Skip Navigation

Federal Agencies Are Secretly Buying Consumer Data

The practice undermines civil rights and circumvents the Constitution’s privacy protections.

April 16, 2021
Lasse Kristensen/Getty

The Treas­ury Depart­ment’s inspector general recently issued a report warn­ing that the IRS’s purchase of GPS loca­tion data may be uncon­sti­tu­tional in light of a land­mark 2018 Supreme Court decision requir­ing a warrant for histor­ical cell phone loca­tion data.

The IRS is not alone in circum­vent­ing the warrant require­ment by simply buying loca­tion data. The FBI, Depart­ment of Home­land Secur­ity, and Depart­ment of Defense have all been caught secretly purchas­ing cell phone loca­tion inform­a­tion, as well as other sens­it­ive consumer data. It’s time to put a stop to this prac­tice, which viol­ates the Fourth Amend­ment.

In United States v. Carpenter, the Supreme Court recog­nized that a cent­ral aim of the Fourth Amend­ment is to “place obstacles in the way of a too permeat­ing police surveil­lance.” The Court held that police need a warrant to obtain histor­ical cell site loca­tion inform­a­tion, a type of data gener­ated as a cell phone auto­mat­ic­ally connects to nearby cell towers. Federal agen­cies have argued the decision applies only to this specific type of loca­tion data, and they have taken to purchas­ing access to commer­cial data­bases contain­ing loca­tion inform­a­tion that can be used to track specific indi­vidu­als. However, as the Treas­ury Depart­ment’s inspector general recog­nized, the ruling has broader implic­a­tions when it comes to recal­ib­rat­ing Fourth Amend­ment protec­tions for the digital age.

This is because the Court’s hold­ing was premised on the under­stand­ing that tech­no­lo­gies like cell phones are indis­pens­able for parti­cip­a­tion in modern soci­ety. When these tech­no­lo­gies auto­mat­ic­ally convey sens­it­ive and reveal­ing data, without any affirm­at­ive action on the part of the user, it does not square with the Fourth Amend­ment to require Amer­ic­ans to make an impossible choice: safe­guard their privacy by giving up the use of an essen­tial tool or accept that the govern­ment will have effort­less access to detailed data about their every move. Thus, to preserve the guar­an­tees of privacy that the Founders inten­ded, the Fourth Amend­ment protects the data produced by such tech­no­lo­gies, and the govern­ment must use a warrant to get it. For example, although Carpenter did not specific­ally address GPS data, the inspector general noted that in future cases, courts may apply its logic to limit the use of GPS data without a warrant.

By buying data rather than obtain­ing it pursu­ant to a subpoena, warrant, or court order, federal agen­cies are circum­vent­ing the basic safe­guard against abus­ive poli­cing enshrined in the Fourth Amend­ment: the require­ment that police obtain a warrant from a judge before conduct­ing a search or seizure.

It is incon­gru­ous for federal agen­cies to take the posi­tion that there are few legal limit­a­tions on their purchase of loca­tion data. Congress has made it clear that proced­ural, legal safe­guards are required even for the bulk collec­tion of data. For example, in the foreign intel­li­gence context, a court order was required for the collec­tion of inform­a­tion under Section 215 of the Patriot Act prior to its expir­a­tion in March 2020. If Congress were unwill­ing to allow unreg­u­lated, bulk procure­ment of data for national secur­ity purposes, where it is gener­ally more permissive on privacy issues, why would it allow it in the domestic context? By using their purchas­ing power to obtain massive amounts of data without any judi­cial or legis­lat­ive over­sight, agen­cies are creat­ing and exploit­ing unin­ten­ded loop­holes in exist­ing privacy laws like the Stored Commu­nic­a­tions Act.

