On January 22, 2021, the New York Times reported that the Defense Intelligence Agency (DIA) was acquiring commercially available databases from vendors containing U.S. person location data generated by smartphone applications, and the DIA was periodically using that data to track U.S. person device locations (specifically, the Times reported, “Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years”).
The Times article included a link to a DIA memorandum prepared in response to inquiries about the practice received from the office of Senator Ron Wyden. Senator Wyden subsequently raised the issue during the confirmation hearing of Avril Haines for the position of Director of National Intelligence (DNI) asking Haines about “abuses” of commercially available location data. In a statement released by Wyden’s legislative office in connection with Haines’ confirmation process, he describes the DIA practice discussed in the Times article as “unacceptable” and as an intrusion on constitutional privacy rights, saying, “The Fourth Amendment is not for sale.”
Other elements of the Intelligence Community also acquire databases from commercial vendors that contain anonymized mobile location information generated by smartphone applications. In February 2020, the Wall Street Journal reported that the Department of Homeland Security (DHS) was purchasing commercially available databases containing such location information for use in immigration enforcement.
The WSJ described the location data as “drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user had granted permission to log the phone’s location.” In contrast to the comments by Senator Wyden, the WSJ reported that DHS’s use of such commercially available data in this manner “appears to be on firm legal footing because the government buys access to it from a commercial vendor, just as a private company could, though its use hasn’t been tested in court.”
Commercial sales of location data produced by smartphone applications also drew attention during the height of the Black Lives Matter protests in spring/summer 2020. In June 2020, BuzzFeed News reported that Mobilewalla, a tech firm that promotes itself as assisting companies to make informed business decisions through the use of unique consumer intelligence solutions, had used location data harvested from the cell phones of thousands of the protesters to produce a report detailing highly specific information on the demographics of the protesters. The BuzzFeed News report quoted Senator Elizabeth Warren condemning the practice as “an example of the consequences of the lack of regulation on data brokers in the US.”
Warren is correct, at least insofar as acknowledging the lack of federal regulation over the brokering of digital information by service providers. In fact, no federal law prevents the practice of selling customers’ wireless data. In April 2017, then-President Donald Trump signed legislation overturning a pending Obama-era Federal Communications Commission (FCC) rule that would have required wireless carriers and internet service providers (hereafter collectively referenced as “provider(s)”) to obtain explicit “opt-in” permission from customers before sharing their information with other companies. Those FCC rules also would have required internet service providers to protect that data from hackers and inform customers of any breaches. Despite the protests of significant minorities in both houses of Congress and numerous privacy advocates, Congress has left protecting the privacy of Americans’ wireless and internet service records essentially to state regulation.
The Times’ recent article on the DIA’s use of commercially available location data, combined with the topic’s broaching during the Haines confirmation hearing, has returned the issue to public view. More specifically, Senator Wyden’s insistence that the “Fourth Amendment is not for sale,” coupled with the Times’s brief discussion of the Supreme Court’s 2018 decision in U.S. v. Carpenter, raises the question of whether the government’s commercial purchase of such data violates the Fourth Amendment rights of the customers whose smartphones generated that information. Although civil liberties advocates may insist otherwise, there is nothing in the Carpenter decision that can fairly be argued as extending Fourth Amendment protections to preclude the DIA’s practice of purchasing commercially available data for intelligence purposes.
What’s in the Carpenter Decision?
Two basic principles demonstrate that the Fourth Amendment’s protections are not implicated when the DIA (or any government entity) purchases databases lawfully possessed by a commercial vendor that include cell phone location information. First, the Fourth Amendment operates to protect people against unreasonable searches and seizures by the government, and extensive Fourth Amendment jurisprudence documents that, absent a government “search” that triggers its protections, the Fourth Amendment is not implicated. Generally speaking, then, a “search” requires some government action because a search or seizure, even an unreasonable one, effected by a private individual or entity that is not acting as a government agent or in complicity with government officials does not trigger Fourth Amendment protections.
