From your browsing history to your physical location, every aspect of your digital footprint can be tracked and used to build a comprehensive profile of your private life – including your political, religious, and family activities, as well as the most intimate details of your personal life. This information is invaluable not only to advertisers – which want to place ads in your social media feeds – but also to governments, which often have malevolent intentions.
Hostile governments might weaponize your personal digital trail for blackmail or embarrassment. Imagine a CEO or inventor being blackmailed into revealing trade secrets. Or, if you work in the military or in an agency for a contractor involved in national security, your personal data might be used to disrupt your life during the beginning of an international crisis. Imagine a CIA officer receiving what appears to be an urgent message of distress from her daughter or an Air Force officer being told in the voice of his commanding officer to not go to the base but to shelter in place. And then multiply that effect by the millions of Americans in the crosshairs of a cyberattack. Congress and the Biden Administration acted against these possibilities this spring by including in the Israel/Ukraine weapons appropriation measure a provision banning data brokers from exporting Americans' personal data to China, Russia, North Korea, and Iran. However, this ban had notable loopholes. Adversary countries could still purchase data indirectly through middlemen data brokers in third countries or establish front companies to circumvent the ban. To attempt to close these loopholes, Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY) have offered an amendment to the National Defense Authorization Act to further tighten the law by restricting data exports to problematic countries identified by the Secretary of Commerce that lack robust privacy laws to protect Americans' data from being sold and exported to adversaries. This measure will help reduce the flow of Americans’ personal data through third-parties and middlemen ultimately to regimes that have nothing but the worst of intentions. PPSA applauds Sens. Wyden and Lummis for working to tighten the pipeline of Americans’ data flowing out into the world. Their proposal is a needed one and deserves the vocal support of every American who cares about privacy. PPSA has fired off a succession of Freedom of Information Act (FOIA) requests to leading federal law enforcement and intelligence agencies. These FOIAs seek critical details about the government’s purchasing of Americans’ most sensitive and personal data scraped from apps and sold by data brokers.
PPSA’s FOIA requests were sent to the Department of Justice and the FBI, the Department of Homeland Security, the CIA, the Defense Intelligence Agency, the National Security Agency, and the Office of the Director of National Intelligence, asking these agencies to reveal the broad outlines of how they collect highly private information of Americans. These digital traces purchased by the government reveal Americans’ familial, romantic, professional, religious, and political associations. This practice is often called the “data broker loophole” because it allows the government to bypass the usual judicial oversight and Fourth Amendment warrant requirement for obtaining personal information. “Every American should be deeply concerned about the extent to which U.S. law enforcement and intelligence agencies are collecting the details of Americans’ personal lives,” said Gene Schaerr, PPSA general counsel. “This collection happens without individuals’ knowledge, without probable cause, and without significant judicial oversight. The information collected is often detailed, extensive, and easily compiled, posing an immense threat to the personal privacy of every citizen.” To shed light on these practices, PPSA is requesting these agencies produce records concerning:
Shortly after the House passed the Fourth Amendment Is Not For Sale Act, which would require the government to obtain probable cause warrants before collecting Americans’ personal data, Avril Haines, Director of National Intelligence, ordered all 18 intelligence agencies to devise safeguards “tailored to the sensitivity of the information.” She also directed them to produce an annual report on how each agency uses such data. PPSA believes that revealing, in broad categories, the size, scope, sources, and types of data collected by agencies, would be a good first step in Director Haines’ effort to provide more transparency on data purchases. The recent passage of the Fourth Amendment Is Not For Sale Act by the House marks a bold and momentous step toward protecting Americans' privacy from unwarranted government intrusion. This legislation mandates that federal law enforcement and intelligence agencies, such as the FBI and CIA, must obtain a probable cause warrant before purchasing Americans’ personal data from brokers. This requirement closes a loophole that allows agencies to compromise the privacy of Americans and bypass constitutional safeguards.
While this act primarily targets law enforcement and intelligence agencies, it is crucial to extend these protections to all federal agencies. Non-law enforcement entities like the Treasury Department, IRS, and Department of Health and Human Services are equally involved in the purchase of Americans' personal data. The growing appetite among these agencies to track citizens' financial data, sensitive medical issues, and personal lives highlights the need for a comprehensive warrant requirement across the federal government. How strong is that appetite? The Financial Crimes Enforcement Network (FinCEN), operating under the Treasury Department, exemplifies the ambitious scope of federal surveillance. Through initiatives like the Corporate Transparency Act, FinCEN now requires small businesses to disclose information about their owners. This data collection is ostensibly for combating money laundering, though it seems unlikely that the cut-outs and money launderers for cocaine dealers and human traffickers will hesitate to lie on an official form. This data collection does pose significant privacy risks by giving multiple federal agencies warrantless access to a vast database of personal information of Americans who have done nothing wrong. The potential consequences of such data collection are severe. The National Small Business Association reports that the Corporate Transparency Act could criminalize small business owners for simple mistakes in reporting, with penalties including fines and up to two years in prison. This overreach underscores the broader issue of federal agencies wielding excessive surveillance powers without adequate checks and balances. Another alarming example is the dragnet financial surveillance revealed by the House Judiciary Committee and its Select Subcommittee on the Weaponization of the Federal Government. The FBI, in collaboration with major financial institutions, conducted sweeping investigations into individuals' financial transactions based on perceptions of their political leanings. This surveillance was conducted without probable cause or warrants, targeting ordinary Americans for exercising their constitutional rights. Without statutory guardrails, such surveillance could be picked up by non-law enforcement agencies like FinCEN, using purchased digital data. These examples demonstrate the appetite of all government agencies for our personal information. Allowing them to also buy our most sensitive and personal information from data brokers, which is happening now, is about an absolute violation of Americans’ privacy as one can imagine. Only listening devices in every home could be more intrusive. Such practices are reminiscent of general warrants of the colonial era, the very abuses the Fourth Amendment was designed to prevent. The indiscriminate collection and scrutiny of personal data without individualized suspicion erode the foundational principles of privacy and due process. The Fourth Amendment Is Not For Sale Act is a powerful and necessary step to end these abuses. Congress should also consider broadening the scope to ensure all federal agencies are held to the same standard. Now that the House has passed the Fourth Amendment Is Not for Sale Act, senators would do well to review new concessions from the intelligence community on how it treats Americans’ purchased data. This is progress, but it points to how much more needs to be done to protect privacy.
