A 2006 German film, The Lives of Others, created a vivid portrait of what it is like to live in a surveillance state – in this case, in old East Berlin under the watchful eye of the Stasi secret police. PPSA has catalogued all of the ways in which technology and thoughtless (and sometimes malign) government intentions bring us closer to living, if not exactly under the Stasi, to something closer to the panopticon in China.
A broad array of robust surveillance technologies is in use around the country – from drones, to ubiquitous private and public cameras, to purchased data owned and reviewed without warrants by government for insights into American’s relationships, location histories and communications, to the warrantless treasure trove of American data in FISA’s Section 702. All that’s lacking is the will and means to knit them all together, with AI technology to perform the menial task of constant surveillance for its human minders. With the emergence of local “fusion centers” around the country to integrate data, the United States is already well down this path. But another key element of a surveillance state, also amply demonstrated by old East Germany, was the willingness – sometimes the eagerness – of people to inform on others. Sometimes the informer was a former lover, a disgruntled neighbor, or a coworker with a grudge to settle. The Stasi was always willing to overlook the motivations of an informer if they had something good and juicy. This is not to say that the decision by financial institutions to volunteer – without any legal process – the confidential banking information of their clients to the FBI makes them Stasi informers or puts us all in Stasi land. Like almost all Americans, banking executives were appropriately horrified by the savage attack on the U.S. Capitol by a violent mob on January 6, 2021. Herein lies the danger – many loopholes in the law begin with a real, legitimate public outrage and the need to rectify it. But when major public and private institutions violate their customers’ reasonable expectations of privacy, in a way utterly outside the law, we normalize illicit behavior that can be used again in the future – and stretched beyond reason – for any purpose. Thanks to the investigations of the Judiciary Committee and its Weaponization subcommittee, we now know that major financial institutions voluntarily conducted a dragnet of vast numbers of customers and gave it apparently unprompted to the FBI and the Financial Crimes Enforcement Network (FinCEN). According to retired FBI Supervisory Intelligence Analyst George Hill, banks “with no directive from the FBI data-mined … customer base” and compiled massive information on customer transactions. Any customer who used a credit or debit card between Jan. 5 and Jan. 7, 2021, in the greater Washington, D.C. area, had their personal information swept up and sent to the FBI. Financial institutions also took an extra step to put anyone who had ever purchased a firearm on the top of that list. Documents obtained by Congressional investigators suggest that the executive branch was brainstorming informal methods – again, outside of any legal process – to obtain even more private customer information from financial institutions. No matter how heinous the acts of those who stormed the U.S. Capitol, this privately conducted dragnet relied on no law to report to the FBI the personal information of large numbers of innocent Americans with no connection whatsoever to that crime. Now Rep. Jim Jordan (R-OH), Chairman of the House Judiciary Committee, has subpoenaed Citibank for documents and communications related to violations of customer privacy. PPSA commends Chairman Jordan. Big corporations must not arrogate to themselves the ability to violate the privacy of their customers without disclosure or paying a price in the civil courts, as well as in the court of public opinion. Chairman Jordan and his committee are performing a necessary duty to nip this practice in the bud before businesses of all sorts begin to volunteer to a sometimes over-reaching government the private information we entrust to them. State legislatures are passing age-verification laws that require users to upload driver’s licenses or passports to view pornographic material. This is well-meaning – and arguably necessary – legislation to protect children from viewing hardcore pornography online. Such a solution, however, has a drawback that needs to be addressed in legislative language. It leaves the door open for potentially catastrophic data privacy breaches – not to mention granting the FBI and other government agencies immense power, in the words of a declassified government report, to “facilitate blackmail, stalking, harassment, and public shaming.”
In 2022, Louisiana passed HB 142, holding porn sites liable for failing to “perform reasonable age verification methods.” The bill sailed through the legislature with bipartisan support. Since then, six states have passed similar laws. Sixteen others have introduced them. Pornhub responded with suits against Louisiana and Utah, and has ceased doing business altogether in Arkansas, Mississippi, Utah, and Virginia. Today, if you visit Pornhub from an IP address in one of those states, the only thing you’ll see is a video message from porn star Cherie DeVille explaining why you can’t see her with her clothes off. DeVille’s message is a simplified version of arguments made by the Free Speech Coalition, a porn industry advocacy and trade group. One of the solutions offered by that group is to verify age by device. It would be child’s play, however, for hackers and government(s) to deanonymize IP addresses. Whether we adopt either age-verification solution – those of the legislators or those of the porn industry – a risk is created that hackers and the FBI can exploit adult’s private browsing histories. It’s not like there’s no appetite for government to use personal information. Documents obtained through a Freedom of Information Act request show that the Defense Intelligence Agency uses commercially available data for “cover operations.” The FBI has a team dedicated to parsing cell tower data. A multitude of federal, state, and local law enforcement – as well as intelligence agencies – regularly purchase vast troves of personal information from data brokers, and then warrantlessly search that data in flagrant violation of the Fourth Amendment. You’ll forgive us for not expecting government restraint when it is presented with an Aladdin’s Cave of mortifying search histories. Imagine, for example, a bystander in a white-collar crime investigation who gets a visit from an FBI agent seeking his cooperation as a wire-wearing, confidential informant. “By the way,” the agent says in passing, “this is neither here nor there, but I happened to notice that you frequent a website that makes creative uses of My Little Pony. Wouldn’t want that to get out, now would we?” It is likely that more legislators in more states will act out of the belief that hardcore porn seen by children is a crisis that needs to be addressed. Lawmakers should keep in mind, however, the need to include privacy measures in such legislation. One place to start would be a blanket restriction of any sale of browsing data, or warrantless access to it by government agencies. Or perhaps the sites could delete the data once approval is granted. We’re not sure what the best solution would look like, but we’ll know it when we see it. PPSA’s Gene Schaerr Appeals to Congress to Assert Its Authority to Protect Americans’ Privacy and the Fourth AmendmentEnd the “Game of Surveillance Whack-a-Mole" Gene Schaerr, PPSA general counsel, in testimony before a House subcommittee on Friday, urged Congress to assert its prerogative to interpret Americans’ privacy and Fourth Amendment rights against the federal government’s lawless surveillance.
