevates the privacy risks of data purchases. The government might take “additional steps to apply the framework of privacy law and policy to mitigate the risks exacerbated by new technology.”
 
Until we have clear rules that expressly lay out how CAI is acquired and managed within the executive branch, you’ll forgive us for withholding our applause. This year’s “Policy Framework for Commercially Available Information” released by Director of National Intelligence Avril Haines, ordered all 18 intelligence agencies to devise safeguards “tailored to the sensitivity of the information” and produce an annual report on how each agency uses such data.
 
It is hard to say if Haines’ directive represents a new awareness of the Orwellian potential of these technologies, or if they are political theater to head off legislative efforts at reform. Earlier this year, the U.S. House of Representatives passed the Fourth Amendment Is Not For Sale Act, which would subject purchased data to the same standard as any other personal information – a probable cause warrant. The Senate should do the same.
 
The government’s recognition of the sensitivity of CAI and accompanying PII is certainly a step in the right direction. It is also clear that intelligence agencies have every intention of continuing to utilize this information for their own purposes, despite lofty proclamations and vague policy goals about Americans’ privacy.
 
To quote Ronald Reagan again, when it comes to the promises of the intel community, we should “trust but verify.”

​A disturbing new report from the Wall Street Journal reveals the staggering extent to which a Chinese hacker group recently gained access to US critical infrastructure, including systems belonging to AT&T, Lumen, and Verizon that the federal government uses for wiretapping investigations. It’s a wakeup call, and a reminder that commercial encryption free of backdoor government access is increasingly paramount given the apparent susceptibility of the surveillance state to outside intrusion.
 
According to WSJ, “[t]he surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations.” The hack, per the paper’s sources, appears “to be geared towards intelligence collection….” In other words, it’s a way to snoop on those in our government who doing the snooping on foreign adversaries like China.
 
The fact that China-backed hackers can access our own investigative channels should make the hair on the back your neck stand up. But it’s an unfortunate inevitability when governments demand backdoors into encrypted commercial communications. As we wrote back in August:
 
“Congress should … resist the persistent requests from the Department of Justice to compel backdoors for commercial encryption, beginning with Apple’s iPhone. The National Public Data hack reveals that the forced creation of backdoors for encryption would create new pathways for even more hacks, as well as warrantless government snooping.”
 
A recent article at BGR puts a finer point on it, noting that, “[p]lacing a backdoor in any product … [invites] even more scrutiny from the hacking community. First, you [won’t] be able to keep it a secret. Second, if there’s a locked door to something, someone can always find the keys.”
 
Outside of the national security implications at play here, the hack also implicates the data privacy of millions of Internet customers, which is already at enough risk domestically. (Reminder to the Senate: pass the Fourth Amendment Is Not for Sale Act.)
 
Apple and all other telecom companies should stand strong in resisting federal efforts to gain access to their encrypted systems. And both law enforcement and policymakers should think again about creating backdoors that only bad actors can access.

​The Customs and Border Patrol (CBP) has little respect for the Fourth Amendment. From international airports to border stations, Americans returning from abroad often fall prey to the routine CBP practice of scanning their laptops, mobile phones, and other digital devices without a warrant.
 
As if that were not enough, CBP also scans people’s faith, violating their First Amendment rights as well.
 
Consider the case of Hassan Shibly, a U.S. citizen and student at the University of Buffalo Law School. When he returned to the United States in 2010 with his wife, a lawful permanent resident, and their seven-month-old son, from a religious pilgrimage and family visit in the Middle East, Shibly was taken aside by CBP agents. A CBP officer asked him: “Do you visit any Islamist extremist websites?” And: “Are you part of any Islamic tribes?” And then the kicker: “How many gods or prophets do you believe in?”
 
Other returning Muslim-Americans are interrogated about the mosques they attend, their religious beliefs, and their opinions about the U.S. invasion of Iraq and support for Israel. One New Jerseyan, Lawrence Ho, attended a conference in Canada and returned to the United States by car. He was asked: “When did you convert?” Ho does not know how the agent knew he had converted to Islam.
 