Avril Haines, Director of National Intelligence (DNI), released a “Policy Framework for Commercially Available Information,” or CAI. In plain English, CAI is all the digital data scraped from our apps and sold to federal agencies, ranging from the FBI to the IRS, Department of Homeland Security, and Department of Defense. From purchased digital data, federal agents can instantly access almost every detail of our personal lives, from our relationships to our location histories, to data about our health, financial stability, religious practices, and politics. Federal purchases of Americans’ data don’t merely violate Americans’ privacy, they kick down any semblance of it. There are signs that the intelligence community itself is coming to realize just how extreme its practices are. Last summer, Director Haines released an unusually frank report from an internal panel about the dangers of CAI. We wrote at the time: “Unlike most government documents, this report is remarkably self-aware and willing to explore the dangers” of data purchases. The panel admitted that this data can be used to “facilitate blackmail, stalking, harassment, and public shaming.” Director Haines’ new policy orders all 18 intelligence agencies to devise safeguards “tailored to the sensitivity of the information” and produce an annual report on how each agency uses such data. The policy also requires agencies:
Details for how each of the intelligence agencies will fulfill these aspirations – and actually handle “sensitive CAI” – is left up to them. Sen. Ron Wyden (D-OR) acknowledged that this new policy marks “an important step forward in starting to bring the intelligence community under a set of principles and polices, and in documenting all the various programs so that they can be overseen.” Journalist and author Byron Tau told Reason that the new policy is a notable change in the government’s stance. Earlier, “government lawyers were saying basically it’s anonymized, so no privacy problem here.” Critics were quick to point out that any of this data could be deanonymized with a few keystrokes. Now, Tau says, the new policy is “sort of a recognition that this data is actually sensitive, which is a bit of change.” Tau has it right – this is a bit of a change, but one with potentially big consequences. One of those consequences is that the public and Congress will have metrics that are at least suggestive of what data the intelligence community is purchasing and how it uses it. In the meantime, Sen. Wyden says, the framework of the new policy has an “absence of clear rules about what commercially available information can and cannot be purchased by the intelligence community.” Sen. Wyden adds that this absence “reinforces the need for Congress to pass legislation protecting the rights of Americans.” In other words, the Senate must pass the Fourth Amendment Is Not For Sale Act, which would subject purchased data to the same standard as any other personal information – a probable cause warrant. That alone would clarify all the rules of the intelligence community. But Who Will Fine the FBI? The Federal Communications Commission on Monday fined four wireless carriers – Verizon, AT&T, Sprint, and T-Mobile – nearly $200 million for sharing the location data of customers, often in real-time, without their consent.
The case is an outgrowth of an investigation that began during the Trump Administration following public complaints that customers’ movements were being shared in real time with third-party companies. This is sensitive data. As FCC Chairwoman Jessica Rosenworcel said, consumers’ real-time location data reveals “where they go and who they are.” The carriers, FCC declared, attempted to offload “obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained.” The telecoms complain that the fines are excessive and ignore steps the companies have taken to cut off bad actors and improve customer privacy. But one remark from AT&T seemed to validate FCC’s charge of “offloading.” A spokesman told The Wall Street Journal that AT&T was being held responsible for another’s company’s violations. Verizon spokesman told The Journal that it had cut out a bad actor. These spokesmen are pointing to the role of data aggregators who resell access to consumer location data and other information to a host of commercial services that want to know our daily movements. The spokesmen seem to betray a long-held industry attitude that when it sells data, it also transfers liability, including the need for customer consent. Companies of every sort that sell data, not just telecoms, will now need to study this case closely and determine whether they should tighten control over what happens to customer data after it is sold. But there is one glaring omission in the FCC’s statement. It glides past the government’s own culpability in degrading consumer privacy. A dozen federal law enforcement and intelligence agencies, ranging from the FBI to the ATF, IRS, and Department of Homeland Security, routinely purchase and access Americans’ personal, digital information without bothering to secure a warrant. Concern over this practice is what led the House to recently pass The Fourth Amendment Is Not For Sale Act, which would require government agencies to obtain warrants before buying Americans’ location and other personal data from these same data brokers. It is good to see the FCC looking out for consumers. But who is going to fine the FBI? The risks and benefits of reverse searches are revealed in the capital murder case of Aaron Rayshan Wells. Although a security camera recorded a number of armed men entering a home in Texas where a murder took place, the lower portions of the men’s faces were covered. Wells was identified in this murder investigation by a reverse search enabled by geofencing.
