Tuesday, March 12, 2024

Data Brokers sell people’s private data to the government

Fourth Amendment protects people only against unreasonable searches by government

The Federal Trade Commission is poised to ban a data broker from selling sensitive location data as the Biden administration just issued an executive order to limit sensitive data sales to certain countries of concern, reported Lawfare. Yet a major customer of these data brokers is the U.S. government itself. For yearsnews outlets have reported on how federal and state agencies buy Americans’ data from private companies called data brokers—in mass. 

These brokers purchase and aggregate users’ location data from virtually all applications. Brokers, in turn, repackage and sell geolocation data to willing buyers, including the federal and state governments. This has led to the government purchasing data on 98 million users from a prayer app, as well as tens of millions of users’ data from dating apps, mobile games, the Weather app, Google, rideshare apps, and social media apps. This data can reveal some of the most intimate information about people, from their faithpolitical associations and beliefsimmigration statuspregnancy status or interest in seeking an abortion, and more. A recently declassified report from the Office of the Director of National Intelligence confirms what has been known for years: Brokers sell people’s private data to the government. 

Matthew Tokson describes this practice and some of the attendant Fourth Amendment issues in a previous Lawfare piece. Government attorneys claim agencies can purchase data without a warrant because the data is commercially available, meaning there can be no reasonable expectation of privacy with respect to this data, and because users signed a terms of service waiver, meaning they forfeited their privacy rights in the data. Tokson ably responds to both arguments, and suggests that a reasonable expectation of privacy persists in the data.

But commentators miss a foundational problem that puts this practice outside the scope of Fourth Amendment protection: a government purchase of data is not “state action” for constitutional purposes. As I argued in the Yale Law & Policy Review, even if users maintain a reasonable expectation of privacy over the data transacted by data brokers, the violation of their privacy is not cognizable under the Fourth Amendment. 

The Fourth Amendment in the Information Age

The Fourth Amendment prohibits “unreasonable searches” of people’s “persons, houses, papers, and effects.” It is the cornerstone legal protection against warrantless surveillance and a constitutional bulwark for privacy. The Fourth Amendment ordinarily requires law enforcement and intelligence agencies to obtain a warrant to conduct surveillance—for example, tracking people’s locations and wiretapping phones. As the Supreme Court has long made clear, a “search” occurs when the government violates your “reasonable expectation of privacy.” Thus, when the police, FBI, or CIA invade this reasonable expectation of privacy, they (generally) must obtain a warrant. 

In the 2018 Supreme Court decision Carpenter v. United States, law enforcement agencies forced two internet service providers to hand over detailed cell-service location information data on a robbery suspect. The Court held that the suspect had a reasonable expectation of privacy in these invasive geolocation records. Thus, to obtain these records, the government needed a warrant. It stands to reason that when the federal government and state agencies purchase equally sensitive geolocation data from brokers, users have an equally reasonable expectation of privacy in the data sold by brokers as that addressed in Carpenter. (And under Kyllo, even commercially available data can be subject to a reasonable expectation of privacy, as both Tokson and I address elsewhere. That users signed terms-of-service waivers does not undermine users’ expectation of privacy, either.) 

So if users have a reasonable expectation of privacy in the data sold by brokers to the government, then why did the government need to obtain a warrant in Carpenter but need not obtain a warrant to purchase the data?

This is because of the “state action problem.” Axiomatically, the Fourth Amendment protects people only against unreasonable searches by the government, not against those conducted by purely private parties. When the Supreme Court first articulated the “reasonable expectation of privacy” test, it made clear that the Fourth Amendment “protects individual privacy against certain kinds of governmental intrusion” (emphasis added). Thus, when a private citizen or company invades your reasonable expectation of privacy, those “invasions ... d[o] not violate the Fourth Amendment because of their private character.” Private searches, then, are not governed by the Fourth Amendment. (Instead, they are governed by common law tort and state statutes.) 

For the Fourth Amendment to require a warrant to purchase your data, then, the act of buying data itself must constitute a “search”–otherwise, there is no state action, and all that has occurred is a private search. 

To read more CLICK HERE

No comments:

Post a Comment