A group of Muslim-Americans, fed up by this treatment, are now being represented by the American Civil Liberties Union in a suit before the Ninth Circuit Court of Appeals against CBP for civil rights violations. The plaintiffs are correct that subjecting Americans to deep questions about their faith – as a condition to reentry to their home – violates their First Amendment rights, as well as the Religious Freedom Restoration Act (RFRA).
 
Ashley Gorski, senior staff attorney with ACLU’s National Security Project, said that “this religious questioning is demeaning, intrusive, and unconstitutional. We’re fighting for our clients’ rights to be treated equally and to practice their faith without undue government scrutiny.”
 
To be fair, CBP has its work cut out for it when it comes to screening the border for potential terrorists. And we should not avert our eyes to the fact that there are sick and dangerous ideologies at work around the world. But we are also fairly confident that actual terrorists would not be stumped by the kind of naïve and unlawful interrogations CBP has imposed on these returning Americans.
 
Heavy-handed questions about adherence to one of the great world religions doesn’t seem to be a useful security strategy or a demonstration that our government is familiar with its own Constitution.

​A Federal Trade Commission staff report released last week got huge play in the media. We were bombarded by stories about the FTC’s report that Meta, YouTube, and other major social media and video streaming companies are lax in controlling and protecting the data privacy of users, especially children and teens.
 
There is much in this report to consider, especially where children are concerned. But there was also a lot that was off-target and missing.
 
The FTC’s report blithely recommended that social media and video streaming companies abandon their practice of tracking users’ data. This would be no small thing. Without the tracking that allows Facebook to know that you’re an aficionado of, say, old movie posters, you would not receive ads in your feed trying to sell you just that – old movie posters. Forbid the trade-off in which we give away a bit of our privacy for a free service, and overnight large social media companies would collapse. Countless small businesses would lose the ability to go toe-to-toe with big brands. Trillions of dollars in equity would evaporate, degrading the portfolio of retirees and putting millions of Americans out of work.
 
In a crisply written concurring and dissenting statement, FTC Commissioner Andrew Ferguson notes that the FTC report “reveals this mass data collection has been very difficult to avoid. Many of these products are necessities of modern life. They are critical access points to markets, social engagement, and civil society.”
 
Ferguson looks beyond what the advertising logarithms of Meta or Google do with our data. He looks to how our data is combined with information from a host of sources, including our location histories from our smartphones, to enable surveillance. It is this combination of data, increasingly woven by AI, that creates such comprehensive portraits of our activities, beliefs and interests. These digital dossiers can then be put up for sale by a third-party data broker to any willing buyer. Ferguson writes:
 
“Sometimes this information remains internal to the company that collected it. But often, they share the information with affiliates or other third parties, including entities in foreign countries like China, over which the collecting company exercises no control. This information is often retained indefinitely, and American users generally have no legal right to demand that their personal information be deleted. Companies often aggregate and anonymize collected data, but the information can often be reassembled to identify the user with trivial effort.
 
“This massive collection, repackaging, sharing, and retention of our private and intimate details puts Americans at great risk. Bad actors can buy or steal the data and use them to target Americans for all sorts of crimes and scams. Others, including foreign governments who routinely purchase Americans’ information, can use it to damage the reputations of Americans by releasing, or threatening to release, their most private details, like their browsing histories, sexual interests, private political views, and so forth.”
 
We would add that the FBI, IRS, and a host of other federal law enforcement and intelligence agencies also purchase our “dossiers” and access them without warrants. As dangerous as China is, it cannot send a SWAT team to break down our doors at dawn. Only our government can do that.
 
The FTC report ignores this concern, focusing on the commercial abuses of digital surveillance while ignoring its usefulness to an American surveillance state. It is no small irony that a federal government report on digital surveillance doesn’t concern itself with how that surveillance is routinely abused by government.
 
This insight gives us all the more reason to urge the U.S. Senate to follow the example of the House and pass the Fourth Amendment Is Not For Sale Act. This legislation requires the FBI and other federal agencies to obtain a warrant before they can purchase Americans’ personal data, including internet records and location histories.
 
It is also time for Congress to shine a bright light on data brokers to identify all the customers – commercial, foreign, and federal – who are watching our digital lives.

​This year, the coalition of surveillance reformers in Washington, D.C., mounted the most spirited, bipartisan campaign in legislative history.
 
