Skip navigation
Disciplinary Self-Help Litigation Manual - Header
× You have 2 more free articles available this month. Subscribe today.

Surveillance for Sale: The Data Broker Loophole and the Fourth Amendment After Chatrie

by Richard Resch

Jake Laperruque of the Center for Democracy and Technology offered a blunt analogy in a March 2026 NPR interview. Imagine the police want to search your home but lack a warrant. Instead of going to a judge, they hand your landlord a hundred dollars for a spare key and walk through the front door. Nobody would call that constitutional, Laperruque observed. And yet, he argued, this is functionally what federal agencies have been doing for years with Americans’ cellphone location data, i.e., paying commercial brokers for access to information they would otherwise need judicial authorization to obtain.

The numbers behind the analogy are staggering. Venntel, a data broker that has served as a primary supplier to federal agencies, has marketed a collection pool measured in hundreds of millions of devices and billions of daily location signals. In a separate 2022 procurement, the Federal Bureau of Investigation (“FBI”) entered into a contract for thousands of licenses for Babel Street’s social-media and open-source intelligence platform. Other federal buyers include U.S. Customs and Border Protection (“CBP”) and U.S. Immigration and Customs Enforcement (“ICE”), which purchased phone-location data from Venntel and Babel Street; the U.S. Secret Service, which contracted with Babel Street; and, according to official Federal Trade Commission (“FTC”) materials citing public reporting, the Drug Enforcement Administration (“DEA”) and Internal Revenue Service (“IRS”).

What did those purchases yield? In 2022, the ACLU published records obtained through a Freedom of Information Act (“FOIA”) lawsuit against the U.S. Department of Homeland Security (“DHS”) that included spreadsheets of raw location data purchased by CBP from Venntel, comprising hundreds of thousands of individual location points that the ACLU noted represented only a small fraction of the total volume available to the agency.

These figures describe a surveillance architecture that, at least at the purchase stage, operates outside advance judicial oversight. When the government uses legal process to compel a wireless carrier to disclose historical cell-site location information (“CSLI”), the Supreme Court held in Carpenter v. United States, 585 U.S. 296 (2018), that the government’s acquisition of historical CSLI is a Fourth Amendment search and that the government generally must obtain a warrant supported by probable cause before compelling such records, subject to recognized exceptions. The Court reasoned that CSLI can chronicle a person’s physical movements and reveal “the privacies of life,” and it declined to mechanically apply the third-party doctrine because CSLI is uniquely revealing and is not truly shared in the ordinary sense because cellphone location records are generated automatically, without meaningful affirmative action by the user, as an incident of carrying a device indispensable to modern life.

In Chatrie v. United States, 609 U.S. ___ (2026), the Supreme Court extended that reasoning, holding that police conducted a Fourth Amendment search when they acquired Google Location History data through a geofence warrant, as reported elsewhere in this issue. [See: CLN, Aug. 2026, p.31.] Importantly, Chatrie refused to deny Fourth Amendment protection merely because the data covered a limited time period or was stored by a third-party technology company. But neither Carpenter nor Chatrie decided the data-broker purchase question. Carpenter addressed compelled disclosure from wireless carriers; Chatrie addressed compelled production from Google under a geofence warrant. Courts still have not squarely decided whether government acquisition of brokered commercial location data is constitutionally equivalent to compelled acquisition of historical CSLI or Location History.

That unresolved issue is the data-broker loophole, and it has proved enormously useful to federal agencies. It converts the constitutional question of “Do we have probable cause for a warrant?” into the procurement question of “Do we have budget for the purchase order?” Without a warrant requirement, that purchase decision generally avoids the ex ante judicial review that the Fourth Amendment ordinarily requires before the government invades a reasonable expectation of privacy.

The consequences extend well beyond the agencies doing the buying. For the millions of Americans whose movements are captured in these datasets, the government’s access occurs without notice, without an opportunity to challenge it, and in many cases without the knowledge of defense attorneys, courts, or the public. Representative Warren Davidson, an Ohio Republican, told NPR in March 2026 that the practice amounts to collecting the kind of data “you would never get a warrant for, that kind of a broad dragnet sweep under normal warrant requirements.” Davidson’s concern reflects a bipartisan recognition that something has gone fundamentally wrong.

Whether Congress will close the data broker loophole remains uncertain, but the immediate reauthorization deadline has passed. Section 702 of the Foreign Intelligence Surveillance Act was scheduled to expire on April 20, 2026, and Congress kept it alive only through short-term extensions while lawmakers fought over warrant requirements and other reforms. Civil liberties groups urged Congress not to renew Section 702 unless it closed the loophole that permits agencies to buy Americans’ sensitive data from commercial brokers, and a bipartisan group introduced the Government Surveillance Reform Act to impose warrant requirements on that kind of acquisition. But those reforms did not make it into a bill Congress enacted.

Section 702 ultimately lapsed at midnight on June 12, 2026, after Congress failed to pass another extension. That lapse does not mean the surveillance has stopped. The Foreign Intelligence Surveillance Court approved annual Section 702 certifications on March 17, 2026, and those certifications are understood to remain in effect until about March 2027. The statute has not been reauthorized, but previously approved collection may continue under the statute’s grandfathering provision. The result is a familiar gap between the formal expiration of the statutory authority and the practical continuation of surveillance already authorized before the deadline.

What follows is an examination of how this system works, what it reveals, and what it means for the constitutional rights of every person who carries a phone, especially those already caught in the machinery of the criminal legal system. The data broker loophole is not a minor technicality. It is a structural failure in the legal architecture that is supposed to stand between the government and the private lives of the people it governs.

From Smith to Carpenter to Chatrie: The Constitutional Baseline

The data broker loophole is based on a doctrine that predates the smartphone by three decades. Understanding how the government justifies warrantless purchases of location data requires understanding where that justification comes from and where the Supreme Court has begun to pull it apart.

The third-party doctrine emerged from a pair of 1970s Supreme Court decisions. In United States v. Miller, 425 U.S. 435 (1976), the Court held that a bank depositor had no legitimate expectation of privacy in financial records maintained by his bank, because those records contained information “voluntarily conveyed” to the institution. In Smith v. Maryland, 442 U.S. 735 (1979), the Court extended the same reasoning to dialed telephone numbers, holding that a robbery suspect who dialed phone numbers through his carrier had assumed the risk that the company would reveal them to the government. The resulting principle was broad, viz., information voluntarily disclosed to a third party generally carried no reasonable expectation of privacy, and its acquisition by the government was not a “search” subject to the Fourth Amendment’s warrant requirement.

For decades, the Smith-Miller framework functioned as a broad shield for warrantless government access to records held by intermediaries. When information had been voluntarily exposed to a third party, the Fourth Amendment generally did not require the government to obtain a warrant before acquiring it.

That logic began to fracture in 2012. United States v. Jones, 565 U.S. 400 (2012), involved law enforcement agents who attached a GPS tracker to a vehicle Jones used and monitored its movements for 28 days. The majority held that the government’s physical trespass on the vehicle to obtain information, combined with its use of the device to monitor the vehicle’s movements, constituted a search for Fourth Amendment purposes, a narrow holding that sidestepped the broader privacy question. But two concurrences went further. Justice Sotomayor argued that the third-party doctrine was “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” People disclose phone numbers, financial records, location information, and other sensitive data to service providers not because they wish to make that information public, but because modern life often requires it. Justice Alito, writing with three other Justices, raised a related concern. Long-term location monitoring is qualitatively different from short-term observation because society has expected that law enforcement agents “would not – and indeed, in the main, simply could not – secretly monitor and catalogue every single movement of an individual’s car for a very long period.” Together, the concurrences signaled that a majority of the Court recognized the constitutional significance of comprehensive digital location tracking and the difference between isolated disclosures or observations and a sustained record of a person’s movements.

Six years later, the Court confronted that difference directly. Carpenter involved Timothy Carpenter, convicted of participating in a string of armed robberies. Prosecutors obtained 127 days of historical CSLI from Carpenter’s wireless carriers under the Stored Communications Act, 18 U.S.C. § 2703(d), which requires only “specific and articulable facts” showing “reasonable grounds to believe” the records are relevant and material to an ongoing criminal investigation, a standard significantly less demanding than probable cause. The CSLI placed Carpenter’s phone near four of the robbery locations at the relevant times.

Writing for a five-Justice majority, Chief Justice Roberts explained that the government’s acquisition of this data constituted a Fourth Amendment search. The Court held that the government generally must obtain a warrant supported by probable cause before compelling historical CSLI. The opinion declined to extend the third-party doctrine to CSLI. Roberts offered several reasons. Cellphone location data is “deeply revealing,” providing “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Its collection is “inescapable and automatic,” generated whether or not the phone’s owner takes any affirmative action “beyond powering up.” And because virtually everyone carries a phone, the resulting surveillance approaches what the Court called “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”

Carpenter is a landmark decision that established that at least some categories of digital records held by third parties retain Fourth Amendment protection and broke the third-party doctrine’s previously unqualified logic. But the decision’s limitations are as important as its holding, because those limitations are precisely what the data broker practice exploits.

The Court was explicit that Carpenter did not overrule Smith or Miller. Roberts described the decision as a “narrow one,” explaining that the Court was not “disturb[ing] the application of Smith and Miller” or “call[ing] into question conventional surveillance techniques and tools.” At the time, the holding applied to historical CSLI, and the opinion instructed courts to focus on the “unique nature of cellphone location records” rather than treating all third-party-held records alike. But that limitation no longer means the doctrine is confined to CSLI. In Chatrie, the Court extended Carpenter’s reasoning to Google Location History data obtained through a geofence warrant, explaining that Carpenter refused to apply the third-party doctrine to CSLI and that “no good reason exists to reach a different result for Location History.” Together, the decisions leave Smith and Miller formally intact while making clear that the third-party doctrine does not automatically strip Fourth Amendment protection from sensitive digital location records simply because they are held by a technology company.