A lower court upheld the geofence in this case as sufficiently narrow. It was near the location of a homicide and was within a precise timeframe on the day of the crime, 2:45-3:10 a.m. But ACLU in a recent amicus brief identifies dangers with this reverse search, even within such strict limits. What are the principles at stake in this practice? Let’s start with the Fourth Amendment, which places hurdles government agents must clear before obtaining a warrant for a search – “no warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The founders’ tight language was formed by experience. In colonial times, the King’s agents could act on a suspicion of smuggling by ransacking the homes of all the shippers in Boston. Forcing the government to name a place, and a person or thing to be seized and searched, was the founders’ neat solution to outlawing such general warrants altogether. It was an ingenious system, and it worked well until Michael Dimino came along. In 1995, this inventor received a patent for using GPS to locate cellphones. Within a few years, geofencing technology could instantly locate all the people with cellphones within a designated boundary at a specified time. This was a jackpot for law enforcement. If a bank robber was believed to have blended into a crowd, detectives could geofence that area and collect the phone numbers of everyone in that vicinity. Make a request to a telecom service provider, run computer checks on criminals with priors, and voilà, you have your suspect. Thus the technology-enabled practice of conducting a “reverse search” kicked into high gear. Multiple technologies assist in geofenced investigations. One is a “tower dump,” giving law enforcement access to records of all the devices connected to a specified cell tower during a period of time. Wi-Fi is also useful for geofencing. When people connect their smartphones to Wi-Fi networks, they leave an exact log of their physical movements. Our Wi-Fi data also record our online searches, which can detail our health, mental health, and financial issues, as well intimate relationships, and political and religious activities and beliefs. A new avenue for geofencing was created on Monday by President Biden when he signed into a law a new measure that will give the government the ability to tap into data centers. The government can now enlist the secret cooperation of the provider of “any” service with access to communications equipment. This gives the FBI, U.S. intelligence agencies, and potentially local law enforcement a wide, new field with which to conduct reverse searches based on location data. In these ways, modern technology imparts an instant, all-around understanding of hundreds of people in a targeted area, at a level of intimacy that Colonel John André could not have imagined. The only mystery is why criminals persist in carrying their phones with them when they commit crimes. Google was law enforcement’s ultimate go-to in geofencing. Warrants from magistrates authorizing geofence searches allowed the police to obtain personal location data from Google about large numbers of mobile-device users in a given area. Without any further judicial oversight, the breadth of the original warrant was routinely expanded or narrowed in private negotiations between the police and Google. In 2023, Google ended its storage of data that made geofencing possible. Google did this by shifting the storage of location data from its servers to users’ phones. For good measure, Google encrypted this data. But many avenues remain for a reverse search. On one hand, it is amazing that technology can so rapidly identify suspects and potentially solve a crime. On the other, technology also enables dragnet searches that pull in scores of innocent people, and potentially makes their personal lives an open book to investigators. ACLU writes: “As a category, reverse searches are ripe for abuse both because our movements, curiosity, reading, and viewing are central to our autonomy and because the process through which these searches are generally done is flawed … Merely being proximate to criminal activity could make a person the target of a law enforcement investigation – including an intrusive search of their private data – and bring a police officer knocking on their door.” Virginia judge Mary Hannah Lauck in 2022 recognized this danger when she ruled that a geofence in Richmond violated the Fourth Amendment rights of hundreds of people in their apartments, in a senior center, people driving by, and in nearby stores and restaurants. Judge Lauck wrote “it is difficult to overstate the breadth of this warrant” and that an “innocent individual would seemingly have no realistic method to assert his or her privacy rights tangled within the warrant. Geofence warrants thus present the marked potential to implicate a ‘right without a remedy.’” ACLU is correct that reverse searches are obvious violations of the plain meaning of the Fourth Amendment. If courts continue to uphold this practice, however, strict limits need to be placed on the kinds of information collected, especially from the many innocent bystanders routinely caught up in geofencing and reverse searches. And any change in the breadth of a warrant should be determined by a judge, not in a secret deal with a tech company. Our digital traces can be put together to tell the stories of our lives. They reveal our financial and health status, our romantic activities, our religious beliefs and practices, and our political beliefs and activities.
Our location histories are no less personal. Data from the apps on our phone record where we go and with whom we meet. Taken all together, our data creates a portrait of our lives that is more intimate than a diary. Incredibly, such information is, in turn, sold by data brokers to the FBI, IRS, the Drug Enforcement Administration, the Department of Defense, the Department of Homeland Security, and other federal agencies to freely access. The Constitution’s Fourth Amendment forbids such unreasonable searches and seizures. Yet federal agencies maintain they have the right to collect and examine our personal information – without warrants. A recent report from the Office of the Director of National Intelligence shows that:
The American people are alarmed. Eighty percent of Americans in a recent YouGov poll say Congress should require government agencies to obtain a warrant before purchasing location information, internet records, and other sensitive data about people in the U.S. from data brokers. The Fourth Amendment Is Not For Sale Act now up for a vote in the House would prohibit law enforcement and intelligence agencies from purchasing certain sensitive information from third-party sellers, including geolocation information and communications-related information that is protected under the Electronic Communications Privacy Act, and information obtained from illicit data scraping. This bill balances Americans’ civil liberties with national security, giving law enforcement and intelligence agencies the ability to access this information with a warrant, court order, or subpoena. Call your U.S. House Representative and say: “Please protect my privacy by voting for the Fourth Amendment Is Not For Sale Act.” Byron Tau – journalist and author of Means of Control, How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State – discusses the details of his investigative reporting with Liza Goitein, senior director of the Brennan Center for Justice's Liberty & National Security Program, and Gene Schaerr, general counsel of the Project for Privacy and Surveillance Accountability.
Byron explains what he has learned about the shadowy world of government surveillance, including how federal agencies purchase Americans’ most personal and sensitive information from shadowy data brokers. He then asks Liza and Gene about reform proposals now before Congress in the FISA Section 702 debate, and how they would rein in these practices. Our general counsel, Gene Schaerr, explains in the Washington Examiner how the Biden administration's recent executive order to protect personal data from government abuse falls short. Hint: It excludes our very own government's abuse of our personal data.
How to Tell if You are Being Tracked Car companies are collecting massive amounts of data about your driving – how fast you accelerate, how hard you brake, and any time you speed. These data are then analyzed by LexisNexis or another data broker to be parsed and sold to insurance companies. As a result, many drivers with clean records are surprised with sudden, large increases in their car insurance payments.
Kashmir Hill of The New York Times reports the case of a Seattle man whose insurance rates skyrocketed, only to discover that this was the result of LexisNexis compiling hundreds of pages on his driving habits. This is yet another feature of the dark side of the internet of things, the always-on, connected world we live in. For drivers, internet-enabled services like navigation, roadside assistance, and car apps are also 24-7 spies on our driving habits. We consent to this, Hill reports, “in fine print and murky privacy policies that few read.” One researcher at Mozilla told Hill that it is “impossible for consumers to try and understand” policies chocked full of legalese. The good news is that technology can make data gathering on our driving habits as transparent as we are to car and insurance companies. Hill advises:
What you cannot do, however, is file a report with the FBI, IRS, the Department of Homeland Security, or the Pentagon to see if government agencies are also purchasing your private driving data. Given that these federal agencies purchase nearly every electron of our personal data, scraped from apps and sold by data brokers, they may well have at their fingertips the ability to know what kind of driver you are. Unlike the private snoops, these federal agencies are also collecting your location histories, where you go, and by inference, who you meet for personal, religious, political, or other reasons. All this information about us can be accessed and reviewed at will by our government, no warrant needed. That is all the more reason to support the inclusion of the principles of the Fourth Amendment Is Not for Sale Act in the reauthorization of the FISA Section 702 surveillance policy. While Congress debates adding reforms to FISA Section 702 that would curtail the sale of Americans’ private, sensitive digital information to federal agencies, the Federal Trade Commission is already cracking down on companies that sell data, including their sales of “location data to government contractors for national security purposes.”
