When the Government Buys Sensitive Personal Data

Data Storage Racks at Pi Data Centers, August 2021. (PiDatacenters, https://tinyurl.com/46ud66xh; CC BY-SA 4.0 DEED, https://creativecommons.org/licenses/by-sa/4.0/deed.en)

Law enforcement has been buying sensitive personal data for use in investigations, but these purchases likely violate the Fourth Amendment.

The United States lacks a comprehensive data privacy statute, and most states impose only minimal legal constraints on consumer data collection. This regulatory vacuum has given rise to commercial markets in sensitive private data. In recent years, federal agencies and local police departments have begun to purchase this data from specialized brokers to track individuals’ activities over time. Buyers include the Department of Homeland Security, the Internal Revenue Service’s Criminal Investigations Division, the Defense Intelligence Agency, and police departments across the country. If a law enforcement agency were directly collecting such data from cell phone apps or internet service providers, it would generally be required to get a warrant to comply with the Fourth Amendment. But government attorneys have mostly concluded that purchasing data is a valid way of bypassing the Constitution’s restrictions. 

I examine this issue in an article forthcoming in the Wake Forest Law Review. The standard argument in favor of unfettered government purchases of private data is that such data is commercially available, and so anyone should be able to purchase it, including government officers. Some government attorneys have also contended that customers give permission to their cell phone apps to collect their information, and so they may have no reasonable expectation of privacy, and therefore no Fourth Amendment right, in the first place.

But both of these premises are questionable. First, while government officials can generally purchase items available to the public without constitutional restriction, sensitive private data about cell phone users isn’t actually available to the public. In the absence of public availability, there’s nothing special about a commercial transaction that allows the government to strip otherwise protected data of its constitutional protections. Second, while cell phone users often permit their cell phone apps to collect data, that permission doesn’t dictate the scope of Fourth Amendment consent. Plus, the explanations customers often see when an app asks for permission to access their data are often incomplete or misleading, and users typically have little meaningful control over the disclosure of their data. Because sensitive digital data is often constitutionally protected, and because purchasing the data from a private broker doesn’t strip it of its constitutional protections, government agents will generally have to obtain a warrant before buying it.

Government Officers Buying Sensitive Data

In the United States, private companies regularly collect and sell intimate consumer data, albeit typically in large, anonymized blocks. In recent years, especially after the Supreme Court prohibited the warrantless collection of cell phone location data in 2018’s Carpenter v. United States, government agencies have increasingly purchased location and other data for surveillance purposes.  Given the timing, it’s likely that Carpenter’s prohibition motivated agencies to purchase the location data they could no longer obtain for free. This data can be quite useful in criminal investigations.

For example, in 2018, U.S. Immigrations and Customs Enforcement (ICE) began purchasing access to cell phone users’ digital location data through a data brokerage company called Venntel. The data had been collected from popular cell phone apps, including weather, shopping, and video game apps. ICE used Venntel’s service to track the movements of cell phone users in areas near the United States’ southern border. At one point, ICE discovered that cell phones were moving back and forth across a closed portion of the border in a straight line. They eventually determined that the phones were traveling through what was likely an underground smuggling tunnel that ran from a private home in Mexico to a closed Kentucky Fried Chicken (KFC) restaurant in San Luis, Arizona. ICE passed this information to the local police department, which made an apparently pretextual traffic stop of Ivan Lopez, the KFC’s owner, finding large quantities of drugs. ICE officers then obtained a search warrant for the KFC and found the tunnel they already knew was there. The San Luis police kept any mention of the cell phone tracking out of their records and initially attributed their traffic stop of Lopez to an “equipment violation.” This is not abnormal. Government agents often obscure their purchases of constitutionally protected information by recreating the purchased information though more traditional and lawful means, like traffic stops.

This process, though successful, raises some obvious concerns about pervasive surveillance, deception, and the avoidance of public scrutiny. And, as with almost any surveillance technique, the innocent as well as the guilty have their lives scrutinized by the police. For example, Missouri state police built an extensive profile of the movements and activities of a murder victim’s babysitter using purchased data, only to find out later through witness testimony that the victim’s wife was responsible.