The reform coalition fought to require warrants for FISA Section 702, which authorizes the government to surveil foreign threats on foreign soil but is often used to spy on Americans. The House also passed the Fourth Amendment Is Not For Sale Act, which would forbid the warrantless collection of Americans’ personal, digital information.
 
How did we do? The Section 702 fix was lost to a single, tie-breaking vote in the House. The Fourth Amendment Is Not For Sale Act remains stuck behind last-minute business in the Senate.
 
It is easy for surveillance reformers to feel like Sisyphus, rolling legislative stones up Capitol Hill only have them come tumbling back down. But national reformers should take heart from the example set by Utah, which proves that surveillance reform is popular and that reasonable compromises can be set into law.
 
Start with geofence warrants, which use a reverse search technique to pluck the identities of criminal suspects out of pools of data extracted from a given area. The federal Fifth and Fourth Circuit Courts of Appeal have taken starkly opposite views over whether geofence warrants can be allowed. The Fifth Circuit finds them to be inherently unconstitutional. The Fourth Circuit finds them to raise no Fourth Amendment issues at all.
 
Meanwhile, the intrusion of government snooping grows. Google reports that requests for geofence warrants grew by 9,000 in 2019 to 11,500 in 2020. That number is surely much higher today.
 
When the U.S. Supreme Court inevitably wades into this issue to resolve the circuit split, the Justices would well to consider the example set by Utah. Last year, Utah passed HB57, which balances law enforcement’s protection of public safety with the privacy rights of Utahans in law enforcement’s use of geofencing.
 
Leslie Corbly of the Libertas Institute in Utah reports that as a result of this new law, police must now submit requests for geofence data to a judge for a warrant application. This new law also mandates that warrant applications must “include a notification to judges regarding the nature of a geofence search by way of a map or written description showing the size of the virtual geofence.” Results from the search must be specified and reported to the court, including not just the identification of criminal perpetrators, but also people not involved in a crime.
 
Armed with enough information to evaluate the merits of a warrant request, judges remain involved with geofence warrants throughout the process. Finally, state law enforcement agencies must report the number of geofence warrants requested, the number approved by a judge, the number of investigations that used information obtained through a geofence warrant, and the number of electronic devices used for this collection.
 
Mike Maharrey of the Tenth Amendment Center reports that Utah has “chipped away at the surveillance state,” passing laws limiting surveillance of all kinds. These include:
 

• License Plate Readers: In 2013, Utah put modest limits on Automatic License Plate Readers, keeping this data out of the market for digital information and a requirement for a warrant or disclosure order for state police to access it.

 

• Warrants for Data: Utah’s 2014 Electronic Information Privacy Act makes any electronic data obtained by law enforcement without a warrant inadmissible in a criminal trial. In addition to state-collected information, that law imposes the same constraint on data derived from the NSA and super-secret fusion centers. In 2019, Utah expanded this law to ban warrantless access to data stored in the cloud. In 2021, the state again expanded this law to require police to get warrants to search data held by communication service provider networks.

 

• Drones: In 2014, Utah slapped a search warrant requirement on data obtained from a drone. In 2022, the state expanded restrictions on drone surveillance to also include “radar, sonar, infrared, or other remote sensing or detection technology.”

 

• Geofencing: And then in February 2023, Utah passed its limits and warrant requirements on geofencing.

 
Utah demonstrates to Congress and the Supreme Court that we can place limits on surveillance while accepting reasonable access to information agencies need to protect the public. Gary Herbert, a former governor of Utah who signed many of these measures into law, said “Utah is no longer a flyover state.” When it comes to surveillance reform, Utah is a state that should lead the nation.
 
And Utah should be an inspiration to reformers in Congress to keep pushing those boulders all the way to the top of the Hill.

​While partisan control of the U.S. Senate balances on a knife’s edge, also at stake is whether that body will have more surveillance reformers and protectors of privacy, or more defenders of the government surveillance status quo.
 
We find no partisan correlation between the reformers and the defenders. Some of the most liberal/progressive and conservative candidates support reform of government surveillance programs to protect the Fourth Amendment rights of Americans and their privacy. The same diversity exists among those who stoutly defend the government’s supposed “right” to warrantlessly surveil Americans.
 
