Cops Can Buy Your Data Instead of Going to Court | is this SAFE?

A new report offers a reminder you may resent: Government agencies don’t need to bother getting a warrant for your data if they can just buy it.

Tech-policy types may not find much new in “Legal Loopholes and Data for Dollars: How Law Enforcement and Intelligence Agencies Are Buying Your Data from Brokers,” released Thursday by the Center for Democracy & Technology. But its overall assessment—that data brokers continue to provide law enforcement and intelligence agencies with an efficient workaround to Fourth Amendment and other legal privacy protections—may upset many other Americans.

As this 51-page report observes in its introduction: “There is no clear limit on the potential availability of commercially acquired data that would typically require the legal process to obtain.”

Its authors—CDT staffers Sharon Bradford Franklin, Greg Nojeim, and Dhanaraj Thakur, plus human-rights lawyer and consultant Carey Shenkman—further note that this data procurement proceeds despite the Supreme Court’s 2018 ruling in Carpenter v. United States that law-enforcement agencies must get a court warrant for a suspect’s historical cell-site location information from wireless carriers.

For example, the report cites the FBI signing contracts with data broker Venntel to obtain location data for “pre-investigative activities” and Customs and Border Protection’s deals with the same firm (remember that many legal rights don’t apply at US borders).

But between vague app privacy policies, the fuzzier terms of data brokers, and deliberate opacity by government agencies about these transactions, the average citizen would struggle to learn how their data might have flowed from an app on their phone to a law-enforcement database.

(Unstated in CDT’s report but worth pondering: Other governments can also buy this data, a point the Trump administration ignored while trying to call TikTok an instrument of Chinese spying.)

The problem is a byproduct of the lucrative private market for personal data, where many companies that offer online services collect, analyze, and sell data about individuals using those services.

This data is aggregated by companies called ‘data brokers’ that typically lack any direct relationship with the individuals whose data they collect and sell, but may accumulate personal data from multiple sources with varying degrees of granularity, ranging from anonymized trends to the specific locations of individuals at specific times.

Advertisers, retailers, and other companies may then seek access to data for varied commercial purposes.

There is no clear limit on the potential availability of commercially acquired data that would typically require the legal process to obtain. In the words of one presenter to law enforcement at a location-analytics conference, “cell phone data, social media feeds, license-plate reader and automatic-vehicle locator systems are readily available to investigators” (Delaney & Beck, 2014).

Law enforcement and intelligence agencies could obtain these types of personal data from different sources, including publicly available information (e.g., public posts on the web), access to company records through the legal process (e.g., a court order directing an internet service provider to turn over information), or data brokers.

Of these various sources, we have very little insight into agencies’ engagement with data brokers.