​Since the mid-1960s, the Freedom of Information Act (FOIA) has allowed American citizens and civil liberties organizations to obtain unclassified documents from federal agencies, shedding light on official actions and policies. In recent years, however, the government has devised many creative ways to stall, obfuscate, and outright withhold answers to FOIA requests, while seeming to be as responsive as possible. Cato Institute scholar Patrick Eddington calls these tactics “constructive denial.”
 
For over two years, Cato filed FOIA requests to obtain FBI records on militia groups of the left and the right, including the white supremacist Patriot Front. “Groups like the Patriot Front,” Eddington writes in The Hill, “are, in the view of most Americans, a moral and political blight that the country would be far better off without. At the same time, the protection of offensive ideas and speech are at the heart of the purpose of the First Amendment.” Thus, Cato sought records to better understand the threat posed by these groups and the nature of the government’s response.
 
In defiance of FOIA’s requirement that the FBI send the requested documents to the requester himself, the FBI replied to Cato that it would eventually file the documents on an FBI website. “You will be notified when releases are available.”
 
In other words, buzz off.
 
Constructive denial can be seen in another form after PPSA filed suit against the National Security Agency, the CIA, the Department of Justice and FBI, and the Office of the Director of National Intelligence in June to compel the release of records pertaining to the possible purchase of the personal information of more than 100 current and former Members of the House and Senate Judiciary Committees from private data brokers.
 
This is understandably a sensitive question, given that current and former judiciary committee lawmakers include Chairman Jerrold Nadler, Ranking Member Jim Jordan, Chairman Dick Durbin, Ranking Member Chuck Grassley, as well as Vice President Kamala Harris and Florida Gov. Ron DeSantis. Still, it would be a matter of public interest – not to mention to these legislators themselves – if the government were buying up their personal information. Such an act could yield leverage for executive branch agencies to bully leading Members of Congress, subtly undermining democracy.
 
The agencies’ response to PPSA’s FOIA request over summer 2021 was to issue Glomar responses, a judicially invented doctrine that neither confirms nor denies that such records exist.
 
Now that PPSA has sued to enforce its request, these agencies have come back with an answer that doubles down on a government theory that it would be too dangerous to national security for these agencies to even search for such documents. At the same time, government responses strike a tone of wanting to be as cooperative as possible.
 
One choice example: PPSA asserted a “right of prompt access to requested records under the law.” The National Security Agency responded: “To the extent that a response is required, Defendant NSA denies the allegation, including the fact that NSA has wrongfully withheld records.” This is a construction worthy of Joseph Heller’s Catch-22.
 
Gene Schaerr, PPSA general counsel, responds: “The government’s answers disingenuously conflate an internal search for documents with an external response to a question. The government feels free to treat FOIA as polite supplication instead of a law that must be obeyed. PPSA will continue to press on for a serious answer in federal court.”
 
In the meantime, expect the government to come up with many new forms of constructive denial.

PPSA recently reported that prosecutors charged two Twitter employees with being spies for Saudi Arabia. One of the men fled the country. The other was convicted.
 
Now, more bad news for Americans concerned about privacy. While Twitter’s shareholders were approving the $44 billion sale of their company to Elon Musk on Tuesday, Peiter Zatko, Twitter’s former head of security, testified before the Senate Judiciary Committee about the state of security inside the social media platform. Zatko said that the FBI had informed him that at least one agent of China’s Ministry of State Security was “on the payroll inside Twitter.”
 
Zatko told the senators: “I discovered that the company had ten years of overdue critical security issues, and it was not making meaningful progress on them. This was a ticking time bomb of security vulnerabilities.” He added that he made the decision to inform the FBI, which led to his dismissal. “In those disclosures, I detail how the company leadership misled its Board of Directors, regulators, and the public. Twitter’s security failures threaten national security, compromise the privacy and security of users, and at times threaten the very continued existence of the company.”
 
In his more than two hours of testimony, Zatko described Twitter’s senior management as deliberately ignoring security issues to protect the bottom line. “It doesn’t matter who has keys if you don’t have any locks on the doors,” he said. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”
 
At least two agents for the Indian government were on the company payroll, Zatko said, as well as the one from China. Some ads sponsored by the Chinese government appeared to have been designed to specifically capture user information.
 