You can review the PPSA Scorecard to see how your Senators (and Representative) fare in our ratings. We rate candidates on a grading scale from F to A+ (see details below). Here we apply these grades to eight of the closest or most-watched races for the U.S. Senate in 2024. We usually rate only the incumbent in each race because most opponents either have no voting record to score or, if an opponent was previously a Member of Congress, his or her votes are usually too far in the past to be relevant.

​***Not pictured above is Former Rep. Debbie Mucarsel-Powell (D) who scored a D the 116th Congress (2019-2021).

We should note that the last Senate candidate has an exceptionally troubling record on privacy and government surveillance. Rep. Adam Schiff, former House Intelligence Committee Chairman, is now running for the open Senate seat in California and polls show him with a comfortable lead. Should Schiff come to represent all the people of California, we hope he will “see the light” and become an advocate for his constituents’ privacy. 
 
In all races, voters, volunteers and campaign donors select their candidates by their stances on many positions. PPSA hopes that, in the coming election, you will consider your candidates’ stance on vital issues of surveillance and privacy. These include:

• The Fourth Amendment Is Not for Sale Act, a measure that passed the House this year that would restrict government purchasing of Americans’ most sensitive and personal data by data brokers

 

• A commitment to vote for a requirement for warrants when government agencies look at Americans’ personal communications caught up under programs authorized by FISA Section 702. This measure comes up for debate when Section 702 authority faces renewal in 2026.

 

• The House-passed PRESS Act, which would place reasonable limits on the ability of federal prosecutors to rifle through reporters’ notes and expose their sources. Such laws work well in 49 states, balancing the needs of public safety with those of a free society.

 
Again, please refer to our Scorecard for the records of other Members.
 
As the 20th century Chicago columnist Sidney J. Harris observed: “Democracy is the only system that persists in asking the powers that be whether they are the powers that ought to be.”
 
Here are the details of our grading system:
 
“A+” = Members who voted for every major pro-privacy amendment or bill
“A” = Members who voted for privacy on 80 to 99 percent of the votes
“B” = Members who voted for privacy on 60 to 79 percent of the votes
“C” = Members who voted for privacy on 40 to 59 percent of the votes
“D” = Members who voted for privacy on 20 to 39 percent of the votes
“F” = Members who voted for privacy on 0 to 19 percent of the votes

​The year is far from over and the U.S. House of Representatives has already had a banner year on privacy and surveillance reform.
 
The House passed the Fourth Amendment Is Not for Sale Act, which would curb the purchases of Americans’ data by government agencies. It also passed the PRESS Act, which gives reporters and their sources protection from the prying of eyes of prosecutors. Finally, the House came within one vote of passing a measure to require the government to obtain a warrant before accessing Americans’ personal communications caught up in the global trawl of foreign surveillance programs authorized by FISA Section 702.
 
But will the House of the 119th Congress be able to improve on these bold, pro-privacy stands? In our PPSA Scorecard we rate how all representatives (and senators) have voted on pro-privacy amendments or bills. Below are incumbents’ ratings from the 22 closest House races:

​​Here is how evaluated these Members by their votes:

• “A+” = Members who voted for every major pro-privacy amendment or bill
• “A” = Members who voted for privacy on 80 to 99 percent of the votes
• “B” = Members who voted for privacy on 60 to 79 percent of the votes
• “C” = Members who voted for privacy on 40 to 59 percent of the votes
• “D” = Members who voted for privacy on 20 to 39 percent of the votes
• “F” = Members who voted for privacy on 0 to 19 percent of the votes

 
PPSA hopes that in the coming election, you will consider your candidates’ stance on vital issues of surveillance and privacy. Please refer to our Scorecard for the records of other Members. And don’t be shy about expressing your views on privacy and surveillance reform with your candidates.
 
As Abraham Lincoln said: “If the people turn their backs to a fire they will burn their behinds, and they will just have to sit on their blisters.”

In George Orwell’s Nineteen Eighty-Four, the walls of every domicile in Oceania bristle with microphones and cameras that catch the residents’ every utterance and action. In 2024, we have done Big Brother’s work for him. We have helpfully installed microphones and cameras around the interior of our homes embedded in our computers, laptops, smartphones, and tablets. Might someone be selling our conversations to companies and the federal government without our consent?
 