The govern­ment’s abil­ity to buy sens­it­ive loca­tion inform­a­tion without judi­cial or legis­lat­ive over­sight upends the time-honored balance of power between the people and the govern­ment estab­lished by the Fourth Amend­ment. It creates oppor­tun­it­ies for law enforce­ment monit­or­ing that would other­wise be infeas­ible due to resource and tech­nical constraints, facil­it­at­ing unim­peded govern­ment surveil­lance on a massive scale that would have been unima­gin­able a few decades ago.

In the absence of such over­sight, federal agen­cies are using purchased data to target already vulner­able communit­ies. For example, leaked docu­ments revealed that at least two branches of DHS — Customs and Border Protec­tion and Immig­ra­tion and Customs Enforce­ment  — bought cell phone loca­tion data. In addi­tion, ICE has reportedly purchased util­ity data, as well as inform­a­tion from private license plate reader data­bases. The agen­cies tracked migrant groups and targeted indi­vidu­als for immig­ra­tion enforce­ment using this inform­a­tion.

News reports also indic­ate that the FBISecret Service, and Depart­ment of Defense have acquired smart­phone loca­tion data without a warrant. Defense contract­ors purchased loca­tion data from popu­lar Muslim prayer and Qur’an apps and dating apps. Several members of Congress have made an offi­cial inquiry into how this data has been util­ized. And cell phone data was allegedly used to track Black Lives Matter protest­ers over the summer. Though it is uncer­tain exactly how cell phone data informed the FBI’s response to the protests, it is notable that the agency rene­go­ti­ated its purchase contract with a data broker around the time of the demon­stra­tions.

The use of purchased data to target reli­gious groups and protest­ers emphas­izes the crit­ical import­ance of the Fourth Amend­ment in protect­ing against discrim­in­at­ory poli­cing prac­tices. It also under­scores the chilling effect unres­tric­ted surveil­lance has on other civil liber­ties, includ­ing reli­gious free­dom and the right to dissent. For example, some community lead­ers urged Muslims to delete their prayer apps after reports about data sales. And concerns about cell phone monit­or­ing at protests promp­ted several civil liber­ties groups to publish “surveil­lance self-defense” toolkits for protest­ers, urging them to leave their phones at home and provid­ing tips on shield­ing them­selves from police monit­or­ing.

Secrecy magni­fies the prob­lem. For example, a public records request recently revealed that although court docu­ments sugges­ted an arrest by federal author­it­ies was related to a routine traffic stop, the suspect was actu­ally appre­hen­ded using cell phone loca­tion data purchased by ICE. This lack of trans­par­ency makes it even easier for federal agen­cies to evade typical checks on abuses of police power because the public is unaware of the full extent of what data is being purchased, and what it is being used for.

However, judi­cial move­ment is slow, and courts are still grap­pling with the applic­a­tion of Carpenter to vari­ous tech­no­lo­gies. In the mean­time, public pres­sure has led to the passage of privacy protect­ive legis­la­tion in several states. For example, over 13 muni­cip­al­it­ies and states have passed legis­la­tion limit­ing or banning govern­ment use of facial recog­ni­tion. Surveil­lance tech­no­logy over­sight bills have been passed in multiple local­it­ies, includ­ing New York City.

Never­the­less, law enforce­ment contin­ues to purchase data, evad­ing both the Fourth Amend­ment and these demo­cratic attempts to limit their surveil­lance capab­il­it­ies. For instance, some police depart­ments have attemp­ted to circum­vent bans on their use of facial recog­ni­tion by purchas­ing facial recog­ni­tion search results from third-party vendors. It is clear the current patch­work of privacy protec­tions for consumer data is not robust enough.

It is up to lawmakers and the public to push for legis­la­tion ending law enforce­ment’s prac­tice of purchas­ing consumer data. Propos­als are being intro­duced at the federal and local level that would either ban govern­ment agen­cies from buying personal inform­a­tion from data brokers or limit the sale of cell phone loca­tion data. These are prom­ising and neces­sary starts to close the loop­holes in privacy laws.