The 4th Amendment in a Zero Privacy World
Should the government need a warrant to get information it can buy on the open market?
Under the too-alarmist headline, “The US Is Openly Stockpiling Dirt on All Its Citizens,” Wired’s Dell Cameron points to the government’s exploitation of an obvious-in-hindsight loophole.
The United States government has been secretly amassing a “large amount” of “sensitive and intimate information” on its own citizens, a group of senior advisers informed Avril Haines, the director of national intelligence, more than a year ago.
The size and scope of the government effort to accumulate data revealing the minute details of Americans’ lives are described soberly and at length by the director’s own panel of experts in a newly declassified report. Haines had first tasked her advisers in late 2021 with untangling a web of secretive business arrangements between commercial data brokers and US intelligence community members.
What that report ended up saying constitutes a nightmare scenario for privacy defenders.
“This report reveals what we feared most,” says Sean Vitka, a policy attorney at the nonprofit Demand Progress. “Intelligence agencies are flouting the law and buying information about Americans that Congress and the Supreme Court have made clear the government should not have.”
Again, I find this too alarmist and hyperbolic.
In the shadow of years of inaction by the US Congress on comprehensive privacy reform, a surveillance state has been quietly growing in the legal system’s cracks. Little deference is paid by prosecutors to the purpose or intent behind limits traditionally imposed on domestic surveillance activities. More craven interpretations of aging laws are widely used to ignore them. As the framework guarding what privacy Americans do have grows increasingly frail, opportunities abound to split hairs in court over whether such rights are even enjoyed by our digital counterparts.
“I’ve been warning for years that if using a credit card to buy an American’s personal information voids their Fourth Amendment rights, then traditional checks and balances for government surveillance will crumble,” Ron Wyden, a US senator from Oregon, says.
While I’m not often on Wyden’s side in policy debates, he has a point. And I’ve argued for decades that the 4th Amendment has been construed far, far too narrowly by law enforcement agencies and the courts.
But here’s the thing: what we’re talking about here isn’t “surveillance” or “search” in any traditional sense. We’re literally asking if government agencies should have the same ability to buy information legally held by commercial entities as anyone else.
Wyden had pressed Haines, previously the number two at the Central Intelligence Agency, to release the panel’s report during a March 8 hearing. Haines replied at the time that she believed it “absolutely” should be read by the public. On Friday, the report was declassified and released by the ODNI, which has been embroiled in a legal fight with the digital rights nonprofit the Electronic Privacy Information Center (EPIC) over a host of related documents.
“This report makes it clear that the government continues to think it can buy its way out of constitutional protections using taxpayers’ own money,” says Chris Baumohl, a law fellow at EPIC. “Congress must tackle the government’s data broker pipeline this year, before it considers any reauthorization of Section 702 of the Foreign Intelligence Surveillance Act,” he said (referring to the ongoing political fight over the so-called “crown jewel” of US surveillance).
The ODNI’s own panel of advisers makes clear that the government’s static interpretations of what constitutes “publicly available information” poses a significant threat to the public. The advisers decry existing policies that automatically conflate, in the first place, being able to buy information with it being considered “public.” The information being commercially sold about Americans today is “more revealing, available on more people (in bulk), less possible to avoid, and less well understood” than that which is traditionally thought of as being “publicly available.”
Perhaps most controversially, the report states that the government believes it can “persistently” track the phones of “millions of Americans” without a warrant, so long as it pays for the information. Were the government to simply demand access to a device’s location instead, it would be considered a Fourth Amendment “search” and would require a judge’s sign-off. But because companies are willing to sell the information—not only to the US government but to other companies as well—the government considers it “publicly available” and therefore asserts that it “can purchase it.”
So, here’s the thing: I agree that government agencies should not be able to bypass 4th Amendment guarantees by buying this information. But, honestly, I’d rather the federal government have this information than just about anybody else.
Could US law enforcement or intelligence agencies misuse this information to the detriment of the civil liberties of American citizens? Absolutely. Should we put a stop to it? Almost certainly.