This deliberate narrowness left a critical question unanswered. Carpenter addressed compelled disclosure in which the government used a court order to demand records from a wireless carrier. It said nothing about what happens when the government bypasses the carrier and purchases comparable, and in some respects potentially more precise, location data from a commercial broker. The Fourth Amendment does not regulate a data broker’s private collection or sale of location data as such, absent agency direction or other state-action facts. The unresolved question is whether the government’s acquisition of that data by purchase is a Fourth Amendment search when the purchased records are functionally equivalent to location information the government could not compel without a warrant.

As of this publication, no court appears to have squarely resolved whether the government violates the Fourth Amendment when it buys brokered commercial location data on the open market rather than compelling comparable data from a carrier or platform. However, courts have engaged related digital-location questions. The Fifth Circuit in United States v. Smith, 110 F.4th 817 (5th Cir. 2024), described geofence warrants as general warrants categorically prohibited by the Fourth Amendment, while affirming denial of suppression under the good-faith exception. The en banc Fourth Circuit in United States v. Chatrie, 136 F.4th 100 (4th Cir. 2025), affirmed denial of suppression in a one-sentence per curiam judgment after the court divided evenly on whether a Fourth Amendment search had occurred. The Supreme Court granted certiorari in Chatrie v. United States, No. 25-112, on January 16, 2026, heard argument on April 27, 2026, and on June 29, 2026, vacated and remanded after holding that police conducted a Fourth Amendment search when they acquired Google Location History data through the geofence warrant.

Writing for a five-Justice majority, Justice Kagan concluded that police officers conducted a Fourth Amendment search when they acquired Chatrie’s Google Location History data through a geofence warrant. The Court reasoned that Location History warrants at least as much constitutional protection as the cell-site records in Carpenter because it is more precise, records a phone’s location roughly every two minutes, can reveal elevation, enables effortless retrospective surveillance, and resembles private materials – such as emails, photographs, and calendars – that users reasonably view as their own even when stored on Google’s servers.

The Court also rejected two arguments central to the data-broker debate. First, it refused to recognize a duration threshold below which location surveillance escapes Fourth Amendment scrutiny, explaining that even a short window of location data can reveal private associations and activities. Second, it refused to apply the third-party doctrine merely because the data was held by Google, rejecting the view that users forfeit Fourth Amendment protection by enabling ordinary smartphone services without meaningful disclosure of how frequently and precisely their movements will be recorded or how that information may be provided to the government. The Court remanded for the Fourth Circuit to decide whether the warrant satisfied the Fourth Amendment’s probable-cause and particularity requirements at each step of the search process.

Justice Jackson, joined by Justice Sotomayor, concurred but would have gone further, concluding that at least the warrant’s second and third steps were constitutionally deficient because they left too much discretion to law enforcement without adequate magisterial oversight. Justice Gorsuch concurred in the judgment, agreeing that a search occurred but grounding that conclusion in a property-based understanding of the Fourth Amendment rather than the Katz reasonable-expectation-of-privacy framework. Justice Alito, joined in part by Justices Thomas and Barrett, dissented, arguing that the majority improperly extended Carpenter beyond its stated limits and issued what he characterized as an advisory opinion on a now-obsolete geofence procedure. Justice Barrett filed a separate dissent.

Chatrie is a significant digital-surveillance decision, but it does not resolve the data-broker question directly. The case concerned compelled production from Google under a geofence warrant, not the government’s purchase of equivalent or comparable location data from a commercial broker on the open market. No court appears to have squarely resolved that specific practice.

The doctrinal gap is not accidental. Carpenter’s reasoning points strongly toward the conclusion that commercially purchased location data should receive the same protection as carrier-held CSLI. Much of the data can be comparably revealing, comparably comprehensive, and obtained under consent conditions that are difficult to describe as meaningful. In many cases, broker data is more precise, derived from GPS coordinates rather than cell-tower proximity, and covers longer time periods. If 127 days of cell-tower records required a warrant, the logic of Carpenter suggests that years of GPS-derived location tracking should demand no less. Chatrie now strengthens that logic considerably. The Court has held that high-precision Location History data, part of the same broad category of mobile location information that data brokers collect and sell, is constitutionally protected even when the government seeks only a short window of data, and that users do not forfeit that protection merely because they enabled ordinary smartphone services without meaningful disclosure of how frequently and precisely their movements will be recorded or how that information may be provided to the government. If the government cannot compel two hours of Location History from Google without triggering Fourth Amendment scrutiny, the case for allowing it to purchase months or years of comparable commercial location data from a broker without a warrant or ex ante judicial authorization is more difficult to sustain than it was before Chatrie was decided.

The Brennan Center states the underlying point directly. Agencies are relying on the argument that Carpenter applies to compelled disclosure but not to purchases, and the Supreme Court has not yet clarified the purchase issue. Chatrie did not reach that question, but its reasoning narrows the doctrinal space in which the government’s distinction can survive.

But this doctrinal uncertainty has not stopped the government. Federal agencies have purchased bulk commercial location data while maintaining, or benefiting from, the argument that the practice falls outside Carpenter’s reach because the government is buying data rather than compelling its disclosure. The result is a constitutional gap in which protection can turn less on the sensitivity of the information than on the mechanism by which the government acquires it. Location data that would require a warrant if compelled from a wireless carrier may be obtainable without one when acquired as commercially available data from a broker or broker-linked platform.

That distinction is the crack in the constitutional foundation. Everything that follows – the pipeline, the purchases, the secrecy – flows through it.

How the Loophole Works: From App to Broker to Government

The constitutional arguments explored in the preceding section take on a different weight once you see the machinery. The data broker loophole is not an abstraction. It is an engineered, layered, and opaque supply chain that can convert the ordinary act of checking a weather forecast, searching for directions, or opening a coupon app into data available for government surveillance. Understanding how it works requires tracing the data from the moment it leaves your phone to the moment an agency analyst queries your movements.

The chain begins with apps. Weather apps, navigation tools, fitness trackers, coupon apps, dating apps, and games routinely request access to a phone’s location. Some need that access to function. Many do not. But once an app has permission to read GPS coordinates, that data can enter the commercial location-data market through two major channels identified by the Electronic Frontier Foundation (“EFF”) and by a DHS Privacy Threshold Analysis for CBP’s AdID Efficacy Pilot: software development kits and real-time bidding.

Data brokers pay app developers to embed Software Development Kits (“SDKs”), small pieces of code, into their applications. These kits can allow the broker to collect location data when the app has access to it, including in some cases background access when the app is not actively open. The app user sees nothing. The developer gets paid. And the data enters a commercial pipeline with no meaningful connection to whatever the app was supposed to be doing. As the EFF documented in a 2022 investigation, some brokers collect data through SDKs embedded in hundreds of apps simultaneously, creating vast pools of location records tied to individual devices.

The second channel is real-time bidding (“RTB”). When ad space is sold through RTB, an automated auction takes place in milliseconds. The bid request may include a device’s advertising ID, GPS coordinates, IP address, device details, and the app or website being used. That information is broadcast to many potential ad buyers and intermediaries, and participants can collect bidstream data even if they do not win the auction. A March 2026 EFF article, relying on a CBP document obtained by 404 Media, reported that CBP acknowledged that its commercially available marketing-location data was sourced in part from RTB. The implications are striking. Data brokers participating in RTB need no direct relationship with app developers. They can obtain location information through advertising infrastructure already connected to large parts of the app and web ecosystem.

Once collected, the location data enters a layered brokerage system. Direct collectors include companies like X-Mode (now Outlogic), which gather data through SDKs embedded in apps, and RTB exchanges yielding bidstream location data. Aggregators then compile data from multiple suppliers and package it into products. Gravy Analytics, one of the major aggregators, was alleged by the FTC to have obtained location data from other data suppliers, including suppliers that themselves obtained data from other suppliers, the mobile advertising marketplace, or mobile applications. Gravy Analytics and Venntel described a collection operation of enormous scale, drawing on billions of daily signals from devices worldwide. Gravy Analytics focused on commercial customers. Its wholly owned subsidiary, Venntel, sold location-data products and enhanced tools to public-sector customers, including government contractors.

Venntel has served as a major government-facing pipeline through which commercial location data reaches federal agencies. Its marketing materials, obtained by the ACLU through FOIA litigation, pitched government clients on a collection pool including more than 250 million mobile devices and generating upward of 15 billion location points every day. Venntel marketed the ability to “identify devices observed at places of interest” and construct surveillance profiles from the data, language describing a surveillance platform, not a commercial advertising service.

Another government-facing layer of this supply chain is Babel Street, a Virginia-based data analytics company with deep ties to government, military, and intelligence customers. Babel Street operationalized the data through a product called Locate X. As an October 2024 Krebs on Security investigation documented by reviewing screen recordings of the tool in use, Locate X allows a user to draw a digital fence around any location on a map, identify every mobile device that entered that area during a specified time period, and trace those devices backward and forward in time to map their movements over weeks or months. In functional terms, the tool’s capabilities are indistinguishable from what a court order for historical location tracking would produce, except that no court is involved.

