“To exist in 2022 is to be surveilled, tracked, tagged and monitored — most often for profit.” It might sound like an exaggeration, but it’s far from it. When nearly every American is carrying a tracking device, audio and video recorder, and all their personal data in their pocket, nobody is truly private.
The cracks in our digital privacy are getting wider, allowing an almost unfiltered ocean of our most sensitive data to flow into anyone’s hands. As Alex Kingsbury writes in The New York Times:
“Consider just last week: Apple released a surprise software update for its iPhones, iPads and Macs meant to remove vulnerabilities the company says may have been exploited by sophisticated hackers. The week before that, a former Google engineer discovered that Meta, the parent company of Facebook and Instagram, was using a piece of code to track users of the Facebook and Instagram apps across the internet without their knowledge. In Greece the prime minister and his government have been consumed by a widening scandal in which they are accused of spying on the smartphones of an opposition leader and a journalist.
And this month Amazon announced that it was creating a show called “Ring Nation” — a sort of ‘America’s Funniest Home Videos’ made up of footage recorded by the company’s Ring doorbells.”
Just one of these examples should be cause for concern to any American, but the problem is simply too big for individuals to handle. As Kingsbury states, “there are simply too many tech companies, government entities, data brokers, internet service providers and others tracking everything we do.” Congress must take bold action to protect Americans from predatory data collectors and misusers.
Legislation like the Fourth Amendment Is Not For Sale Act is a step in the right direction. It would prohibit law enforcement and other government agencies from purchasing bulk data from data brokers. In the wake of renewed state battles over the future of abortion rights, the My Body, My Data Act would tighten rules around personal health information. Absent these reforms, “we’re about to find out what happens when that privacy has all but vanished.” PPSA will continue to monitor these issues and fight for privacy in Congress and the courts.
Earlier this month, former Vice President Mike Pence called out criticism of the FBI lodged by members of his own party. In his speech, Pence stated, “I … want to remind my fellow Republicans we can hold the attorney general accountable for the decision that he made without attacking the rank-and-file law enforcement personnel at the FBI.” While the intent of Pence’s statement is certainly laudable, it comes at a time when the public is increasingly distrustful of the agency’s activities.
Pence’s comments have been received so poorly because they dismiss the credible concerns emanating from all sectors of the American public. The distrust towards the agency turned into full-blown outrage when the FBI raided former President Trump’s Mar-a-Lago estate earlier this month on August 8th. It has been weeks since the raid, and there has been little official explanation provided. What information we do have has been pieced together from an unsealed warrant and source leaks. According to the warrant, the search was related to potential violations of three laws, including the Espionage Act. Attorney General Merrick Garland said during remarks on August 11 that he would not explain why he personally signed off on seeking a search warrant. Even though documents were recovered, distrust of the agency has become so severe that swaths of the American public may choose to believe that the evidence seized was forged and planted.
Also worried is Michael Horowitz, Inspector General of the U.S. Department of Justice. Across multiple reports, Horowitz details the abuses, noncompliance, and mishandling that are currently ongoing within the FBI. To give a few examples: in September of 2021, the office of the Inspector General released a report stating that there “was widespread non-compliance with the Woods Procedures,” a set of procedures to ensure factual accuracy in FISA applications. In August of 2019, the office of the Inspector General released a report detailing the multiple rules violations by former FBI Director James Comey, indicating a culture of secrecy and noncompliance at the highest level in the chain of command. There are multiple reports detailing commercial sex, accepting illegal gifts from the media, the violation of ethics rules, and a “lack of candor.”
When American citizens display “a lack of candor,” they can be fired from their jobs. When senior officials at the FBI do it, prosecution is declined and the offending party is “reassigned to a nonsupervisory role.”
In 2019, the Foreign Intelligence Surveillance Court criticized the FBI for misleading it in applications to wiretap former Trump campaign aide Carter Page. Inspector General Horowitz found that the FBI had omitted facts and provided false statements to the FISA court when the FBI filed for a warrant to conduct surveillance on Page. FISA court presiding Judge Rosemary Collyer stated in her opinion that “The FBI’s handling of the Carter Page applications, as portrayed in the OIG report, was antithetical to the heightened duty of candor described above…”
So, not only is the public concerned, but so is the office of the Inspector General and the FISA courts, two organizations which either oversee or directly liaise with the FBI.