Did the government lawfully purchase sensitive location data in these cases, just as anyone might purchase something in a store? It’s unlikely, in part because the data at issue is not actually publicly available for sale. To be sure, in the United States, location and other data is often collected and sold in large, anonymized blocks for marketing purposes. But this data is most often sold between commercial entities in one-to-one transactions, and in any event the raw databases at issue are impractical for individualized tracking. You and I can’t purchase data on our fellow citizens from these vendors, and the data wouldn’t be useful to most of us even if we could. Further, law enforcement tracking typically takes a different form than commercial data transactions. Government agencies purchase a license to access software that then allows them to track a certain cell phone or internet user by typing information into a search box or selecting a geographic area. The companies selling these services market and sell exclusively to law enforcement and often participate in the surveillance process by helping to deanonymize cell phones or track individual users. There’s no store where members of the public and cops can go to buy personal data about individuals. The reality is something far different and much more familiar—specialized vendors selling advanced surveillance tools to government agencies.

In fact, companies such as Venntel and Babel Street, which have sold data to several federal agencies, go to great lengths to avoid disclosing information about their services or their clients. Many such companies keep their location tracking services confidential via a series of nondisclosure clauses and other restrictions. For example, some companies contractually prohibit government entities from mentioning the company’s service at all in a legal proceeding. In other words, the government can use the data to generate leads or informally tip off local investigators, but they can’t use it in court. This helps these companies to avoid public scrutiny and, perhaps more importantly, denies courts any opportunity to review the legality of the surveillance. Rather than making their services publicly available, as some government attorneys appear to assume, these tracking companies hide from any public exposure or notice.

The nonpublic nature of this surveillance places it far outside the scope of the Fourth Amendment case law indicating that police officers can usually engage in lawful conduct that members of the public might undertake. Indeed, Supreme Court case law generally requires a surveillance practice to not only be available to the public but also be widely used, before its public nature is found to eliminate all Fourth Amendment protections. In Kyllo v. United States, the Supreme Court held that the police needed a warrant before using infrared heat cameras to surveil a suspect’s house, even though these cameras were readily available to the public for purchase or rental. This was true so long as they were not in “general public use,” which means that their use by the public was not “routine” and common. A similar analysis should apply to, for example, individualized cell phone location data purchased by the police. This data is not routinely accessed by the public; indeed, it is essentially accessed only by law enforcement officials and the vendors that work closely with them. It accordingly does not lose its Fourth Amendment protection, even if the government pays a contractor for it.

Courts also frequently apply “anti-evasion” principles to prevent parties from circumventing constitutional rules via workarounds or hypertechnical interpretations of constitutional provisions. Courts often rely on anti-evasion principles when the government uses regulations rather than direct condemnation to perform a taking, or discriminates against out-of-state commerce via a facially neutral statute, or employs putatively private actors to perform a public function. The same principles apply to purchases of cell phone location data, and potentially to other forms of protected data. Certainly, the government can’t sneak its way around Carpenter v. United States by purchasing sensitive data that it couldn’t constitutionally collect itself. The need to apply anti-circumvention principles to government purchases of location data is especially glaring, given that many government agencies, including the Department of Homeland Security and the Defense Intelligence Agency, began purchasing location data in the summer of 2018, almost immediately following the Carpenter decision. 

Courts are just beginning to address the complex question of government purchases of private data, but the first case touching on the issue suggests that the Fourth Amendment prohibits these purchases. In Cooper v. Hutcheson, a federal district court held that a plaintiff successfully stated a claim against a Missouri sheriff for his purchase of a cell phone location tracking service from Securus, a private company. The court noted that Securus’s customers were exclusively law enforcement personnel and that it sold a product designed to track individuals in criminal investigations. Because Securus was a willful participant in joint surveillance activity with the government, it could be considered a state actor for Fourth Amendment purposes. The sheriff’s use of the service accordingly violated the plaintiff’s Fourth Amendment rights under Carpenter, at least according to the facts alleged by the plaintiff at the pleading stage. In other words, the sheriff’s use of a vendor didn’t allow him to circumvent the Fourth Amendment. When vendors cater to law enforcement customers and provide them with services designed for tracking individuals, government purchases of location data are likely to require a search warrant.