Venntel has been identified in public reporting as a primary data source for Locate X. The relationship illustrates the supply chain’s layered architecture. Gravy Analytics collects and aggregates the data, Venntel packages it for government consumption, and Babel Street provides the query interface. Few entities in this chain disclose their upstream sources, and the layering has the practical effect of creating distance between the app on someone’s phone and the analyst examining their movements.

The identifier that ties all of this together is the Mobile Advertising ID (“MAID”), sometimes called an “AdID.” Every smartphone is assigned a unique alphanumeric identifier designed to let advertisers track users across apps without relying on names or phone numbers. The MAID was designed for commercial ad targeting, not law enforcement use. But it has become a linchpin of government access to commercial location data because location signals collected through these channels are commonly associated with a MAID rather than a name.

Government agencies and their vendor partners have argued that what they are purchasing is not personal information at all, merely anonymized data associated with a string of letters and numbers. The weakness of that argument will be explored in a later section. For now, it is enough to note what the data itself reveals. A MAID associated with a device that travels from a specific residential address to a specific workplace, drops a child at a specific school, and visits a specific house of worship on Sundays is not anonymous in any meaningful sense.

Publicly reported terms for Locate X have stated that the data “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action” and may not be cited in a court or investigation-related document. Whatever the contractual purpose of that language, its practical effect is to warn government users not to put the data at the center of the evidentiary record.

The scale of this system resists easy comprehension. When a single app on a single phone pings its GPS coordinates and shares them with an SDK, that data point may pass through three, four, or five commercial intermediaries before landing in a government query tool. The person whose phone generated the data point has no knowledge that it left the app, no knowledge that it was sold or aggregated, and no knowledge that it was queried by a federal agent. There is no notice, no practical way for that person to stop the downstream resale and government use of the data, and no point in the purchase chain where a judge is asked whether the government should have access.

This is the machinery. It runs continuously, it feeds on the ordinary rhythms of daily life, and it has been engineered so that no single participant bears responsibility for the final product. The app developer can say it only shared data with an advertising partner. The broker can say it only sold commercially available data. The agency can say it only purchased what was offered on the open market. Each link in the chain points to the next, but none points to a warrant.

The Brokers and the Buyers

The previous section traced the pipeline. This section puts names and dollar figures to the entities at each end, the companies that sell the data and the agencies that buy it.

On the supply side, Venntel has occupied a central position in the government location-data market. Its marketing materials, disclosed through the ACLU’s FOIA litigation against DHS, framed Venntel’s capabilities in operational surveillance terms; the specific marketing language is examined in the next section. The company’s pitch was not simply an advertising product adapted for government use; it was location intelligence marketed for government surveillance functions.

Babel Street provided another government-facing layer through Locate X. As a DHS internal document obtained by Motherboard revealed, Babel Street “re-hosts” location data sourced from Venntel, meaning that, for at least some government users, Locate X functioned as a query interface for data Venntel had assembled. Babel Street’s orientation toward the national security market is reflected in its leadership. FedScoop reported in April 2022 that the company was then led by Jeffrey Chapman, a former Treasury Department official who previously served as a White House aide and intelligence officer at the Department of Defense.

The documented buyer list is extensive, compiled from ACLU FOIA disclosures, public procurement records, agency oversight materials, and investigative reporting. CBP entered into contracts with Venntel in 2019 and 2020 totaling more than $2 million, and a renewal subscription with Babel Street in 2020 cost the agency nearly $3 million. The Secret Service entered into a 12-month Babel Street contract for more than $600,000 in 2019. The FBI purchased 5,000 licenses for Babel X through Virginia-based Panamerica Computers, with the award potentially worth up to $27 million. ICE and the IRS have both been documented as Venntel customers, and the DEA paid Venntel $25,000 in 2018 for a software license before quickly terminating the contract. The Department of Defense also entered the market. U.S. Special Operations Command bought access to Locate X for overseas mission requirements, and Motherboard later reported that the 132d Wing of the Iowa Air National Guard purchased a one-year Locate X subscription for just over $35,000.

One feature of this market deserves particular attention, namely the secrecy built into the product itself. Locate X’s terms of service warn government users not to introduce the data in legal proceedings, a restriction whose implications for criminal defendants are examined later.

The financial picture, while incomplete, tells its own story. The documented contracts total well into the tens of millions of dollars across multiple agencies. And these figures represent only what has surfaced through FOIA litigation, Inspector General reports, and investigative journalism. The full scope of federal spending on commercial location data remains unknown, in part because agencies have treated these purchases as routine procurement rather than as surveillance capabilities warranting public disclosure. 

What is clear is that federal agencies have built a substantial commercial relationship with the data-broker and Open Source Intelligence (“OSINT”) surveillance industry, one designed to provide access to intimate, comprehensive location data of the kind the Supreme Court in Carpenter recognized as deeply revealing of the privacies of life. The agencies are buying. The brokers are selling. And the purchase occurs without the advance judicial review that would ordinarily attend government-compelled acquisition of comparable location records.

What the Government Bought: The ACLU’s DHS Records

The evidentiary foundation for much of what is publicly known comes from the ACLU, which filed a FOIA lawsuit against DHS in December 2020 after learning that ICE and CBP had been buying bulk access to cellphone location information harvested from smartphone apps. The litigation has produced two major rounds of disclosures in July 2022 and January 2026, and the records tell a story of acquisition without restraint, compliance without enforcement, and institutional appetite that survives every promise of reform.

The 2022 disclosure was staggering in its specificity. Among the records CBP produced were seven spreadsheets containing a small subset of the raw location data the agency had purchased from Venntel. The spreadsheets contained approximately 336,000 individual location points. Roughly 113,654 of those points came from a single three-day window in one region of the Southwestern U.S., more than 26 data points logged per minute. And even this, the ACLU stated, was only a sliver of the data available to the agency, redacted in part but revealing enough to illustrate the scale of what CBP could access.

The marketing materials Venntel sent to DHS, also disclosed through the litigation, reinforced the operational framing described earlier, promising the ability to “identify repeat visitors, frequented locations, pinpoint known associates, and discover pattern of life.” Separate internal documents described the data as enabling “pattern of life analysis to identify persons of interest.” This is the vocabulary of intelligence tradecraft applied to data collected from ordinary smartphone apps used by millions of Americans who have no reason to suspect their movements are being catalogued for government consumption.

Throughout the disclosed records, government officials and vendors sought to minimize the privacy implications. The location information was characterized as mere “digital exhaust.” Venntel’s marketing materials assured prospective clients that the data was “100 percent opt-in” and collected with the “permission of the individual.” The data was described as containing no “personally identifying information” because it was tied to Mobile Advertising IDs rather than names. These characterizations were designed to create legal distance between the product being purchased and the constitutional protections that would attach to equivalent data obtained through compulsory process.

But not everyone inside DHS accepted the framing. The disclosed records revealed significant internal dissent. A senior director of privacy compliance flagged that the DHS Office of Science and Technology appeared to have purchased access to Venntel even though a required Privacy Threshold Analysis had never been approved. Several email threads showed confusion in the agency’s privacy office and potential oversight gaps. The situation grew serious enough that all projects involving Venntel data were temporarily halted by the acting privacy officer because of unanswered privacy and legal questions, constituting an acknowledgment, from within the department’s own compliance apparatus, that the agency had moved faster than its legal and policy framework could keep up with.

The agency kept moving anyway. DHS components continued pursuing and using commercial location-data tools despite the unresolved concerns. The internal objections did not stop the procurement. The machinery continued to run even as the department’s own compliance apparatus recognized that legal and policy reviews had not kept pace.

The DHS Inspector General confirmed this pattern in a September 2023 report, the most authoritative government assessment of how DHS components handled commercial telemetry data. The Inspector General found that CBP, ICE, and the Secret Service did not adhere to DHS privacy policies before procuring and using Commercial Telemetry Data (“CTD”). The report found that the components failed to ensure they had approved CTD Privacy Impact Assessments when required, assessments that, under DHS policy, must be completed before privacy-sensitive technology is developed or procured. The failures occurred because the components lacked sufficient internal controls, including shared accounts and ad hoc recordkeeping, and because the DHS Privacy Office did not follow or enforce its own policies and guidance.

The report’s details were damning beyond the headline finding. CBP had six contracts for access to two CTD databases during fiscal years 2019 and 2020, with audit logs showing more than 55,000 queries. ICE had nine contracts for access to two CTD databases during the same period, with logs from its fiscal year 2020 provider showing more than 16,000 queries. In at least one documented case, unrelated to any investigation, a CBP employee used CTD to track coworkers, an abuse that the Inspector General found was unlikely to have been discovered given the lack of oversight policies. The Inspector General recommended that CBP and ICE discontinue use of CTD until their Privacy Impact Assessments were completed and that DHS develop a department-wide policy governing the technology’s use. As of April 2023, DHS’s commercial data working group had not issued such a policy, and the Inspector General’s recommendation that DHS develop and implement a department-wide commercial telemetry data policy remains listed as open.

The institutional response followed a familiar trajectory. Under congressional and public pressure, DHS components announced in 2023 and 2024 that they were backing away from CTD. CBP claimed it had discontinued its CTD contract after fiscal year 2023. ICE told FedScoop in January 2024 that it had stopped using the technology.