Just this week, the escapades of the FBI were on full display during a trial to convict two men involved in the 2020 plan to kidnap Michigan Governor Gretchen Whitmer. The already high-profile nature of the case was catapulted into the stratosphere when the FBI revealed there were at least five informants or undercover agents embedded among the suspected planners. Defense attorneys have argued there were at least twelve. The involvement of FBI agents and informants was so significant that a trial for a separate set of suspected planners failed to get a single conviction. One informant became second-in-command of a militia. Another undercover agent offered to provide explosives to the group. It calls into question whether the FBI was engaged in entrapment.
FBI agents assigned to the case became subjects of scrutiny themselves. As the New York Times reports, “one F.B.I. agent on the case was fired last year after being charged with domestic violence, and another agent, who supervised a key informant, tried to build a private security consulting firm based in part on some of his work for the F.B.I.…” That FBI agents so close to an ongoing plan to kidnap a governor were themselves so compromised is very chilling.
It seems obvious from the last several years that the FBI is in need of both oversight and reform. The agency has significant investigatory and enforcement powers, and Congress can and should do more to monitor its activities.
If you think HIPAA medical privacy laws mean your medical data is secure, think again. Digital health companies have been caught funneling sensitive data that patients have shared with them to Facebook/Meta to help target advertisements.
A recent study by the data privacy research group Light Collective surveyed the actions of five health companies and found that third-party ad trackers used by those companies followed patients online and marketed to them based on their activities. Three of the companies went against their own privacy policies in the process, raising concerns about HIPAA violations.
Four of the five digital health companies did not respond to requests by Forbes for comment. The authors of the study said that after they disclosed their findings to the five companies, only two responded: Ciitizen and Invitae. Both said they were investigating the matter.
Andrea Downing, cofounder of the Light Collective, said that poor health data privacy is “one of the biggest threats to online patient communities.” The study is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup showed that hospital websites are currently using data trackers to gather and share sensitive patient information with Facebook for marketing. Facebook’s parent company, Meta, has said that sharing such information is a violation of the company’s rules.
This is a concerning development for digital health privacy. Digital health companies are allegedly violating their own privacy rules and possibly the law. It also demonstrates the failure of the government to ensure critical patient health data is safe and secure.
A lot has been written about a provision of the upcoming Inflation Reduction Act, which will provide an additional $80 billion in funding to the Internal Revenue Service. Most of this funding will go to bolstering enforcement work, meaning more audits.
While this is bad news for millions of taxpayers, and good news for the makers of Tums Antacid Products for Fast Heartburn Relief, the creation of a new army of auditors is bound to significantly warp the already warped privacy landscape in America.
Big numbers for new IRS hires have been estimated. A Treasury Department report from May 2021 estimated that the agency would be able to hire roughly 87,000 employees by 2031 with the additional funding, more than doubling the agency’s staff dedicated to enforcing tax laws. But even media defenses of the plan, which have tried to downplay the number, still estimate between twenty and thirty thousand new employees.
At either number, the IRS expansion will undoubtedly expand the capability of the agency to investigate American citizens. Jonah Goldberg put it best recently when he wrote:
“Unlike normal law enforcement, the IRS doesn’t require probable cause to investigate you. It can choose people at random or investigate people based on a theory or a hunch—often sanitized by saying it was the algorithm that made the call. Even if you did nothing wrong, the process itself is punishing and often expensive. One of the bedrocks of our constitutional order, most obviously enshrined in the Fourth Amendment, is the idea that citizens should not be subjected to unreasonable searches without probable cause. Stop and frisk was canceled because it was seen as an outrageous and demeaning affront to civil liberties. I’m conflicted on that. But I certainly get the objections, and I would never say, ‘If you did nothing wrong, you have no reason to complain about being frisked.’ Well, an audit is a forensic frisking of virtually everything you did for a year. What did you spend money on? Where did you spend it? How did you get the money? Show us your receipts. Prove you’re not guilty.”
Also concerning are the new methods and technologies the IRS could deploy against the whole country. In February, we reported on the bipartisan resistance to the IRS’s plan to implement facial recognition technology. Under this plan, the IRS would require taxpayers to submit to digital facial recognition scans to obtain tax transcripts and other records. The plan was halted amid significant pushback noting the privacy and technological flaws of facial recognition, but not before 7 million Americans surrendered their biometric data to the IRS and a third-party verification company, ID.me.