Few worry about this because of explicit promises by tech companies not to enable their microphones to be used against us. Google, Amazon, Meta are firm in denying that they eavesdrop on us. For example, Meta states that “sometimes ads can be so specific, it seems like we must be listening to your conversations through our microphones, but we’re not.”
 
Still, many of us have had the spooky sensation of talking about something random but specific – perhaps a desire to buy a leather couch or take a trip to Cancun – only to find our social media feeds littered with ads for couches and resorts in Cancun. The tech companies’ explanation for this is that we sometimes perform online searches for things, forget about them, and then mistakenly attribute the ads in our social media feeds to a conversation.
 
We hope that’s the case. But now we’re not so sure.
 
404 Media has acquired a slide deck from Cox Media Group (CMG) that claims its “Active-Listening” software can combine AI with our private utterances captured by 470-plus sources to “improve campaign deployment, targeting and performance.” One CMG slide says, “processing voice data with behavioral data identifies an audience who is ‘ready to buy.’”
 
CMG claims to have Meta’s Facebook, Google, and Amazon as clients. After this story broke, the big tech companies stoutly denied that they engage in this practice and expressed their willingness to act against any marketing partner that eavesdrops. This leaves open the possibility that CMG and other actors are gathering voice data from microphones other than from those of their big tech clients.
 
What these marketers want to do is to predict what we will want and send us an ad at the precise time we’re thinking about a given product. The danger is that this same technology in the hands of government could be used to police people at home. This may sound outlandish. Yet consider that a half-dozen federal agencies – ranging from the FBI to the IRS – already routinely purchase our geolocation, internet activity, and other sensitive information we generate on our social media platforms – and then access it freely, without a warrant. Considering what our government already does with our digital data, the addition of our home speech would be an extension of what is already a radical new form of surveillance.
 
Congress should find out exactly what marketers like CMG are up to. As an urgent matter of oversight, Congress also should also determine if any federal agencies are purchasing home voice data. And while they’re at it, the Senate should follow the example of the House and pass the Fourth Amendment Is Not For Sale Act, which would stop the practice of the warrantless purchasing of Americans’ personal, digital information by law enforcement and intelligence agencies.

​When we’re inside our car, we feel like we’re in our sanctuary. Only the shower is more private. Both are perfectly acceptable places to sing the Bee Gee’s Staying Alive without fear of retribution.
 
And yet the inside of your car is not as private as you might think. We’ve reported on the host of surveillance technologies built into the modern car – from tracking your movement and current location, to proposed microphones and cameras to prevent drunk driving, to seats that report your weight. All this data is transmitted and can be legally sold by data brokers to commercial interests as well as a host of government agencies. This data can also be misused by individuals, as when a woman going through divorce proceedings learned that her ex was stalking her by following the movements of her Mercedes.
 
Now another way to track our behavior and movements is being added through a national plan announced by the U.S. Department of Transportation called “vehicle-to-everything” technology, or V2X.
 
Kimberly Adams of marketplace.org reports that this technology, to be deployed on 50 percent of the National Highway System and 40 percent of the country’s intersections by 2031, will allow cars and trucks to “talk” to each other, coordinating to reduce the risk of collision. V2X will smooth out traffic in other ways, holding traffic lights green for emergency vehicles and sending out automatic alerts about icy roads.
 
V2X is also yet one more way to collect a big bucket of data about Americans that can be purchased and warrantlessly accessed by federal intelligence and law enforcement agencies.
 
Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY), and Rep. Ro Khanna (D-CA), have addressed what government can do with car data under proposed legislation, “Closing the Warrantless Digital Car Search Loophole Act.” This bill would require law enforcement to obtain a warrant based on probable cause before searching data from any vehicle that does not require a commercial license.
 
But the threat to privacy from V2X comes not just from cars that talk to each, but also from V2X’s highway infrastructure that enables this digital conversation. This addition to the rapid expansion of data collection of Americans is one more reason why the Senate should follow the example of the House and pass the Fourth Amendment Is Not For Sale Act, which would end the warrantless collection of Americans’ purchased data by the government.
 
We can embrace technologies like V2X that can save lives, while at the same time making sure that the personal information about us it collects is not retained and allowed to be purchased by snoops, whether government agents or stalkers. 

​Was your Social Security number and other personal identifying information among the 2.9 billion records that hackers stole from National Public Data?
 