The smartphone-generated geolocation data purchased by the DIA is provided by a commercial vendor that, in turn, obtains the information—either directly or indirectly—from the provider that services the smartphone generating the data. Neither the DIA, nor, likely, the commercial vendor from which the DIA purchases the data, directly interacts with the smartphone user, and the sale of the information by the service provider to the commercial vendor is presumably a transaction to which the user has consented—albeit perhaps as part of a densely worded contractual document prepared exclusively by the provider that governs the terms of service between the provider and the user. Expressed more concisely, the commercial vendor likely has acquired the smartphone user’s anonymized location data in a transaction with the provider that does not violate any federal law, and in which the government, i.e., DIA, has played no part. The absence of any participatory role by the DIA in obtaining the database information from the user means that no “search” or “seizure” has occurred that triggers Fourth Amendment protections.
Moreover, the user’s “consent,” whether implied or explicit, to allow the provider to share the smartphone’s data with third parties directly implicates the Supreme Court’s longstanding “third party” doctrine, which, according to the majority opinion written by Chief Justice John Roberts in Carpenter, retains viability post-Carpenter. In the context of the DIA’s acquisition of this smartphone-generated location data, the DIA acquires the information from an entity that is also a third party, which obtained the information in a commercial transaction from the provider—the third party initially generating and possessing the user data in question.
This thumbnail sketch of the commercial transaction that produces the smartphone-generated database ultimately purchased by the DIA is readily distinguishable from the government’s compelled production of cell-site location information (CSLI) that was the focus in Carpenter. There, as then required by the Stored Communications Act, the government obtained an administrative subpoena compelling MetroPCS and Sprint (Carpenter’s providers) to produce the CSLI, which became part of the evidence used by the government to convict Carpenter at trial.
Pre-Carpenter, the government’s acquisition of those CSLI records would have been governed by the third-party doctrine, which formed the legal premise for allowing the government to obtain the information pursuant to an administrative subpoena as opposed to a warrant based on probable cause. But, in a decision that reshaped Fourth Amendment law, the Supreme Court concluded that the increasingly intrusive technology associated with, and the pervasive use of, cellular telephones warranted extending Fourth Amendment warrant protection to the compelled production of CSLI—at least where the government pursued more than seven days of CSLI. It is worth emphasizing that Carpenter dealt solely with CSLI. Arguably, the Carpenter holding does not affect other information collected by providers, including, for example, banking information, texts, and emails, although, admittedly, the type of geolocation data purchased by the DIA is technologically analogous to the CSLI at issue in Carpenter.
A full discussion of Carpenter and of its meaning in the broader context of Fourth Amendment law would consume many pages, and others have written on the decision and its ramifications at length. However, in terms of evaluating the inapplicability of the Carpenter holding to the DIA’s action in acquiring smartphone-generated location information from commercial vendors, the significant features of the Carpenter decision are these material factual distinctions and the majority opinion’s own self-imposed limitations. Chief Justice Roberts described Carpenter as a “narrow” ruling that did not disturb the underlying cornerstone holdings of U.S. v. Miller and Smith v. Maryland, which underlie the third-party doctrine. Equally important in terms of the DIA’s acquisition of location services information for foreign intelligence purposes, the Supreme Court majority provides that its “opinion does not consider other collection techniques involving foreign affairs or national security.”
Both the DIA and the DHS, in connection with the DHS’s own acquisition of commercially available databases containing anonymized location information, have generated internal memoranda concluding that the practice does not offend the Fourth Amendment and is not affected by the Carpenter decision. The DIA internal memorandum, focusing on the admittedly “narrow” scope of that decision and on its disavowal of any intent to affect “collection techniques involving foreign affairs or national security,” as noted above, concludes that the Carpenter decision “did not address the process, if any, associated with commercial acquisition of bulk commercial geolocation data for foreign intelligence/counter-intelligence purposes.” Given the material differences distinguishing the facts in Carpenter from the transactional process by which the DIA acquires geolocation data, this seems a sound conclusion, and Senator Wyden’s comment is misleading to the extent it implies that the DIA’s purchase of geolocation data from a commercial vendor offends either the Fourth Amendment, generally, or, more particularly, the Supreme Court’s Carpenter holding.
It’s Up to Congress to Act
Executive Order 12333, which governs the conduct of U.S. intelligence activities, specifically authorizes intelligence components (like the DIA) to collect, retain, or disseminate information concerning U.S. persons that is publicly available or collected with the consent of the person so long as that information is collected in a manner consistent with the Constitution and applicable law, and in accordance with procedures approved by the head of the component and the Attorney General.
