New CDT Report Documents How Law Enforcement & Intel Agencies Are Evading the Law and Buying Your Data from Brokers

• “Data broker shared billions of location records with District during pandemic,” The Washington Post
  
• “Customs and Border Protection Paid $476,000 to a Location Data Firm,” Vice News
  
• “Data Brokers Know Where You Are — and Want to Sell That Intel,” Wired

***

These are just a few of the headlines that have appeared in recent months documenting how a growing network of data brokers is collecting vast quantities of sensitive personal information, and selling that data to a broad range of customers. Numerous government agencies are among the brokers’ customers, including law enforcement and intelligence agencies. 

Today, CDT released a new report, Legal Loopholes and Data for Dollars, exploring this data broker ecosystem, which is estimated to be worth about $200 billion, and examining how law enforcement and intelligence agencies have been evading otherwise applicable legal requirements by purchasing data from brokers. 

We reviewed the limited publicly available information on law enforcement and intelligence agency solicitations to purchase data broker products, and we analyzed examples showing the types of data these agencies generally seek to purchase from brokers, which includes granular location information and biometric data such as facial images. Although these documents clearly cover commercial purchases of personal data, unfortunately, it is difficult to discern the specific nature of many of these contracts. Indeed, it appears that by design, data broker relationships with law enforcement and intelligence agencies are not intended to be unraveled.

This lack of transparency should be of concern to all of us since the privacy implications of these practices are significant. The data that brokers collect and sell to law enforcement and intelligence agencies includes sensitive information that can reveal details about individuals’ activities, associations, communications, finances, health, patterns of travel, sexual orientation, and other information. Further, the use of such data by law enforcement may have disproportionately negative impacts on communities of color and immigrant communities.  All of this generally happens without individual consent or even awareness. Indeed, brokers typically have no direct relationship with the people whose data they collect, analyze, and sell. 

In general, when government agencies want access to Americans’ electronic information, existing statutes such as the Electronic Communications Privacy Act (ECPA) require them to seek legal process, or the Fourth Amendment of the Constitution requires them to obtain a search warrant. However, law enforcement and intelligence agencies have taken advantage of legal ambiguities to purchase data from brokers in an end-run around otherwise applicable legal requirements. In particular, ECPA effectively contains a loophole allowing data brokers to obtain “non-content” communications data, and then, because they themselves are not regulated by ECPA, to turn around and sell that information to government agencies. Similarly, although the Supreme Court’s expansive language in Carpenter v. United States suggests that the government must also obtain a warrant in order to access sensitive personal information in contexts beyond just the cell site location information at issue in that case, government agencies have adopted narrow interpretations, under which purchases of sensitive data from brokers are permitted without a warrant.

One of our findings in the new report is that government agencies often use terms like “publicly available” and “open source” in their purchase orders and contracts in a way that is misleading. The use of these terms suggests that these purchases should be permitted on the basis that people have put their personal information out into the public for anyone to see or gather – such as social media posts that people knowingly make available to the public. However, government purchase orders and contracts frequently use these terms to include information collected specifically for a given agency that is not actually available to the public or any other consumer. This broad usage of these terms undermines governmental claims that agencies are permitted to collect such information on the basis that individuals lack an expectation of privacy in such sensitive data. 

The report concludes with about a dozen recommendations designed to close existing legal loopholes and provide greater transparency and accountability for government purchases of personal information from data brokers. These recommendations include:

• Congress should enact the Fourth Amendment is Not for Sale Act, a bill introduced in Congress with bipartisan support, that would close the ECPA loophole. This would ensure that for data covered by ECPA — where the government would normally need to obtain appropriate legal process to compel a service provider to produce the information — the government cannot evade this requirement by purchasing such information from brokers;
• Law enforcement and intelligence agencies should apply Fourth Amendment standards under the Supreme Court’s analysis in Carpenter when they seek to acquire vast quantities of sensitive data. This would apply to data that may not be covered by ECPA, and therefore not covered by the Fourth Amendment is Not for Sale Act, even if Congress does enact that law; and
• Congress should enact a comprehensive consumer privacy law that includes regulation of data brokers.

Implementation of these recommendations would not solve all the problems presented by the unregulated data broker industry. But they would go a long way toward ensuring that government agencies can only access Americans’ personal data when they meet appropriate legal standards.