Hackers can seize our Social Security numbers and much more, not only from large commercial sites like National Public Data, but also from government sites and the data brokers who sell our personal information to federal agencies. Such correlated data can be used to impersonate you with the financial services industry, from credit card providers to bank loan officers. And once your Social Security number is stolen, it is stolen for life.
 
To find out if your Social Security number and other personal information was among those taken in the National Public Data hack, go to npd.pentester.com.
 
It has been obvious for more than a decade now that the Social Security number is a flawed approach to identification. It is a simple nine-digit number. A fraudster who knows the last few digits of your Social Security number, what year you were born, and where, can likely calculate your number. Because your Social Security number is so often used by dozens of institutions, it is bound to be hacked and sold on the dark web at some point in your life. Yet this insecure form of identification, taken in many high-profile hacks, is still the go-to ID every time you apply for a credit card, a student loan, a mortgage, and unemployment insurance.
 
Is there a better way? Sophie Bushwick asked this question in a 2021 Scientific American article. She reported that one proposed solution is a cryptographic key, those long strings of numbers and symbols that we all hate to use. Or a USB could be plugged into your computer to authenticate you as its owner. Scans of your fingerprints, or face, could also authenticate your identity.
 
The problem is that any one of these methods can also be hacked. Even biometrics is vulnerable since this technology reduces your face to an algorithm. Once the algorithm for your face or fingerprint (or even worse, your iris, which is the most complex and unique biometric identifier of them all) is stolen, your own body can be used against you.
 
There are no perfect solutions, but multifactor identification comes the closest. This technique might combine a text of a one-time passcode to your phone, require a biometric identifier like a fingerprint, and a complex password. Finding and assembling all these elements, while possible, would be a prohibitively difficult chore for many if not most hackers.
 
Strengthening consumer identification, however, is only one part of the problem. Our personal information is insecure in other ways. A dozen federal agencies, including the FBI, IRS, Department of Homeland Security and Department of Defense, routinely purchase Americans’ personal data. These purchases include not just our identifying information, but also our communications, social media posts, and our daily movements – scraped from our apps and sold by data brokers.
 
How secure is all the data held by those third-party brokers? How secure is the government’s database of this vast trove of personal data, which contains the most intimate details of our lives?
 
These are urgent questions for Congress to ask. Congress should also resist the persistent requests from the Department of Justice to compel backdoors for commercial encryption, beginning with Apple’s iPhone. The National Public Data hack reveals that the forced creation of backdoors for encryption would create new pathways for even more hacks, as well as warrantless government snooping.
 
Finally, the Senate should follow up on the House passage of the Fourth Amendment Is Not For Sale Act, which would prohibit government collection of our personal information without a warrant. Protect your data by calling or emailing your senators: Tell them to pass the Fourth Amendment Is Not For Sale Act.
 
Our data will only become more secure if we, as consumers and citizens, demand it.

​U.S. intelligence agencies justify tens of thousands of warrantless backdoor searches of Americans’ communications by claiming an exception to the Fourth Amendment for “defensive” purposes.
 
In testimony to Congress, FBI Director Christopher Wray has said that such defensive searches are absolutely necessary to protect Americans in real time who may be potential victims of foreign intelligence agents or cyberattacks. On this basis, the FBI and other agencies every year conduct tens of thousands of warrantless “backdoor” searches of Americans’ communications with data extracted from programs authorized by FISA Section 702 – even though this program was enacted by Congress not to spy on Americans, but to authorize U.S. agencies to surveil foreign spies and terrorists located abroad.
 
Noah Chauvin, Assistant Professor of Law at Widener University School of Law, in a 53-page paper neatly removes every leg of the government’s argument. He begins with the simple observation that there is no “defensive” exception in the Fourth Amendment. Indeed, an analogous claimed exception for “community caretaking” was rejected by the U.S. Supreme Court in the 2021 decision on Caniglia v. Strom, holding that the government could not enter a home without a warrant based on the simple, non-exigent claim that the police needed to check on the homeowner’s well-being. Whether for community caretaking or for surveillance, the “we are doing this for your own good” excuse does not override the Fourth Amendment.
 