In May, we reported on the Transparency and Accountability in Service Providers Act, a draft bill circulating that would have deputized millions of “financial gatekeepers” into spying on their clients for the federal government. Virtually the entire financial services industry would be required to report any “suspicious” activity to the government. If the Act were to pass, and the 7.6 million employees of the financial services sector were “deputized,” there would be one informer for every 43 Americans.
Where there is a will, there is a way. The IRS is already trying to spy on you. With this new funding, the IRS now has a way.
On Tuesday, House Judiciary Committee Chairman Jerrold Nadler and House Homeland Security Committee Chairman Bennie Thompson sent a letter to the heads of key agencies demanding answers to questions about their use of data brokers.
It is no secret that agencies ranging from the FBI to the DEA have been circumventing the Fourth Amendment by purchasing the data of millions of Americans from private data brokers. This letter is the latest sign Congress is waking up to the privacy and surveillance threat posed by data brokers contracting with the federal government.
Reps. Nadler and Thompson wrote Attorney General Merrick Garland, FBI Director Christopher Wray, Homeland Security Secretary Alejandro Mayorkas, as well as the heads of Customs and Border Protection, the Bureau of Alcohol, Tobacco, Firearms and Explosives, Immigration and Customs Enforcement and the Drug Enforcement Administration.
The two chairmen noted:
“In a recent hearing before the House Judiciary Committee, a witness stated that materials provided by data brokers ‘turn policing from a suspect-focused search into a constant, intrusive surveillance system that surveils all of us. Rather than focusing on particular suspects, data policing tools are dragnets, sifting through all of our data.’”
The letter demanded each agency provide four sets of documents:
This is a step in the right direction, and PPSA looks forward to further work by Congress on the subject. What we learn from these requests should prompt Congress to pass the Fourth Amendment Is Not For Sale Act.
Courts throw out cases in which the government violated the Fourth Amendment to obtain evidence. Prosecutors, dreading such a rebuke, have sometimes resorted to “parallel construction” – using illicitly gained knowledge to turn up evidence from a source acceptable in court.
Suppose, for example, that an illegal wiretap by federal investigators reveals that a target will deliver drugs to a certain street corner. They could then alert local police to decide that specific corner is a good place for a spot-check with drug-sniffing dogs.
In this way, evidence obtained by illicit surveillance can be laundered. This seems to be especially prone to happen when law enforcement relies on “stingrays” – the common name for cell-site simulators, equipment that mimics a cellphone tower to ping the location of a cellphone.
The FBI, in 2014, after providing the Oklahoma City police with stingray technology, sent that department a memo telling the police that the stingray is for “lead purposes” only and “may not be used as primary evidence in any affidavits, hearings or trials.” Instead, the FBI required the police to use “additional and independent investigative means and methods, such as historical cellular analysis, that would be admissible at trial” to corroborate information obtained using the stingray. The Cato Institute’s Adam Bates analyzed such agreements and concluded that “law enforcement uses some surreptitious and, perhaps, constitutionally dubious tactics to generate a piece of evidence. In order to obscure the source of that evidence, police will use the new information as a lead to gather information from which they construct a case that appears to have been cracked using routine police work.”
Perhaps because of reporting like Cato’s analysis, formal FBI agreements to sell stingrays to local law enforcement – at least those released to the public – appear to be missing this language.
But what about informal agreements?
In two responses to PPSA’s Freedom of Information Act requests, the FBI has used similar language in 2015 and 2020 deals to allow police to use stingrays. To be fair, these may be one-off situations. Both cases seem to have been loaner deals, in which stingrays were deployed in “exigent” or emergency circumstances.
For example, one 2015 email chain shows that an agency agreed to the FBI’s request that “it is required to use additional and independent investigative means and methods, such as [redacted] that would be admissible at trial to corroborate information concerning the location of the target obtained through the use of this equipment.”
Comparing this redacted language to the unredacted provisions imposed on the Oklahoma City police, it appears that the FBI continues to push local law enforcement to hide their stingray use from the courts. On the other hand, this language is missing from other NDA forms PPSA has obtained. Has the FBI abandoned this practice? Or is it continuing “off the books” in some fashion to encourage local law enforcement to launder evidence?
Amazon continues its relentless growth as a private data behemoth. On August 5, Amazon announced it will buy iRobot Corp., the maker of the famous Roomba vacuum. While Amazon has an interest in promoting and selling the autonomous vacuum cleaner, it might be far more interested in what the vacuum can collect – and no, it’s not the dirt on your floors.
