Colorability of the U.S. Government's Access to Digital Personal Data
-- By
AasthaSaily - 04 Mar 2024
Governments love surveilling the people and they indeed do so, now unfettered. The traditional access route for data not voluntarily disclosed by the people is to compel disclosure of such data, either from the individual or the private sector. In the U.S., this compelled access is regulated by a handful of laws and mechanisms which amongst other things generally require an individualized, fact-based suspicion of wrongdoing. This is guarded by the Fourth Amendment which put simply, protects people from “unreasonable” search and seizure by the government. Accordingly, the government is prohibited by law from asking such information without probable cause and a warrant. The contours of the Fourth Amendment protection were redefined in Carpenter v. United States, where SCOTUS seemingly reaffirmed privacy of individuals in the digital age. But the decision was narrow focusing primarily on cellphone tower location data and the court did not venture into other modes of data collection. This lack of legal instruction has contributed to the current status quo – another (arguably) legal access route for the government – commercial data purchases.
Barring a few specific industries and types of institutions (such as medical sector and financial institutions), voluntary disclosure of data by private sector is not subject to legal restrictions. This has led to the explosion of a largely unregulated market of data brokers who buy, repackage and sell personal data, which is then referred as “commercially available information” or CAI. Government agencies and departments are not blind to the availability of this information stream and have been capitalizing on it. Essentially, the governmental agencies do not request companies or data brokers for information under their search and seizure authority, rather, the government, like a customer, buys the data from them. In the recent years, there have been unofficial reports and speculations that the various federal agencies and local police departments purchase data from a vast network of specialized data brokers to track the activities of individuals over time. For instance, a report suggested that federal agencies have been using commercial databases to obtain location data to detect undocumented immigrants and phone activities along the U.S. – Mexico border and combined with our surveillance tool, have used this information to track, arrest and even deport immigrants across the U.S. Last year, however, the government itself admitted to this practice in a declassified report published by Office of the Director of National Intelligence. The report reveals that the government intelligence agencies acquire a significant amount of CAI for mission-related purposes, including in some cases social media data. Some of the government buyers include the Defense Intelligence Agency (contracting with
LexisNexis? ); the FBI (contracting with cybersecurity company for social media alerts); the Department of Homeland Security (using a clearinghouse to identify foreign researchers working in the U.S. who were tied to their home country’s militaries). While technically, the blocks of information being sold are anonymized, it is understood that it is rather easy to deanonymize such data and link it to a particular individual.
Due to the “no-law” system adopted by the U.S. in respect of general data protection and privacy, the government is able to legally circumvent the Fourth Amendment and gain access to data especially when obtaining such data would otherwise not withstand “reasonable” standard. Since the parameters and particularities of the data obtained are not regulated, this practice (of data purchases) is not subject to the same judicial or other legislative oversight mechanisms to ensure that individuals’ civil rights and liberties are upheld. In addition, when the government buys data (as opposed to compelling disclosure), the typical democratic safeguards around retention, minimization requirements or standards, deletion and transparency are not applicable.
Without any constitutional safeguards and democratic accountability, this practice becomes troublesome and concerning since data aggregation allows for an almost unprecedented range of surveillance which needs to be restrained. The Fourth Amendment has struggled to keep pace with the novel privacy issues linked to the evolving surveillance technology and so it falls upon the U.S. Congress to restore the principles and true essence of the Fourth Amendment. As a first step, it is crucial to regulate the way data is queried by the government – indiscriminate and general transmission of data from private sector to the government needs to be stopped. While some steps have been taken by lawmakers in this direction, at present these are far from being law. The most important being the “Fourth Amendment Is Not For Sale Act” (which while has now passed in the House but still faces a lot of opposition), that would prohibit law enforcement and intelligence agencies from purchasing communications content, location data, and other highly sensitive data that would otherwise require a warrant. The bill would also limit the government’s ability to create workarounds in the future by establishing some mechanisms as the exclusive means by which government may acquire information about the people in the U.S. However, it only focuses on data purchases, and does not, in this form, apply to other type of voluntary disclosures by data brokers or app developers – which might be an arrangement that brokers might want to establish contact or rapport with the government.
Given the fast paced natured of technology and data transactions, and given further the gestation period of a legislation, it is imperative to bring in short term as well as long term measures. In the short term, Congress could affirm that voluntary disclosure of data sets by data brokers are subject to constitutional and statutory constraints and could impose some sanctions on enforcement actions taken on the basis of data not obtained by following constitutional safeguards. In the long term, in addition to FISA, the U.S. Congress should address privacy concerns by introducing a comprehensive data privacy and security framework applicable to all data collectors and processors. While inspiration should be taken from GDPR, it is also important to ensure that the protections which have turned out to be toothless (such as, sharing data with the government “for lawful purposes”, sweeping powers of the government and opt out right / right to be forgotten) should be carefully considered and bolstered in favor of the data subjects.
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
To restrict access to your paper simply delete the "#" character on the next two lines:
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.