The ACLU’s January 2026 FOIA update revealed a different reality, but the PenLink point came through recent reporting that the ACLU highlighted rather than through the FOIA documents alone. In the ACLU’s assessment, ICE was “getting back in the business” through a $2.3 million contract signed in the fall of 2025 with PenLink, a Lincoln, Nebraska-based digital intelligence company, for access to surveillance tools including Webloc, which allows users to search mobile-phone location data and track devices over time. PenLink acquired its surveillance capabilities in 2023 when it purchased Cobwebs, a cyber intelligence firm founded by former Israeli intelligence agents. PenLink’s Tangles tool, described as AI-powered open-source intelligence software, mines social media and the open, deep, and dark web. Webloc allows searching mobile-phone location data and tracking devices over time. EFF, in a separate January 2026 analysis, placed the PenLink contracts within a broader picture: ICE’s 2025 budget of $28.7 billion, nearly triple its 2024 allocation, was funding what EFF described as a surveillance shopping spree.

The January 2026 ACLU disclosure also included new documentary evidence of how DHS sought to justify the practice internally, including a heavily redacted ICE legal memo providing the agency’s most detailed attempt to distinguish purchased location data from the data at issue in Carpenter.

Taken together, the two rounds of FOIA disclosures, the Inspector General report, and subsequent reporting reveal a pattern that cannot fairly be described as self-correction. DHS’ own privacy officials flagged the practice as legally questionable. The Inspector General found privacy-policy violations and insufficient controls. Members of Congress demanded answers. DHS components represented that they were stepping back. Then reporting indicated that ICE had returned to the same capability through a different vendor, under a different contract, with the same result of having access to commercially available location data without a warrant.

Why “Anonymous” Does Not Mean Harmless

A recurring defense runs through nearly every government justification for purchasing commercial location data, and that is the claim that the data is not personal information. It is tied to Mobile Advertising IDs rather than names, Social Security numbers, or phone numbers. Because no one’s name appears in the dataset, the argument goes, no one’s privacy is implicated, and the constitutional concerns raised by Carpenter do not apply. The FTC has rejected that argument. The Brennan Center has dismantled it. And the data itself refutes it every time it is used.

When the FTC filed its complaint against Gravy Analytics and Venntel in December 2024, it stated bluntly that the location data these companies sold “identifies individual consumers and is not anonymized.” The complaint documented how Gravy Analytics used geofencing to identify consumers who visited specific churches and health-related events and then sold or provided lists and audience segments associating MAIDs with sensitive characteristics. Gravy Analytics described its location data as “deterministic,” language that, in context, touted observed location behavior from real devices rather than mere statistical modeling. The company also offered “psychographic analysis” designed to reveal consumers’ “values, interests, and lifestyles” based on where they went and when. This was not an incidental feature of the product. It was the product’s purpose.

The mechanics of re-identification illustrate why the anonymity claim fails. A Mobile Advertising ID does not carry a name, but it does not need one. A device that travels from the same residential address every morning to the same office building, drops a child at the same school, visits the same pharmacy, and attends the same house of worship follows a pattern traceable to one person even before a name is appended. A 2013 study found that four spatiotemporal points were enough to uniquely characterize 95 percent of individuals in a 1.5-million-person dataset, and subsequent GPS-mobility research found similarly high uniqueness from very few points, including as few as three in some datasets. A daily commute pattern is, in practical terms, as distinctive as a fingerprint.

The FTC complaint supplied a concrete and devastating example of what re-identification looks like in practice. It alleged that a Catholic priest was outed and forced to resign after location data collected from his mobile device was sold to a group that used it to track priests’ movements. Contemporary reporting described the episode as involving a religious publication’s use of commercially available app or location data correlated to the priest’s device, including visits to gay bars and private residences. Whether or not the priest’s name appeared in the original dataset, the pattern was enough to identify him and expose intimate facts about his life.

Beyond individual re-identification, an entire commercial enrichment industry exists to connect MAIDs to named individuals. As the Krebs on Security investigation documented, companies specialize in assembling lists of advertising identifiers “enriched” with personal information such as names, email addresses, home addresses, and demographic profiles. Government agencies purchasing MAID-linked location data can cross-reference it against their own records, public databases, or enrichment services to identify the device owner. Venntel’s own tooling underscores how little protection vendor-specific identifiers provide. The FTC complaint alleged that Venntel offered a tool converting its proprietary IDs into MAIDs and vice versa, a feature the complaint said “does not provide protections for consumers.”

It was against this backdrop that the ACLU’s January 2026 analysis described a heavily redacted, two-page ICE legal memo as the agency’s attempt to justify purchasing sensitive location information without a warrant. According to the ACLU, the memo claimed the purchased data was different from the cellphone location data at issue in Carpenter because it was tied to MAIDs, rather than phone numbers or names. In that account, ICE treated the advertising identifier as a constitutional distinction.

That distinction is difficult to align with Carpenter’s reasoning, which turned not on the label attached to the data but on what it revealed, i.e., its “deeply revealing nature,” its “depth, breadth, and comprehensive reach,” and the “inescapable and automatic nature of its collection.” Those concerns apply reasonably to GPS-derived location data purchased from brokers, even when the data is tagged with an advertising ID rather than a subscriber name or phone number. The ACLU made the identifier point directly in discussing the ICE memo, a conclusion consistent with the Brennan Center’s analysis of the broader loophole.

Commissioner Alvaro Bedoya, then serving on the FTC, made the constitutional connection explicit in a December 2024 statement accompanying the FTC’s action against Gravy Analytics and Venntel. Citing Carpenter, Bedoya observed that consumers whose location data was collected by Venntel had in no way voluntarily “assume[d] the risk” of disclosing their geolocation information in the manner contemplated by the third-party doctrine. He also wrote that Carpenter and the data at issue in the FTC matter involved “basically the same data” and that the respondents’ data was in some ways more invasive. That statement was not a judicial holding, but it reflected the view of a federal commissioner participating in the enforcement action that the constitutional logic of Carpenter reaches the kind of location data the government has been buying.

The anonymity argument, stripped of its technical veneer, amounts to the government claiming it did not invade anyone’s privacy because it tracked a number instead of a name. But the number goes everywhere the person goes. It sleeps where the person sleeps. It visits the doctor the person visits and the lawyer the person consults.

The Intimacy of Location Data

The previous section explained why the government’s anonymity defense is technically hollow because advertising IDs fail to protect identity in any meaningful sense. But the re-identification problem is only half the story. The deeper constitutional concern is not merely that the government can figure out who you are from location data. It is what the data reveals about you once it does.

A single location point tells the government very little. A person was at a particular latitude and longitude at a particular moment. But the commercial location products at issue are not limited to isolated points. They can contain repeated, timestamped signals tied to the same identifier, which is enough to trace a device over time and compose a portrait of a life.

The FTC’s December 2024 complaint against Gravy Analytics and Venntel alleged that the companies claimed to collect, process, and curate more than 17 billion signals from approximately a billion mobile devices daily; offered customers regular batch deliveries, API access, and historical data; and provided tools that could geofence locations or continuously track a single device. The complaint identified sensitive-location risks involving places of religious worship, locations that may reveal LGBTQ+ identification, domestic abuse shelters, medical facilities, political activity, and welfare and homeless shelters and alleged that Gravy Analytics used geofencing to create lists of MAIDs visiting specific churches and health-related events while Venntel sold public-sector tools for government uses. The resulting FTC order defined sensitive locations to include medical facilities such as family planning centers and mental health and substance abuse facilities, religious organizations, social-service shelters, and military installations. These were not hypothetical concerns; they were the categories the FTC alleged and then addressed in its order.

The locations on that list are not constitutionally interchangeable with a trip to the grocery store. A visit to a mosque, church, or synagogue may reflect the exercise of First Amendment rights. A visit to a defense attorney’s office during an active criminal case may implicate the Sixth Amendment right to counsel and attorney-client confidentiality concerns. A visit to a reproductive health clinic, a substance abuse treatment facility, or a domestic violence shelter reflects decisions that are among the most intimate a person can make. When Chief Justice Roberts wrote in Carpenter that location data reveals a person’s “familial, political, professional, religious, and sexual associations,” what he was alluding to is that the places people go disclose the beliefs they hold, the conditions they suffer from, the relationships they seek to protect, and the help they need.

The data broker industry has not merely stumbled into this sensitivity. It has monetized it. In a separate enforcement action, the FTC’s complaint against InMarket Media alleged that the company used consumers’ location histories, cross-referenced with advertising-related points of interest, to sort consumers into “audience segments” for targeted advertising, categories including “Christian church goers,” “wealthy and not healthy,” and “parents of preschoolers.” InMarket classified audiences based on past behavior and predictions derived from it and could combine location history with attributes purchased from other sources. The FTC alleged that InMarket’s collection, use, and retention of consumers’ location data constituted unfair practices under Section 5 of the FTC Act, and the consent order prohibited InMarket from selling or licensing location data and from using or sharing products or services that categorize or target consumers based on sensitive location data.

The InMarket action illustrates a point that extends well beyond advertising. If a commercial data company can use location histories and related data to infer or sell access to segments reflecting religion, health, and family status, a federal law enforcement agency with access to comparable location data can likely draw similar inferences.

An October 2024 investigation by Krebs on Security brought this risk into sharp focus with documented examples of the real-world consequences. The investigation described how Atlas Privacy’s investigator obtained trial access to Babel Street’s Locate X platform and used it to examine visitors to high-risk targets such as mosques, synagogues, courtrooms, and abortion clinics. In one example, the investigator isolated mobile devices seen in a New Jersey courtroom parking lot reserved for jurors and tracked one likely juror’s phone to a home address over several days. In another, Atlas Privacy said its investigator geofenced an abortion clinic and identified a likely employee by following the device’s daily route between the clinic and the person’s home. These were not speculative scenarios constructed by privacy advocates. They were reported uses of commercially available location tools built from the same mobile advertising ecosystem that feeds data products available to public- and private-sector buyers.

