25 July 2022

BUYING LOCATION DATA IN BULK (Report today in Techdirt)

 

Thanks To ACLU FOIA Requests, We Now Have More Details On The DHS’s Warrantless Acquisition Of Location Data

from the keep-those-'narrow-holdings'-coming,-SCOTUS! dept

Four years ago, the Supreme Court took a long look at the wealth of data generated by cell phones and made a good call. It said warrantless access to months of cell site location data was an unreasonable search. If cops wanted weeks or months of cell site location info, they’d need a warrant going forward.

But the holding was case-specific. While other courts have read the Supreme Court decision to have altered the contours of the Third Party Doctrine, the SCOTUS ruling limited itself to historical collections. It did not address near real-time collection via tower dumps, ping orders, or the misuse of trace/trace orders to obtain location info.

Law enforcement agencies saw the things they liked about this narrow holding and ran with them. The ruling only seemed to apply to obtaining cell site location info from cell service providers. Left unaddressed was the market created by data brokers who obtain location info from cell phone apps and provide bulk access to law enforcement agencies.

Who needs a warrant when you have willing private sector suppliers? That’s the thought process governing federal agencies’ continuous (and ever-expanding) utilization of third-party services hoovering data from other third party services to help government employees evade warrant requirements by giving them access to information they’re at least two steps removed from accessing directly.

Federal agencies love this unregulated, un-court-tested source of location data. CBP, ICE, the US Secret Service, the Department of Defense, and (somewhat disturbingly given the Supreme Court’s reversal of Roe v. Wade) the CDC have all purchased data from data brokers.

DHS components have already expressed their love for this constitutional workaround. Here’s one more to add to the list, as reported by Joseph Cox for Motherboard.

Recently released documents show in new detail how parts of the Department of Homeland Security have been using surveillance tools built on smartphone location data as part of investigations across the United States, including in multiple field offices and for a variety of different crimes.

The documents, obtained by the American Civil Liberties Union (ACLU) as part of a Freedom of Information Act (FOIA) lawsuit, provide the clearest picture yet of where, and why, law enforcement agencies have used tools like Venntel and Locate X, which are based on location data harvested from ordinary smartphone apps installed on peoples’ phones. The documents also show that some parts of Homeland Security Investigations (HSI) have used one of the tools to help state and local law enforcement.

HSI, like other government agencies, apparently has no problem doing business with a company currently facing a congressional investigation. According to the communications obtained by the ACLU, HSI uses the data to pursue criminal investigations related to smuggling (of humans or other contraband). The emails also indicate third-party location data obtained from brokers is of limited utility since it usually takes another round of searches (and a subpoena) to obtain identifying info.

But, more worryingly/interestingly, internal communications show HSI agents weren’t entirely sure this skirting of warrant requirements was actually legal. This is from the ACLU’s roundup of its latest release of FOIA’ed documents:

In scattered emails, some DHS employees raised concerns, with internal briefing documents even acknowledging that “[l]egal, policy, and privacy reviews have not always kept pace with the new and evolving technologies.” Indeed, in one internal email, a senior director of privacy compliance flagged that the DHS Office of Science & Technology appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved. Several email threads highlight internal confusion in the agency’s privacy office and potential oversight gaps in the use of this data — to the extent that all projects involving Venntel data were temporarily halted because of unanswered privacy and legal questions.

Not that this minor internal crisis of constitutionality mattered. The documents make it clear DHS ignored these concerns to continue buying location data in bulk. And bulky, it was. A spreadsheet obtained by the ACLU shows CBP (just one DHS agency buying location data) obtained 113,654 location points covering a three day span in 2018: more than 26 location points per minute. And that was just from one area in the Southwest United States. DHS and its components have access (via data brokers) to location data covering the entire nation, as well as data points gathered beyond our borders.

Data brokers aren’t going to stop data brokering. Government agencies aren’t going to stop finding ways to route around minor inconveniences like Supreme Court precedent or the US Constitution. That leaves it up to Congress to fix it. There’s work being done on that end, at least, but we have a long way to go before this unaddressed location data loophole will stop being exploited by agencies who feel the best use of taxpayers dollars is to seek ways to bypass protections handed to citizens by other branches of the government.

Filed Under: , , , , , , , ,

No comments:

QOD: You can dig it