Skip Navigation

Federal Agencies Are Secretly Buying Consumer Data

The practice undermines civil rights and circumvents the Constitution’s privacy protections.

April 16, 2021

The Treasury Department’s inspector general recently issued a report warning that the IRS’s purchase of GPS location data may be unconstitutional in light of a landmark 2018 Supreme Court decision requiring a warrant for historical cell phone location data.

The IRS is not alone in circumventing the warrant requirement by simply buying location data. The FBI, Department of Homeland Security, and Department of Defense have all been caught secretly purchasing cell phone location information, as well as other sensitive consumer data. It’s time to put a stop to this practice, which violates the Fourth Amendment.

In United States v. Carpenter, the Supreme Court recognized that a central aim of the Fourth Amendment is to “place obstacles in the way of a too permeating police surveillance.” The Court held that police need a warrant to obtain historical cell site location information, a type of data generated as a cell phone automatically connects to nearby cell towers. Federal agencies have argued the decision applies only to this specific type of location data, and they have taken to purchasing access to commercial databases containing location information that can be used to track specific individuals. However, as the Treasury Department’s inspector general recognized, the ruling has broader implications when it comes to recalibrating Fourth Amendment protections for the digital age.

This is because the Court’s holding was premised on the understanding that technologies like cell phones are indispensable for participation in modern society. When these technologies automatically convey sensitive and revealing data, without any affirmative action on the part of the user, it does not square with the Fourth Amendment to require Americans to make an impossible choice: safeguard their privacy by giving up the use of an essential tool or accept that the government will have effortless access to detailed data about their every move. Thus, to preserve the guarantees of privacy that the Founders intended, the Fourth Amendment protects the data produced by such technologies, and the government must use a warrant to get it. For example, although Carpenter did not specifically address GPS data, the inspector general noted that in future cases, courts may apply its logic to limit the use of GPS data without a warrant.

By buying data rather than obtaining it pursuant to a subpoena, warrant, or court order, federal agencies are circumventing the basic safeguard against abusive policing enshrined in the Fourth Amendment: the requirement that police obtain a warrant from a judge before conducting a search or seizure.

It is incongruous for federal agencies to take the position that there are few legal limitations on their purchase of location data. Congress has made it clear that procedural, legal safeguards are required even for the bulk collection of data. For example, in the foreign intelligence context, a court order was required for the collection of information under Section 215 of the Patriot Act prior to its expiration in March 2020. If Congress were unwilling to allow unregulated, bulk procurement of data for national security purposes, where it is generally more permissive on privacy issues, why would it allow it in the domestic context? By using their purchasing power to obtain massive amounts of data without any judicial or legislative oversight, agencies are creating and exploiting unintended loopholes in existing privacy laws like the Stored Communications Act.

The government’s ability to buy sensitive location information without judicial or legislative oversight upends the time-honored balance of power between the people and the government established by the Fourth Amendment. It creates opportunities for law enforcement monitoring that would otherwise be infeasible due to resource and technical constraints, facilitating unimpeded government surveillance on a massive scale that would have been unimaginable a few decades ago.

In the absence of such oversight, federal agencies are using purchased data to target already vulnerable communities. For example, leaked documents revealed that at least two branches of DHS — Customs and Border Protection and Immigration and Customs Enforcement  — bought cell phone location data. In addition, ICE has reportedly purchased utility data, as well as information from private license plate reader databases. The agencies tracked migrant groups and targeted individuals for immigration enforcement using this information.

News reports also indicate that the FBISecret Service, and Department of Defense have acquired smartphone location data without a warrant. Defense contractors purchased location data from popular Muslim prayer and Qur’an apps and dating apps. Several members of Congress have made an official inquiry into how this data has been utilized. And cell phone data was allegedly used to track Black Lives Matter protesters over the summer. Though it is uncertain exactly how cell phone data informed the FBI’s response to the protests, it is notable that the agency renegotiated its purchase contract with a data broker around the time of the demonstrations.

The use of purchased data to target religious groups and protesters emphasizes the critical importance of the Fourth Amendment in protecting against discriminatory policing practices. It also underscores the chilling effect unrestricted surveillance has on other civil liberties, including religious freedom and the right to dissent. For example, some community leaders urged Muslims to delete their prayer apps after reports about data sales. And concerns about cell phone monitoring at protests prompted several civil liberties groups to publish “surveillance self-defense” toolkits for protesters, urging them to leave their phones at home and providing tips on shielding themselves from police monitoring.

Secrecy magnifies the problem. For example, a public records request recently revealed that although court documents suggested an arrest by federal authorities was related to a routine traffic stop, the suspect was actually apprehended using cell phone location data purchased by ICE. This lack of transparency makes it even easier for federal agencies to evade typical checks on abuses of police power because the public is unaware of the full extent of what data is being purchased, and what it is being used for.

However, judicial movement is slow, and courts are still grappling with the application of Carpenter to various technologies. In the meantime, public pressure has led to the passage of privacy protective legislation in several states. For example, over 13 municipalities and states have passed legislation limiting or banning government use of facial recognition. Surveillance technology oversight bills have been passed in multiple localities, including New York City.

Nevertheless, law enforcement continues to purchase data, evading both the Fourth Amendment and these democratic attempts to limit their surveillance capabilities. For instance, some police departments have attempted to circumvent bans on their use of facial recognition by purchasing facial recognition search results from third-party vendors. It is clear the current patchwork of privacy protections for consumer data is not robust enough.

It is up to lawmakers and the public to push for legislation ending law enforcement’s practice of purchasing consumer data. Proposals are being introduced at the federal and local level that would either ban government agencies from buying personal information from data brokers or limit the sale of cell phone location data. These are promising and necessary starts to close the loopholes in privacy laws.