WASHINGTON – A military branch of the intelligence community is buying commercially available databases of location data from smartphone apps and searching them for past American movements without a warrant. This emerges from an unclassified memo from the New York Times.
Defense Intelligence Agency analysts have searched a commercial database for the movements of Americans in five investigations over the past two and a half years, agency officials said in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.
The disclosure sheds light on a looming loophole in data protection law in the digital age: In a landmark 2018 decision known as the Carpenter Decision, the Supreme Court ruled that constitutional government must obtain an arrest warrant Forcing telephone companies to hand over location information about their customers. But the government can buy similar data from a broker instead – and doesn't think they need an arrest warrant for it.
"D.I.A. Carpenter's decision to seek a judicial arrest warrant confirming the purchase or use of commercially available data for intelligence purposes should not be interpreted in that way," the agency said in the memo.
Mr. Wyden has made it clear that he intends to propose laws to protect American privacy related to commercially available location data. In a Senate speech earlier this week, he denounced the "where, instead of receiving an order, the government is simply buying Americans' private records from those bad and unregulated commercial data brokers who are simply above the law."
He described the practice as unacceptable and an interference with constitutional data protection rights. "The fourth amendment is not for sale," he said.
The government's use of commercial databases containing location information has been increasingly scrutinized. Many smartphone apps log the locations of their users, and the app makers can aggregate the data and sell it to brokers who can then resell it – including the government.
The government is known to sometimes use such data for law enforcement purposes on home soil.
The Wall Street Journal reported last year about law enforcement agencies using such data. In particular, two departments of the Ministry of Homeland Security – Immigration and Customs Control and Customs and Border Protection – used the data to monitor the border and investigate immigrants who were later arrested.
In October, BuzzFeed reported the existence of a legal memo from the Department of Homeland Security stating that law enforcement agencies were lawfully allowed to purchase and use location data from smartphones without a warrant. The inspector general of the department has initiated an internal review.
The military is also known to sometimes use location data for intelligence purposes.
In November, Vice's motherboard tech blog reported that Muslim Pro, a Muslim prayer and Quran app, had sent its users' location data to a broker called X-Mode, which in turn sold it to defense companies and the U.S. military. Muslim Pro then said it would stop sharing data with X-Mode, and Apple and Google said they would ban apps that use the company's tracking software from phones running their mobile operating systems.
The new memo for Mr. Wyden, written in response to requests from a privacy and cybersecurity assistant in his office, Chris Soghoian, complements this emerging mosaic.
The Defense Intelligence Agency appears to primarily buy and use location data for investigations into foreigners abroad. One of its main tasks is to discover threats to American forces around the world.
However, the memo states that the unidentified broker or brokers that the government buys bulk smartphone location data from does not separate American and overseas users. Instead, the Defense Intelligence Agency processes the incoming data to filter the records that appear to be on home soil and stores them in a separate database.
Agency analysts are only allowed to consult this separate database of American data if they have special permission. The memo goes on to say, “Permission to query US equipment location data has been granted five times for authorized purposes in the past two and a half years. ”
Mr. Wyden asked Avril D. Haines, President Biden's new director of national intelligence, during her confirmation hearing this week about what he called "misuse" of commercially available location information. Ms. Haines said she was not up to date on the issue but stressed the importance of the government being open to the rules by which it operates.
"I would try to essentially publish a framework that will help people understand the circumstances under which we are doing this and the legal basis under which we are doing this," she said. "I think that is part of what is vital to promoting transparency in general, so that people understand the guidelines by which the intelligence services operate."
Mr Wyden's impending legislation on the matter is likely to be embroiled in a major surveillance debate that flared up in Congress last year before it ran aground after unpredictable statements by President Donald J. Trump as he fueled his complaints about the Russia investigation and threatened to veto the bill and not make it clear what would satisfy him.
With Mr Biden in office, the legislature will resume this unresolved issue. The legislation focused on reviving several provisions of the Patriot Act that had expired and whether new safeguards should be put in place, including prohibiting the use of a part known as Section 215 to gather information about surfing the Internet without guarantee.