People on pretrial release, probation, or parole may be subject to government-mandated location monitoring through court orders, supervision conditions, or other legal processes with defined terms and at least some opportunity to challenge or seek modification. Commercially purchased location data threatens to create a parallel layer of monitoring that is not tied to a warrant, probation order, parole condition, or supervision term. A supervision officer’s authority is limited by statute, conditions, and agency rules. An analyst querying Locate X or a comparable tool may be able to search historical app-derived location data across locations and timeframes not defined by those terms. If that data captures a visit to a defense attorney’s office during an active case, attendance at a political rally, or a stop at a methadone clinic, it may become available as investigative intelligence without contemporaneous notice to the person tracked and, unless later used or disclosed in a proceeding, without any practical opportunity to challenge it.

The surveillance also falls unevenly. People with time, money, and technical knowledge can reduce their exposure by limiting app permissions, deleting or resetting advertising identifiers where possible, avoiding invasive free apps, and navigating opt-out tools, though they cannot eliminate the risk entirely. People with fewer resources, less technical fluency, or dependence on free app-based services have less practical ability to limit the data generated by a phone that supports work, transportation, court dates, medical care, and family contact. That is significant in the criminal legal context because communities already subject to disproportionate law-enforcement and immigration scrutiny are least able to absorb another opaque layer of tracking. The data broker loophole does not surveil everyone equally. It risks falling hardest on people least positioned to know about it and least equipped to resist it.

What the government has purchased, in other words, is not just a dataset. It is a window into the intimate lives of millions of people, including their faiths, their struggles, their legal consultations, their medical decisions, their political beliefs. The Fourth Amendment was adopted to keep the government from peering through that window without a warrant. The data broker market has installed a door.

The Middleman Strategy: How Law and Policy Failed to Catch Up

The previous two sections documented what commercially purchased location data reveals and why its supposed anonymity provides no real protection. The question those findings raise is the one any reader paying attention would ask: How is any of this legal? The short answer is that the federal statute Congress wrote to regulate government access to stored communications and customer records was enacted in 1986, long before today’s commercial data broker market existed at scale, and Congress has not updated it to account for the market that has since emerged. The longer answer involves a structural gap in the law that is now fully visible and that government agencies and vendors have used to route access to sensitive data through private purchases rather than legal process.

The Electronic Communications Privacy Act (“ECPA”), enacted in 1986 as an update to federal wiretapping law, includes the Stored Communications Act, which provides the principal statutory framework for government access to stored communications and customer records held by covered providers. Section 2702 restricts covered providers from voluntarily disclosing the contents of customer communications and, as to government entities, certain customer records. Section 2703 establishes the legal processes, including subpoenas, court orders, and warrants through which the government may compel those providers to produce communications and records. Before Carpenter, the government obtained historical CSLI through § 2703(d) orders, which require “specific and articulable facts showing that there are reasonable grounds to believe” the records are “relevant and material to an ongoing criminal investigation.” Carpenter ruled that standard “falls well short” of probable cause. Thus, after Carpenter, the government generally needs a probable-cause warrant for historical CSLI, subject to case-specific exceptions such as exigent circumstances.

ECPA’s restrictions apply primarily to covered communications and remote-computing providers – wireless carriers, internet service providers, email platforms, and similar services – when they disclose covered contents or customer records. These providers generally cannot simply hand customer records to the FBI because the FBI asks. Unless a statutory exception applies, the government must use the legal process Congress specified.

But entities such as Venntel and many other data brokers are not, when acting in that broker capacity, electronic communication service providers or remote computing services. They do not carry phone calls or store emails for subscribers. They are commercial entities that acquire data from other market participants, aggregate it, package it, and resell access to willing buyers. ECPA was not written with this business model in mind because, in 1986, the model did not exist at scale. The statute restricts Verizon from voluntarily handing the government its customers’ covered records except through statutory exceptions or legal process. It does not impose the same restriction on a broker selling government access to functionally similar location data obtained through a different commercial channel.

The Brennan Center for Justice has described this gap with a precision that is difficult to improve upon. In a March 2026 analysis urging Congress to incorporate the Fourth Amendment Is Not For Sale Act or similar legislation into any Section 702 reauthorization, the Brennan Center observed that companies barred from selling data directly to the government can sell to data brokers instead, and the brokers can then sell the same data to the government. According to the Brennan Center, the data is “effectively laundered through a middleman.” The analogy to money laundering is deliberate. The effect of the intermediary is to sanitize the transaction. Data that the government could not lawfully obtain from the original source without legal process becomes available through a commercial channel existing law has not reached.

Elizabeth Goitein, writing separately for the Brennan Center, placed the middleman problem in a broader surveillance-law context. Federal surveillance law has not kept pace with the commercial data economy, she argued. ECPA does not cover app developers or data brokers because they did not exist in 1986, and the resulting gap permits an “easy end-run” in which companies sell to brokers and brokers resell to the government. The older framework assumes the government will compel data from a covered provider subject to statutory process. Modern location-data flows do not work that simply. Information may pass through apps, advertising exchanges, aggregators, and resellers before reaching a government-facing tool. By the time the government enters the picture, it is making a purchase from a vendor, not compelling disclosure from a communications provider. And that purchase is not a transaction ECPA was drafted to cover.

The Electronic Privacy Information Center, in a joint comment submitted with the Brennan Center, Demand Progress, S.T.O.P., and other organizations to the Office of Management and Budget, identified the same structural failure from a different angle. The commenters argued that law enforcement and intelligence agencies have increasingly purchased commercially available information, including geolocation data, in ways that evade Fourth Amendment and statutory requirements. Agencies have treated commercial availability as a method to bypass legal process, thus conflating availability in the marketplace with legal authority to acquire and use the information. The fact that a private company is willing to sell information does not resolve whether the government’s acquisition constitutes a search under the Fourth Amendment.

What makes this statutory gap especially durable is that the practice it enables can avoid the institution most likely to close it case by case, namely the courts. Judicial review requires a case. A case usually requires a defendant who knows what happened. And brokered location-data tools may be used as investigative intelligence without appearing in the record that would allow a defendant to challenge the acquisition. Locate X’s terms of service, which include language stating that the data “may be unsuitable for use in legal or administrative proceedings,” send a clear signal to government users that they should not introduce this data in court. If the data never appears in a prosecution file, the defense never learns it was used. If the defense never learns it was used, no motion to suppress is filed. If no suppression motion is filed, no court evaluates whether the acquisition violated the Fourth Amendment. The constitutional question that would force a reckoning with the data broker loophole never reaches a judge, so the loophole persists precisely because it does not.

This self-insulating quality distinguishes the data broker problem from other surveillance controversies that eventually produced legal reform. Wiretapping, pen registers, and cell-site location tracking generated case law because evidence derived from those techniques appeared in criminal prosecutions, where defense attorneys could challenge its legality. Brokered location data functions differently by informing investigations without necessarily appearing in proceedings where its origin would be subject to scrutiny. The result is a practice operating in a persistent blind spot, too invisible to litigate and therefore too invisible to regulate through standard Fourth Amendment suppression litigation.

Congress has the authority to close this gap legislatively. But the failure of existing law to prevent the government from purchasing what it cannot compel is not merely a drafting oversight from 1986. It is a gap that has been identified, documented, and left unresolved despite repeated warnings from privacy advocates, civil society groups, and members of Congress. The middleman strategy works because the law has not caught up and because the institutions that benefit from the gap have little incentive to force the judicial test that might narrow or close it.

Secrecy and Parallel Construction

Everything described in the preceding sections converges on a single question for anyone facing criminal prosecution in the U.S.: was commercially purchased location data used in my case, and will I ever be told? The honest answer is that the data may have been used, and the defendant may never find out.

The practice of parallel construction, which consists of rebuilding an evidentiary trail from an independent starting point to conceal the true origin of an investigative lead, is not a theoretical concern. It is a documented government technique with a long institutional history, and the data broker market is well suited to the same concealment because brokered location data can function as an investigative lead without ever appearing in the evidentiary record.

Human Rights Watch examined this problem in a 2018 report that remains one of the most detailed public accounts of how secret investigative sources can be laundered into criminal cases. The report documented evidence that parallel construction was used to conceal the true origins of investigative leads, particularly through the DEA’s Special Operations Division and related “wall stop” or “whisper stop” practices. Leads derived from intelligence, surveillance, informants, or large databases could be passed to agents who then developed an alternative evidentiary trail as though the information had been discovered independently. The original source could disappear from the investigative record. Prosecutors could present evidence to courts and juries without disclosing that the investigation began with information that might have been subject to legal challenge. Defense attorneys, unaware of what had been concealed, had no basis to raise the issue. And judges, presented with a clean-looking record, had no reason to inquire further.

The parallel construction problem is not confined to national security investigations or classified intercepts. Federal and local law enforcement agencies also concealed the use of cell-site simulators (commonly referred to as “Stingrays”), devices that mimic cell towers to force nearby phones to connect and reveal identifying and location-related information. For years, agencies using Stingrays operated under restrictive nondisclosure arrangements required by Harris Corporation and the FBI that limited what could be revealed to courts, defendants, and the public. Reporting and litigation showed that prosecutors were sometimes pressured to drop charges, dismiss evidence, or reconstruct the investigative trail rather than reveal the technology’s role as part of a broader pattern of secrecy, obfuscation, and misdirection around Stingray use.

