This originally appeared in the Washington Post
Three years ago, the Supreme Court issued a ruling that appeared to reaffirm Americans’ right to privacy in the digital age. The court had long held that the Fourth Amendment does not protect information we voluntarily disclose to others — including to phone companies (this encompasses, by the court’s definition of “voluntary,” the numbers we call). But when police tried to force a cellphone company to turn over several weeks’ worth of precise location information for a customer they suspected of robbing electronics stores, the court said that was a bridge too far. Noting that location information can be used to determine a person’s associations, habits and even beliefs, the court ruled, in Carpenter v. United States, that the government needs a warrant to compel companies to produce such sensitive data.
It turns out that all the government really needs is cash and a data broker. Government agencies — as several publications have reported — have discovered ways around what seemed to be robust constitutional protections for sensitive location information. They are engaging in creative legal interpretations and secretly exploiting gaps in the law to buy Americans’ personal information from intermediaries. This practice of buying Americans’ data has become routine, effectively hollowing out both Carpenter and privacy safeguards enacted by Congress
Key to this activity is the proliferation of entities that collect, package and sell Americans’ information. The government no longer needs to compel the production of location data from Verizon or T-Mobile, because there are innumerable cellphone apps that gather and track precise geolocation coordinates (along with a wealth of other personal data). Some apps, such as e-weather forecasting tools, might have a legitimate need for location information; others collect it simply because the app companies know they can, and they know the data’s worth. The companies then sell the information to brokers, which in turn sell it to government agencies.
On its face, the government’s obtaining location information from data brokers without a warrant would seem to violate Carpenter. The court’s ruling, after all, turned on the sensitivity of the information, not the type of company holding it. But government agencies have interpreted the case to apply only when the government forces a company to turn over data. When the government simply incentivizes the disclosure — by writing a large check — the warrant requirement evaporates. Under this view, the government may constitutionally buy not only the location records of criminal suspects but also entire databases of location information unrelated to any criminal investigation.
This interpretation is certainly vulnerable to legal challenge, but it could be years before the courts resolve the issue. The Fourth Amendment is therefore sidelined for the time being, and so we must rely on the laws that Congress has passed to protect Americans’ privacy. Unfortunately, these laws, too, have lost much of their force, having entirely failed to keep up with technology.
The most relevant statute, the Electronic Communications Privacy Act, has not been meaningfully updated since its enactment in 1986. It limits data disclosures by companies that provide certain types of communications and computing services — those that were available when Congress wrote the law. Because many app developers provide services that didn’t exist at the time, the law simply doesn’t apply to them. These companies are therefore free to sell whatever information they can acquire, subject only to the law of supply and demand.
The law does apply to phone companies and Internet services providers, and it prohibits them from voluntarily disclosing Americans’ personal information to government agencies. But Congress failed to foresee the phenomenon of digital data brokers. For many types of information, the law contains no bar against divulging the data to nongovernment entities. Phone and Internet companies can thus sell the information to brokers, which can resell the same information to the government, essentially laundering Americans’ data through a middleman.
The government has taken full advantage of these workarounds. Federal agencies that have bought and used Americans’ cellphone location information include the Internal Revenue Service, the Drug Enforcement Administration, the FBI, the Homeland Security and the Defense Department. Since 2017, Immigration and Customs Enforcement and Customs and Border Protection alone paid more than $1 million to Venntel, a company that describes itself as a “pioneer in mobile location information." (Venntel obtains its data from apps, including games and weather apps.) State and local law enforcement have also been caught buying information about social media users from data vendors.
Besides privacy red flags, this phenomenon raises civil rights concerns. When government officials don’t have to show probable cause of criminal activity — or provide any information at all to a judge — they’re much more likely to fall back on conscious or subconscious prejudices, targeting people of color and other marginalized communities. Last November, Vice News discovered that the Defense Department had been purchasing “granular location data” harvested from a popular Muslim prayer app used by 98 million people around the world, including Americans, as well as similar data generated by a Muslim dating app.
Agencies have revealed little about how they use the data they purchase. The possible uses, however, are manifold — as are the possible misuses. Location data can be used to identify people who attended a Black Lives Matter protest to oppose racial injustices or who attend a specific mosque. And while most of the known purchases to date have involved geolocation information, apps can gather other equally personal information that could be subject to sale, such as contact lists, demographic information available from user profiles or even health data gleaned from wearable devices. The information may not be explicitly linked to the user’s identity, but it is child’s play for the government to match a set of data to its owner.
Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) and 18 other senators introduced a bill last week, dubbed “The Fourth Amendment Is Not For Sale Act,” that would end these practices. It would bar law enforcement and intelligence agencies from purchasing Americans’ geolocation data, the content of their communications or other sensitive information from any company that collects them — whether a cellphone company, an app developer or a data broker.
The bill could be strengthened. Because it prohibits only data purchases, it leaves a small but important loophole for app developers and data brokers to disclose sensitive data to government agencies without a warrant or payment. There are various reasons profit-seeking companies might make such “gratis” disclosures, such as currying favor to avoid regulation or to obtain government contracts for other services. The legislation nonetheless identifies a major problem and goes a long way toward solving it.
Advances in technology have eroded Fourth Amendment protections as well as created major gaps in our privacy laws. The Supreme Court has made clear, however, that we don’t forfeit our constitutional privacy rights simply because so much of our personal information lies in the hands of companies. To prevent the government from buying its away around those rights, we need to rewrite privacy rules for the age of apps.