The DIA’s acquisition of geolocation data from a commercial vendor appears entirely consistent with the mandate of Executive Order 12333. Moreover, Congress, in §1052 of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), acknowledges open-source intelligence as a valuable component “to be integrated into the intelligence cycle to ensure that U.S. policymakers are fully and completely informed” while tasking the DNI with the responsibility of ensuring that the intelligence community “makes efficient and effective use of open-source intelligence and analysis.” Acting on this congressional mandate, the DNI’s website defines “Open-Source Intelligence” as “publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, and videos, graphics, and drawings.” The commercially available databases acquired by the DIA represent precisely this sort of “Open-Source Intelligence.”
Consequently, it is hard to understand how the DIA’s pursuit of open-source intelligence—a tasking found in executive directive and congressional legislation—warrants commentary implying that the DIA, and the Intelligence Community in general, are “using legal loopholes in the law and the warrant requirement in the Fourth Amendment” to “purchas[e] the private records of Americans from sleazy commercial data brokers.” This is the language Senator Wyden chose to use while insisting that the Intelligence Community needs to rebuild trust by “making sure Americans know what kind of surveillance the government is conducting on them.”
Lumping elements of the Intelligence Community in with “sleazy commercial data brokers” hardly seems justified when Congress has directed that the IC take action to ensure that open-source intelligence “be integrated into the intelligence cycle to ensure that U.S. policymakers are fully and completely informed.” This is especially true considering that “sleazy commercial data brokers” remain unregulated by federal law precisely because Congress chose to eliminate proposed FCC regulations that would have required some level of consumer privacy protection in connection with their commercial activities.
As explained above, nothing regarding the DIA’s acquisition of this commercially available data violates the Fourth Amendment, and any suggestion to the contrary is misleading. That said, if Congress wants to regulate the public trafficking in consumers’ data held by providers, it certainly has the authority to do so by appropriate legislation. However, given that Congress passed on such an opportunity a few years ago, prudence demands that any future statutory initiative ensure that American intelligence activities are not unnecessarily disadvantaged through reliance upon the questionable legal conclusion that the practice of purchasing internet databases made available by commercial vendors runs afoul of the Fourth Amendment. The congressional acknowledgment of the importance of including open-source information into the intelligence cycle remains as valid today as it was when Congress formally documented that significance in IRTPA in 2004. It is a virtual certainty that foreign intelligence services acting either in the public market through the same “sleazy commercial data brokers” or simply by hacking into providers’ databases are obtaining the same information that Senator Wyden suggests should be available to U.S. intelligence agencies only pursuant to court order.
It seems likely that this open-source issue will become part of a larger discussion on foreign intelligence surveillance when Congress returns its attention to the Foreign Intelligence Surveillance Act (FISA) in the coming year. Before the pandemic upended the legislative calendar in March 2020, Senators Ron Wyden and Steve Daines had introduced the “The Safeguarding Americans’ Private Records Act” (the “Safeguarding Bill”) calling for amending FISA to require the application of Carpenter’s probable cause requirement whenever a component of the Intelligence Community seeks to acquire CSLI, GPS information, and/or browser and internet search history. While the debate on the Safeguarding Bill and other proposed FISA “reform” legislation was prematurely truncated by the arrival of the pandemic, that proposed legislation called for extending the holding in Carpenter well beyond the “narrow” confines of Chief Justice Roberts’s majority opinion and overriding the Supreme Court’s deliberate decision to exempt from Carpenter’s reach “collection techniques involving foreign affairs or national security.” When that FISA debate almost certainly resumes later this year, particularly careful concern should be taken to avoid handcuffing the nation’s intelligence capabilities using suspect constitutional interpretation that only serves to distort efforts to balance effective intelligence collection with constitutional liberties. Like prudent medical care, the best approach to producing carefully crafted legislation like FISA affecting the national security should always be, “first, do no harm.”
The views expressed in this article are those of the author alone and do not necessarily reflect the position of the Foreign Policy Research Institute, a non-partisan organization that seeks to publish well-argued, policy-oriented articles on American foreign policy and national security priorities.
*About the author: George W. Croner, a Senior Fellow in the Program on National Security at the Foreign Policy Research Institute, previously served as principal litigation counsel in the Office of General Counsel at the National Security Agency. He is also a retired director and shareholder of the law firm of Kohn, Swift & Graf, P.C., where he remains Of Counsel, and is a member of the Association of Former Intelligence Officers.