The data broker market presents similar incentives for concealment, with fewer built-in pressure points for discovery. Locate X’s terms of service discourage reliance on brokered data as courtroom evidence. Whether such language is a binding prohibition or a broader caution about reliability, its practical effect is the same. If a federal agent queries Locate X or a comparable tool, identifies a device near a crime scene, determines the device owner’s identity through enrichment or cross-referencing, and then develops the case through conventional investigative steps such as interviewing witnesses, pulling public records, or conducting physical surveillance, the resulting prosecution file may contain no trace of the original query. The lead has been laundered. The data broker has been scrubbed from the narrative. And the defendant confronts an evidentiary record that appears to rest entirely on traditional law enforcement work.

This dynamic implicates constitutional obligations that cannot be avoided merely by keeping the investigative source out of the visible case file. The first is Brady v. Maryland, 373 U.S. 83 (1963), under which the prosecution has a constitutional duty to disclose favorable evidence material to guilt or punishment. Kyles v. Whitley, 514 U.S. 419 (1995), makes clear that the duty extends to favorable evidence known to others acting on the government’s behalf in the case, including the police. That duty is not limited to evidence the prosecution plans to introduce. If commercially purchased location data shows that a defendant’s phone was miles from a crime scene at the time of the offense, that information may be favorable and material. The government’s withholding of that information could violate Brady even if the raw data itself is not introduced at trial, particularly if it would lead to admissible exculpatory evidence or materially assist the defense. Vendor terms or agency practices that discourage courtroom use do not eliminate the obligation to disclose favorable, material information covered by Brady, but they may make it far less likely that the obligation is honored because the data may exist in a system designed to remain invisible to the defense.

Brian Chen explored this collision between big data and prosecutorial disclosure duties in a 2024 article in the New York University Law Review. Chen argued that the expanding volume of digital information available to law enforcement has created serious practical difficulties for prosecutors tasked with identifying exculpatory or otherwise favorable evidence. Police may pass terabytes of data to prosecutors, prosecutors may struggle to determine what is favorable, and open-file disclosure may simply shift the burden to defense counsel, who are no better positioned to find the needle in the haystack. When an agency purchases access to billions of location data points, some of those points may contain favorable information in a pending case. But unless someone asks the right question of the right database, the material may stay buried. The constitutional obligation exists in theory. The institutional architecture makes it difficult to satisfy in practice.

The second implication is suppression. As of publication, it appears that no court has yet squarely ruled on whether the government’s purchase of brokered location data is constitutionally equivalent to compelling comparable location data from a carrier or provider. But the doctrinal foundation for a suppression motion is stronger after Chatrie. Carpenter held that historical CSLI remains protected even when held by wireless carriers. Chatrie held that Google Location History remains protected even when stored by a third-party technology company, even when the government obtains only a short window of data and even when the user enabled the service. Together, those cases support the argument that high-precision commercial location data is not outside the Fourth Amendment merely because the government bought it from a broker rather than compelled it from a provider. If acquisition by purchase is a Fourth Amendment search conducted without a warrant or recognized exception, evidence derived from that search may be subject to suppression, subject to ordinary exclusionary-rule limitations such as good faith, independent source, attenuation, and inevitable discovery. But the threshold obstacle remains the same. That is, the defense must first establish that the search occurred. Suppression requires knowledge, and knowledge is precisely what the system is designed to conceal.

The third implication is discovery. This is where the analysis becomes most immediately practical for defense attorneys. The National Association of Criminal Defense Lawyers published an Omnibus Tech Discovery List in January 2026, designed to assist defense counsel in identifying undisclosed surveillance technologies used in criminal investigations. The list reflects a growing recognition that the government’s surveillance toolkit has expanded well beyond what standard discovery requests are calibrated to uncover, with sample requests covering facial recognition, device extractions, geofence warrants, CSLI, cell-site simulators, tower dumps, ALPR systems, and drones. A boilerplate request for “all surveillance conducted in connection with this investigation” may not uncover a brokered-location query if the investigative report does not mention the vendor or platform by name. Defense attorneys need to ask with greater specificity.

The indicators that should prompt closer inquiry are often found in the gaps rather than in what is disclosed. An investigation that produces precise location-based leads without any documented source for those leads – no confidential informant, no physical surveillance log, no pen register order, no cell-site warrant – raises the question of how the agents knew where to look. A timeline that shows law enforcement arriving at a suspect’s undisclosed location without an explanation in the record suggests a possible data source that has been stripped from the file. Requests for information about the agency’s contracts with data brokers, its access to commercial location platforms, its audit logs, its analyst queries, and its policies on the use of commercially acquired data in criminal investigations can help establish whether the practice is in play. Specific vendor and product names documented in public reporting such as Venntel, Babel Street, Locate X, PenLink, and Webloc should appear in discovery requests where there is reason to believe commercial surveillance data may have been involved.

None of this guarantees disclosure. Agencies and vendors that have kept data broker usage out of court proceedings are unlikely to volunteer the information in response to generic discovery requests. But specific requests create a record. A targeted request that goes unanswered or is met with a denial creates a foundation for further litigation, and if the truth emerges later, a basis for challenging the conviction. Defense attorneys cannot challenge what they do not know about. But they can make clear that they are asking, and they can document the government’s response.

The secrecy surrounding data broker surveillance is not a peripheral concern or a procedural inconvenience. It is a structural threat to the adversarial process. Effective assistance of counsel depends on counsel having a meaningful opportunity to investigate and challenge the government’s case. In practice, the Fourth Amendment’s protection against unreasonable searches depends on courts having a chance to evaluate whether a search was lawful. Parallel construction undermines both premises. It allows the government to benefit from surveillance it may not have been entitled to conduct, while making it far less likely that the legality of that surveillance will ever be tested. For as long as the data broker loophole remains open and the secrecy that surrounds it remains intact, defendants may face prosecutions shaped by evidence they cannot see and derived from searches they cannot challenge.

The FTC Steps In But Only Partway

The preceding sections have described a practice operating in the absence of judicial oversight, comprehensive statutory prohibition, and meaningful disclosure. Beginning in 2024 and continuing with the Gravy/Venntel and Mobilewalla actions announced in late 2024 and finalized in January 2025, the FTC moved to fill part of that vacuum by using Section 5 of the FTC Act to challenge the collection, use, sale, and disclosure of sensitive location data without adequate consent, safeguards, or verification of consent. The enforcement actions are significant. They are also, by the FTC’s own design and statutory limitation, incomplete.

In December 2024, the FTC announced an action against Gravy Analytics and Venntel, alleging that the companies unfairly sold sensitive consumer location data and collected and used consumers’ location data without obtaining verifiable consent for commercial and government uses. The complaint alleged that Gravy Analytics used geofencing to identify and sell lists of consumers who attended events related to medical conditions and places of worship and that the companies exposed consumers to harms involving health or medical decisions, political activity, and religious practices. The final order’s sensitive-location definition was more expansive, covering categories such as medical facilities, religious organizations, schools or childcare facilities, shelters serving homeless people, domestic abuse survivors, refugees, or immigrants, and military installations.

The FTC finalized its consent order against Gravy Analytics and Venntel on January 14, 2025. The order’s terms were sweeping by the standards of FTC enforcement in this space. The companies were prohibited from selling, licensing, transferring, sharing, disclosing, or otherwise using sensitive location data associated with sensitive locations identified through the order’s sensitive-location program, subject to limited exceptions for data conversion and direct consumer relationships involving affirmative express consent. The order excluded from its definition of “Location Data” certain data used for security purposes, national security purposes conducted by federal agencies, and law enforcement responses to an imminent risk of death or serious bodily harm. The companies were required to delete or destroy historical location data and data products derived from it unless they obtained required consent records or rendered the data deidentified or non-sensitive, and to implement supplier-assessment and sensitive-location-data programs to ensure documented consumer consent and prevent prohibited uses going forward.

The same day, the FTC finalized a parallel order against Mobilewalla, a data analytics company the commission accused of collecting and selling consumer location data obtained from real-time bidding exchanges. The Mobilewalla action was notable because it was the first time the agency alleged that collecting consumer information from online advertising auctions for purposes other than participating in those auctions was an unfair act or practice. Real-time bidding can expose user data, including location information, to auction participants. The FTC alleged that Mobilewalla collected and retained information from bid requests even when it had no winning bid. The order prohibited the company from collecting or retaining covered information accessed through advertising auctions for any purpose other than participating in those auctions and imposed separate restrictions on the use, sale, or disclosure of sensitive location data.

Together with the FTC’s earlier 2024 actions against X-Mode/Outlogic and InMarket, the Gravy/Venntel and Mobilewalla orders reinforced a regulatory principle that had only recently begun to take binding form, i.e., companies that collect, use, sell, or disclose precise location data tied to sensitive places or sensitive inferences without adequate consent, consent verification, or safeguards can face Section 5 liability and order-based restrictions. In February 2026, the FTC sent warning letters to 13 data brokers reminding them of their obligations under the Protecting Americans’ Data from Foreign Adversaries Act, signed into law in 2024, which prohibits data brokers from making available Americans’ personally identifiable sensitive data, including geolocation information, to foreign adversary countries or entities controlled by them.

These developments are important. They represent the first wave of federal enforcement actions imposing binding restrictions on the sale, disclosure, use, or collection of sensitive location data and backing those restrictions with civil penalties for order violations. For an industry that had operated for years without comprehensive federal privacy legislation, the FTC’s intervention changed the landscape of commercial risk. Data brokers could no longer assume that the absence of a location-data-specific statute meant the absence of legal liability.