The FTC’s words follow serious action. In January, the FTC announced proposed settlements with two data aggregators, X-Mode Social and InMarket, for collecting consumers’ precise location data scraped from mobile apps. X-Mode, which can assimilate 10 billion location data points and link them to timestamps and unique persistent identifiers, was targeted by the FTC for selling location data to private government contractors without consumers’ consent. In February, the FTC announced a proposed settlement with Avast, a security software company, that sold “consumers’ granular and re-identifiable browsing information” embedded in Avast’s antivirus software and browsing extensions. What is the legal basis for the FTC’s action? The agency seems to be relying on Section 5 of the Federal Trade Commission Act, which grants the FTC power to investigate and prevent deceptive trade practices. In the case of X-Mode, the FTC’s proposed complaint highlight’s X-Mode’s statement that their location data would be used solely for “ad personalization and location-based analytics.” The FTC alleges X-Mode failed to inform consumers that X-Mode “also sold their location data to government contractors for national security purposes.” The FTC’s evolving doctrine seems even more expansive, weighing the stated purpose of data collection and handling against its actual use. In a recent blog, the FTC declares: “Helping people prepare their taxes does not mean tax preparation services can use a person’s information to advertise, sell, or promote products or services. Similarly, offering people a flashlight app does not mean app developers can collect, use, store, and share people’s precise geolocation information. The law and the FTC have long recognized that a need to handle a person’s information to provide them a requested product or service does not mean that companies are free to collect, keep, use, or share that’s person’s information for any other purpose – like marketing, profiling, or background screening.” What is at stake for consumers? “Browsing and location data paint an intimate picture of a person’s life, including their religious affiliations, health and medical conditions, financial status, and sexual orientation.” If these cases go to court, the tech industry will argue that consumers don’t sign away rights to their private information when they sign up for tax preparation – but we all do that routinely when we accept the terms and conditions of our apps and favorite social media platforms. The FTC’s logic points to the common understanding that our data is collected for the purpose of selling us an ad, not handing over our private information to the FBI, IRS, and other federal agencies. The FTC is edging into the arena of the Fourth Amendment Is Not for Sale Act, which targets government purchases and warrantless inspection of Americans’ personal data. The FTC’s complaints are, for the moment, based on legal theory untested by courts. If Congress attaches similar reforms to the reauthorization of FISA Section 702, it would be a clear and hard to reverse protection of Americans’ privacy and constitutional rights. Ken Blackwell, former ambassador and mayor of Cincinnati, has a conservative resume second to none. He is now a senior fellow of the Family Research Council and chairman of the Conservative Action Project, which organizes elected conservative leaders to act in unison on common goals. So when Blackwell writes an open letter in Breitbart to Speaker Mike Johnson warning him not to try to reauthorize FISA Section 702 in a spending bill – which would terminate all debate about reforms to this surveillance authority – you can be sure that Blackwell was heard.
“The number of FISA searches has skyrocketed with literally hundreds of thousands of warrantless searches per year – many of which involve Americans,” Blackwell wrote. “Even one abuse of a citizen’s constitutional rights must not be tolerated. When that number climbs into the thousands, Congress must step in.” What makes Blackwell’s appeal to Speaker Johnson unique is he went beyond including the reform efforts from conservative stalwarts such as House Judiciary Committee Chairman Jim Jordan and Rep. Andy Biggs of the Freedom Caucus. Blackwell also cited the support from the committee’s Ranking Member, Rep. Jerry Nadler, and Rep. Pramila Jayapal, who heads the House Progressive Caucus. Blackwell wrote: “Liberal groups like the ACLU support reforming FISA, joining forces with conservatives civil rights groups. This reflects a consensus almost unseen on so many other important issues of our day. Speaker Johnson needs to take note of that as he faces pressure from some in the intelligence community and their overseers in Congress, who are calling for reauthorizing this controversial law without major reforms and putting that reauthorization in one of the spending bills that will work its way through Congress this month.” That is sound advice for all Congressional leaders on Section 702, whichever side of the aisle they are on. In December, members of this left-right coalition joined together to pass reform measures out of the House Judiciary Committee by an overwhelming margin of 35 to 2. This reform coalition is wide-ranging, its commitment is deep, and it is not going to allow a legislative maneuver to deny Members their right to a debate. David Pierce has an insightful piece in The Verge demonstrating the latest example of why every improvement in online technology leads to a yet another privacy disaster.
He writes about an experiment by OpenAI to make ChatGPT “feel a little more personal and a little smarter.” The company is now allowing some users to add memory to personalize this AI chatbot. Result? Pierce writes that “the idea of ChatGPT ‘knowing’ users is both cool and creepy.” OpenAI says it will allow users to remain in control of ChatGPT’s memory and be able to tell it to remove something it knows about you. It won’t remember sensitive topics like your health issues. And it has a temporary chat mode without memory. Credit goes to OpenAI for anticipating the privacy implications of a new technology, rather than blundering ahead like so many other technologists to see what breaks. OpenAI’s personal memory experiment is just another sign of how intimate technology is becoming. The ultimate example of online AI intimacy is, of course, the so-called “AI girlfriend or boyfriend” – the artificial romantic partner. Jen Caltrider of Mozilla’s Privacy Not Included team told Wired that romantic chatbots, some owned by companies that can’t be located, “push you toward role-playing, a lot of sex, a lot of intimacy, a lot of sharing.” When researchers tested the app, they found it “sent out 24,354 ad trackers within one minute of use.” We would add that data from these ads could be sold to the FBI, the IRS, or perhaps a foreign government. The first wave of people whose lives will be ruined by AI chatbots will be the lonely and the vulnerable. It is only a matter of time before sophisticated chatbots become ubiquitous sidekicks, as portrayed in so much near-term science fiction. It will soon become all too easy to trust a friendly and helpful voice, without realizing the many eyes and ears behind it. Just in time for the Section 702 debate, Emile Ayoub and Elizabeth Goitein of the Brennan Center for Justice have written a concise and easy to understand primer on what the data broker loophole is about, why it is so important, and what Congress can do about it.