Schaerr said the reauthorization of a major surveillance law this year is a priceless opportunity for Congress to enact many long-needed surveillance reforms. There is, Schaerr told the Members of the House Judiciary Subcommittee on Crime and Government Surveillance, no reason for Congress to defer on such a vital, national concern to the judiciary. Congress also needs to assert its authority with executive branch agencies, he said. For decades, when Congress reforms a surveillance law, federal agencies simply move on to other legal authorities or theories to develop new ways to violate Americans’ privacy in “a game of surveillance whack-a-mole.” Schaerr said: “As the People’s agents, you can stop this game of surveillance whack-a-mole. You can do that by asserting your constitutional authority against an executive branch that, under both parties, is too often overbearing – and against a judicial branch that too often gives the executive an undeserved benefit of the doubt. Please don’t let this once-in-a-generation opportunity slip away.” Schaerr was joined by other civil liberties experts who described the breadth of surveillance abuse by the federal government. Liza Goitein of the Brennan Center for Justice at NYU Law School said that FISA’s Section 702 – crafted by Congress to enable foreign surveillance – has instead become a “rich source of warrantless access to Americans’ communications.” She described a strange loophole in the law that allows our most sensitive and personal information to be sold to the government. The law prevents social media companies from selling Americans’ personal data to the government, but it does not preclude those same companies from selling Americans’ data to third-party data brokers – who in turn sell this personal information to the government. Federal agencies assert that no warrant is required when they freely delve into such purchased digital communications, location histories, and browsing records. Goitein called this nothing less than the “laundering” of Americans’ personal information by federal agencies looking to get around the law. “We’re a nation of chumps,” said famed legal scholar and commentator Jonathan Turley of the George Washington University Law School, for accepting “massive violations” of our privacy rights. He dismissed the FBI’s recent boasts that it had reduced the number of improper queries into Americans’ private information, likening that boast to “a bank robber saying we’re hitting smaller banks.” Many members on both sides of the aisle echoed the concerns raised by Schaerr and other witnesses during the testimony. Commentary from the committee indicates that Congress is receptive to privacy-oriented reforms. Gene Schaerr cautioned that Congress should pursue such a strategy of inserting strong reforms and guardrails into Section 702, rather than simply allowing this authority to lapse when it expires in December. Drawing on his experience as a White House counsel, Schaerr said the “executive branch loves a vacuum.” Without the statutory limits and reporting requirements of Section 702, the FBI and other government agencies would turn to other programs, such as purchased data and an executive order known as 12333, that operate in the shadows. Despite this parade of horribles, the hearing had a cheerful moment when it was interrupted by the announcement of a major reform coalition victory. The Davidson-Jacobs Amendment passed the House by a voice vote during a recess in the hearing, an announcement that drew cheers from witnesses and House Members alike. This measure would require agencies within the Department of Defense to get a probable cause warrant, court order, or subpoena to purchase personal information that in other circumstances would require such a warrant. Schaerr was optimistic that further reforms will come. He said: “Revulsion at unwarranted government surveillance runs deep in our DNA as a nation; indeed, it was one of the main factors that led to our revolt against British rule and, later, to our Bill of Rights. And today, based on a host of discussions with many civil liberties and other advocacy groups, I’m confident you will find wide support across the ideological spectrum for a broad surveillance reform bill that goes well beyond Section 702.” Earlier today the House Judiciary Committee voted to advance the Fourth Amendment Is Not For Sale Act out of committee by a 30-0 unanimous vote, with one abstention. PPSA applauds Chairman Jordan, Ranking Member Nadler, and the Members of the Committee for taking this important step to protect Americans’ privacy.
“Stopping the government from spying on Americans by buying their sensitive personal information from data brokers is a critical part of the government surveillance reforms Congress is working towards this year,” said Bob Goodlatte, PPSA Senior Policy Advisor and former Chairman of the House Judiciary Committee. “As Congress considers the reauthorization of Section 702 of FISA, it should hold strong to the principle that no surveillance authorities should be reauthorized without closing the data broker loophole. The Committee’s overwhelming, bipartisan, unanimous approval of the Fourth Amendment is Not For Sale Act sends a strong signal in that regard.” Our digital devices can tell everything about us – who we visit, what we like and believe, who we befriend, where we go, our medical concerns, and other personal information. The government is required by the Fourth Amendment of the U.S. Constitution to obtain a warrant before it can seize our personal information. But the government has found a workaround to the Constitution – law enforcement, intelligence, and other federal agencies spy on us by simply buying our personal information from shady data brokers. The Fourth Amendment Is Not for Sale Act will close this loophole and prevent the government from sidestepping our constitutional rights. Last month, we wrote about a surprisingly frank report from the Office of the Director of National Intelligence admitting the government’s increasing role in utilizing Commercially Available Information about United States citizens for investigative purposes. Despite the Supreme Court’s ruling in Carpenter v. United States, which held that a warrant is required before the government can seize location history from cell-site records, the report candidly reveals that the bulk collection of Americans’ private data continues unabated. Now, the Commonwealth of Massachusetts is taking steps to ban the purchase and sale of location data altogether. It’s a blunt solution to a complex issue, and a bellwether for where this debate might be headed.