But the limits of the FTC’s intervention are as important as its reach, and those limits are where the analysis must focus. The first and most fundamental limitation is jurisdictional. The FTC regulates commercial actors. It does not have authority over the government agencies that buy the data. The Gravy/Venntel order binds two companies and those in active concert or participation with them who receive actual notice, but it does not prohibit the FBI, ICE, or CBP from purchasing comparable data from a broker not subject to that order. And there are several of them. In fact, recent reporting and congressional letters concerning ICE’s 2025 PenLink/Webloc purchase show that new vendors can continue to supply government-facing location tools even after a prior vendor comes under legal or political pressure.

The second limitation is the law enforcement and national security space left open by the orders themselves. The Gravy/Venntel order’s definition of “Location Data” excludes data used for security purposes, national security purposes conducted by federal agencies, and law enforcement responses to an imminent risk of death or serious bodily harm. Those exclusions mean the FTC did not categorically prohibit all transfers or uses of location data connected to government activity, and they leave unresolved the harder constitutional question of whether Carpenter and Chatrie require a warrant or other recognized Fourth Amendment justification when the government buys commercially available location data outside those narrow categories.

The third limitation is institutional. FTC enforcement actions are administrative proceedings, not legislation. They bind the named respondents and those in active concert or participation with them who receive actual notice, and they signal how the commission may apply Section 5 in future cases. But they do not create an industrywide statutory prohibition applicable to every data broker. An unnamed broker may take guidance from the commission’s interpretation of Section 5 and adjust its practices, but it is not bound by the Gravy/Venntel order unless the order reaches it through ordinary enforcement principles. Broader prohibition would require additional FTC actions, legislation, or judicial rulings, and the FTC’s enforcement priorities are subject to change with every new commission.

The FTC’s actions against Gravy Analytics, Venntel, and Mobilewalla are real accomplishments. They have imposed costs on companies that treated Americans’ movements as a commodity to be sold without restriction. They have put the industry on notice. And the FTC’s concerns connect directly to the Fourth Amendment framework established in Carpenter and reinforced in Chatrie, as Commissioner Bedoya’s concurrence underscored, a connection that may prove influential as courts eventually confront the constitutionality of government data purchases.

But administrative enforcement is not a criminal-procedure fix. It does not give defense attorneys a right to know whether location data was used in their client’s case. It does not give courts the authority to suppress evidence derived from warrantless purchases. It does not require the government to obtain a warrant before buying what Carpenter and Chatrie suggest it cannot obtain through compulsion without satisfying the Fourth Amendment. The FTC can regulate sellers. Only Congress or the courts can restrain the buyers.

The Reform Fight

The FTC’s enforcement actions, examined in the preceding section, addressed the supply side of the data broker market. The legislative efforts now before Congress seek to restrict the government’s authority to buy, something the FTC cannot do.

The leading standalone federal vehicle was the Fourth Amendment Is Not For Sale Act, introduced in the House as H.R. 4639. The bill would have barred law enforcement and intelligence agencies from buying Americans’ data from brokers when legal process would otherwise be required, a direct statutory closure of the data broker loophole. The House passed the bill in 2024 with bipartisan support. The Senate never brought it to a vote before the congressional session ended, so the loophole remained open.

A separate effort met an even narrower fate. On April 12, 2024, the House voted on a warrant-requirement amendment offered by Representative Andy Biggs during consideration of the Foreign Intelligence Surveillance Act (“FISA”) Section 702 reauthorization bill. The amendment would have required the government to obtain a warrant before querying Section 702 databases using U.S.-person identifiers, a provision that, while distinct from the data broker question, reflected the same underlying principle that the government should not be able to access Americans’ sensitive data without judicial authorization. The vote was 212 to 212. Under House rules, a tie vote fails. The warrant requirement failed by the narrowest possible margin.

In March 2026, a bipartisan group of lawmakers introduced a broader measure. Senators Ron Wyden and Mike Lee, joined by Representatives Warren Davidson and Zoe Lofgren, introduced the Government Surveillance Reform Act, which Wyden’s office described as the most comprehensive surveillance reform legislation in nearly half a century. The bill would close the data broker loophole by prohibiting federal agencies from buying Americans’ data from brokers without a warrant. It would require a warrant to access Americans’ private communications gathered under Section 702, with emergency exceptions. And it would impose new transparency and oversight requirements on the government’s use of surveillance authorities, including Section 702 of FISA.

The bill’s sponsors framed it as an answer to the full range of concerns documented in this cover story, including warrantless purchases, the absence of judicial oversight, and the secrecy that prevents defendants from knowing how they were investigated. A coalition of more than 130 civil society organizations separately urged Congress not to reauthorize Section 702 without closing the data broker loophole and adding related privacy reforms.

The Section 702 reauthorization fight created both an opportunity and a constraint. Section 702 authorizes the intelligence community to collect communications of non-U.S. persons located abroad, but its operation also sweeps in Americans’ communications. Reauthorization votes have historically served as an opportunity for surveillance reform because they are among the few moments when Congress must affirmatively act. However, in 2026, the original April 20 sunset date arrived without a full reauthorization. Congress kept the authority alive only through short-term extensions, then failed to enact another extension before the final June 12 deadline. The statutory authority lapsed, but the surveillance did not stop. Existing FISA Court certifications approved in March 2026 are understood to allow Section 702 collection to continue until about March 2027, leaving the reform fight unresolved while the program remains operational.

The opposition to attaching reform provisions is formidable. Reporting in March and June 2026 showed the White House, the intelligence community, and congressional leadership pushing for renewal without a warrant requirement, while reformers demanded warrant and data-broker protections. At a March Senate Intelligence Committee hearing, FBI Director Kash Patel declined to commit to ending the Bureau’s purchases of Americans’ location data, telling Senator Wyden that the FBI purchases commercially available information it considers consistent with the Constitution and the Electronic Communications Privacy Act. The institutional resistance to reform is not abstract. Agencies that benefit from the loophole have shown no willingness to abandon it voluntarily.

While federal legislation stalled, congressional oversight also intensified outside the reauthorization debate. In February 2026, Representative Shontel Brown led a group of House members in sending an oversight letter to DHS demanding answers about ICE’s contracts with PenLink and the agency’s use of commercially purchased location data for neighborhood-level surveillance. The letter cited public reporting on PenLink’s Webloc and Tangles products and pressed the department on whether ICE had resumed the data broker practices it had previously claimed to abandon. The inquiry reflects growing congressional concern that executive branch assurances of self-restraint are not adequate safeguards.

At the state level, a different kind of progress has begun. In May 2025, Montana became the first state in the country to enact a law closing the data broker loophole for state and local law enforcement. The law is codified in Mont. Code Ann. § 46-5-603 and bars Montana governmental entities from buying specified categories of personal data, including precise geolocation data and sensitive data, except pursuant to a court-issued search warrant or investigative subpoena. The Montana statute represents proof of concept, serving as evidence that the loophole can be closed legislatively and that doing so commands sufficient political support to survive the full legislative process in a politically conservative state.

The Montana law may catalyze a broader state-level movement. But state-level reform, however important as a model, carries an inherent structural limitation because state laws bind state and local agencies. They do not bind federal agencies operating within those states’ borders. ICE, the FBI, CBP, and the DEA are not subject to Montana’s warrant requirement. A patchwork of state laws can constrain some government actors in some jurisdictions, but it cannot address the federal purchasing programs that represent the most consequential use of brokered location data.

The legislative fight over the data broker loophole remains unresolved. The Government Surveillance Reform Act has bipartisan sponsors, a broad civil society push behind its core reforms, and a logical legislative vehicle in whatever Section 702 reauthorization fight follows the lapse. It also faces institutional opposition from agencies invested in the current system and political headwinds from leadership resistant to complicating a must-pass bill. Congress has allowed Section 702 to lapse without resolving the data broker issue, while existing certifications allow the surveillance to continue.

But the constitutional problem this cover story has documented does not depend on the outcome of a vote. If Congress closes the loophole, it will have done what the Constitution arguably already requires. If Congress does not, the loophole will remain open, the data will continue to flow, and the question may eventually reach the courts. The defense bar cannot afford to wait for Congress to act or for the courts to intervene.

The Amendment That Is for Sale

The Fourth Amendment was written in response to a specific historical abuse. British authorities wielding general warrants and writs of assistance could authorize agents of the Crown to search anyone, anywhere, without particularized suspicion, without prior judicial approval, and without meaningful limit on scope. The Founders understood what unchecked search power meant for a free society, and they drafted a constitutional provision designed to ensure that the government could not examine the private lives of the people it governed without first persuading a neutral magistrate that it had cause.

The data broker loophole resembles a digital-age general warrant. It permits agencies to query vast stores of location data to track movements, associations, and intimate activities without first appearing before a judge, establishing probable cause, or notifying the people whose data is searched. The mechanism is different, a purchase order rather than a writ, but the constitutional danger of broad surveillance separated from individualized suspicion and judicial oversight is familiar.