These authors note that in this age of “surveillance capitalism” – with a $250 billion market for commercial online data – brokers are compiling “exhaustive dossiers” that “reveal the most intimate details of our lives, our movements, habits, associations, health conditions, and ideologies.” This happens because data brokers “pay app developers to install code that siphons users’ data, including location information. They use cookies or other web trackers to capture online activity. They scrape from information public-facing sites, including social media platforms, often in violation of those platforms’ terms of service. They also collect information from public records and purchase data from a wide range of companies that collect and maintain personal information, including app developers, internet service providers, car manufacturers, advertisers, utility companies, supermarkets, and other data brokers.” Armed with all this information, data brokers can easily “reidentify” individuals from supposedly “anonymized” data. This information is then sold to the FBI, IRS, the Drug Enforcement Administration, the Department of Defense, the Department of Homeland Security, and state and local law enforcement. Ayoub and Goitein examine how government lawyers employ legal sophistry to evade a U.S. Supreme Court ruling against the collection of location data, as well as the plain meaning of the U.S. Constitution, to access Americans’ most personal and sensitive information without a warrant. They describe the merits of the Fourth Amendment Is Not For Sale Act, and how it would shut down “illegitimately obtained information” from companies that scrape photos and data from social media platforms. The latter point is most important. Reformers in the House are working hard to amend FISA Section 702 with provisions from the Fourth Amendment Is Not For Sale Act, to require the government to obtain warrants before inspecting our commercially acquired data. While the push is on to require warrants for Americans’ data picked up along with international surveillance, the job will be decidedly incomplete if the government can get around the warrant requirement by simply buying our data. Ayoub and Goitein conclude that Congress must “prohibit government agencies from sidestepping the Fourth Amendment.” Read this paper and go here to call your House Member and let them know that you demand warrants before the government can access our sensitive, personal information. From Gene Schaerr, general counsel of the Project for Privacy and Surveillance Accountability:
“For months, the House Intelligence Committee warned that failure to reauthorize Section 702 would subject the American homeland to unprecedented danger. “Now the Intelligence Committee has caused the bill to be pulled rather than allow the House to work its will and vote on a few reasonable and important reform amendments. “They are now willing to endanger Section 702 in its entirety unless they get everything they want. “Think about it – the intelligence community and deep state are so determined to maintain the ability to spy on Americans that they are willing to put at risk the very authority they claim they need to protect us against foreign threats.” The word from Capitol Hill is that Speaker Mike Johnson is scheduling a likely House vote on the reauthorization of FISA’s Section 702 this week. We are told that proponents and opponents of surveillance reform will each have an opportunity to vote on amendments to this statute.
It is hard to overstate how important this upcoming vote is for our privacy and the protection of a free society under the law. The outcome may embed warrant requirements in this authority, or it may greatly expand the surveillance powers of the government over the American people. Section 702 enables the U.S. intelligence community to continue to keep a watchful eye on spies, terrorists, and other foreign threats to the American homeland. Every reasonable person wants that, which is why Congress enacted this authority to allow the government to surveil foreign threats in foreign lands. Section 702 authority was never intended to become what it has become: a way to conduct massive domestic surveillance of the American people. Government agencies – with the FBI in the lead – have used this powerful, invasive authority to exploit a backdoor search loophole for millions of warrantless searches of Americans’ data in recent years. In 2021, the secret Foreign Intelligence Surveillance Court revealed that such backdoor searches are used by the FBI to pursue purely domestic crimes. Since then, declassified court opinions and compliance reports reveal that the FBI used Section 702 to examine the data of a House Member, a U.S. Senator, a state judge, journalists, political commentators, 19,000 donors to a political campaign, and to conduct baseless searches of protesters on both the left and the right. NSA agents have used it to investigate prospective and possible romantic partners on dating apps. Any reauthorization of Section 702 must include warrants – with reasonable exceptions for emergency circumstances – before the data of Americans collected under Section 702 or any other search can be queried, as required by the U.S. Constitution. This warrant requirement must include the searching of commercially acquired information, as well as data from Americans’ communications incidentally caught up in the global communications net of Section 702. The FBI, IRS, Department of Homeland Security, the Pentagon, and other agencies routinely buy Americans’ most personal, sensitive information, scraped from our apps and sold to the government by data brokers. This practice is not authorized by any statute, or subject to any judicial review. Including a warrant requirement for commercially acquired information as well as Section 702 data is critical, otherwise the closing of the backdoor search loophole will merely be replaced by the data broker loophole. If the House declines to impose warrants for domestic surveillance, expect many politically targeted groups to have their privacy and constitutional rights compromised. We cannot miss the best chance we’ll have in a generation to protect the Constitution and what remains of Americans’ privacy. Copy and paste the message below and click here to find your U.S. Representative and deliver it: “Please stand up for my privacy and the Fourth Amendment to the U.S. Constitution: Vote to reform FISA’s Section 702 with warrant requirements, both for Section 702 data and for our sensitive, personal information sold to government agencies by data brokers.” Government Agencies Pose as Ad Bidders We’ve long reported on the government’s purchase of Americans’ sensitive and personal information scraped from our apps and sold to federal agencies by third-party data brokers. Closure of this data broker loophole is included in the House Judiciary Committee bill – the Protect Liberty and End Warrantless Surveillance Act – legislation that requires probable cause warrants before the federal government can inspect Americans’ data caught up in foreign intelligence under Section 702 of the Foreign Intelligence Surveillance Act. Of no less importance, the bipartisan Protect Liberty Act also requires warrants for inspection of the huge mass of Americans’ data sold to the government.