“Location data” refers to information about the geographic locations of mobile devices like smartphones or tablets. When collected, this data can be used for relatively benign purposes like marketing – but also to identify the movements of individuals and discern their identities (a 2013 study found that only four spatio-temporal data points are required to identify someone in most circumstances). A host of companies collect this information, package it, and sell it to private actors like advertisers – and, increasingly, law enforcement agencies. The government can learn a lot about you based on your movements – and they know it. For example, the FBI has its own team dedicated to analyzing cell tower data. A growing number of states are now taking action to protect the digital privacy of their residents. Laws passed in California and Virginia require the affirmative consent of consumers before geolocation data can be used for specified purposes. The European Union has gone further, prohibiting the use of sensitive data by default unless a company can demonstrate that its use falls under a specifically enumerated exemption. In the United States, Massachusetts’ Location Shield Act (H.357|S.148) is by far the most comprehensive effort yet to protect our data from unwarranted (or warrantless) snooping. The bill’s drafters couch it within a social policy framework; it’s described as “An Act protecting reproductive health access, LGBTQ lives, religious liberty, and freedom of movement by banning the sale of cell phone location information.” Such concerns are not unfounded. As the ACLU writes, “In the aftermath of the Supreme Court’s Dobbs decision…journalists found that data brokers have continued to buy, repackage and sell the location information of people visiting sensitive locations including abortion clinics. This puts people who seek or provide care in our state at risk of prosecution and harassment, creating a vulnerability in our state’s post-Roe protections.” Beyond addressing those concerns, however, the bill does a lot to broadly reinforce our Fourth Amendment rights against unreasonable searches and seizures, implementing a warrant requirement for any law enforcement access to location data. Such restrictions would clear away some of the murk surrounding this issue in the wake of the Carpenter case, which required a warrant when accessing location data from phone companies, but which holds limited relevance when such data are readily available for commercial purchase. (Obviously, the same legal reasoning should apply.) Americans are waking up to the dangers of the $16 billion data brokerage industry. In Massachusetts, 92% of survey respondents said the government should enshrine stronger protections for consumer data – all the way back in 2017. Whether this bill makes it over the finish line or not, it’s a clear sign that Americans want comprehensive data privacy reform. And Massachusetts’ solution is one we’ll readily share. PPSA previously sent an appeal to every Member of the U.S. House urging them to vote for the Davidson-Jacobs Amendment to the National Defense Authorization Act (NDAA). It would place significant restrictions on the government’s purchase of Americans’ Fourth Amendment-protected sensitive, personal information without a warrant.
We attached to our letter the endorsement of this measure from more than 40 civil liberties allies—ranging from the ACLU to FreedomWorks, from the Brennan Center and Demand Progress to Americans for Prosperity and the Due Process Institute. The strong bipartisan support in the House led to the passage of this important measure by voice vote. “This vote is vital because our digital histories reveal our personal lives—where we’ve been, who we’ve met or communicated with, what we’ve searched for online, even our medical issues,” we wrote. “A digital portrait can be more personal and intimate than a diary. “Yet, under current practice, federal agencies purchase our most sensitive and personal information scraped from apps and sold by third-party data brokers. The general counsels of intelligence and law enforcement agencies assert a right to see our most personal information without the need to get a warrant, in flagrant disregard of the Fourth Amendment to the Constitution.” “This is the kind of practice one expects of a surveillance state, not America.” The House now officially agrees. This measure would require agencies within the Department of Defense to get a probable cause warrant, court order or subpoena to purchase personal information that in other circumstances would require such a warrant. “This amendment strikes a reasonable balance between respecting the privacy of Americans while leaving the government with the power to search for potential threats to the homeland,” says Bob Goodlatte, PPSA Senior Policy Advisor. “The Senate should respect the groundswell of bipartisan support shown in the House today for this amendment in the NDAA.” In today’s House Committee Judiciary hearing with FBI Director Christopher Wray, Rep. Pramila Jayapal (D-WA) expertly revealed the extent to which the FBI is unwilling to publicly discuss its use of commercially available information (go to 1:10:50 mark).
Rep. Jayapal asked the director about his claim before the Senate Intelligence Committee in March that the FBI had previously purchased Americans’ location data information from internet advertisers but had stopped the practice. Why, then, Jayapal asked, did a report from the Office of the Director of National Intelligence (ODNI) reveal that the government continues to purchase Americans’ personal data scraped from apps and sold to the government by third-party data brokers? The report was surprising for its frankness. An ODNI panel admitted that such data can be used to “facilitate blackmail, stalking, harassment, and public shaming.” Rep. Jayapal asked how the FBI uses such data. Director Wray responded that this is too complex to cover in a short exchange. He said there are so many precise definitions that he had best send “subject matter experts” from the FBI to give Rep. Jayapal a briefing, presumably behind closed doors and under classified rules that would prevent public discussion. Rep. Jayapal then went on to note that more than historic location data is at stake. Purchased data, she said, include biometric data, medical and mental health records, personal communications, and internet search histories and activities. She asked Director Wray: Does the FBI have a written policy on how it uses such commercially available information? Director Wray did not seem sure. He replied that he would be happy to provide a private briefing. Rep. Jayapal next asked if there is an FBI policy for using purchased information against Americans in criminal cases. Once again, Director Wray punted. After Rep. Jayapal was finished, House Judiciary Chair Jim Jordan (R-OH), said that her remarks were “well said,” and promised a bipartisan approach on the issue. Speaking for Republicans, Chairman Jordan told Rep. Jayapal, chair of the progressive caucus, “you have friends over here who want to help you with that.” We suggest that a bipartisan next step could be an open hearing with the FBI’s experts on how much purchased information is obtained and how it is used. Technology presents new challenges in the protection of Fourth Amendment rights, especially regarding expectations of privacy and warrantless searches. A key question, as the U.S. Supreme Court found in 2001, is how to preserve “that degree of privacy against government that existed when the Fourth Amendment was adopted.”
