This report was also authored by Carey Shenkman, an independent consultant and Human Rights Attorney.
Introduction
Typically, government agencies seeking access to the personal electronic data of Americans must comply with a legal process to obtain that data. That process can be mandated by the Constitution (the Fourth Amendment’s warrant and probable cause requirement) or by statute (such as the federal Electronic Communications Privacy Act, or various state laws). This report examines the concerning and rising practice of federal agencies sidestepping these legal requirements by obtaining data on Americans through commercial purchases from data brokers.
Our research for this report involved interviewing experts on this issue and reviewing approximately 150 publicly available documents covering awards, solicitations, requests for proposals, and related information on contracts. We found significant evidence of agencies exploiting loopholes in existing law by purchasing data from private data brokers. The practice has prompted scrutiny from government watchdogs as well as members of Congress (Tau, 2021a; Wyden, 2021).
The problem is a byproduct of the lucrative private market for personal data, where many companies that offer online services collect, analyze, and sell data about individuals using those services. This data is aggregated by companies called ‘data brokers’ that typically lack any direct relationship with the individuals whose data they collect and sell, but may accumulate personal data from multiple sources with varying degrees of granularity, ranging from anonymized trends to the specific locations of individuals at specific times. Advertisers, retailers, and other companies may then seek access to data for varied commercial purposes.
As our research demonstrates, law enforcement and intelligence agencies are among the customers of some data brokers, spending millions of dollars to gain access to private sector databases which often contain very sensitive and very personal information on individuals.
One recent example of this pattern is the Department of Justice’s use of commercially aggregated data in prosecutions surrounding the Capitol Breach of 2021. The Justice Department indicated in a federal court filing that it had utilized “[l]ocation history data for thousands of devices present inside the Capitol (obtained from a variety of sources including Google and multiple data aggregation companies),”(Grand Jury Action No. 21-20 (BAH), 2021). In another filing, the Justice Department indicated that data was obtained from “searches of ten data aggregation companies,” (United States v. Perretta, 2021). The filings did not indicate who those aggregation companies were.
There is no clear limit on the potential availability of commercially acquired data that would typically require legal process to obtain. In the words of one presenter to law enforcement at a location-analytics conference, “cell phone data, social media feeds, license-plate reader and automatic-vehicle locator systems are readily available to investigators” (Delaney & Beck, 2014). Law enforcement and intelligence agencies could obtain these types of personal data from different sources, including publicly available information (e.g., public posts on the web), access to company records through legal process (e.g., a court order directing an internet service provider to turn over information), or data brokers. Of these various sources, we have very little insight into agencies’ engagement with data brokers.
This report seeks to shed light on the nature and scale of the data broker to federal law enforcement and intelligence pipeline, and how law enforcement and intelligence agencies are relying on such purchases in situations where they should be required to obtain a warrant or other formal legal process to compel disclosure of the data. The report concludes with a series of recommendations to address these findings. Most critically, Congress should act to close the loophole that is permitting government agencies to evade requirements that they obtain a warrant or other legal process by instead purchasing sensitive information from data brokers.
Key Findings
- Multiple forms of sensitive data, including location, communications, biometric, and license plate reader data, are sold by data brokers to law enforcement and intelligence agencies, and the practice is increasing, with multiple agencies spending upwards of tens of millions of dollars on multi-year contracts.
- Government agencies seeking to purchase data frequently use terms like ‘open source’ and ‘publicly available’ in their purchase orders and contracts, suggesting that they are only seeking information such as public social media posts that people knowingly make available to the public. However, government purchase orders and contracts frequently use these terms to include information collected specifically for a given agency that is not actually available to the public or any other consumer. The broad and misleading usage of these terms undermines governmental claims that agencies are permitted to collect such information on the basis that it is generally out there in the public and individuals therefore lack an expectation of privacy in such sensitive data.
- Law enforcement and intelligence agencies often categorize procurement contracts through opaque or technical designations that obscure the nature of the data being purchased, the uses to which they will be put, and the privacy consequences.
- The Electronic Communications Privacy Act effectively contains a loophole allowing law enforcement to acquire communications data commercially from data brokers and evade otherwise applicable requirements that they must use legal process to obtain data directly from service providers. The Fourth Amendment Is Not for Sale Act would address this critical shortcoming and close this loophole, which was implemented three decades before data broker practices became widespread. Congress should act now to pass this legislation.
- In the 2018 landmark case Carpenter v. United States, the Supreme Court held that the government must obtain a warrant in order to collect cell site location information (CSLI) for seven days or more, recognizing that people have a “reasonable expectation of privacy” in certain digital information. The broad language of the opinion suggests that the government must also obtain a warrant in order to access sensitive personal information in contexts beyond the facts of the case. Thus, when law enforcement and intelligence agencies purchase certain personal data about Americans from data brokers, they are evading Fourth Amendment safeguards as recognized by the Supreme Court. These agencies should comply with Fourth Amendment standards and cease purchasing sensitive data that reveal the “privacies of life” under the Supreme Court’s analysis in Carpenter.
- Privacy policies of data brokers are often broadly drafted and do not offer meaningful transparency or protection against direct or downstream sale of data to government agencies. Consumers are also typically unaware what brokers possess their data—and hence what policies even apply. Thus, in addition to regulations limiting the ability of law enforcement and intelligence agencies to purchase information from data brokers, federal law should regulate data broker collection and processing of information, and provide consumers with the ability to understand what information data brokers have collected about them and with a meaningful ability to have the information deleted, obscured, or corrected.
Browse the repository of publicly sourced documents cited in CDT’s report.