Great value rests in the Roomba’s ability to map your house, enabled by a technology called Smart Maps. According to iRobot Corp., Smart Maps allow your robot to remember the layout of the inside of your home so you can tailor your house cleaning. Over time as your Roomba develops a detailed map of the layout of your house, the kinds of objects it interacts with can provide critical data about you, your life, and anyone else in your home.
For example, Bloomberg reports that “the size of your house,” which Roomba can detect, “is a pretty good proxy for your wealth. A floor covered in toys means you likely have kids. A household without much furniture is a household to which you can try to sell more furniture. This is all useful intel for a company such as Amazon which, you may have noticed, is in the business of selling stuff.”
As Amazon continues to develop its smart home line of products, the data Roomba can acquire is the linchpin for further product integration. By themselves, current smart home products can’t really discern all that much about your house. As Bloomberg states, a smart home, “only knows that your Philips Hue lightbulbs and connected television are in your sitting room because you’ve told it as much. It certainly doesn’t know where exactly the devices are within that room. The more it knows about a given space, the more tightly it can choreograph the way they interact with you.”
Nothing creepy about that.
With the 2018 acquisition of Ring home security cameras, Amazon now has an unparalleled ability to monitor your home. At best, it means Amazon will be able to finely tailor advertisements to each individual consumer. At its worst, this kind of data could provide interested parties – perhaps through third-party brokers – with invasive information about you.
We have already seen how Amazon has made agreements with thousands of police departments across the country to share video data from Ring cameras and to enable monitoring of entire neighborhoods. Who knows what can be done with the information Roomba can provide about the interior of your home?
A federal jury this week in San Francisco convicted Ahmad Abouammo, 44, who managed partnerships in the Middle East and Africa for Twitter, of six charges related to accusations that he spied on the company’s users for Saudi Arabia. During the two years that Abouammo worked for Twitter, he developed close relationships with advisors close to Saudi Arabia’s crown prince, Mohammed bin Salman. The deal? The jury found that Abouammo sold private information and data about dissident accounts to the Saudi government in exchange for bribes that included luxury watches and $300,000 in cash.
This case highlights just one way in which the political, financial, health, and personal information of Americans is at enormous risk of falling into the hands of foreign governments, as well as our own government.
Abouammo, who worked at Twitter from 2013 to 2015, wasn’t arrested until 2019. Another former Twitter employee who was also charged in the scheme fled the country before he could be arrested. This human intelligence approach to spying, however, may be dwarfed by the scale of corporate infiltration and commercial surveillance by governments.
China leads the pack in deploying the most sophisticated methods to infiltrate U.S. companies, capabilities recently described by FBI Director Christopher Wray:
“China often disguises its hand in order to obtain influence and access where companies don’t suspect it. Outside of China, their government uses elaborate shell games to disguise its efforts from foreign companies and from government investment-screening programs like CFIUS, America’s Committee on Foreign Investment in the U.S.”
Foreign infiltration operations are not the only way in which Americans’ personal data is hemorrhaging. Even if the U.S. government and companies could effectively catch spies and corporate infiltrators, countries around the globe might legally circumvent the FBI by simply buying our data from data brokers. “The present risks of our citizens’ data being sold to foreign governments are grossly underappreciated,” wrote Klon Kitchen and Bill Drexel at the American Enterprise Institute.
As PPSA has previously reported, data brokers gather a trove of highly personal data about you and sell it to interested parties. Even if the U.S. can enact effective reforms to stop foreign infiltration, governments, including our own, can simply purchase our data.
It is more important than ever that Congress and American businesses tackle the many threats to data privacy. As Congress debates a privacy bill, the scope of foreign government purchases of our information – perhaps through shell companies – should be the subject of deep inquiry. Addressing this vulnerability will require a lot of study by the relevant Congressional committees and social media companies to ensure that any proposed solution works without unintended consequences.
In the meantime, there is one gap that can be closed immediately – the warrantless access of Americans’ personal information by U.S. law enforcement and intelligence agencies, in defiance of the Constitution’s Fourth Amendment.
The government’s surveillance apparatus continues to focus on communities it regards as problematic, from conservative critics of school boards to progressive protestors of the police, to Americans who are devout Muslims.
A recent report by the Arab American Action Network (AAAN) spotlights the ongoing surveillance of Chicago and Illinois’ Muslim and Arab communities. It reads: “A new analysis of over 200 Illinois and Chicago police documents reveals that Suspicious Activity Reports (SARs) have demonstrably criminalized Arabs and Muslims across Illinois under the guise of ‘public safety,’ while vastly expanding local, state, and federal systems of racialized surveillance.” The report was conducted in collaboration with the Policing in Chicago Research Group at the University of Illinois Chicago.