“Twitter is acting dangerously and negligently to turn its back on user safety,” Nora Benavidez, Free Press senior counsel, told The New York Times. These alleged Twitter breaches, as bad as they are, come on top of a host of similarly disturbing stories about privacy.
 
From foreign infiltration of Twitter, to potential exposure of the data of American TikTok users to Chinese intelligence, to the practice of private data brokers selling Americans’ personal information scrapped from apps to U.S. law enforcement and intelligence agencies – it is clear that we are in a privacy crisis with implications for Americans’ well-being and national security. One way that Congress can respond to that crisis is by passing the Fourth Amendment is Not for Sale Act, which would ban the sale of private data to the government. Once that bill passes, it will be a helpful achievement in creating momentum to deal with all the remaining privacy issues.
 
To quote a line from a great play, “attention must be paid.”

A growing number of House and Senate members are supporting the Fourth Amendment Is Not for Sale Act, which would require law enforcement and intelligence agencies to obtain a probable cause warrant before accessing Americans’ personal information purchased from a private-sector data broker.
 
But what about non-state actors buying our information?
 
A recent lawsuit brought against private-data broker Kochava by the Federal Trade Commission reveals the horrific exposure of Americans’ most personal data to unseen – and possibly unknown – private actors.
 
Kochava claims to have “rich geo data spanning billions of devices globally,” with location data feed that “delivers raw latitude/longitude data with volumes around 94B-plus billion geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
 
In its filing on Aug. 29, the FTC writes that a purchaser would only need to provide Kochava a personal email address and describe the intended use as “business” to gain access to your data from Kochava.
 
“The location data provided by Kochava is not anonymized,” the FTC filing asserts. “It is possible to use the geolocation data, combined with the mobile devices MAID (Mobile Advertising ID), to identify the mobile device’s user or owner.”
 
The FTC claims:
 
“Precise geolocation data associated with MAIDs, such as the data sold by Kochava, may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.” It can identify women who visit reproductive clinics and people who attend services at Jewish, Christian, Islamic and other religious denominations’ places of worship.
 
Kochava, the FTC claims, does not employ a blacklist that removes or obfuscates data-set location signals from these sensitive locations.
 
The facts presented by the FTC, as alarming as they are, should not get mixed up in the separate debate on the Hill over restricting the government’s ability to purchase our private data. The many federal agencies that buy our data are not just violating our privacy. They are eviscerating the plain meaning of the Constitution’s Fourth Amendment, which requires government to get a warrant from a court to access our personal information.
 
The solution to private-sector access to personal information is a deep and complex debate taking place within multiple Congressional committees and stakeholders from business and consumer groups. Passing the Fourth Amendment Is Not for Sale Act in this Congress, which would close off the government’s warrantless access to Americans’ personal information, would be a strong predicate for that next step in the privacy debate.

​In a hearing over the summer, the House Judiciary Committee took a hard look at the way in which private data brokers freely sell Americans most personal information to a host of government law enforcement and intelligence agencies.
 
Chairman Jerry Nadler said that digital tracking is “so precise that officers can track individuals within specific homes and businesses … tracking your location over time, within inches, without any due process whatsoever.
 
“The end result is that, just by going about your daily life, your data may be swept up in and make you the subject of a criminal investigation … If law enforcement and intelligence agencies remain unrestrained in their ability to purchase this data, our right to privacy will be at best illusory.”
 
Ranking Member Jim Jordan said that the government continues to transform guardrails meant to protect privacy into loopholes to allow the government to do whatever it wants. Jordan said, “this is wrong and it’s un-American.”
 
Representatives of both parties expressed dismay about how freely federal agencies utilize and abuse surveillance powers in defiance of the Fourth Amendment. Rep. Zoe Lofgren detailed the many ways the U.S. Immigration and Customs Enforcement agency tracks Americans’ daily movements and extracts personal information from utility records. Rep. Andy Biggs spoke of the uses to which the government can employ geolocation tracking against Americans.
 
In short, the House Judiciary Committee did an excellent job of teeing up the issue. Now it is time to swing the club for a legislative solution.
 
On Wednesday, PPSA joined with Americans for Prosperity, Demand Progress, the Due Process Institute and Free Press Action to call on the committee to take bipartisan action and mark up the Fourth Amendment Is Not for Sale Act.