In surveillance, the lack of constitutional validity makes the government’s position “a political argument, not a legal one.” Chauvin adds: “It would be perverse to strip crime victims of the Fourth Amendment’s privacy protections – a person should not lose rights because they have been violated.”
 
It is apparently on the basis of such a “defensive search,” for example, that the FBI violated the Fourth Amendment rights of Rep. Darin LaHood (R-Ill). In that case, the FBI was concerned that Rep. LaHood was being unknowingly targeted by a foreign power. If the FBI can secretly violate the rights of a prominent and respected Member of Congress, imagine how blithely it violates your rights.
 
While making these sweeping claims of violating the Fourth Amendment to protect Americans, “the government has provided almost no public information about how these defensive backdoor searches work.” Chauvin adds: “The government has claimed it uses backdoor searches to identify victims of cyberattacks and foreign influence campaigns, but has not explained how it does so, saying only that backdoor searches have ‘contributed to’ or ‘played an important role in’ intelligence services.”
 
Also unexplained is how the government identifies potential American victims, or why it searches for victims instead of potential perpetrators. Nor does it reveal its success rate at identifying potential victims and how that compares to traditional methods of investigation. Finally, Chauvin asks: “Would obtaining permission before querying a victim compromise the investigation?”
 
It is a matter of settled law that any American can give informed consent to waive his or her Fourth Amendment rights. “It seems particularly likely,” Chauvin writes, “that would-be victims will grant the government permission to perform defensive backdoor searches.” One can easily imagine a long list of companies – from hospitals to cloud providers – that would grant such blanket permission.
 
So why not just do that?
 
Finally, Chauvin appeals to Congress not just to remedy this backdoor search loophole for Section 702. He proposes closing this loophole for Americans’ digital data that U.S. intelligence and law enforcement agencies purchase from third-party data brokers, as well as for Executive Order 12333, a non-statutory surveillance authority claimed by the executive branch.
 
At the very least, Congress should demand answers to Chauvin’s questions about how defensive searches are used and how they work. He concludes, “the government’s policy preferences should never override Americans’ constitutional rights.”

​We reported on the bold opinion of federal district Judge Mary Hannah Lauck of Virginia who ruled in 2022 that the government erred by seeking a warrant for the location histories of every personal digital device within a 17.5-acre area around a bank that had been robbed in Richmond, Virginia, in 2019.
 
To identify the suspect, Nathaniel Chatrie, law enforcement officials obtained a geofence warrant from Google, requesting location data for all devices within that large area. Swept into this mass surveillance – reminiscent of the “general warrants” of the colonial era – were people in restaurants, in an apartment complex, and an elder care facility, as well as innumerable passersby. Judge Lauck wrote that these consumers were almost all unaware that Google logs their location 240 times a day. She wrote: “It is difficult to overstate the breadth of this warrant” and that every person in the vicinity has “effectively been tailed.”
 
At times it almost seems that no good opinion goes upheld, at least where the Fourth Amendment is concerned. On July 9, the Fourth Circuit Court of Appeals reversed Judge Lauck’s decision in United States v. Chatrie. The court held that a geofence warrant covering a busy area around a bank robbery did not qualify as a Fourth Amendment search at all, a sweeping decision that has serious implications for privacy rights and law enforcement practices across the country.
 
The two-judge majority on the Fourth Circuit Court of Appeals concluded that the geofence warrant did not, after all, constitute a Fourth Amendment search because the collection of location data from such a broad geographic area, even a busy one, did not infringe upon reasonable expectations of privacy.
 
Got that?
 
Judge J. Harvie Wilkinson III, writing for the majority, emphasized that the geofence warrant was a valuable tool for law enforcement in solving serious crimes. He wrote that the use of such warrants is necessary in an era where traditional investigative methods may be insufficient to address modern criminal activities.
 
In a strongly worded dissent (beginning on p. 39), Judge James Andrew Wynn Jr. criticized the majority opinion, highlighting the potential dangers of allowing such broad warrants. Judge Wynn, with solid logic and command of the relevant precedents, demonstrated that the decision undermines the Fourth Amendment’s protections and opens the door for pervasive surveillance.
 
