Big Brother Is Watching: How Private Sector Data Brokers are Selling Intimate Information on the Public to the Government
Everyone who has a smartphone has seen the notification pop up about allowing the apps you’re using to track your data. Likewise, websites may ask you to enable cookies to “enhance” your experience while using the website. These apps and websites are tracking your data, collecting that information, and selling it to a type of company called a “data broker.”[1] The amount of highly detailed and personal information data brokers are collecting is incredible and they can sell to just about whoever they’d like. The sale of this data to one of the most prominent customers, the United States government, raises concerning revelations about the state of law enforcement and our protections as citizens under the Fourth Amendment.
There is not one commonly accepted definition of what or who exactly counts as a data broker. [2]In 2016, the Open Society Foundation defined a data broker as a “company or business unit that earns its primary revenue by supplying data or inferences about people gathered mainly from sources other than the data subjects themselves.”[3] This definition is helpful because it includes not only companies whose sole purpose is to collect and sell data, but other companies who have other major departments as well, such as LexisNexis and Thomson Reuters.[4]
The scale which data brokers are able to collect, store, analyze, and compartmentalize is astonishing. Large data brokers are able to collect highly detailed information on millions, and in some cases billions, of people.[5] These companies collect this information, often by buying it from third parties (such as apps and websites) via a licensing, sharing agreement, or outright purchase.[6] They also “scrape” publicly available information from every corner of the internet in order to build a massive, highly detailed dataset.[7] Consumers often do not have much of a say in whether their data, containing sometimes intimate details about their lives, is collected and sold.[8]
These companies then turn around and sell that data set, or parts of that data set tailored into different sub-attributes, to customers who may have a use for that information.[9]These sub-attributes can list information that either show or predict a slew of different details about a person: their sex, location, political affiliation, religion, sexual orientation, parental status, purchase preferences, whether or not they have a major disease, and the list goes on.[10]Unique datasets can be assembled based on the customer as well. Some subsets might be “fun” such as “Bungee Jumpers.” [11] Others, not as light-hearted, such as “Very Low Buyers” or “Military PTSD.”[12] Whatever the data set, clients of all kinds buy this aggregated data for a variety of reasons. One of the most significant customers of this data is, of course, the United States government.
Federal law enforcement agencies such as the FBI, ICE, and the IRS have purchased data from data brokers for use in a variety of areas, such as criminal investigations and deportations. [13] Most of this data is bought without a warrant, public disclosure, or strong oversight into the data and its uses.[14] The government uses data brokers to gather intelligence abroad as well, but the extent to which intelligence agencies do so cannot be known because such contracts are mostly classified.[15] Records have shown that Customs and Border Patrol (“CBP”) has paid the company Venntel, a major data broker, hundreds of thousands of dollars to gain access to its database containing location information drawn from normal apps such as games, weather, and shopping apps.[16] The CBP also purchased $1.1 million for licenses to other kinds of software, aside from the Venntel location data.[17] While CBP has claimed that the information collected is made anonymous, it is very easy for anyone, especially an entity with as many resources as CBP, to connect anonymous data to individuals.[18] CBP uses that information to detect undocumented immigrants and others who might have unlawfully entered the United States.[19]
Branches of the military have also purchased location-focused datasets. U.S. Special Operations Command (“USSOCOM”), a branch which focuses on counterterrorism and counterinsurgency, purchased data from a company called Babel Street, which produces a product called “Locate X” and another product from the company X-mode.[20] USSOCOM has claimed that the information it purchases is used for special operations overseas.[21] However, there are some particularly odd features of the data that USSOCOM has purchased, especially from X-Mode. One of the apps that X-Mode collects data from is Muslim Pro, a prayer app which reminds its users of when to pray and points to direction of Mecca.[22] The app has been downloaded 98 million times over all platforms across the world, including in the United States.[23] Another app called Muslim Mingle, which had been downloaded over 100,000 times, also sent data to X-Mode.[24] These apps specifically sent pinpoint geolocation data and Wi-Fi network information to the company, which it then turned around and sold to USSOCOM.[25]
The obvious question must be begged: how is any of this legal? The answer is actually rather murky. In 2018, the Supreme Court dealt with the issue of the government obtaining cellphone location data from telecommunications companies in Carpenter v. United States. [26] In that case, the FBI used cellphone data to determine the location of Timothy Carpenter, who was eventually charged with robbery.[27] The data was obtained under the Stored Communications Act which allows the Government to compel the disclosure of some telecommunications data when it “offers specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.”[28] Carpenter moved to suppress evidence based on the data, claiming that it had been obtained without a warrant in violation of the Fourth Amendment.[29]
In the modern age, technology is constantly advancing and increasing the ability for law enforcement to intrude into the privacy of the average citizen. In light of this, the Supreme Court has stated that the degree of privacy that the government expected when the Fourth Amendment was adopted must be preserved.[30] However, there are a number of considerations poured into what is considered “private” for the purposes of the Fourth Amendment. One such consideration is the third-party doctrine. Under the third-party doctrine, a citizen does not have an expectation of privacy for information he or she voluntarily gives to a third-party.[31] This is true even where the information is given on the assumption that it will be used for limited purposes.[32] The Court in Carpenter, however, did not extend the third-party doctrine to cellphone location data given the wide scope of cellphone users and the extreme accuracy with which the Government could track anyone with a cellphone.[33] It then held that this search required a warrant, since typically warrantless searches by law enforcement to discover criminal wrongdoing are unreasonable, and the requirements of the Stored Communications Act fell short of the probable cause needed for a warrant.[34] Importantly, though, this decision is narrow and does not extend to other areas such as information collection concerning foreign affairs and national security.[35]
Though at first glance it seems that Carpenter gives us all the answers to the data brokers problem, it’s not clear that it does. When the government buys data, whether it be data on our location, affiliations, preferences, etc., it buys it from a third-party broker rather than obtaining the data from the source which would presumptively be protected by the Fourth Amendment under Carpenter.[36] Government lawyers have interpreted the purchase from data brokers as a work around to the warrant requirement and concluded that Carpenter does not apply.[37] In that view, the government is just another commercial purchaser.[38] The courts have yet to deal with the problem of whether this interpretation actually is a workaround to the Fourth Amendment.[39] Until then, it seems that the government will continue to collect this data to do as they please as long as they pay for it with taxpayer money. It is a frustrating state of affairs, but it may be what we are stuck with for the time being.
Footnotes