But isn’t the obvious solution to make it illegal to sell this information to anyone? To require companies collecting sensitive information to do so only to the extent required to provide the service for which they’re being contracted? To safeguard it properly under heavy penalty for failure? I’m no expert but that’s certainly my instinct.
If, however, we’re not interested in doing that—or it’s simply not technically feasible given the interconnected nature of the online universe we’ve created over the last three decades—then I don’t know how we can complain that the government is violating our privacy. We either have privacy or we don’t.
One possible caveat—and a big one—is suggested in this paragraph:
It is no secret, the report adds, that it is often trivial “to deanonymize and identify individuals” from data that was packaged as ethically fine for commercial use because it had been “anonymized” first. Such data may be useful, it says, to “identify every person who attended a protest or rally based on their smartphone location or ad-tracking records.” Such civil liberties concerns are prime examples of how “large quantities of nominally ‘public’ information can result in sensitive aggregations.” What’s more, information collected for one purpose “may be reused for other purposes,” which may “raise risks beyond those originally calculated,” an effect called “mission creep.”
It may simply be that the IC and LE agencies have more capacity to target the use of the information than commercial entities. Given my experience with federal government IT, though, I’m skeptical on that score.
Still, even ODNI is concerned about the implications:
Access to the most sensitive information about a person was once usually obtained in the course of a “targeted” and “predicated” investigation, the report says. Not anymore. “Today, in a way that far fewer Americans seem to understand, and even fewer of them can avoid, [commercially available information] includes information on nearly everyone,” it says. Both the “volume and sensitivity” of information the government can purchase has exploded in recent years due to “location-tracking and other features of smartphones,” and the “advertising-based monetization model” that underlies much of the internet, the report says.
“In the wrong hands,” the ODNI’s advisers warn, the same mountain of data the government is quietly accumulating could be turned against Americans to “facilitate blackmail, stalking, harassment, and public shaming.” Notably, these are all offenses that have been committed by intelligence agencies and White House administrations in the past. What constraints do exist on domestic surveillance activities are all a direct response to that history of political sabotage, disinformation, and abusive violations of Americans’ rights.
The report notes: “The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, or to keep flawless records of all their reading habits. Yet smartphones, connected cars, web tracking technologies, the Internet of Things, and other innovations have had this effect without government participation.”
The government must appreciate that all of this unfettered access can quickly increase its own power “to peer into private lives to levels that may exceed our constitutional traditions or other social expectations,” the advisers say, even if it can’t blind itself to the fact that all this information exists and is readily sold for a buck.
But, of course, nobody is compelling us to carry tracking devices. We eagerly do so of our own volition, upgrading to the latest and greatest every couple of years.
Obviously, we do it for the luxury—and, increasingly, necessity—of being in constant communication. But, either this information should be private and impossible for outsiders to access without a duly executed warrant or it’s for sale; it can’t be commercially available to everyone but the government.
FYI: This is the essence of the EU’s General Data Protection Regulation (GDPR). Personal data may only be collected, processed, and disseminated to the extent required to provide the contracted service (or to comply with certain legal obligations).
From a technical perspective, it can certainly be done – but Congress must want it.
For the most part people have no idea what information is available about them, and it predates the Web. In the early 90’s I worked on systems that addressed catalogs and magazines while they were being assembled at the printers (much, much more complicated than you might think) which had to deal with issues such as dropping a different GM ad in depending on demographics (Cadillac vs. Oldsmobile vs. Chevy). Curious as to how they got this information I started up a conversation with the in-house guy that dealt with the demographic databases. It turns out GM wasn’t collecting and keeping that info, they were simply renting it for the run. Lists were easily available that gave age, marital status, number of children and income level on a house by house basis. And of course that went with name and address. That was just standard and trivial. (Some of you old enough to remember the flood of catalogs and magazines that came cascading through your mail slot may recollect a seemingly random collection of letters in the address block, “DFBBZW” or similar. Each one of those letters could be a trigger for dropping a specific ad, or printing a specific offering on the order page.) I asked how specific they could get. Every divorced person on a block? Yes, although you couldn’t just rent one block. Every gay person? Sure, and whether they were male or female. Religion? Of course, and whether someone attended church every week. Where did this information come from? Well, specialty companies bought it from manufacturers who asked their customers to fill out warranty cards, specific interest magazines, credit rating services, DMV’s, doctors offices (yes, that’s why we have HIPAA now – doctors were free to sell lists of people who fit specific categories like “expectant mother”, “expectant father”, etc. and they most certainly did!). Even in the 90’s, there were thousands upon thousands of sources of compiled and collated information by household and name.