Local law enforcement agencies have been caught using a cheap new cell phone tracking tool called Fog Reveal. (A hat tip to The Associated Press for compiling this story). The tool gives police agencies “the power to follow people’s movements months back in time,” according to The Associated Press.
 
Fog Reveal has been used since at least 2018 in criminal investigations, can search billions of records from 250 million mobile devices, and is possibly a potent workaround of the 4th Amendment. It is no wonder why police rarely mention Fog Reveal “in court records, something that defense attorneys say makes it harder for them to properly defend their clients in cases in which the technology was used.”
 
Fog Reveal “relies on advertising identification numbers, which Fog officials say are culled from popular cell phone apps such as Waze, Starbucks, and hundreds of others” according to police emails obtained by The Associated Press. That information is then sold to companies including Fog, further demonstrating the role of data brokers in undermining the digital privacy of Americans.
 
“The capability that it had for bringing up just anybody in an area whether they were in public or at home seemed to me to be a very clear violation of the Fourth Amendment,” said Davin Hall, a former crime data analysis supervisor for the Greensboro, North Carolina, Police Department.
 
Congress must investigate the use of Fog Reveal by law enforcement agencies and bolster legal protections against such 4th Amendment violations. Congress could begin by passing The Fourth Amendment Is Not for Sale Act, which would block data brokers from selling our personal information to law enforcement and intelligence agencies without authorization by a court. Congress must work to ensure the privacy of all Americans is safe and secure.

​“To exist in 2022 is to be surveilled, tracked, tagged and monitored — most often for profit.” It might sound like an exaggeration, but it’s far from it. When nearly every American is carrying a tracking device, audio and video recorder, and all their personal data in their pocket, nobody is truly private.
 
The cracks in our digital privacy are getting wider, allowing an almost unfiltered ocean of our most sensitive data to flow into anyone’s hands. As Alex Kingsbury writes in The New York Times:
 
“Consider just last week: Apple released a surprise software update for its iPhones, iPads and Macs meant to remove vulnerabilities the company says may have been exploited by sophisticated hackers. The week before that, a former Google engineer discovered that Meta, the parent company of Facebook and Instagram, was using a piece of code to track users of the Facebook and Instagram apps across the internet without their knowledge. In Greece the prime minister and his government have been consumed by a widening scandal in which they are accused of spying on the smartphones of an opposition leader and a journalist.
 
And this month Amazon announced that it was creating a show called “Ring Nation” — a sort of ‘America’s Funniest Home Videos’ made up of footage recorded by the company’s Ring doorbells.”
 
Just one of these examples should be cause for concern to any American, but the problem is simply too big for individuals to handle. As Kingsbury states, “there are simply too many tech companies, government entities, data brokers, internet service providers and others tracking everything we do.” Congress must take bold action to protect Americans from predatory data collectors and misusers.
 
Legislation like the Fourth Amendment is Not for Sale Act is a step in the right direction. It would prohibit law enforcement and other government agencies from purchasing bulk data from data brokers. In the wake of renewed state battles over the future of abortion rights, the My Body, My Data Act would tighten rules around personal health information. Absent these reforms, “we’re about to find out what happens when that privacy has all but vanished.” PPSA will continue to monitor these issues and fight for privacy in Congress and the courts.

Earlier this month, former Vice-President Mike Pence called out criticism of the FBI lodged by members of his own party. In his speech, Pence stated “I … want to remind my fellow Republicans we can hold the attorney general accountable for the decision that he made without attacking the rank-and-file law enforcement personnel at the FBI..” While the intent of Pence’s statement is certainly laudable, it comes at a time when the public is increasingly distrustful of the agency’s activities.
 
Pence’s comments have been received so poorly because they dismiss the credible concerns emanating from all sectors of the American public. The distrust towards the agency turned into full-blown outrage when the FBI raided former President Trump’s Mar-a-Lago estate earlier this month on August 8th. It has been weeks since the raid, and there has been little official explanation provided. What information we do have has been pieced together from an unsealed warrant and source leaks. From the warrant, the search was related to potential violations of three laws including the Espionage Act. Attorney General Merrick Garland said during remarks on August 11 that he would not explain why he personally signed off on seeking a search warrant. Even though documents were recovered, distrust of the agency has become so severe, that swaths of the American public may choose to believe that the evidence seized was forged and planted.
 