Thanks to Ben Lovejoy of the 9 to 5 Mac, we now know of the magnitude of the need for a legislative solution to this privacy vulnerability. Apple’s 2020 move to require app makers to notify you that you’re being tracked on your iPhone has been thoroughly undermined by a workaround through the technology of device fingerprinting. Add to that Patternz, a commercial spyware that extracts personal information from ads and push notifications so it can be sold. Patternz tracks up to 5 billion users a day, utterly defeating phone-makers’ attempts to protect consumer privacy. How does it work? 404 Media demonstrated that Patternz has deals with myriad small ad agencies to extract information from around 600,000 apps. In a now-deleted video, an affiliate of the company boasted that with this capability, it could track consumers’ locations and movements in real time. After this article was posted, Google acted against one such market participant, while Apple promises a response. But given the robustness of these tools, it is hard to believe that new corporate policies will be effective. That is because technology allows government agencies to pose as ad buyers to turn adware into a global tracking tool that federal agencies – and presumably the intelligence services of other governments – can access at will. Patternz can even install malware for more thorough and deeper penetration of customers’ phones and their sensitive information. It is almost as insidious as the zero-day malware Pegasus, transforming phones into 24/7 spy devices. Enter Patrick Eddington, senior fellow of the Cato Institute. He writes: “If you’re a prospective or current gun owner and you use your smartphone to go to OpticsPlanet to look for a new red dot sight, then go to Magpul for rail and sling adapters for the modern sporting rifle you’re thinking of buying, then mosey on over to LWRC to look at their latest gas piston AR-15 offerings, and finally end up at Ammunition Depot to check out their latest sale on 5.56mm NATO standard rounds, unless those retailers expressly offer you the option ‘Do not sell my personal data’ … all of your online browsing and ordering activity could end up being for sale to a federal law enforcement agency. “Or maybe even the National Security Agency.” The government’s commercial acquisition of Americans’ personal information from data sales contains troubling implications for both left and right – from abortion-rights activists concerned about women being tracked to clinics, to conservatives who care about the implications of this practice for the Second Amendment or free religious expression, to Americans of all stripes who don’t want our personal and political activities monitored in minute detail by the government. In January, the NSA admitted that it buys our personal information without a warrant. The investigative work performed by 404 Media and 9 to 5 Mac should give Members of Congress all the more reason to support the Protect Liberty Act. While Congress is locked in spirited debate over the limits of surveillance in America, large technology companies are responding to growing consumer concerns about privacy by reducing government’s warrantless access to data.
For years, police had a free hand in requesting from Google the location histories of groups of people in a given vicinity recorded on Google Maps. Last month, Google altered the Location History feature on Google Maps. For users who enable this feature to track where they’ve been, their location histories will now be saved on their smartphone or other devices, not on Google servers. As a result of this change, Google will be unable to respond to geofenced warrants. “Your location information is personal,” Google announced. “We’re committed to keeping it safe, private and in your control.” This week, Amazon followed Google’s lead by disabling its Request for Access tool, a feature that facilitated requests from law enforcement to ask Ring camera owners to give up video of goings on in the neighborhood. We reported three years ago that Amazon had cooperative agreements with more than 2,000 police and fire departments to solicit Ring videos for neighborhood surveillance from customers. By clicking off Request for Access, Amazon is now closing the channel for law enforcement to ask Ring customers to volunteer footage about their neighbors. PPSA commends Google and Amazon for taking these steps. But they wouldn’t have made these changes if consumers weren’t clamoring for a restoration of the expectation of privacy. These changes are a sure sign that the mounting complaints of civil liberties advocates are moving the needle of public opinion. Corporations are exquisitely attuned to consumer attitudes, and so they are listening and acting. In the wake of Thursday’s revelation that the National Security Agency is buying Americans’ location data, we urge Congress to show similar sensitivity. With polls showing that nearly four out of five Americans support strong surveillance reform, Congress should respond to public opinion by passing The Protect Liberty Act, which imposes a warrant requirement on all personal information purchased by government agencies. Late last year, Sen. Ron Wyden (D-OR) put a hold on the appointment of Lt. Gen. Timothy Haugh to replace outgoing National Security Agency director Gen. Paul Nakasone. Late Thursday, Sen. Wyden’s pressure campaign yielded a stark result – a frank admission from Gen. Nakasone that, as long suspected, the NSA purchases Americans’ sensitive, personal online activities from commercial data brokers.
The NSA admitted it buys netflow data, which records connections between computers and servers. Even without the revelation of messages’ contents, such tracking can be extremely personal. A Stanford University study of telephone metadata showed that a person’s calls and texts can reveal connections to sensitive life issues, from Alcoholics Anonymous to abortion clinics, gun stores, mental and health issues including sexually transmitted disease clinics, and connections to faith organizations. Gen. Nakasone’s letter to Sen. Wyden states that NSA works to minimize the collection of such information. He writes that NSA does not buy location information from phones inside the United States, or purchase the voluminous information collected by our increasingly data-hungry automobiles. It would be a mistake, however, to interpret NSA’s internal restrictions too broadly. While NSA is generally the source for signals intelligence for the other agencies, the FBI, IRS, and the Department of Homeland Security are known to make their own data purchases. In 2020, PPSA reported on the Pentagon purchasing data from Muslim dating and prayer apps. In 2021, Sen. Wyden revealed that the Defense Intelligence Agency was purchasing Americans’ location data from our smartphones without a warrant. How much data, and what kinds of data, are purchased by the FBI is not clear. Sen. Wyden did succeed in a hearing last March in prompting FBI Director Christopher Wray to admit that the FBI had, in some period in the recent past, purchased location data from Americans’ smartphones without a warrant. Despite a U.S. Supreme Court opinion, Carpenter (2018), which held that the U.S. Constitution requires a warrant for the government to compel telecom companies to turn over Americans’ location data, federal agencies maintain that the Carpenter standard does not curb their ability to purchase commercially available digital information. In a press statement, Sen. Wyden hammers home the point that a recent Federal Trade Commission order bans X-Mode Social, a data broker, and its successor company, from selling Americans’ location data to government contractors. Another data broker, InMarket Media, must notify customers before it can sell their precise location data to the government. We now have to ask: was Wednesday’s revelation that the Biden Administration is drafting rules to prevent the sale of Americans’ data to hostile foreign governments an attempt by the administration to partly get ahead of a breaking story? For Americans concerned about privacy, the stakes are high. “Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” FTC Chair Lina Khan said in a statement. “The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data. By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.” As Sen. Wyden’s persistent digging reveals more details about government data purchases, Members of Congress are finding all the more reason to pass the Protect Liberty Act, which enforces the Constitution’s Fourth Amendment warrant requirement when the government inspects Americans’ purchased data. This should also put Members of the Senate and House Intelligence Committees on the spot. They should explain to their colleagues and constituents why they’ve done nothing about government purchases of Americans’ data – and why their bills include exactly nothing to protect Americans’ privacy under the Fourth Amendment. More to come … Well, better late than never. Bloomberg reports that the Biden Administration is preparing new rules to direct the U.S. Attorney General and Department of Homeland Security to restrict data transactions that sells our personal information – and even our DNA – to “countries of concern.”