A recent case out of Maryland goes a long way in enshrining critical protections for personal data in that state, striking a bold contrast with other recent decisions that degrade privacy. The Fourth Amendment to the United States Constitution guarantees the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” [emphasis added] Since the advent of the digital age, courts around the country have analogized personal data to the founding-era concept of personal papers, which the Supreme Court has long held to be safeguarded against unwanted intrusion. Yet, the Court has gone further in recent years, finding that digital information implicates “privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” After all, any thorough search of a citizen’s digital data is bound to turn up troves of personal information – from banking information to private correspondence – unrelated to the particularities of a warrant. It makes sense that our digital footprints would merit enhanced protection. Despite this seeming clarity, much ambiguity persists surrounding the protection of digital data. State of Maryland v. Daniel Ashley McDonnell presents a novel question of law and fact unresolved at the national level: Does a reasonable expectation of privacy exist in the contents of a copied computer hard drive after consent to search that hard drive has been revoked? The Supreme Court of Maryland found that it does. Here’s the background: Daniel Ashley McDonnell granted investigating officers’ consent to search his computer. Police subsequently made a forensic copy of McDonnell’s hard drive and proceeded to analyze its data even after McDonnell withdrew his consent. For its part, the state argued that McDonnell lost any reasonable expectation of privacy once he allowed his data to be copied. In constitutional law, warrantless searches of person or property are considered unreasonable unless certain exceptions apply – if a person lacks any reasonable expectation of privacy, for example, or if consent is granted to perform a search. Generally, when that consent is revoked, authorities may not conduct a search by relying on the prior consent. In this case, the Supreme Court of Maryland found that McDonnell had a privacy interest in his data itself – not in the hard drive copy made by investigating authorities. Had the police examined the hard drive data while consent was in effect, McDonnell would have lost any reasonable expectation of privacy in that data. But given that consent was withdrawn prior to the search, he maintained that expectation absent an independent search justification. The court wrote: “To accept the State’s stance--i.e., that Mr. McDonnell irrevocably lost all privacy interest in the data on his hard drive when he allowed [police] to copy it—would be to permit a limitless search through vast quantities and a varied array of personal data that the Supreme Court of the United States has characterized as consisting of more information than would be found in an exhaustive search of a person’s home.” In a similar case, the U.S. District Court for the Middle District of Florida came to a different conclusion, finding that “revocation of consent does not require the suppression of evidence already lawfully obtained.” However, the preponderance of case law and legal scholarship suggests the Supreme Court of Maryland struck the right balance. Its opinion is consistent with recent scholarship by law professor Orin Kerr, who argues that “the same Fourth Amendment rules that apply to searching a suspect’s computer should also apply to searching the government’s copy.” It is further consistent with the U.S. Supreme Court’s warnings in Riley v. California, which noted the potential of a cell phone search to reveal “[t]he sum of an individual’s private life.” The Supreme Court of Maryland’s decision is a win for data privacy. To quote the amicus brief from our friends at Restore the Fourth, absent such protections the government could “copy and indefinitely detain every private paper on a person’s hard drive (i.e., millions of documents) at minimal cost—except to the Fourth Amendment.” The Maryland decision was well reasoned and well done. The digital trail you leave behind can be used to create a profile of you by your race, religion, gender, sexual orientation, financial issues, personal medical history, mental health, and your physical location.
PPSA has long warned against the routine sale of our personal and sensitive information scraped from apps and sold to U.S. federal agencies by data brokers. The general counsels of these law enforcement and intelligence agencies claim that they are not violating the Fourth Amendment prohibition against warrantless search and seizure because they are not seizing our data at all. They’re just buying it. That is galling enough, but what about hostile governments accessing your most personal information? They have no guardrails and would surely have no scruples in using your information against you and, for those in the military or other sensitive positions, the United States. Under Chinese law, China’s technology companies are obligated to share their data with Chinese intelligence. Imagine all the data Chinese military, intelligence, and commercial actors have on the 80 million American users of TikTok. Then multiply that by all the data China acquires through legal, commercial means. “Massive pools of Americans’ sensitive information – everything from where we go, to what we buy and what kind of health care services we receive – are for sale to buyers in China, Russia and nearly anyone with a credit card,” said Sen. Ron Wyden, (D-OR), sponsor of the Protecting Americans’ Data from Foreign Surveillance Act of 2023. “The privacy and security of our data is essential to the freedoms we hold dear,” said co-sponsor Sen. Cynthia Lummis (R-WY). “If foreign adversaries can access our data, they can control it.” Their bill is also supported in the Senate by Sens. Sheldon Whitehouse (D-RI), Bill Hagerty (R-TN), Martin Heinrich (D-NM), and Marco Rubio (R-FL). It is supported in the House by Rep. Warren Davidson (R-OH) and Rep. Anna Eshoo (D-CA). This bill would apply tough criminal and civil penalties to prevent employees of foreign corporations like TikTok from accessing U.S. data from abroad. “Freedom surrendered is rarely reclaimed,” said Rep. Davidson. PPSA agrees and supports this bill. “The need to address foreign exploitation of Americans’ data is urgent,” said Bob Goodlatte, former House Judiciary Committee Chairman and Senior Policy Advisor to PPSA. “This legislation should also prompt us to get our own house in order. Members should address exploitation of our personal information by our government. I hope every member who signs on to this bill supports requiring the U.S. government to obtain a warrant when it wishes to inspect our commercially acquired information, as well as data from Section 702 of the Foreign Intelligence Surveillance Act.” PPSA today announced the filing of a Freedom of Information Act (FOIA) request with the Department of Justice asking for documents and records showing whether DOJ ensures it has probable cause before issuing administrative subpoenas to seize Americans’ private electronic data.