Also worried is Michael Horowitz, Inspector General of the U.S. Department of Justice. Across multiple reports, Horowitz details the abuses, noncompliance, and mishandling that is currently ongoing within the FBI. For a few examples, in September of 2021, the office of the Inspector General released a report stating that there “was widespread non-compliance with the Woods Procedures,” a set of procedures to ensure factual accuracy in FISA applications. In August of 2019, the office of the Inspector General released a report detailing the multiple rules violations by former FBI Director James Comey, indicating a culture of secrecy and noncompliance at the highest level in the chain of command. There are multiple reports detailing commercial sex, accepting illegal gifts from the media, the violation of ethics rules, and a “lack of candor.”
 
When American citizens display “a lack of candor,” they can be fired from their jobs. When senior officials at the FBI do it, prosecution is declined and the offending party is “reassigned to a nonsupervisory role.”
 
In 2019, the Foreign Intelligence Surveillance Court criticized the FBI for misleading it in applications to wiretap former Trump campaign aide, Carter Page. Inspector General Horowitz found that the FBI had omitted facts and provided false statements to the FISA court when the FBI filed for a warrant to conduct surveillance on Page. FISA court presiding Judge Rosemary Collier stated in her opinion that “The FBI’s handling of the Carter Page applications, as portrayed in the OIG report, was antithetical to the heightened duty of candor described above…”
 
So, not only is the public concerned, but so is the office of the Inspector General and the FISA courts, two organizations which either oversee or directly liaise with the FBI.
 
Just this week, the escapades of the FBI were on full display during a trial to convict two men involved in the 2020 plan to kidnap Michigan Governor Gretchen Whitmer. The already high-profile nature of the case was catapulted into the stratosphere when the FBI revealed there were at least five informants or undercover agents embedded among the suspected planners. Defense attorneys have argued there were at least twelve. The involvement of FBI agents and informants was so significant, that a trial for a separate set of suspected planners failed to get a single conviction. One informant became second-in-command of a militia. Another undercover agent offered to provide explosives to the group. It calls into question whether the FBI was engaged in entrapment.
 
FBI agents assigned to the case became subjects of scrutiny themselves. As the New York Times reports, “one F.B.I. agent on the case was fired last year after being charged with domestic violence, and another agent, who supervised a key informant, tried to build a private security consulting firm based in part on some of his work for the F.B.I.…” That FBI agents so close to an ongoing plan to kidnap a governor were themselves so compromised is very chilling.
 
It seems obvious from the last several years that the FBI is in need of both oversight and reform. An agency with significant investigatory and enforcement powers, Congress can and should do more to monitor the activities of the agency.

​If you think HIPAA medical privacy laws mean your medical data is secure, think again. Digital health companies have been caught funneling sensitive data that patients have shared with them to Facebook/Meta to help target advertisements.
 
A recent study by the data privacy research group Light Collective surveyed the actions of five health companies and found that third-party ad trackers used by those companies followed patients online and marketed to them based on their activities. Three of the companies went against their own privacy policies in the process, raising concerns about HIPAA violations.
 
Four of the five digital health companies did not respond to requests by Forbes for comment. The authors of the study said that after they disclosed their findings to the five companies, only two responded: Ciitizen and Invitae. Both said they were investigating the matter.
 
Andrea Downing, cofounder of the Light Collective, said that poor health data privacy is “one of the biggest threats to online patient communities.” The study is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup showed that hospital websites are currently using data trackers to gather and share sensitive patient information with Facebook for marketing. Facebook’s parent company, Meta, has said that sharing such information is a violation of the company’s rules.
 
This is a concerning development for digital health privacy. Digital health companies are allegedly violating their own privacy rules and possibly the law. It also demonstrates the failure of the government to ensure critical patient health data is safe and secure.

A lot has been written about a provision of the upcoming Inflation Reduction Act, which will provide an additional $80 billion in funding to the Internal Revenue Service. Most of this funding will go to bolstering enforcement work, meaning more audits.
 
While this is bad news for millions of taxpayers, and good news for the makers of Tums Antacid Products for Fast Heartburn Relief, the creation of a new army of auditors is bound to significantly warp the already warped privacy landscape in America.
 