What distinguishes the data broker loophole is how much of the concern has been documented by official records, oversight findings, enforcement actions, and bipartisan reform efforts. DHS records obtained by the ACLU show that privacy officials raised legal and privacy questions and that projects involving Venntel data were temporarily halted. The records also show DHS continued bulk purchases. The DHS Inspector General documented privacy-compliance failures across CBP, ICE, and the Secret Service. The FTC brought enforcement actions against major suppliers, alleging that selling or using sensitive location data without adequate consent and safeguards violated Section 5. Commissioner Bedoya observed that consumers whose data Venntel collected had in no way voluntarily “assume[d] the risk” of disclosure. The House passed the Fourth Amendment Is Not For Sale Act with bipartisan support, and bipartisan lawmakers introduced legislation to close the loophole. Additionally, Carpenter’s reasoning, now reinforced by Chatrie’s protection of Google Location History, strongly supports applying Fourth Amendment scrutiny to high-precision commercial location data the government buys.

The question now is whether constitutional protections can survive a marketplace that has made them easier to bypass and whether the rights enshrined in the Fourth Amendment can withstand an industry built on selling access to intimate personal data together with a government eager to buy. The stakes are high and immediate. The data is being purchased now. The investigations it informs are underway now. The cases it may be shaping are moving through the system now. Defense attorneys who do not ask whether commercially acquired data played a role in their client’s investigation risk missing a significant undisclosed evidence source. Courts that do not confront the constitutionality of warrantless data purchases risk allowing the Fourth Amendment to be narrowed by a procurement process. And if Congress restores or reauthorizes Section 702 without closing the data broker loophole, it will have left in place a surveillance practice that members of both parties have characterized as unconstitutional.

The Fourth Amendment is not for sale. That principle is either enforced or it is hollow. For millions of Americans whose phones generate the data that feeds this market, the safeguards required by Carpenter and Chatrie remain incomplete so long as the data-broker workaround persists. The loophole remains open. The data continues to flow. And the burden now falls on courts, Congress, and defense counsel to ensure that a purchase order does not become the digital substitute for a warrant.  

 

Sources: Jude Joffe-Block, Your Data Is Everywhere. The Government Is Buying It Without a Warrant, NPR (Mar. 25, 2026); ACLU, New Records Detail DHS Purchase and Use of Vast Quantities of Cell Phone Location Data (July 18, 2022); John Hewitt Jones, FBI Purchases 5,000 Licenses for Babel X Social Media OSINT Tool, FedScoop (Apr. 5, 2022); ACLU, DHS Is Circumventing the Constitution by Buying Data It Would Normally Need a Warrant to Access (Jan. 12, 2026); Sen. Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bill to Reform FISA Section 702, Protect Americans’ Constitutional Rights and Plug Data Broker Surveillance Loophole (Mar. 12, 2026); Demand Progress et al., Broad Coalition Opposes FISA Reauthorization Until AI/Data Broker Loophole Is Closed (Mar. 19, 2026); AJ Vicens, A Key Surveillance Law Is Expiring. What Does That Mean for U.S. Intelligence?, Reuters (June 9, 2026); David Morgan & Jonathan Landay, U.S. House Rejects Short-Term FISA Extension as Expiration Looms, Reuters (June 11, 2026); Statement of Commissioner Alvaro M. Bedoya, In re Gravy Analytics, Inc. & Venntel, Inc., FTC File No. 212-3035 (Dec. 3, 2024); Emile Ayoub & Elizabeth Goitein, Closing the Data Broker Loophole, Brennan Ctr. for Just. (Feb. 13, 2024); Dori Rahbar, Laundering Data: How the Government’s Purchase of Commercial Location Data Violates Carpenter and Evades the Fourth Amendment, 122 Colum. L. Rev. 713 (2022); Bennett Cyphers, How the Federal Government Buys Our Cell Phone Location Data, Elec. Frontier Found. (June 13, 2022); Lena Cohen & Hudson Hongo, The Government Uses Targeted Advertising to Track Your Location. Here’s What We Need to Do, Elec. Frontier Found. (Mar. 5, 2026); Brian Krebs, The Global Surveillance Free-for-All in Mobile Ad Data, Krebs on Security (Oct. 23, 2024); Complaint, In re Gravy Analytics, Inc. & Venntel, Inc., FTC File No. 212-3035 (Dec. 2024); U.S. Dep’t of Homeland Sec. Privacy Office, Privacy Threshold Analysis: CBP AdID Efficacy Pilot, CBP-2022-086516; Joseph Cox, Secret Service Bought Phone Location Data from Apps, Contract Confirms, Vice/Motherboard (Aug. 17, 2020); Joseph Cox, Military Unit That Conducts Drone Strikes Bought Location Data from Ordinary Apps, Vice/Motherboard (Jan. 22, 2021); U.S. Dep’t of Homeland Sec., Off. Inspector Gen., OIG-23-61, CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (Sept. 28, 2023); Natalia Alamdari, This Nebraska Company Is Supplying ICE with Surveillance Tech, Flatwater Free Press (Feb. 20, 2026); FTC, FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites (Dec. 3, 2024); Joseph Cox, IRS Could Search Warrantless Location Database Over 10,000 Times, Vice/Motherboard (Nov. 24, 2020); Joseph Cox, The DEA Abruptly Cut Off Its App Location Data Contract, Vice/Motherboard (Dec. 7, 2020); Joseph Cox, How the U.S. Military Buys Location Data From Ordinary Apps, Vice/Motherboard (Nov. 16, 2020); Cooper Quintin, ICE Is Going on a Surveillance Shopping Spree, Elec. Frontier Found. (Jan. 7, 2026); Yves-Alexandre de Montjoye et al., Unique in the Crowd: The Privacy Bounds of Human Mobility, 3 Sci. Rep. 1376 (2013); Luca Rossi et al., Spatio-Temporal Techniques for User Identification by Means of GPS Mobility Data, 4 EPJ Data Sci. 11 (2015); Complaint, In re InMarket Media, LLC, FTC Matter/File No. 2023088; Decision and Order, In re InMarket Media, LLC, FTC Docket No. C-4803, FTC Matter/File No. 2023088; FTC, FTC Finalizes Order Prohibiting Gravy Analytics and Venntel from Selling Sensitive Location Data (Jan. 14, 2025); Decision and Order, In re Gravy Analytics, Inc. & Venntel, Inc., FTC File No. 212-3035 (Jan. 14, 2025); Elec. Frontier Found., Location Data Brokers; Brennan Ctr. for Just., Congress Must Close Data Broker Loophole by Prohibiting Government Purchases of Americans’ Sensitive Data (Mar. 17, 2026); Elizabeth Goitein, How to Fix U.S. Surveillance Law, Brennan Ctr. for Just. (July 18, 2023); Elec. Priv. Info. Ctr. et al., Joint Comment Regarding OMB’s Request for Information on Executive Branch Agency Handling of Commercially Available Information; Babel Street, Inc., End User Subscription Terms; Human Rights Watch, Dark Side: Secret Origins of Evidence in U.S. Criminal Cases (Jan. 9, 2018); Brian Chen, Big Data and Brady Disclosures, 99 N.Y.U. L. Rev. 1754 (2024); Nat’l Ass’n of Crim. Def. Laws., Omnibus Tech Discovery List (Jan. 29, 2026); Elec. Frontier Found., Law Enforcement Purchasing Commercially-Available Geolocation Data Is Unconstitutional (Dec. 2020, updated June 2023); Nathan Freed Wessler, Documents in ACLU Case Reveal More Detail on FBI Attempt to Cover Up Stingray Technology, ACLU (Sept. 24, 2014); Adam Bates, Stingray: A New Frontier in Police Surveillance, Cato Inst. (Jan. 25, 2017); Kim Zetter, Police Contract With Spy Tool Maker Prohibits Talking About Device’s Use, Wired (Mar. 4, 2014); The Citizen Lab, Uncovering Webloc: An Analysis of PenLink’s Ad-Based Geolocation Surveillance Tech (Apr. 9, 2026); Final Order, In re Mobilewalla, Inc., FTC File No. 2023189; FTC, FTC Finalizes Order Banning Mobilewalla from Selling Sensitive Location Data (Jan. 14, 2025); FTC, FTC Reminds Data Brokers of Their Obligations to Comply with PADFAA (Feb. 9, 2026); FTC, FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (Jan. 9, 2024); FTC, FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data (May 1, 2024); Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50, div. I, 138 Stat. 955; 404 Media, ICE to Buy Tool That Tracks Locations of Hundreds of Millions of Phones Every Day (Sept. 30, 2025); Rep. Veronica Escobar, Over 70 Democrats Call for Investigation of ICE, DHS Warrantless Purchases of Americans’ Location Data (Mar. 4, 2026); H.R. 4639, 118th Cong. (2024); U.S. House of Representatives, Roll Call Vote No. 114 (Apr. 11, 2024); S. 4082, 119th Cong. (2026); Rep. Shontel Brown, Brown Leads Oversight Letter to DHS on ICE’s Troubling Mass Surveillance Tech (Feb. 19, 2026); Elec. Frontier Found., Montana Becomes First State to Close the Law Enforcement Data Broker Loophole (May 14, 2025); Hannah James & Elizabeth Goitein, Section 702 of the Foreign Intelligence Surveillance Act, Explained, Brennan Ctr. for Just. (updated June 9, 2026); EPIC, EPIC Statement on House Passage of Fourth Amendment Is Not For Sale Act (Apr. 17, 2024); Elec. Frontier Found., Victory! 702 Has Expired! (June 2026); TechCrunch, FBI Is Buying Location Data to Track U.S. Citizens, Director Confirms (Mar. 18, 2026); Gravy Analytics, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 89 Fed. Reg. 96,986 (Dec. 6, 2024).

As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.

Subscribe today

Already a subscriber? Login

 

 

Federal Prison Handbook - Side
Advertise Here 2nd Ad
Federal Prison Handbook - Side