The Government Can’t Seize Your Digital Data. Except by Buying It.

New technology has rendered both Supreme Court rulings on privacy and federal laws moot.

Last Updated: April 28, 2021
This originally appeared in the Washington Post.

Three years ago, the Supreme Court issued a ruling that appeared to reaffirm Americans’ right to privacy in the digital age. The court had long held that the Fourth Amendment does not protect information we voluntarily disclose to others — including to phone companies (this encompasses, by the court’s definition of “voluntary,” the numbers we call). But when police tried to force a cellphone company to turn over several weeks’ worth of precise location information for a customer they suspected of robbing electronics stores, the court said that was a bridge too far. Noting that location information can be used to determine a person’s associations, habits and even beliefs, the court ruled, in Carpenter v. United States, that the government needs a warrant to compel companies to produce such sensitive data.

It turns out that all the government really needs is cash and a data broker. Government agencies — as several publications have reported — have discovered ways around what seemed to be robust constitutional protections for sensitive location information. They are engaging in creative legal interpretations and secretly exploiting gaps in the law to buy Americans’ personal information from intermediaries. This practice of buying Americans’ data has become routine, effectively hollowing out both Carpenter and privacy safeguards enacted by Congress.

Key to this activity is the proliferation of entities that collect, package and sell Americans’ information. The government no longer needs to compel the production of location data from Verizon or T-Mobile, because there are innumerable cellphone apps that gather and track precise geolocation coordinates (along with a wealth of other personal data). Some apps, such as e-weather forecasting tools, might have a legitimate need for location information; others collect it simply because the app companies know they can, and they know the data’s worth. The companies then sell the information to brokers, which in turn sell it to government agencies.

On its face, the government’s obtaining location information from data brokers without a warrant would seem to violate Carpenter. The court’s ruling, after all, turned on the sensitivity of the information, not the type of company holding it. But government agencies have interpreted the case to apply only when the government forces a company to turn over data. When the government simply incentivizes the disclosure — by writing a large check — the warrant requirement evaporates. Under this view, the government may constitutionally buy not only the location records of criminal suspects but also entire databases of location information unrelated to any criminal investigation.

This interpretation is certainly vulnerable to legal challenge, but it could be years before the courts resolve the issue. The Fourth Amendment is therefore sidelined for the time being, and so we must rely on the laws that Congress has passed to protect Americans’ privacy. Unfortunately, these laws, too, have lost much of their force, having entirely failed to keep up with technology.

The most relevant statute, the Electronic Communications Privacy Act, has not been meaningfully updated since its enactment in 1986. It limits data disclosures by companies that provide certain types of communications and computing services — those that were available when Congress wrote the law. Because many app developers provide services that didn’t exist at the time, the law simply doesn’t apply to them. These companies are therefore free to sell whatever information they can acquire, subject only to the law of supply and demand.

The law does apply to phone companies and Internet service providers, and it prohibits them from voluntarily disclosing Americans’ personal information to government agencies. But Congress failed to foresee the phenomenon of digital data brokers. For many types of information, the law contains no bar against divulging the data to nongovernment entities. Phone and Internet companies can thus sell the information to brokers, which can resell the same information to the government, essentially laundering Americans’ data through a middleman.

The government has taken full advantage of these workarounds. Federal agencies that have bought and used Americans’ cellphone location information include the Internal Revenue Service, the Drug Enforcement Administration, the FBI, the Department of Homeland Security and the Defense Department. Since 2017, Immigration and Customs Enforcement and Customs and Border Protection alone paid more than $1 million to Venntel, a company that describes itself as a “pioneer in mobile location information.” (Venntel obtains its data from apps, including games and weather apps.) State and local law enforcement have also been caught buying information about social media users from data vendors.

Besides privacy red flags, this phenomenon raises civil rights concerns. When government officials don’t have to show probable cause of criminal activity — or provide any information at all to a judge — they’re much more likely to fall back on conscious or subconscious prejudices, targeting people of color and other marginalized communities. Last November, Vice News discovered that the Defense Department had been purchasing “granular location data” harvested from a popular Muslim prayer app used by 98 million people around the world, including Americans, as well as similar data generated by a Muslim dating app.

Agencies have revealed little about how they use the data they purchase. The possible uses, however, are manifold — as are the possible misuses. Location data can be used to identify people who attended a Black Lives Matter protest to oppose racial injustices or who attend a specific mosque. And while most of the known purchases to date have involved geolocation information, apps can gather other equally personal information that could be subject to sale, such as contact lists, demographic information available from user profiles or even health data gleaned from wearable devices. The information may not be explicitly linked to the user’s identity, but it is child’s play for the government to match a set of data to its owner.

Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) and 18 other senators introduced a bill last week, dubbed “The Fourth Amendment Is Not For Sale Act,” that would end these practices. It would bar law enforcement and intelligence agencies from purchasing Americans’ geolocation data, the content of their communications or other sensitive information from any company that collects them — whether a cellphone company, an app developer or a data broker.

The bill could be strengthened. Because it prohibits only data purchases, it leaves a small but important loophole for app developers and data brokers to disclose sensitive data to government agencies without a warrant or payment. There are various reasons profit-seeking companies might make such “gratis” disclosures, such as currying favor to avoid regulation or to obtain government contracts for other services. The legislation nonetheless identifies a major problem and goes a long way toward solving it.

Advances in technology have eroded Fourth Amendment protections as well as created major gaps in our privacy laws. The Supreme Court has made clear, however, that we don’t forfeit our constitutional privacy rights simply because so much of our personal information lies in the hands of companies. To prevent the government from buying its way around those rights, we need to rewrite privacy rules for the age of apps.