Kash Patel’s disclosure on Wednesday that the FBI has resumed buying location data on Americans has many people, including members of Congress, wondering: how does private information get into the hands of the US government in the first place – and how can federal law enforcement use that information to track peoples’ whereabouts?
Federal law enforcement agencies generally must obtain a warrant, which requires establishing probable cause in the eyes of a judge, to gather historical or real-time cellphone location data. The US supreme court has ruled that the fourth amendment to the US constitution, which protects against “unreasonable search and seizure”, prohibits the warrantless collection of individuals’ location histories. Buying such information, usually en masse, can circumvent this requirement, leading many privacy advocates to label the practice unconstitutional.
What did Kash Patel say?
The FBI director’s admission came in response to a question from Ron Wyden, a Democratic senator of Oregon and a longtime opponent of the warrantless surveillance of Americans. Wyden told Patel that his predecessor, Christopher Wray, testified in 2023 that the FBI did not at that time purchase location data derived from internet advertising, although he acknowledged that it had done so in the past.
“Is that the case still?” Wyden asked. “And if so, can you commit this morning to not buying Americans’ location data?”
“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,” Patel responded.
“So you’re saying that the agency will buy Americans’ location data,” Wyden said. “I believe that that’s what you’ve said in kind of intelligence lingo. And I just want to say as we start this debate, doing that without a warrant is an outrageous end run around the fourth amendment. It’s particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”
Where does the location data originate?
It starts, in most cases, with our phones. Mobile applications can track our movement precisely and often to make services like mapping apps useful. There’s a hidden cost, though, to using what otherwise may seem like an innocuous way to check the weather or plan a journey. “This is one way that apps that appear to be free or low cost to us are actually making money off of us – by making our very detailed location history the product,” said Nathan Freed Wessler, deputy director with ACLU’s Speech, Privacy, and Technology Project.
What can government agencies learn from your private location data?
Government agencies, companies, and even nefarious actors can buy and use location data to learn intimate details about you. “It’s incredibly revealing knowing where your phone goes over time,” Wessler said. “This level of detail shows your patterns of life.” This could be everything from where you go after work and where you sleep – as well as who you do those things with. Since it’s possible to track what phones are near each other, that can shed light on who you’re spending time with – even who you’re sleeping with – and what kind of gatherings you attend, whether it’s a psychiatrist’s appointment or a political rally.
Who is selling private location data to US law enforcement agencies?
Data brokers, which are companies that buy, collect and sell a vast array of data points on Americans with almost no oversight, have been able to cash in on large volumes of granular location data about people’s phones. These companies collect location data, often buying large amounts of it from app developers, and sometimes information about name, gender, health, political preferences and home ownership. It’s become a lucrative industry, worth billions of dollars.
“When you give an app permission to see your location, you’re also giving the other companies whose software is embedded in that app access to your location as well,” said Lena Cohen, staff technologist at the Electronic Frontier Foundation (EFF). Privacy experts note that once companies have your location, it’s hard to know – let alone control – what they do with it. It’s even difficult to figure out which particular apps sell users’ location data, although a few examples have been reported on. For example, one data broker bought location data from Muslim prayer and dating apps before that information ended up with the US military, according to Vice.
The EFF explains in a June 2022 blog post that data brokers can incentivize app developers to sell user data by paying per user for direct access to their device, which can allow the data broker to obtain location data when the app is open, or, in other cases, whenever the phone is on, even if the app is closed.
Targeted advertising can also be a source of location data. Real-time bidding allows websites and apps to auction off ad space. The EFF explains that all participants get data about people who would see their ad. “As a result, anyone posing as an ad buyer can access a stream of sensitive data about billions of individuals a day,” the EFF notes in a blog post. “Data brokers have taken advantage of this vulnerability to harvest data at a staggering scale.”
Data brokers also often maintain portals that allow government agencies to run queries about which phones are in an area at any given time, Wessler said.
What do federal agencies do with private location data?
Federal agencies, including the FBI and the Department of Homeland Security (DHS), previously bought location data for investigations. The Wall Street Journal reported in 2020 that the DHS used the information to find “undocumented immigrants and others who may be entering the US unlawfully” and “look for cellphone activity in unusual places, such as remote stretches of desert that straddle the Mexican border”. 404 Media reported earlier this month that an internal US Customs and Border Protection document showed the agency used location data from the online advertising industry to track phone locations. Congressional Democrats called, on 3 March, for an investigation of warrantless purchases of Americans’ location data by ICE and the DHS. They cited a 2023 report from the DHS inspector general that found ICE’s data purchases were illegal, leading to the program being shut down in 2023.
Who is pushing back on law enforcement agencies buying location data?
Many privacy advocates argue that funneling information from data brokers to government agencies is already illegal. They say it violates the fourth amendment by allowing the government to bypass requirements that it obtain a court warrant if it wants specific location data about a specific person. Some lawmakers are trying to close what they see as a loophole.
Leading the pack in Congress is Wyden, who introduced a sweeping surveillance-reform bill that includes a measure to stop the federal government from buying location information from data brokers without a warrant.
In the absence of strong federal privacy laws, people still have some agency. The EFF details steps people can take in a 5 March blog post. They can disable location ID and review the apps to which they have granted location permissions. “If you can’t disable location access completely for an app, limit it to only when you have the app open or only approximate location instead of precise location,” the EFF notes. The EFF also suggests that cellphone users disable their mobile advertising ID, noting that this identifier helps location data brokers “stitch together the information they collect about you from different apps”.
Still, Americans are worried about how much of their data is already exposed. Some may not know or encounter these tips. “Not everyone’s going to have the savvy to do that,” said Wessler. “So the real answer is that Congress needs to step in.”
