Last Friday, The Wall Street Journal revealed that the Department of Homeland Security has been using commercially available cell phone location records for immigration and border enforcement. US Immigration and Customs Enforcement, the paper reported, has used the data “to help identify immigrants who were later arrested,” while Customs and Border Protection uses it “to look for cellphone activity in unusual places.”
On the one hand, the news is kind of a duh. If you’ve been following privacy issues at all in recent years, you know that websites and smartphone apps are sharing your detailed location information with data brokers and advertisers. Why wouldn’t law enforcement want to take advantage of that trove of surveillance intel? On the other hand, while the extent and specific details of the DHS program remain unclear, its existence raises a much broader set of questions. There’s nothing stopping other law enforcement agencies from making use of these data sets. (The exception is Utah, which passed a 2019 privacy law requiring police to get a warrant for certain types of online data.) The Fourth Amendment is supposed to prevent government officials from tracking our every move. Can they really just buy their way around the Constitution?
The Fourth Amendment gives the people the right to be free from “unreasonable searches and seizures.” Applying that rule to location data generated by the devices we carry with us 24/7, however, is still very much a work in progress. The question first came up at the Supreme Court only two years ago, in Carpenter v. United States, and the answer was limited to a specific category of data known as cell site location information, or CSLI. To tie Timothy Carpenter to a string of robberies—of cell phone stores, neatly enough—the FBI in 2011 subpoenaed his cell-tower location records, which placed him near the scenes of the crimes. The government argued that it didn’t need to get a warrant because of the so-called third party doctrine, which says that you surrender any expectation of privacy when you share information with a third party.
The Supreme Court disagreed. In a landmark ruling, Chief Justice John Roberts sided with the court’s four liberals to hold that the third-party doctrine, which was established in the 1970s, simply doesn’t make sense for information as sensitive and revealing as CSLI. “When the government tracks the location of a cell phone it achieves near perfect surveillance,” Roberts’s majority opinion explained. Despite the sweeping language, however, the ruling was narrow: If the cops want to get seven days’ worth or more of individual location records from the likes of AT&T or Verizon, they need to come up with a warrant. Roberts left open what should happen in other scenarios, including cell-tower dumps, in which cops can request records of every mobile phone at a particular location over a certain time period.
Meanwhile, CSLI is far from the only type of location data available today, and wireless carriers are far from the only entities keeping track of our whereabouts. Software development kits embedded in thousands of apps, even ones that have no obvious need to know where its users are located, are gathering and selling that information across the digital advertising landscape. It comes not from cell tower pings but from things like GPS tracking and IP addresses. It’s purchased in bulk and often “anonymized,” or stripped of identifying info—although, as a recent New York Times report illustrated, it’s trivially easy to connect anonymized bulk location data back to individual cell phone users.
The bigger twist here is that, unlike in Carpenter, DHS isn’t subpoenaing location records; it’s buying them from Venntel, a data broker that according to the Journal has ties to Gravy Analytics, a major adtech company. Does the Fourth Amendment, or any other legal protection, even apply to this type of transaction?
Nathan Freed Wessler, the ACLU lawyer who successfully argued Carpenter’s case at the Supreme Court, said there are at least two ways in which this arrangement could violate the law. The first concerns the companies originally gathering location data, rather than the government. Under the Stored Communications Act of 1986, companies that store and transmit user data are generally prohibited from “knowingly” sharing those records with the government. That, Wessler said, probably doesn’t apply to a broker like Venntel that doesn’t deal with consumers directly. But it could apply to the app makers who are passing data along to companies like Venntel, if they know it will eventually end up in the government’s hands.
“If the Department of Homeland Security was going straight to the companies to get this stuff, there would be a bar on them voluntarily disclosing or selling it to DHS,” he said on Friday. “What happens if the weather app is selling it to some location aggregator, but they know that one or two or three steps down the chain of contract, DHS is buying it? Are they knowingly divulging it to a government entity? After today’s Journal story, if I was a lawyer at one of those companies, I would be sweating. It’s a really substantial question.”
Then there’s the Fourth Amendment issue. In Carpenter, the court held firmly that just because we let companies access our phone location, that doesn’t give the government carte blanche to access it. “What courts haven’t encountered yet is whether a law enforcement agency can evade the warrant requirement by paying money,” Wessler said. “And whether the fact that a company will take that money somehow means the Fourth Amendment doesn’t apply.”
The threshold question in Fourth Amendment cases is whether the government’s activities constituted a “search.” The Supreme Court has no clear test for answering that question. Instead, judges ask whether the defendant had a “reasonable expectation of privacy”—a cross between public policy judgment and sociological interpretation. In Carpenter, the answer was yes: cell phones are so “indispensable to participation in modern society,” the court held, that it would be unreasonable to make Americans give up their privacy in order to use one.
We don’t know exactly how DHS is using the data it buys. A CBP spokesman told the Journal, “While CBP is being provided access to location information, it is important to note that such information doesn’t include cellular phone tower data, is not ingested in bulk and doesn’t include the individual user’s identity.” But the key point of the Carpenter ruling is to limit the government’s capacity to obtain a comprehensive log of Americans’ location without having to show probable cause. If a government agency is using data location records to isolate the movements of specific individuals, then that same logic would seem to apply. The location tracking made possible by app data in 2020 is more precise and potentially even more comprehensive than the cell tower data that the FBI used back in 2011. Giving government as much access as it can buy raises the same prospect of “near perfect surveillance” that Roberts warned about. Similarly, it’s basically impossible to completely opt out of our location being tracked. “Only the few without cell phones could escape this tireless and absolute surveillance,” as Roberts put it in Carpenter. The impact on privacy would seem to be the same whether the government is subpoenaing the data or buying it.
“We don’t want to live in a world where, in the absence of a statute on point, the government can just buy its way around the Fourth Amendment,” said Wessler. “But, admittedly, the courts haven’t answered that question. And it’s a really substantial one.”
There’s no way to know how the Supreme Court would resolve a case raising these issues—a process that would take years. And that’s assuming there even is a case. One thing that makes it so hard to challenge this sort of surveillance is that defendants may not even know the government used it against them. That’s also true on a societal level. We now know that DHS is using commercial location data for immigration enforcement. But what about other federal agencies, not to mention the thousands of police departments around the country? Aside perhaps from tight budgets, there’s nothing stopping them from making use of data available on the open market.
Then there’s the fact that the Supreme Court has declared that it wants to move slowly and cautiously on adapting the Fourth Amendment to changing technological circumstances. It’s a reasonable position, but it makes it even more unlikely that the judiciary will be able to keep up with facts on the ground. Ultimately, then, this is probably a problem for Congress to solve. The Constitution is a legal floor, but statutes can add more rights on top of it. The Senate has been making noises about passing federal privacy legislation this year, though the possibility still seems remote. The DHS story is just the latest example of how important it is for lawmakers to get their act together. If they don’t, we may find out exactly how much our privacy was worth.