by Anthony W. Accurso

The lack of effective privacy legislation covering the U.S.—combined with the occasional, poorly worded limitations imposed by the courts—has led to the current situation where law enforcement and other government agencies have been purchasing data about U.S. residents on the open market that they would not otherwise be able to obtain without a court order.

The European Union enacted sweeping privacy legislation (General Data Protection Regulation or GDPR) within the last decade, taking a massive step in regulating the data companies track and retain about their customers. However, despite the U.S. being home to the world’s most influential tech companies (or because of this), the U.S. has no similar law. The advertising model of the internet has led to companies large and small collecting as much data about their customers as possible, ostensibly for the purpose of enhancing the user experience and better targeting advertising and increasing sales. If better advertising is insufficient, companies have turned to selling customer data to data brokers who “anonymize” it and resell it to other entities, including government agencies.

This data can include a host of information that people usually consider private, such as purchase history, credit files, address history, phone numbers, online usernames, social media posts, internet browsing history, online sexual habits, religious affiliation, and interests, hobbies, and physical location history (because cellphones act like GPS trackers).

Government agencies, and especially law enforcement agencies, have taken advantage of this situation by treating companies as troves of discoverable evidentiary information, with a preference for location data. Until 2018, these agencies were able to obtain such data from companies through court order by simply demonstrating to a court that the data would be useful to an ongoing investigation—a ridiculously low bar.

However, a change in this arrangement occurred following the Supreme Court’s decision in Carpenter v. United States, 138 S. Ct. 2206 (2018). The Carpenter Court held that the government must obtain a warrant—and meet its concomitantly higher standard of probable cause—to get a court order requiring a cell phone company to produce location data. Since location data is currently the most valuable data from a law enforcement perspective, these agencies were loath to return to a state where they could not get such data, so they concocted a seemingly legal way to obtain the same information in another way—by purchasing it from data brokers.

The argument goes something like this: the Fourth Amendment’s warrant requirement is not absolute. One exception is based on public availability, such that accessing publicly available information does not require a warrant. Police do not need a warrant to collect items that you would willingly sell them, and thus, for example, they do not need a warrant to conduct an undercover drug buy. The second exception is that no warrant is required when a person has no reasonable expectation of privacy, and thus, for example, police do not need a warrant to obtain an item stored at a public park.

Agencies generally were not purchasing this data prior to Carpenter, so “it’s likely that Carpenter’s prohibition motivated agencies to purchase the location data they could no longer obtain for free,” wrote Matthew Toksen, a law professor at the University of Utah, for Lawfare Media.

Additionally, though the data is not explicitly linked to a person’s name when it is sold by a data broker, since Carpenter, the market has evolved to the point where some data brokers “market and sell exclusively to law enforcement and often participate in the surveillance process by helping to deanonymize cell phones or track individual users.”

Sometimes, this data can be used to solve crimes, such as when Immigrations and Customs Enforcement (“ICE”) shut down a drug smuggling operation by observing cellphone location pings crossing a closed portion of the border, discovering a tunnel from Mexico to a shuttered KFC franchise in Arizona. However, because of the ethically dubious way ICE obtained the location data, they arranged for local police to conduct a “random” traffic stop for a vehicle belonging to the KFC’s owner when it was leaving the restaurant (a process or subterfuge known as “parallel construction”). After finding drugs in his vehicle, they searched the KFC and found the tunnel they already knew to exist.

“This process, though successful, raises some obvious concerns about pervasive surveillance, deception, and the avoidance of public scrutiny,” wrote Toksen. “And, as with any surveillance technique, the innocent as well as the guilty have their lives scrutinized by police.”

Toksen argues that the legal justification for claimed exceptions to the Fourth Amendment are not valid.

First, though the data is commercially available to law enforcement, that does not mean it is “publicly available.” A private citizen could not purchase this information from a data broker. Such companies simply do not sell access to non-governmental parties.

The data brokers often go to great lengths to make sure regular people aren’t even aware that such products exist. Even when government agencies purchase access to the data, they are often required to agree not to disclose their existence to the public—shockingly, even including courts. Some agreements mandate police drop a criminal prosecution if they could be required by a court to disclose details of these services.

The circumstances are relevant when considering the Supreme Court’s decision in Kyllo v. United States, 533 U.S. 27 (2001). In Kyllo, police used a thermal imager to “see inside” a suspect’s home for the purpose of discovering an indoor marijuana farming operation. The Kyllo Court considered this a warrantless search in violation of the Fourth Amendment despite thermal imagers being commercially available to the public, because such technology was not “widely used.” Therefore, homeowners have the reasonable expectation that neither their neighbors, nor the police, would use such technology to compromise the privacy of their home.

This counter argument was successful in Cooper v. Hutcheson, Case No. 1:17-cv-00073-JAR (E.D. Mo. Dec. 3, 2020), in which a plaintiff sued a Missouri sheriff who purchased location information from Securus, a data broker.

The second exception, alleging that users have no reasonable expectation of privacy, is more blatantly cynical than the first because “the data at issue is often collected via cell phone apps that ask users permission for data collection.”

“[W]hile consumers may give apps contractual permission to collect their data,” writes Toksen, “they don’t waive their Fourth Amendment rights in their data or consent to police monitoring of their every move.” Further, he notes, “courts have indicated, Fourth Amendment law does not turn on contractual agreements.”

Courts have found that, even when permission to collect data is articulated, that “information is buried deep within a separate privacy policy document that most users don’t read and likely can’t fully understand.” Nor do privacy policies or consent screens often “mention that the app will sell the users’ location data to third-party vendors, advertisers, and marketing analysts; does not mention how long their data will be stored; and does not mention how it’s data may be combined with data from other apps and websites using a variety of tracking technologies.”

“For these reasons,” Toksen argues, “consumers do not consent in any legally relevant way to police tracking of their personalized data when they give apps permission to collect their data.”

Toksen seems optimistic that lower courts, when properly prompted by complaints such as the one in Cooper, will apply “anti-evasion principles,” possibly curtailing some abuses in lieu of comprehensive privacy legislation. He writes more extensively on this issue in a forthcoming article in the Wake Forest Law Review.  

Source: lawfaremedia.org; Tokson, Matthew J., Government Purchases of Private Data (September 17, 2023). Wake Forest Law Review, Forthcoming, University of Utah College of Law Research Paper No. 573, Available at SSRN: https://ssrn.com/abstract=4574166

Subscribe today

Already a subscriber? Login