Instead of using search warrants to get information about people’s activities, some federal agents may just go shopping.
Taking advantage of what started as a marketing tool, federal law enforcement, intelligence and military agencies apparently are buying American and foreign citizens’ cell phone data from brokers. This allows them to get private location information, for example, without having to go through the hassle of asking judges to grant search warrants, according to published reports, records and advocates.
The data is gathered from apps as wide ranging as a popular Muslim prayer and Quran app to a Craigslist app and another used for following storms, according to a report in Vice.
Public records and news reports show that agencies, including the Drug Enforcement Administration, the FBI, the Internal Revenue Service, the Secret Service, Customs and Border Patrol and the military have contracts with companies that collect data from apps on smart phones and sell the information.
This information typically is sold to marketers for use in advertising. But government law enforcement agencies can also buy subscriptions that allow them to search through data on millions of cell phones.
Adam Schwartz, senior staff attorney with the Electronic Frontier Foundation, said the government isn’t buying data in bulk. The subscription services allow agents to make a query, such as seeking the phone numbers in a specific location or finding the location of a particular phone number.
In one instance, agents were looking for the presence of people where they wouldn’t be expected. In that example, immigration agents used the data to uncover a tunnel going under the U.S. border.
Data use is a secret
Little is known about how the government agencies use the data, although civil liberties advocates fear it is being used to circumvent the Fourth Amendment’s warrant requirement.
In an effort to learn more, the American Civil Liberties Union recently sued the Department of Homeland Security after the government failed to respond to the organization’s request for information under the Freedom of Information Act.
The lawsuit, which also names the Border Patrol and ICE, says the purchases of location information for millions of people “raise serious concerns that they are evading Fourth Amendment protections for cell phone information by paying for access instead of obtaining a warrant.”
Congress, inspector general investigating
The issue has also caught the attention of Congress and government watchdogs. The inspector general for the Department of Homeland Security has started an investigation into the Border Patrol’s warrantless tracking of phones in the U.S., following a letter from U.S. senators: Ron Wyden, D-OR; Elizabeth Warren, D-MA; Edward J. Markey, D-MA; and Brian Schatz, D-HI.
The senators say the IRS Inspector General launched an investigation into the IRS’ purchase of data from vendor Venntel. The data is provided through a commercial location tracking service.
Schwartz said public reporting has identified additional vendors selling data to government agencies: Anomaly Six, Locate XD and X-Mode.
The ACLU lawsuit also identified a company called Babel Street.
Lawyers: Government uses information to spy on us
“When the government spies on our location, it’s also spying on what we are doing, who we are with and ultimately who we are,” Schwartz said. “And history has shown when government has this power, it’s not just an invasion of privacy, but it also discourages people from going to protests and it is used in a racially discriminatory manner.
“We’ve already seen high tech spying on the Black Lives Matter movement, for example,” he added. “One of the most important ways to limit this excessive power is to say to police, ‘You can’t just do this whenever you want; you have to get a warrant.’”
A warrant, he said, requires an independent review from a judge, who considers whether a crime has been committed, whether the data being sought will help solve that crime and whether the information being requested is specific to the crime and not just a general fishing expedition targeting the general public.
Similarity to geofence warrants, but without the warrants
The data in question is similar to data obtained in another controversial way, which is through the use of geofence warrants. These warrants are signed by judges, giving law enforcement the ability to seek customer cell phone location data from Google.
ACLU attorney Nate Wessler said the type of data purchased is “fundamentally the same” as the data involved in geofence warrants. “It’s highly significant that Google is insisting on search warrants,” Wessler said. “We have questions about whether those search warrants are adequate … but at least a judge is in the mix there.”
The data purchases, on the other hand, are “a total free-for-all,” Wessler said. It’s “the exact situation the Fourth Amendment was intended to avoid when talking about people’s highly sensitive records.”
One of the companies cited, X-Mode, has a blog post on its site describing the data it sells as geofencing. Powered by such data, the blog post says, “marketers and other digital professionals are now able to enrich their offerings with a layer of real world insights. Gone are the days of spray-and-pray advertising: highly accurate SDK-sourced location data now enables marketers to target their audience with an unprecedented degree of precision.”
The post gives examples of data that can be gleaned from a particular geographic area, including “a broader understanding of users’ location data, including how long electronic devices were there and “where else the devices traveled, before and after entering the virtual boundary.”
SDK’s “suck up data” from apps
Schwartz said SDK, which stands for software development kit, appears to be the key to how this works. As Schwartz explained it, app builders use standardized parts to build apps. These parts come in the form of SDKs.
Some SDKs automatically move data from apps to third parties. Developers offer SDKs to app developers or data brokers pay to insert their SDKs into apps. And then they can harvest data from apps.
The Wall Street Journal recently reported that Apple and Google will start blocking one data broker, X-Mode Social Inc., from collecting data by telling app developers to remove the broker’s social tracking SDK from their apps.
Wyden spokesman Keith Chu confirmed to the Legal Examiner that the Wall Street Journal report is accurate.
Report details government memo
The only information so far made public about the government’s position regarding the data purchases was detailed in an article in Buzzfeed, which described the contents of an internal memo from Chad Mizelle, the top attorney for the Department of Homeland Security.
According to Buzzfeed, the memo “outlined how ICE officials can look up locations and track cellphone data activity to make decisions on enforcement.”
Buzzfeed, which didn’t publish the actual memo, added:
The agency is aware of potential legal vulnerabilities under the Fourth Amendment. Mizelle states in his memo that there are ways for CBP and ICE to “minimize the risk” of possible constitutional violations, pointing out that they could limit their searches to defined periods, require supervisors to sign off on lengthy searches, only use the data when more “traditional” techniques fail, and limit the tracking of one device to when there is “individualized suspicion” or relevance to a “law enforcement investigation.”
Buzzfeed says the letter also states that warrants aren’t required because the information being used is available on the open market.
Consumers can opt out, but it’s complicated
There are steps smartphone users can take to minimize the chances their data will be sold to the government or anyone else.
California enacted a law in 2018 known as the California Consumer Privacy Act that requires companies doing business in the state to allow people to opt out of the sale of their data or to delete their data.
Schwartz said these options are a “small, good thing.” But he suggested the idea is impractical. “How many people are going to go to a website and say, ‘Do not sell or delete my data?’ Almost no one.”
Companies, he said, shouldn’t be collecting the data in the first place unless the data is needed to provide the smartphone user what a particular app is supposed to provide and unless the consumer gives consent, or opts in.
Schwartz said EFF is lobbying for stronger consumer data privacy laws like they have in Europe that require consent and minimization of the data that’s collected “so we can dry this up at the source.”
In the meantime, he suggested people raise their awareness about data being collected by smartphone apps. “It’s very scary,” he said. “People have to be careful when they download apps and think of what is actually being collected from them.”
Contact Elaine Silvestrini at Elaine@legalexaminer.com. Follow her on Twitter at @WriterElaineS.