Civil libertarians have long suspected that the DOJ often uses such administrative subpoenas to circumvent the probable-cause requirement for searching Americans’ records. This is particularly troubling, since such subpoenas, issued without a court order or judicial oversight, are often used to collect bulk data rather than targeting information from an identifiable target. “It may be likened to a fishing expedition, with Americans as the fish,” said Gene Schaerr, PPSA general counsel. PPSA’s FOIA request covers all the components of the Department of Justice, including the Executive Office for United States Attorneys, the FBI, the Drug Enforcement Administration, the DOJ’s Criminal Division, and the Bureau of Alcohol, Tobacco, Firearms and Explosives. PPSA is seeking:
“We are not asking about sources or methods or anything else that would trigger a Glomar response that would shut off all disclosure,” Schaerr said. “We seek topline information necessary for Congress to conduct oversight and for the American people to understand how our government uses our most personal and sensitive information.” Happy World Press Freedom Day! If you are a journalist heading out to do an interview, please be careful in your movements, your digital security, and the protection of your sources. In some countries, you might want to check under your car before starting the ignition.
But be advised that even these safety measures may not be enough to protect you. Like many declarations of the United Nations, the 30th anniversary of World Press Freedom Day is observed in the breach in many UN member countries. The UN Secretary General Antonio Guterres said that the number of journalists killed in 2022 was 50 percent higher than the previous year. UNESCO reports that in all, 86 journalists were killed last year. That’s a reporter killed every four days. In Mexico, where many journalists have been murdered, the government and the cartels are the most prolific users of Pegasus, surveillance software that can transform any smartphone into a comprehensive 24/7 surveillance device. This spyware reveals one’s texts, emails, images, and calendar, while turning a smartphone’s microphone and camera against its owner. The New York Times reports that Mexico’s federal spy agency has “targeted more cellphones with the spyware than any other government agency in the world.” And, of course, criminal actors have full use of this technology in much of the world. Cartels used Pegasus to track down journalist Cecilio Pineda Birto hours after he accused the state police force and local politicians of conspiring with violent criminals. He was gunned down while waiting for his car to come out of a carwash. Twenty-six Mexican journalists were targets of interest by a buyer of this technology in recent years. This is in keeping with Secretary Guterres’ statement that “90 percent of the journalists killed” are “covering local issues, human rights violation, corruption, illegal mining, environment problems.” He added that many of the killers “are not only state actors, they are organized crime, drug lords, environmental criminals.” In some parts of the world, the line between state actors and thuggery is nonexistent. Witness the ordeal of Evan Gershkovich of The Wall Street Journal, arrested on specious charges of being an American spy by the judicial puppets of the Vladimir Putin regime. Or Jimmy Lai, the Hong Kong publisher who bravely defied the Chinese Communist Party and has disappeared behind bars. In other parts of the world, journalists are intimidated by online attacks and loose libel laws that keep journalists legally and psychologically intimidated. Throughout, the marriage of increasingly potent surveillance technology and illiberal regimes is making the practice of journalism more difficult. This is true even in the United States. A Texas journalist was arrested for – get this – “misuse of official information.” A Wall Street Journal reporter in Arizona was arrested for doing man-on-the-street interviews. The press can often come at the truth with a slant or a sensational angle. The press can just get a story wrong. But the free and open practice of journalism is in the long run the only way for a free society to self-correct and sift out the truth. As the founders insisted, freedom of the press safeguards society against official corruption, malfeasance, and the lawless exercise of power. Now the free practice of journalism globally, and even at home, can be compromised by powerful spyware. It is also threatened by our government’s possession of our communications and online activity through Section 702 of the Foreign Intelligence Surveillance Act, as well as the bulk purchase of Americans’ digital information from data brokers. While 49 U.S. states have press shield laws, there is no federal law that protects the notes and sources of a journalist from being seized by a federal prosecutor. All the more reason to celebrate World Press Freedom in America by asking Congress to get behind the PRESS Act, which would extend these basic protections to the federal government. New draft rules from Beijing require Alibaba, Baidu, and other Chinese social media companies to include “socialist values” in their versions of the generative AI software. This will likely broaden Washington’s debate about which Chinese platforms to ban other than TikTok.
