Monday, March 29, 2021

Government Purchases of Sensitive Private Data

By Matthew Tokson

Carpenter v. United States held that the government must get a warrant before collecting an individual’s cellphone location data. Such data would allow the government to constantly track citizens, revealing their activities, associations, relationships, purchases, and countless other details about their lives. But what if the government can just purchase similar data from a private vendor? Does the Fourth Amendment regulate government purchases, or has the government found a valid way around Carpenter’s restrictions?

These are important and very new questions, and they've begun to attract a lot of scholarly attention. They arise because several government law enforcement agencies have purchased private location data from data brokers in the wake of Carpenter. The Department of Homeland Security, the IRS’s Criminal Investigations Division, the Defense Intelligence Agency, and several other federal and local law enforcement agencies have purchased location data drawn from cellphone apps for various law enforcement purposes. 

Lawyers at these agencies have argued that the purchase of such data does not implicate the Fourth Amendment, in part because Carpenter only directly addressed cell-site location data, not app-based location data. Further, app-based location data is sometimes collected with user permission and is often available for purchase in aggregate form by non-government entities. If a private corporation can purchase it, they say, the government should be able to purchase it too. On the other hand, a Treasury Department watchdog report casts doubt on this conclusion, stating that future courts may conclude that Carpenter precludes government purchases of app-based data. What is the law here?

It's a difficult question, but the most likely answer is that the government must obtain a warrant before purchasing sensitive personal data from a data vendor. The government’s main arguments in favor of unregulated government purchases of app data are 1) such data is commercially available and therefore the government should be able to purchase it without restrictions, and 2) customers give permission to apps to use their location data, so it’s fair game in any event. Both of these arguments are questionable.

First, while the government does purchase this data from private entities, the data is hardly publicly available or exposed. You and I generally cannot purchase location tracking data on our fellow citizens from these vendors. The vendors who sell such data often do so either exclusively to law enforcement agencies or in large anonymized chunks to other marketing companies for use in automated advertising. Companies like Venntel (the vendor that sold data to DHS and IRS) are not consumer-facing, and go to great lengths to avoid disclosing information about their services or their clients. Companies like Babel Street (which sold to several agencies) go even further, keeping their location tracking services confidential via a series of non-disclosure clauses and other restrictions. Access to these services would also be prohibitively expensive for most individuals. But even if some of these services were available to the general public, that still doesn’t mean that the government can lawfully access them without a warrant. In cases like Kyllo v. United States, the Fourth Amendment barred police officers from activities that private citizens could in theory undertake but generally do not. The standards of Kyllo and related cases would likely govern here. Because this sensitive data is not publicly exposed (and is generally stored in big anonymized blocks when not in government hands), it remains functionally private. And because a government purchase of such data from a surveillance vendor is state action that eliminates this privacy, it is a Fourth Amendment search.

Second, in many cases customers do not meaningfully consent to the collection of their location data via cellphone apps. Nor should it matter much for Fourth Amendment purposes if they do. The explanations customers see when an app asks for permission to access their location are often insufficient or misleading, and usually say nothing about such data being sold or shared with other parties. Nor can customers be reasonably expected to read or comprehend the detailed privacy policies of every app or service they encounter. And basing Fourth Amendment protections on the voluntariness of data disclosures is nonsensical anyway, as I argue in a recent Cornell Law Review article. Disclosure of data to services like Uber, Google Maps, dating apps, smart home devices, websites, and countless other providers is in theory voluntary and avoidable, but in practice a beneficial and important part of modern life. Punishing users for disclosing their data to service providers creates terrible incentives and is incompatible with meaningful Fourth Amendment protection in the digital age. It would also expose the most sensitive forms of personal information to government surveillance, and create substantial inequalities in Fourth Amendment law. Technologies that are avoidable for most people (and thus unprotected from government surveillance) are often unavoidable for others, including the disabled, the poor, and other disadvantaged populations.

Courts are just beginning to address the complex question of government purchases of sensitive data—but the first such decision accords with the analysis above. In Cooper v. Hutcheson, a federal district court held that a plaintiff successfully stated a claim against a Missouri Sheriff for his purchase of location data from Securus, a private company. The court noted that Securus’s customers were exclusively law enforcement personnel and that it sold a product designed to track individuals in criminal investigations. Because Securus was a willful participant in joint surveillance activity with the government, it could be considered a state actor for Fourth Amendment purposes. The Sheriff’s use of the service accordingly violated the plaintiff’s Fourth Amendment rights under Carpenter (according to the facts alleged by the plaintiff at the pleading stage). The data at issue in Cooper was not voluntarily disclosed to cellphone apps, so it remains possible that such data would be treated differently by courts. But the Sheriff’s use of a vendor didn't allow him to circumvent the Fourth Amendment. At least where vendors cater to law enforcement customers and provide them with services designed for tracking individuals, government purchases of location data are likely to require a search warrant.

Some of my favorite privacy and Fourth Amendment scholars are in the process of writing articles about this issue, and they may be initially skeptical that the 4th Amendment will protect data purchased from a vendor. And while I think the Fourth Amendment should and will protect such data, I largely agree with these scholars that statutory protections are the optimal approach here. There are at least two reasons for this. One is that Fourth Amendment protection for this data isn't guaranteed, especially given the new, more conservative Supreme Court. Another is that, even if the government never gets involved, there’s a lot of sensitive information being bought and sold by private vendors, causing substantial privacy harms and associated risks for consumers. The time is right for meaningful regulation of data collection by cellphone apps and data brokers. But given that such regulation is often slow to arrive in practice, the Fourth Amendment issue is likely to be an important one. Courts should resolve it consistently with Carpenter and Kyllo--and in favor of Fourth Amendment protection.


egarber said...
This comment has been removed by the author.
egarber said...

This is only going to become more prevalent, as big data continues to drive everything in business.

To simplify it all, I see two prongs:

1. Nothing about this evolution should alter the basic test for state actors - i.e., requiring individualized suspicion to track somebody. It seems pretty clear to me that there is a reasonable expectation of privacy on that dimension. "Wait, I volunteered to see custom ads, and now law enforcement can track my location????? Whoa...."

2. Rather than wait for the courts to draw lines, which are likely to get muddled, I completely agree that Congress should take the lead here and codify privacy / 4th Amendment rules via statute.

One side question: would Congressional authority for such rule making emanate from the commerce clause here - or might it be pursuant to Sec 5 of the 14th? I'm guessing it could be both.

Matthew Tokson said...

egarber, thanks and interesting question. I think the Commerce Clause works here, because we're dealing with nationwide purchases. Congress also has the power "To make Rules for the Government" in art. 1, Sec. 8, if it wants to regulate federal surveillance that doesn't involve commerce. Section 5 of the 14th Amendment would likely work for state and local surveillance, as with the Section 1983 statute.

egarber said...

I’m always intrigued by Boerne when it comes to this stuff. When is a congressional statute not remedial via Sex 5, but an attempt to impermissibly augment or change a core holding? And that squishiness ties back nicely to other posts here about legal realism; nothing about these thorny issues is like calling balls and strikes. :)

egarber said...

Really? sex 5? Sorry. Sec 5. :)

Fred Raymond said...

Thanks much to Matthew Tokson for linking to the Cornell article; as a non-legal type, I indeed got a lot out of it.