Consider that much of the U.S. healthcare system relies on Chinese companies to sequence patients’ genomes. Under Chinese law, such companies are required to share their data with the government. The Office of the Director of National Intelligence warns that “Losing your DNA is not like losing a credit card. You can order a new credit card, but you cannot replace your DNA. The loss of your DNA not only affects you, but your relatives and, potentially, generations to come.” The order is also expected to crack down on data broker sales that could facilitate espionage or blackmail of key individuals serving in the federal government; it could be used to panic or distract key personnel in the event of a crisis; and collection of data on politicians, journalists, academics, and activists could deepen the impact of influence campaigns across the country. PPSA welcomes the development of this Biden rule. We note, however, that just like China, our own government routinely purchases Americans’ most sensitive and personal information from data brokers. These two issues – foreign access to commercially acquired data, and the access to this same information by the FBI, IRS, Department of Homeland Security, and other agencies – are related but separate issues that need to be addressed separately, the latter in the legislative process. The administration’s position on data purchases is contradictory. The administration also opposes closing the data-broker loophole in the United States. In the Section 702 debate, Biden officials say we would be at a disadvantage against China and other hostile countries that could still purchase Americans’ data. This new Biden Administration effort undercuts its argument. We should not emulate China’s surveillance practices any more than we practice their crackdowns against freedom of speech, religion, and other liberties. Still, this proposed rule against foreign data purchases is a step in the right direction, in itself and for highlighting the dire need for legislation to restrict the U.S. government’s purchase of its own citizens’ data. The Protect Liberty Act, which passed by the House Judiciary Committee by an overwhelming 35-2 vote to reauthorize Section 702, closes this loophole at home just as the Biden Administration seeks to close it abroad. So when the new Biden rule is promulgated, it should serve as a reminder to Congress that we have a problem with privacy at home as well. No sooner did the Protect Liberty and End Warrantless Surveillance Act pass the House Judiciary Committee with overwhelming bipartisan support than the intelligence community began to circulate what Winston Churchill in 1906 politely called “terminological inexactitudes.”
The Protect Liberty Act is a balanced bill that respects the needs of national security while adding a warrant requirement whenever a federal agency inspects the data or communications of an American, as required by the Fourth Amendment. This did not stop defenders of the intelligence community from claiming late last year that Section 702 reforms would harm the ability of the U.S. government to fight fentanyl. This is remarkable, given that the government hasn’t cited a single instance in which warrantless searches of Americans’ communications proved useful in combating the fentanyl trade. Nothing in the bill would stop surveillance of factories in China or cartels in Mexico. If an American does become a suspect in this trafficking, the government can and should seek a probable cause warrant, as is routinely done in domestic law enforcement cases. No sooner did we bat that one away than we heard about fresh terminological inexactitudes. Here are two of the latest bits of disinformation being circulated on Capitol Hill about the Protect Liberty Act. Intelligence Community Myth: Members of Congress are being told that under the Protect Liberty Act, the FBI would be forced to seek warrants from district court judges, who might or might not have security clearances, in order to perform U.S. person queries. Fact: The Protect Liberty Act allows the FBI to conduct U.S. person queries if it has either a warrant from a regular federal court or a probable cause order from the FISA Court, where judges have high-level security clearances. The FBI will determine which type of court order is appropriate in each case. Intelligence Community Myth: Members are being told that under the Protect Liberty Act, terrorists can insulate themselves from surveillance by including a U.S. person in a conversation or email thread. Fact: Under the Protect Liberty Act, the FBI can collect any and all communications of a foreign target, including their communications with U.S. persons. Nothing in the bill prevents an FBI agent from reviewing U.S. person information the agent encounters in the course of reviewing the foreign target’s communications. In other words, if an FBI agent is reading a foreign target’s emails and comes across an email to or from a U.S. person, the FBI agent does not need a warrant to read that email. The bill’s warrant requirement applies in one circumstance only: when an FBI agent runs a query designed to retrieve a U.S. person’s communications or other Fourth Amendment-protected information. That is as it should be under the U.S. Constitution. As we face the renewed debate over Section 702 – which must be reauthorized in the next few months – expect the parade of untruths to continue. As they do, PPSA will be here to call them out. The American Civil Liberties Union, its Northern California chapter, and the Brennan Center, are calling on the Federal Trade Commission to investigate whether Meta and X have broken commitments they made to protect customers from data brokers and government surveillance.