But the dramatic handwringing on Capitol Hill about Chinese social media weaponizing the data of American citizens is only part of the story. The fact is that with or without your subscribership to TikTok or any other Chinese social media platforms, the People’s Republic of China probably already knows a lot about you. This is true for the same reason that U.S. federal agencies, ranging from the FBI to the Department of Homeland Security, to the IRS and the Pentagon, also have all your most personal data at their fingertips. Whether Washington or Beijing, governments get the skinny on our private lives in the same way: they buy it from third-party data brokers, who in turn purchase our most sensitive, personal information scraped from popular apps and social media platforms. In this way, data brokers compile a profile of you that includes your race, ethnicity, religion, gender, sexual orientation, and income level; major life events like pregnancy and divorce; medical information like drug prescriptions and mental illness; where you’ve been according to your real-time smartphone location history; details about your family and friends; what you search for online; and your politics and beliefs. There is a reason why data brokers – shadowy players you’ve likely never heard of – are often called the “middlemen of surveillance capitalism.” They scrape and sell thousands of data points on billions of people, creating profiles of our financial, cultural, and private lives. The primary customers for this data are businesses that want to show you ads. But there is nothing to keep China from buying this information, too. In fact, PPSA has it on good authority that China does just that through intermediaries. Klon Kitchen of the American Enterprise Institute calls China’s purchases of Americans’ data a gaping vulnerability that is “grossly underappreciated.” And Kitchen notes that what China doesn’t buy, it steals. He quotes FBI Director Christopher Wray who said last year, “If you are an American adult, it is more likely than not that China has stolen your personal data.” Now is not the right time for Capitol Hill to deal with this complex issue. As efforts to counter Chinese penetration and exploitation of American data ramp up, it is important for Congress to make an immediate priority to address problems with U.S. government surveillance of its own citizens. But Congress is going to have to deal with China and other governments purchasing our data in the near future. As politicians debate the dangers of TikTok, we should keep in mind how much of our personal information China already buys from the middlemen of surveillance. The New York Times broke the story that a front company in New Jersey signed a secret contract with the U.S. government in November 2021 to help it gain access to the powerful surveillance tools of Israel’s NSO Group.
PPSA previously reported that the FBI had acquired NSO’s signature technology, Pegasus, which can infiltrate a smartphone, strip all its data, and transform it into a 24/7 surveillance device. Mark Mazzetti and Ronen Bergman of The Times now report that the FBI in recent years had performed tests on defenses against Pegasus and “to test Pegasus for possible deployment in the bureau’s own operations inside the United States.” An FBI spokesperson told these journalists the FBI’s version of the software is now inactive. The secret contract also grants the U.S. government access to NSO’s powerful geolocation tool called Landmark. Mazzetti and Ronen report that such NSO technology has been used thousands of time against targets in Mexico – and that Mexico is named as a venue for the use of NSO technology. Two sources told the journalists that the “contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened.” This story is catching the Biden Administration flat-footed, which had declared this technology a national security threat while placing NSO on a Commerce Department blacklist. In light of these new revelations, Members of Congress should ask the Directors of National Intelligence, the CIA, FBI, and DEA:
This breaking story will likely force the Biden White House to promulgate new rules limiting the use of NSO technology by federal law enforcement and intelligence agencies. As it does, Congress should be involved every step of the way. This technology is frightening because NSO tools can be installed remotely on smartphones with the most updated security software, and without the user succumbing to phishing or any other obvious form of attack. The need for a detailed policy limiting the use of these tools is urgent. NSO technology is to ordinary surveillance what nuclear weapons are to conventional weapons. Because nuclear weapons are hard to make, Washington, D.C. had time to plan and enact a global non-proliferation regime that delayed their proliferation. In the case of Pegasus and Landmark, however, this technology easily proliferated in the wild before Washington was even fully aware of its existence. Pegasus has been used by drug cartels to track down and murder journalists. It has been used by an African government to listen in on conversations between the daughter of a kidnapped man and the U.S. State Department. It was famously used to plan the murder of Adnan Khashoggi. Does anyone doubt that Russian and Chinese intelligence have secured their own copies? Now Washington is both racing to catch up with foreign adversaries and limit the use of this technology at the same time. NSO, through its amoral proliferation of dangerous technology, has made the world a riskier place. As federal agencies seek to get their hands on this technology, Congress should paint a bright red line – DO NOT USE DOMESTICALLY, EVER. “Why Elon Musk’s Idea of ‘Free Speech’ Will Help Ruin America,” reads a headline in the liberal The New Republic. Bottom line – the sale of Twitter to Elon Musk “means that lies and disinformation will overwhelm the truth and the fascists will take over.” “Stop the Twitterverse – I Want to Get Off,” writes Debra Saunders in the conservative American Spectator a few weeks before Elon Musk’s acquisition of Twitter became inevitable. From left and right, cynicism is the dominant reaction to the potential of Twitter under Elon Musk’s direction. The left hates Twitter because it can be abused by noxious personalities with extreme politics. The right hates Twitter because of a perception among conservatives that Twitter takes out the magnifying glass only when evaluating conservative speech. Both sides have become so used to distortion and the failure of public enterprises and personalities that they have come to welcome it. We’ve even started to root for failure. There is an emotional comfort to always assuming the worst will happen – you will never be disappointed. E.K. Hornbeck, the journalist character in Inherit the Wind, captured the mentality of our times in a play written by Jerome Lawrence half-a-century before the emergence of social media: “Cynical? That's my fascination. Social media has elevated Hornbeckism and taught us not just expect the worst, but to celebrate it. We should pause, then, to take note that on the day Elon Musk visited the headquarters of Twitter as he assumes ownership, the billionaire released a surprisingly sweet note to advertisers about the direction the platform will take.
