How Data Brokers and Phone Apps Are Helping Police Surveil Citizens Without Warrants
Police have purchased data collected by dating and prayer apps to track people in violation of the Fourth Amendment.
Few people who register for a dating app or prayer app intend for government and law enforcement agencies to track their every move and potentially arrest them. The very idea that giving any app permission to use location data—ostensibly for the purpose of finding nearby suitors, praying in the right direction, or any number of other reasons—is effectively acquiescing to law-enforcement surveillance seems contrary to the rights to privacy guaranteed by the Constitution’s Fourth Amendment. But enabled by new commercial businesses, law enforcement entities have been surveilling people without their knowledge, even arresting and deporting some. Understanding how and where such data flows is key to creating a strategy for regulating it.
In recent years, law enforcement agencies have faced significant public outrage and distrust when they have been discovered using sophisticated new technologies to amass individuals’ sensitive personal data. It’s clear that the use of police tech tools, such as cell site simulators capable of determining individuals’ precise locations and facial recognition systems capable of scanning thousands of faces and tracking them over time, to surveil specific individuals warrantlessly runs directly counter to the Fourth Amendment. In most jurisdictions, however, no regulations or court decisions have explicitly disallowed these technologies. As a result, police continue to use these tools largely unchallenged and unchecked.
More troubling, though, is that even where there are explicit rules in place limiting police surveillance power, government entities increasingly are seeking ways to circumvent those rules—often by using discreet commercial companies known as data brokers.
Commercial data brokers are for-profit companies that aggregate private information into large datasets by scraping the web and buying the data they find from other companies (e.g., credit card companies). Many of the biggest tech scandals of the past decade—the Snowden revelations, Cambridge Analytica scandal, and Equifax data breach—called attention to the role that big technology companies play in collecting and managing user data, and what happens when they fail to adequately safeguard personal information. But away from the spotlight, pervasive and lucrative data brokers are playing a crucial role in the data supply chain: compiling and selling personal information, including people’s search histories and location data, to anyone willing to pay for it.
Data brokers are part of a rapidly growing and lucrative market, generating around $200 billion in revenue every year. While a few data brokers have become notorious—ClearviewAI, for example, has provided its facial recognition tech to the US Justice Department, the Immigration and Customs Enforcement agency (ICE), Walmart, and the National Basketball Association—many operate unnoticed in the shadows. These companies aggregate data about people’s personal lives—including whether they’re trying to lose weight, whether they’re pregnant, which medicines they take, and which businesses they frequent the most. Much of this data, especially location data, can be used to predict user movements when merged with social network data and other analytical tools, making it valuable to advertisers and, in turn, brokers. Of all the data brokers compile and sell, user location data are among the most sensitive and most profitable, leading to the growth of a new “location data economy.” Early in the coronavirus pandemic, some of these data brokers emerged with maps they claimed could show the spread of the virus, touting their use of people’s location data, and revealing how much data these unknown companies are stockpiling.
Though these data are ostensibly collected for commerce, recent reporting suggests that government law enforcement agencies are rapidly becoming major buyers. There are numerous recent examples involving location data alone. The online magazine and video channel Motherboard recently revealed that a data broker named X-mode has been compiling geolocation data from a popular Muslim prayer app (Muslim Pro) and a Muslim dating app (Muslim Mingle), then selling this extremely sensitive data to the US military through defense contractors. Likewise, according to the Wall Street Journal, the Department of Homeland Security, ICE, and Customs and Border Protection have been using a commercial database from Venntel Inc. to obtain user location data to detect undocumented immigrants and monitor cell phone activity along the border. This location information—combined with other surveillance tools—has been used to track, arrest, and even deport immigrants across the country. Reports also show that the US Internal Revenue Service has partnered with the data broker and software company Venntel to identify and monitor potential criminal suspects in money-laundering, cyber, drug, and organized crime cases.
These government purchases are beyond just concerning; they’re unconstitutional. In each of these examples, the federal government is making an end run around Supreme Court precedent set in Carpenter v. United States. As the court recognized in that 2018 case, tracking the movements of a specific individual over time is extremely invasive, and individuals have a reasonable expectation of privacy when it comes to the “all-encompassing record” of their whereabouts. For that reason, the court held that if a law enforcement agency wants to obtain location information on a particular individual for seven days or more, it must have a warrant. But in each of the above examples (of the military, DHS, and IRS) the government obtained large swaths of geolocation data without warrants, simply purchasing it through data brokers—skirting Fourth Amendment hurdles in the process.
US Senator Ron Wyden (D-OR) has called this government practice a “backdoor to throw the Fourth Amendment in the trash can.” And he’s not the only member of Congress paying attention to these egregious privacy violations. As policymakers delve deeper into understanding the ever-expanding surveillance ecosystem in the United States, they are beginning to pinpoint the especially problematic role that data brokers play.
One of the biggest barriers to understanding what data brokers are doing is the lack of transparency—not only for app users, but also for regulators. Thanks to a 2018 Vermont law that mandated that companies buying and selling third-party personal data register with the secretary of state, civil society organizations and rights advocates have been able to gain some insight into which commercial data brokers are operating in the United States. Earlier this year, the US House Committee on Oversight and Reform launched an investigation into Venntel’s practices of brokering location data to government agencies. At the same time, US Representatives Carolyn Maloney (D-NY) and Mark DeSaulnier (D-CA), together with Senators Elizabeth Warren (D-MA) and Ron Wyden, sent an oversight letter to Congress seeking information from Venntel on its data collection policies and practices. The DHS inspector general also announced this month that, in response to a request from five US senators—Wyden and Warren, along with Sherrod Brown (D-OH), Ed Markey (D-MA), and Brian Schatz (D-HI)—his office will be opening an investigation into whether DHS’s purchase of location data on Americans for law-enforcement purposes is lawful. Separately, the American Civil Liberties Union mounted a Fourth Amendment-based legal challenge against DHS for this practice. Finally, earlier this year Senator Wyden announced that together with colleagues he is planning to introduce a new privacy bill, called The Fourth Amendment Is Not For Sale, to tackle this issue.
A comprehensive federal data privacy law is a necessary first step to protect Americans’ privacy, particularly from commercial data brokers. By way of example, the European Union has enacted a privacy law, the General Data Protection Regulation, that grants its citizens the right to request access to or delete their data. In California, the California Consumer Privacy Act grants state residents access to their data, including from data brokers. But it should not be up to users to protect themselves. Because data brokers are so numerous and unknown, and also so prolific in their purchasing, compiling, and reselling of data, it can be difficult for users to take control of their own data even when granted such rights. For that reason, California passed an additional law (on top of its privacy act) that requires data brokers to register annually with the state’s attorney general for publication on the office’s website in order to operate.
Separately, as big tech companies come under increased scrutiny on the privacy front, several of the major players who helped build this new location data economy have recently taken steps to impede data brokers’ activities, to the brokers’ dismay. Apple and Google have ensured that both iPhones and Androids now allow users to opt out of ad tracking, preventing advertisers from tracking them via a unique identifier known as an “ad ID” that works across the web and between apps. So far, in the absence of legislative action, these simple company actions have likely had the biggest impact toward giving consumers control while reining in data brokers.
But these company-led efforts are not enough. Congress must institute strong safeguards to prevent data brokers and government agencies in the executive branch—especially law enforcement—from doing surveillance by skirting constitutional requirements. In addition, policymakers should enact greater transparency rules requiring data brokers to reveal more about the scope of their data collection and sale operations. Under no circumstance should the government be able to purchase data it would otherwise need a warrant to obtain.