Suspicious Activity Reports are submitted by individuals. These reports form the backbone of the U.S. Department of Homeland Security’s “If You See Something, Say Something” campaign. AAAN has obtained 235 SARs through FOIA requests, and claims the reports rely on and promote racial profiling of the region’s Arab and Muslim community. “See Something, Say Something” is a reasonable reaction to multiplying threats to the homeland. But SARs need proper guardrails. They can trigger FBI investigations and create a culture of fear and suspicion, chilling speech, and suppressing legitimate political activity.
According to the AAAN report, the FOIA requests show that members of the area’s Muslim and Arab communities have been reported for activities such as holding or using cameras or binoculars, speaking in foreign languages, and photographing famous buildings. All this information is received at so-called “fusion centers,” state-owned and operated facilities that serve as focal points in states and major urban areas for the receipt, analysis, gathering and sharing of threat-related information. The American Civil Liberties Union has called for “cutting off funds to fusion centers that do not have a narrowly tailored law enforcement mission…”
The presence of these fusion centers, along with the broader network of surveillance aimed at Illinois’ Arab and Muslim communities, has the potential for mission-creep that should be disquieting to any liberty-loving American.
The House Intelligence Committee recently held an open hearing on commercial cyber surveillance, also known as “mercenary spyware.”
The hearing focused on new threats posed specifically by privately made, foreign-developed spyware that is bringing capabilities long associated with top-tier nation states to smaller countries and the private sector. PPSA has previously reported on one such foreign spyware in particular: the spreading “zero-click,” Israeli-developed Pegasus.
Pegasus can transmit itself seamlessly into a smartphone without a single click or action from the victim. From there, it can watch you through your camera, listen to you through your microphone, copy your messages, record your calls, extract all your images, and follow your movements. In just a few years, Pegasus has been acquired by dozens of countries and entities, from Saudi Arabia to Mexican cartels, and has already been used to deadly effect against dissidents and journalists. It represents the most sophisticated and widely available form of spyware yet developed.
Among those testifying at the hearing was John Scott-Railton, a senior researcher at The Citizen Lab of the University of Toronto's Munk School of Global Affairs & Public Policy. His testimony provided a stark picture to Congress:
Railton testified (see the 18:50 mark), “Your phone can be on your bedside table at two in the morning. One minute, your phone is clean. The next minute, the data is silently streaming to an adversary a continent away. You see nothing.” He added it was “capabilities available only to a handful of nation-states … It is too late,” he said, “to put the tech back into the bottle, and so we must take strong action now…”
Another witness was Carine Kanimba, an American citizen born in Rwanda. Her testimony (29:05) details the story of her stepfather, Paul Rusesabagina, portrayed by Don Cheadle in Hotel Rwanda. Rusesabagina was the manager of the Hôtel des Mille Collines in Kigali during the Rwandan genocide. He used the hotel to save more than a thousand refugees. Later, he and his family fled to the United States. Rusesabagina became a public speaker and was critical of the human rights violations of the Rwandan government and of the Rwandan President Paul Kagame. In August 2020, Kanimba’s stepfather was surveilled in the United States by the Rwandan government and lured from the family home in Texas. Rusesabagina was kidnapped in Dubai, transferred to Kigali, tortured, tried, and sentenced to 25 years in prison. Kanimba became a vocal and effective activist about the abduction of her stepfather.
In February 2021, Carine Kanimba was notified (33:11) by forensics experts that her smartphone had been infected by Pegasus.
“I was mortified, and I am terrified,” she said. The forensics report showed “the spyware was triggered as I walked in with my mom into a meeting with the Belgian Minister of Foreign Affairs. It was active during the calls with the U.S. Presidential Envoy for Hostage Affairs team and the U.S. State department, as well as U.S. human rights groups.”
Not only was Kanimba’s phone infected, but so was the phone of her cousin with whom she lives.
“I am frightened by what the Rwandan government will do to me and my family next,” she said. “It keeps me awake that they knew everything I was doing. Where I was, who I was speaking with, my private thoughts and actions, at any moment they wanted. Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe.”
The threat posed by mercenary spyware companies and malware is too serious to ignore.
“It has taken us too long to have this conversation,” concluded Railton. His testimony included several suggestions for Congress (22:15):