Musk wrote that he bought Twitter “because it is important to the future of civilization to have a common digital town square, where a wide range of beliefs can be debated in a healthy manner, without resorting to violence. There is currently great danger that social media will splinter into far-right wing and far-left wing echo chambers that generate more hate and divide our society.” He wrote that the “relentless pursuit of clicks” of traditional and social media fuels caters to polarized extremes. Musk admits that failure is real possibility for him and that he must allow some degree of content moderation to keep Twitter from becoming a “free-for-all-hellscape.” Musk and his team face many granular decisions between statements that are edgy and even offensive to many, and those that are over the line. That line will probably waver back and forth as Twitter experiments with a broader array of speech and speakers. Security will also need to be addressed. A fired former senior executive of Twitter, Peiter “Mudge” Zatko, testified before the Senate Judiciary Committee that there are “no locks on the doors” at Twitter when it comes to securing users’ data. Twitter, he said, had been infiltrated by foreign spies, including actors on behalf of the People’s Republic of China, seeking Americans’ personal data. It will be up to Musk to assess and if necessary correct security flaws. He will lead a team that must be capable of executing operations while bringing a more open-minded ethos to the Twitterverse. We can be certain that there will be mistakes, embarrassments, policies made and revoked. But Elon Musk’s rockets exploded on the launchpad before he got SpaceX right. Maybe the same will happen this time. We should all hope so. As Twitter evolves, stumbles, evolves some more, we should remain calm and continue to cheer for the platform’s success. There’s nothing quite like it. And if Twitter fails because we cannot as a nation manage a dialogue, then we will all fail as well. Chris Gilliard in Atlantic describes a day of “luxury surveillance” – what an affluent consumer experiences by being willing to have his heartbeat, sleep, fitness, mood, digital orders, and daily queries continuously tracked.
This is not, Gilliard writes, a dystopian vision. In Gilliard’s “day in the life” description all the services and devices are current Amazon products endowed with what the company calls “ambient surveillance.” They could just as easily be Apple Watches, Apple, Samsung or Google smartphones, or Google Nest devices. What could be wrong, then, with consumers by the millions opting into ambient surveillance? Gilliard sees a lot wrong. He offers a cautionary note from personal experience: “Growing up in Detroit under the specter of the police unit STRESS – an acronym for ‘Stop the Robberies, Enjoy Safe Streets’ – armed me with a very specific perspective on surveillance and how it is deployed against Black communities. A key tactic of the unit was the deployment of the surveillance in the city’s ‘high crime’ areas. In two and a half years of operation during the 1970s, the unit killed 22 people, 21 of whom were Black.” Now, Gilliard writes, “think of facial recognition falsely incriminating Black men, or the Los Angeles Police Department requesting Ring-doorbell footage of Black Lives Matter protests.” We would add that one problem with luxury surveillance is that all this data being compiled on us can be easily acquired by local law enforcement, as well as by federal agencies ranging from the Department of Defense to the Department of Homeland Security. It is one thing to be surveilled in order to have an ad slipped into your social media feed. It is something else to find a SWAT team knocking down your door at dawn. Luxury surveillance is a boon for consumers until it isn’t. All the more reason why Americans should support the Fourth Amendment Is Not for Sale Act, which would at least constrain the ability of the government to get around the Constitution by buying our most personal information. Samantha Murphy Kelly of CNN Business news has a snappy take on Amazon’s recent product press event. The company, she wrote, “knows when you’re in and out of the room. A gadget that monitors your breathing pattern while you sleep. An enhanced voice assistant that highlights just how much it knows about your everyday life.”
She notes another event where Amazon introduced drones and Astro, a dog-like robot that can patrol the home when you’re gone. Will consumers be deterred by the creep factor of giving so much of our personal information taken from the intimacy of our homes? Kelly quotes a consumer analyst who said that “negative consumer attitudes” about data collection is lessened by the service, price, and convenience of these products. It is easy to see why consumers are sanguine about sharing data with a company that sells products and services they like. All Amazon wants to do is to sell us even more products. Dangers emerge, however, when consumer data migrates beyond the company you’re doing business with. Amazon, for its part, says that “information about our customers is an important part of our business, and we are not in the business of selling our customers’ personal information to others.” The company does share information with third parties, such as vendors whose goods are sold through Amazon. A recent FTC filing against the data broker Kochava shows that Amazon Web Services Marketplace allows companies to buy consumers’ IP addresses and precise geolocation histories. Amazon also encourages its Ring customers to share their data with police agencies across the country – creating a national surveillance network stitched together from more than three million cameras. Whatever the limits of Amazon’s privacy policies, most of the other major social media platforms freely sell consumer data to brokers. Among the major customers of this data, as PPSA has endlessly reported, are the intelligence and law enforcement agencies of the U.S. government – reason why PPSA has joined with almost fifty other civil liberties organizations to call for the passage of the Fourth Amendment Is Not for Sale Act. Your dog may follow you around the house, but she will never judge you. Not so with the many devices that are infiltrating into our lives. Last week, PPSA reported on Fog Reveal, a product from Fog Data Science that sells billions of data points extracted from apps on 250 million mobile devices to local police departments. An unlimited-use, one-year subscription costs a department only $7,500.