Judge Wynn showed that the geofence warrant lacked the necessary particularity required by the Fourth Amendment. By allowing the collection of data from potentially thousands of innocent people, the warrant was not sufficiently targeted to the suspect. He emphasized that individuals have a reasonable expectation of privacy in their location data, even in public places. The widespread collection of such data without individualized suspicion poses significant privacy concerns. And Judge Wynn warned that the majority's decision sets a dangerous precedent, ignoring the implications of the U.S. Supreme Court’s 2018 Carpenter v. United States opinion in its landmark case on location data.
 
So what, you might ask, is the harm of geofencing in this instance, which caught a suspect in a bank robbery? Answer: Enabling law enforcement to use geofence warrants in such a broad way will almost certainly lead to a variety of novel contexts, such as political protests, that could implicate Americans’ rights to free speech and freedom of assembly.
 
Judge Wynn's dissent highlights the need for a careful balance between effective law enforcement and the preservation of civil liberties. While the majority’s decision underscores the perceived necessity of geofence warrants in modern investigations, Judge Wynn's dissent serves as a poignant reminder of the constitutional protections at stake.
 
The Electronic Frontier Foundation reports that Chatrie’s lawyers are petitioning for an en banc hearing of the entire Fourth Circuit to review the case. PPSA supports that move and we hope that if it happens, there are judges who take the same broad view as Judge Lauck and Judge Wynn.

​PPSA announced today the filing of an amicus brief asking the U.S. Supreme Court to take up a case in which X Corp., formerly Twitter, objects to surveillance and gag orders that violate the First Amendment and pose a threat to the Fourth and Sixth Amendments as well.
 
When many consumers think of their digital privacy, they think first of what’s on their computers and shared with others by text or email. But the complex, self-regulating network that is the internet is not so simple. Our online searches, texts, images, and emails – including sensitive, personal information about health, mental health, romances, and finances – are backed up on the “cloud,” including data centers like X Corp.’s that distribute storage and computing capacity.
 
Therein lies the greatest vulnerability for government snooping. The growth of data centers is prolific, rising from 2,600 to 5,300 such centers in 2024. And with it, so have government demands for our data.
 
When federal agencies – often without a warrant – seek to access Americans’ personal data, more often than not they go to the companies that store the data in places like these data centers. For years, this power involved large social media and telecom companies. The power of the government to extract data, already robust, increased exponentially with the reauthorization of FISA Section 702 in April, which included what many call the “Make Everyone a Spy Act.” This provision defines an electronic communication service provider as virtually any company that merely has access to equipment, like Wi-Fi and routers, that is used to transmit or store electronic communications.
 
On top of that, the government then slaps the data center or service provider with a Non-Disclosure Order (NDO), a gag order that prevents the company from informing customers that their private information has been reviewed. One such company – X Corp. – has been pressing a constitutional challenge against this practice regarding a government demand for former President Trump’s account data. PPSA has joined in an amicus brief supporting X’s bid for certiorari, asking the Court to consider the constitutional objections to government conscription of companies that host consumers’ data as adjunct spies, while restraining their ability to speak out on this conscription.
 
In the case of X, the government has seized the company’s records on customer communications and then slapped the company with an NDO to force it to shut up about it. The government claims this secrecy is needed to protect the investigation, even though the government itself has already publicized the details of its investigation. Whatever you think of Donald Trump, this is an Orwellian practice.
 
PPSA’s amicus brief informed the Court that the gag order “makes a mockery of the First Amendment’s longstanding precedent governing prior restraints. And it will only become more frequent as third-party cloud storage becomes increasingly common for everything from business records to personal files to communications …”
 
The brief informs the Court: “NDOs can be used to undermine other constitutionally protected rights” beyond the First Amendment. These rights include the short-circuiting of Fourth Amendment rights against warrantless searches and Sixth Amendment rights to a public trial in which a defendant can know the evidence against him.
 
Partial solutions to these short-comings are winding their way through the legislative process. Sen. Mark Warner, Chairman of the Senate Intelligence Committee, introduced legislation to narrow the scope of businesses covered by the new, almost-universal dragooning of businesses large and small as government spies – though House Intelligence Chairman Mike Turner is opposing that reasonable provision. Last year, the House passed the NDO Fairness Act, which requires judicial review and limited disclosures for these restraints on speech and privacy.
 
As partial solutions wend their way through Congress, this case presents a number of well-defined concerns best defined by the Supreme Court.