Big numbers for new IRS hires have been estimated. A Treasury Department report from May 2021 estimated that the agency would be able to hire roughly 87,000 employees by 2031 with the additional funding, more than doubling the agency’s staff dedicated to enforcing tax laws. But even media defenses of the plan, which have tried to downplay the number, still estimate anywhere between twenty to thirty thousand new employees.
 
At either number, the IRS expansion will undoubtedly expand the capability of the agency to investigate American citizens. Jonah Goldberg put it best recently when he wrote:
 
“Unlike normal law enforcement, the IRS doesn’t require probable cause to investigate you. It can choose people at random or investigate people based on a theory or a hunch—often sanitized by saying it was the algorithm that made the call. Even if you did nothing wrong, the process itself is punishing and often expensive. One of the bedrocks of our constitutional order, most obviously enshrined in the Fourth Amendment, is the idea that citizens should not be subjected to unreasonable searches without probable cause. Stop and frisk was canceled because it was seen as an outrageous and demeaning affront to civil liberties. I’m conflicted on that. But I certainly get the objections, and I would never say, ‘If you did nothing wrong, you have no reason to complain about being frisked.’ Well, an audit is a forensic frisking of virtually everything you did for a year. What did you spend money on? Where did you spend it? How did you get the money? Show us your receipts. Prove you’re not guilty.”
 
Also concerning are the new methods and technologies the IRS could deploy against the whole country. In February, we reported on the bipartisan resistance to the IRS’s plan to implement facial recognition technology. Under this plan, the IRS would require taxpayers to submit to digital facial recognition scans to obtain tax transcripts and other records. The plan was halted amid significant pushback noting the privacy and technological flaws of facial recognition, but not before 7 million Americans surrendered their biometric data to the IRS and a third-party verification company, ID.me.
 
In May, we reported on the Transparency and Accountability in Service Providers Act, a draft bill circulating that would have deputized millions of “financial gatekeepers” into spying on their clients for the federal government. Virtually the entire financial services industry would be required to report any “suspicious” activity to the government. If the Act were to pass, and the 7.6 million employees of the financial services sector were “deputized,” there would be one informer for every 43 Americans.
 
Where there is a will, there is a way. The IRS is already trying to spy on you. With this new funding, the IRS now has a way.

​On Tuesday, House Judiciary Committee Chairman Jerrold Nadler and House Homeland Security Committee Chairman Bennie Thompson sent a letter to the heads of key agencies demanding answers to questions about their use of data brokers.
 
It is no secret that agencies ranging from the FBI to the DEA have been circumventing the Fourth Amendment by purchasing the data of millions of Americans from private data brokers. This letter is the latest sign Congress is waking up to the privacy and surveillance threat posed by data brokers contracting with the federal government.
 
Reps. Nadler and Thompson wrote Attorney General Merrick Garland, FBI Director Christopher Wray, Homeland Security Secretary Alejandro Mayorkas, as well as the heads of Customs and Border Protection, the Bureau of Alcohol, Tobacco, Firearms and Explosives, Immigration and Customs Enforcement and the Drug Enforcement Administration.
 
The two chairmen noted:
 
“In a recent hearing before the House Judiciary Committee, a witness stated that materials provided by data brokers ‘turn policing from a suspect-focused search into a constant, intrusive surveillance system that surveils all of us. Rather than focusing on particular suspects, data policing tools are dragnets, sifting through all of our data.’”
 
The letter demanded each agency provide four sets of documents:

1. Documents and communications related to contracts with companies that aggregate and provide personal data on Americans, including internal documents and communications.
   
   
2. Documents and communications related to any legal analysis of the acquisition and/or use of brokered data in investigations, prosecutions, and other agency/department work.
   
   
3. Documents and communications related to the consideration of contracts for access to brokered data, including but not limited to funding, requests for proposals, or assessment of data provided.
   ​
4. Documents and communications related to stipulating the parameters of and limitations to use of brokered data materials and databases by agency/department personnel.

 
This is a step in the right direction, and PPSA looks forward to further work by Congress on the subject. What we learn from these requests should prompt Congress to pass the Fourth Amendment Is Not For Sale Act.