For this price, Fog Reveal offers a powerful capability, the ability to track hundreds of millions of Americans in their daily movements. It allows police to locate every device in a given geo-fenced area. It also allows police to trace the location history of a single device (and therefore, its user) over months or years. Fog Data Science claims that it is respectful of privacy because it does not reveal the names or addresses of individual users. But a slide show from Fog Data Science prepared for police highlights how this technology can easily be used to track a suspect to his or her “bed-down” over a 180-day period. (Hat tip to the Electronic Frontier Foundation, which helpfully added yellow highlights to significant passages of Fog documents.) It is more than a stretch then to call this data “anonymized” when it follows people to their homes, as well as to their houses of worship, meetings with friends or lovers, trips to health or mental health clinics, journalists meeting with whistleblowers, or other locales that reveal sensitive and personal information. For those in law enforcement who go through the motions of filing a warrant, Fog Data Science offers a template warrant. Such warrants are misbegotten. They can be employed to follow a number of people in the vicinity of a crime or track everyone who attended a political protest. The Fourth Amendment requires “probable cause” in which a warrant describes “the place to be searched, and the persons or things to be seized.” It makes a mockery of the Constitution’s requirement for particularity when the police have at their fingertips a whole ocean of data involving many people. How can such a requirement be fulfilled when Fog technology allows police to go on a fishing expedition in that ocean, with any American potentially being a catch? It is through technologies such as Fog Reveal that our country, device by device, is moving steadily toward becoming a full-fledged surveillance state. Such details should spur Congress to investigate the uses of this technology. It should also inspire Congress to pass the Fourth Amendment Is Not for Sale Act, which would block the auctioning of our private, personal information to all government agencies. Agencies Avoid Answering Questions About the Purchase of Private Information of Members of CongressSince the mid-1960s, the Freedom of Information Act (FOIA) has allowed American citizens and civil liberties organizations to obtain unclassified documents from federal agencies, shedding light on official actions and policies. In recent years, however, the government has devised many creative ways to stall, obfuscate, and outright withhold answers to FOIA requests, while seeming to be as responsive as possible. Cato Institute scholar Patrick Eddington calls these tactics “constructive denial.”
For over two years, Cato filed FOIA requests to obtain FBI records on militia groups of the left and the right, including the white supremacist Patriot Front. “Groups like the Patriot Front,” Eddington writes in The Hill, “are, in the view of most Americans, a moral and political blight that the country would be far better off without. At the same time, the protection of offensive ideas and speech are at the heart of the purpose of the First Amendment.” Thus, Cato sought records to better understand the threat posed by these groups and the nature of the government’s response. In defiance of FOIA’s requirement that the FBI send the requested documents to the requester himself, the FBI replied to Cato that it would eventually file the documents on an FBI website. “You will be notified when releases are available.” In other words, buzz off. Constructive denial can be seen in another form after PPSA filed suit against the National Security Agency, the CIA, the Department of Justice and FBI, and the Office of the Director of National Intelligence in June to compel the release of records pertaining to the possible purchase of the personal information of more than 100 current and former Members of the House and Senate Judiciary Committees from private data brokers. This is understandably a sensitive question, given that current and former judiciary committee lawmakers include Chairman Jerrold Nadler, Ranking Member Jim Jordan, Chairman Dick Durbin, Ranking Member Chuck Grassley, as well as Vice President Kamala Harris and Florida Gov. Ron DeSantis. Still, it would be a matter of public interest – not to mention to these legislators themselves – if the government were buying up their personal information. Such an act could yield leverage for executive branch agencies to bully leading Members of Congress, subtly undermining democracy. The agencies’ response to PPSA’s FOIA request over summer 2021 was to issue Glomar responses, a judicially invented doctrine that neither confirms nor denies that such records exist. Now that PPSA has sued to enforce its request, these agencies have come back with an answer that doubles down on a government theory that it would be too dangerous to national security for these agencies to even search for such documents. At the same time, government responses strike a tone of wanting to be as cooperative as possible. One choice example: PPSA asserted a “right of prompt access to requested records under the law.” The National Security Agency responded: “To the extent that a response is required, Defendant NSA denies the allegation, including the fact that NSA has wrongfully withheld records.” This is a construction worthy of Joseph Heller’s Catch-22. Gene Schaerr, PPSA general counsel, responds: “The government’s answers disingenuously conflate an internal search for documents with an external response to a question. The government feels free to treat FOIA as polite supplication instead of a law that must be obeyed. PPSA will continue to press on for a serious answer in federal court.” In the meantime, expect the government to come up with many new forms of constructive denial. A growing number of House and Senate members are supporting the Fourth Amendment Is Not for Sale Act, which would require law enforcement and intelligence agencies to obtain a probable cause warrant before accessing Americans’ personal information purchased from a private-sector data broker.
But what about non-state actors buying our information? A recent lawsuit brought against private-data broker Kochava by the Federal Trade Commission reveals the horrific exposure of Americans’ most personal data to unseen – and possibly unknown – private actors. Kochava claims to have “rich geo data spanning billions of devices globally,” with location data feed that “delivers raw latitude/longitude data with volumes around 94B-plus billion geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.” In its filing on Aug. 29, the FTC writes that a purchaser would only need to provide Kochava a personal email address and describe the intended use as “business” to gain access to your data from Kochava. “The location data provided by Kochava is not anonymized,” the FTC filing asserts. “It is possible to use the geolocation data, combined with the mobile devices MAID (Mobile Advertising ID), to identify the mobile device’s user or owner.” The FTC claims: “Precise geolocation data associated with MAIDs, such as the data sold by Kochava, may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.” It can identify women who visit reproductive clinics and people who attend services at Jewish, Christian, Islamic and other religious denominations’ places of worship. Kochava, the FTC claims, does not employ a blacklist that removes or obfuscates data-set location signals from these sensitive locations. The facts presented by the FTC, as alarming as they are, should not get mixed up in the separate debate on the Hill over restricting the government’s ability to purchase our private data. The many federal agencies that buy our data are not just violating our privacy. They are eviscerating the plain meaning of the Constitution’s Fourth Amendment, which requires government to get a warrant from a court to access our personal information. The solution to private-sector access to personal information is a deep and complex debate taking place within multiple Congressional committees and stakeholders from business and consumer groups. Passing the Fourth Amendment Is Not for Sale Act in this Congress, which would close off the government’s warrantless access to Americans’ personal information, would be a strong predicate for that next step in the privacy debate. |
Categories
All
|
© COPYRIGHT 2023. ALL RIGHTS RESERVED. | PRIVACY STATEMENT