This concern goes back to 2016 when it came to light that Facebook and Twitter helped police target Black Lives Matter activists. As a result of protests by the ACLU of Northern California and other advocacy groups, both companies promised to strengthen their anti-surveillance policies and cut off access to social media surveillance companies. Their privacy promises even became points of pride in these companies’ advertising. Now ACLU and Brennan say they have uncovered commercial documents from data brokers that seem to contradict these promises. They point to a host of data companies that publicly claim they have access to data from Meta and/or X, selling customers’ information to police and other government agencies. ACLU writes: “These materials suggest that law enforcement agencies are getting deep access to social media companies’ stores of data about people as they go about their daily lives.” While this case emerged from left-leaning organizations and concerns, organizations and people on the right have just as much reason for concern. The posts we make, what we say, who our friends are, can be very sensitive and personal information. “Something’s not right,” ACLU writes. “If these companies can really do all that they advertise, the FTC needs to figure out how.” At this point, we simply don’t know with certainty which, if any, social media platforms are permitting data brokers to obtain personal information from their platforms – information that can then be sold to the government. Regardless of the answer to that question, PPSA suggests that a thorough way to short-circuit any extraction of Americans’ most sensitive and personal information from data sales (at least at the federal level) would be to pass the strongly bipartisan Protect Liberty and End Warrantless Surveillance Act. This measure would force federal government agencies to obtain a warrant – as they should anyway under the Fourth Amendment – to access the data of an American citizen. WSJ Graphical Roadmap: How Your Personal Information Migrates from App, to Broker, to the Government12/5/2023
A report in The Wall Street Journal does a masterful job of combining graphics and text to illustrate how technology embedded in our phones and computers to serve up ads also enables government surveillance of the American citizenry.
The WSJ has identified and mapped out a network of brokers and advertising exchanges whose data flows from apps to Defense Department, intelligence agencies, and the FBI. The WSJ has compiled this information into several illustrative animated graphs that bring the whole scheme to life. Here’s how it works: As soon as you open an ad-supported app on your phone, data from your device is recorded and transmitted to buyers. The moment before an app serves you an ad, all advertisers in the bidding process are given access to information about your device. The first information up for bids is your location, IP address, device, and browser type. Ad services also record information about your interests and develop intricate assumptions about you. Many data brokers regularly sell Americans’ information to the government, where it may be used for cybersecurity, counterterrorism, counterintelligence, and public safety – or whatever a federal agency deems as such. Polls show that Americans are increasingly concerned about their digital privacy but are also fatalistic and unaware about their privacy options as consumers. According to a recent poll by Pew published last month, 81 percent of U.S. adults are concerned about how companies use the data they collect. Seventy-one percent are concerned about how the government uses their data, up from 64 percent in 2019. There is also an increasing feeling of helplessness: 73 percent of adults say they have little to no control over what companies do with their data, while 79 percent feel the same towards the government. The number of concerned Americans rises to 89 percent when the issue of children’s online privacy is polled. Crucially, 72 percent of Americans believe there should be more regulation governing the use of digital data. Despite high levels of concern, nearly 60 percent of Americans do not read the privacy policies of apps and social media services they use. Most Americans do not have the time or legal expertise to carefully study every privacy policy they encounter. Given that one must accept these terms or not be online, it is simply impractical to expect Americans do so. Yet government agencies assert that it is acceptable to collect and review Americans’ most personal data without a warrant because we have knowingly signed away our rights. There is good news. In the struggle for government surveillance reform currently taking place on Capitol Hill – and the introduction of the Protect Liberty and End Warrantless Surveillance Act – Americans are getting a better understanding of the costs of being treated as digital chattel by data brokers and government. Every now and then, even with an outlook jaded by knowledge of the many ways we can be surveilled, we come across some new outrage and find ourselves shouting – “no, wait, they’re doing what?”
The final dismissal of a class-action lawsuit law by a federal judge in Seattle on Tuesday reveals a precise and disturbing way in which our cars are spying on us. Cars hold the contents of our texts messages and phone call records in a way that can be retrieved by the government but not by us. The judge in this case ruled that Honda, Toyota, Volkswagen, and General Motors did not meet the necessary threshold to be held in violation of a Washington State privacy law. The claim was that the onboard entertainment system in these vehicles record and intercept customers’ private text messages and mobile phone call logs. The class-action failed because the Washington Privacy Act’s standard requires a plaintiff to approve that “his or her business, his or her person, or his or her reputation” has been threatened. What emerged from this loss in court is still alarming. Software in cars made by Maryland-based Berla Corp. (slogan: “Staggering Amounts of Data. Endless Possibilities”) allows messages to be downloaded but makes it impossible for vehicle owners to access their communications and call logs. Law enforcement, however, can gain ready access to our data, while car manufacturers make extra money selling our data to advertisers. This brings to mind legislation proposed in 2021 by Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY) along with Reps. Peter Meijer (R-MI) and Ro Khanna (D-CA). Under their proposal, law enforcement would have to obtain a warrant based on probable cause before searching data from any vehicle that does not require a commercial driver’s license. Under the “Closing the Warrantless Digital Car Search Loophole Act,” any vehicle data obtained in violation of this law would be inadmissible in court. Sen. Wyden in a statement at the time said: “Americans’ Fourth Amendment rights shouldn’t disappear just because they’ve stepped into a car.” They shouldn’t. But as this federal judge made clear, they do. The Government Surveillance Reform Act (GSRA) Four bipartisan champions of civil liberties – Sen. Ron Wyden (D-OR), Sen. Mike Lee (R-UT), Rep. Warren Davidson (R-OH) and Rep. Zoe Lofgren (D-CA) – today introduced the Government Surveillance Reform Act (GSRA), legislation that restores force to overused Capitol Hill adjectives like “landmark,” “sweeping,” and “comprehensive.”
“The Government Surveillance Reform Act is ambitious in scope, thoughtful in its details, and wide-ranging in its application,” said Bob Goodlatte, former Chairman of the House Judiciary Committee and PPSA’s Senior Policy Advisor. “The GSRA is a once-in-a-generation opportunity for wide-ranging reform.” The GSRA curbs the warrantless surveillance of Americans by federal agencies, while restoring the principles of the Fourth Amendment and the policies that underlie it. The authors of this bill set out to achieve this goal by reforming how the government uses three mechanisms to surveil the American people.
The GSRA will rein in this ballooning surveillance system in many ways.
“The GSRA enjoys widespread bipartisan support because it represents the most balanced and comprehensive surveillance reform bill in 45 years,” Goodlatte said. “PPSA joins with a wide-ranging coalition of civil liberties organizations to urge Congress to make the most of this rare opportunity to put guardrails on federal surveillance of Americans. “We commend Senators Wyden and Lee, and Representatives Davidson and Lofgren, for writing such a thorough and precise bill in the protection of the constitutional rights of every American.” |
Categories
All
|