Thanks to investigative reporting by The Wall Street Journal and other media, we know that the Department of Homeland Security, Customs and Border Protection, Immigration and Customs Enforcement, the FBI, the Department of Defense and other law enforcement and intelligence agencies are routinely buying vast amounts of our private information from data brokers.
This information is soaked up by the apps and devices we use and then sold by data merchants in a lightly regulated $200 billion market. In this way, millions of Americans lose control of data that contain what the U.S. Supreme Court has called “the privacies of life.” The legal memos released by federal agencies admit that the government is exploiting a loophole in the Electronic Communications Privacy Act (ECPA) of 1986, written before digital security was a great concern.
Some abuses arising from these purchases have been reported. The FBI, Secret Service and Department of Defense have warrantlessly acquired smartphone location data. Muslim prayer and dating apps have been used to target Americans by their religion. But our knowledge about the totality of such practices is spotty at best.
Now the Center for Democracy & Technology has shed needed light on data purchases in a new report, “Legal Loopholes and Data for Dollars: How Law Enforcement and Intelligence Agencies Are Buying Your Data from Brokers.” CDT reviewed 150 government documents about data purchases, including Requests for Proposals for 30 contracts valued at $86 million. What CDT found is not comprehensive, but it is the best look to date into this shadow world.
The collection of our personal information starts with our mobile apps, which often share our location and other personal data with third parties and brokers without our knowledge. Brokers then “scrape” or “mine” our data in violation of the terms of service of social media companies. As a result, government agencies have a sea of data in which to go fishing.
CDT reports: “Multiple forms of sensitive data, including location, communications, biometric, and license plate reader data, are sold by data brokers to law enforcement and intelligence agencies, and the practice is increasing, with multiple agencies spending upwards of tens of millions of dollars on multi-year contracts.”
Many government agencies disingenuously state in their purchase orders and contracts that the sought-after information will be from “publicly available” and “open” sources.
CDT: “The broad and misleading usage of these terms undermines governmental claims that agencies are permitted to collect such information on the basis that it is generally out there in the public and individuals therefore lack a reasonable expectation of privacy in such sensitive data.” Notably, CDT found that it is “unclear whether the FBI considers ‘open source’ to include data compiled specifically for the FBI to purchase, even when no other customer would actually be able to find or purchase that information.”
Agencies also categorize procurement contracts through opaque or technical designations that “obscure the nature of the data being purchased, the uses to which they will be put, and the privacy consequences.”
It is undeniable that when law enforcement and intelligence agencies buy personal data about Americans from data brokers – such as location data – they are evading constitutional safeguards recognized by the Supreme Court. In short, “government agencies have been able to purchase sensitive data from brokers in an end run around otherwise applicable legal requirements under ECPA and the Fourth Amendment.”
The report concludes by urging the passage of the bipartisan-supported The Fourth Amendment Is Not for Sale Act, which would close the loopholes in ECPA and end the practice of the circumvention of the Constitution through data purchases. They recommend requiring government agencies to be transparent about their procurement policies. Among CDT’s other recommendations is one that should resonate with anyone concerned about foreign surveillance capabilities – “Congress should conduct hearings to examine data brokers sales to foreign governments …”
CDT deserves the gratitude of the civil liberties community for stepping up to document these privacy abuses and to provide us a framework for thinking about them analytically. Most encouraging of all is that one of the four authors of this report is Sharon Bradford Franklin, who has recently been nominated by President Biden to chair the Privacy and Civil Liberties Oversight Board (PCLOB).
It will be interesting to see what fresh perspectives Ms. Franklin brings to her new assignment.