Protections for Cell Phone App Data

Government attorneys defending the constitutionality of government purchases of private information have noted that the data at issue is often collected via cell phone apps that ask users’ permission for data collection. Accordingly, the argument goes, these cell phone app users have no reasonable expectation of privacy in their data.

This is a potentially powerful argument—it would largely eliminate data privacy for cell phone users. But, while consumers may give apps contractual permission to collect their data, they don’t waive their Fourth Amendment rights in their data or consent to police monitoring of their every move. Rather, as the Supreme Court and other courts have indicated, Fourth Amendment law does not turn on contractual agreements

Another problem with the idea that app permissions are sufficient to waive constitutional rights is that app permission screens are typically incomplete or misleading. A typical permission screen might provide a single, generic sentence about how the app will use one’s data. For example,  the Weather Channel app displays this message to its users: “You’ll get personalized local weather data, alerts, and forecasts.” This screen does not mention that the app will sell the user’s  location data to third-party vendors, advertisers, and marketing analysts; does not mention how long their data will be stored; and does not mention how its data may be combined with data from other apps and websites using a variety of tracking technologies. That information is buried deep within a separate privacy policy document that most users don’t read and likely can’t fully understand. And some uses of information, such as the Weather Channel app’s use of location data to analyze foot traffic for commercial purposes, may not be disclosed at all.

There are other problems as well. Customers can’t be reasonably expected to read or comprehend the detailed privacy policies of every app or service they encounter. Very few consumers even attempt to do so, in practice. Many privacy policies are so vague or so confusingly or poorly written, that no reader could understand all of their terms. And even the rare, sophisticated user who understands all the ramifications of granting app permissions is not consenting to police tracking. A user who permits anonymized, automated data processing does not also agree to being de-anonymized and tracked by government agents; the two things are qualitatively different. For these reasons and more, consumers do not consent in any legally relevant way to police tracking of their personalized data when they give apps permission to collect their data.

In the absence of consent to search, sensitive consumer cell phone data is likely protected by the Fourth Amendment. Much like the cell phone location information in Carpenter, this data is often collected automatically, without any affirmative act by the user. Consumers also have little choice in the modern world but to own a cell phone and use apps, which often don’t function without access to user data. Moreover, the data collected is often deeply revealing about the lives and activities of those involved, and apps regularly collect data in large volumes. For all of these reasons, the Fourth Amendment is likely to apply to many forms of digital cell phone data. 

Potential Solutions 

Judges should rule that the Fourth Amendment prohibits government purchases of otherwise protected data. But given the efforts of specialized data brokers to obscure their activities from legal and public scrutiny, many of these purchases may never be revealed in court cases. As a result, transparency litigation under the Freedom of Information Act or its state-law equivalents may be necessary to bring these practices to light. Or courts might hold that the Fourth Amendment or due process requires notice to defendants of all the searches that led to the introduction of evidence against them, not just the most recent search. 

Still, given the difficulty of effective judicial oversight in this area, legislative or regulatory solutions might be necessary. There are a wide variety of potential laws or regulations that might address government purchases of private data, from comprehensive restrictions on data collection and storage to targeted laws that specifically prohibit government agencies from purchasing data. Laws that require express consumer consent for each use of collected user data, similar to those already in place in the EU, would also likely eliminate downstream data sales to any entity, especially a law enforcement agency. Whatever path they choose, the time has come for lawmakers to recognize the unique threat to privacy posed by government entities buying citizens’ personal data.

– Matthew Tokson is a Professor of Law at the University of Utah S.J. Quinney College of Law, writing on the Fourth Amendment and other topics in criminal law and procedure; Published courtesy of Lawfare.

No Comments Yet

Leave a Reply

Your email address will not be published.

©2024. Homeland Security Review. Use Our Intel. All Rights Reserved. Washington, D.C.