You’re missing the point. It’s not about the availability of the information, it’s about what can be done with it.
I’m thinking about building an indoor herb garden, since I’m letting my outdoor garden lie fallow this year to get rid of some nasty weeds. With the information on my purchases, my local hardware store can…. send me some coupons.
The police can decide that it’s probable cause that I’m growing pot and smash in my door, lob in some flash-bangs, run in weapons drawn, man-handle me–or shoot me! And if you think I’m being hyperbolic, go back and read the news. Radley Balko has a whole list of incidents like this.
@Mu Yixiao: None of which addresses how — or even if — one can stop the police from obtaining publicly available information. So the availability of the information is still at issue.
Law enforcement doesn’t need public data to make egregious overpolicing errors.
@Mu Yixiao: I don’t think you are being hyperbolic at all. I agree this needs legislation, and it has to be new legislation because in the past it has been accepted that you have no right to privacy with respect to information out in the public. For example, the police (or anyone else) is free to search your trash once it leaves your premises. They don’t need a warrant to watch your comings and goings from a public place. What does “comings and goings” mean wrt the Web and our online transactions? We have no right to privacy if we walk into a red state Walmart and buy an assault rifle or a twinkie. Do we have that right if we “walk” into Amazon?
But it’s not just government. Recently a right wing Catholic Group bought location data for people frequenting gay sites and used it to out Catholic Clergy. People are focusing way too much on the government here. James’ question isn’t even whether the government can collect this information – that’s a separate issue. It’s whether they can purchase it from a company that is selling it to the general public. In the example above, Walmart can (and does!) sell lists of people who have purchased all manner of things from them, as does virtually every store. Your grocery receipt has a detailed list of items you’ve purchased and unless you paid cash and didn’t use a store discount card, it’s tied to your name and address. So, if we are going to control this it has to be at the collection points.
@MarkedMan:
It’s the classic libertarian fallacy that only governments have power (and are in a position to abuse it).
@MarkedMan: Yep. My first thought was “If it is so bad for the US govt to have my info, what about Saudi Arabia? Russia? China?” Ad nauseam.
I’ve believed for many years that the effort to protect privacy was doomed (good lord William Safire used to rant about it before he died) and we should begin to understand that we now live in a village where everyone knows everyone else’s business. Less hypocrisy would mean less shame would mean less concern for privacy. Total transparency?
I keep hearing how all this data will result in. . . something. . . but what? No one has ever had more detailed data on consumers than Netflix. Can Netflix reliably produce a popular show? Nope. Can their algorithm even push shows I’m sure to like? Nope. Rather the contrary.
And what about Amazon? They know everything about me and what does it get them? I’ve never had Amazon make a useful suggestion, whether in media or in products. See also: Door Dash and Instacart and everyone else who ‘knows everything about me.’ And Google? What don’t they know about me? And why should I care?
@Michael Reynolds:
I suspect it has led to a lot of somethings already. Remember, all of this stuff gets mixed in when machine learning based systems are picking and choosing. So it can affect whether or not you get a mortgage and the rate you pay. What you pay if you are uninsured and need medical care. Whether your small town will get a chain store. Whether you will be recruited by a company or ignored when you apply. And perhaps the worst? What scams to target you with, and what supplemental details will cause you to fall for them the hardest.
I don’t know any of this for a fact but I think it is reasonable to assume at least this much.
@MarkedMan:
The thing is all those concerns predate the internet. Credit ratings have been around a long time. And the health care industry’s been running wallet biopsies since forever. As for scams, once you hit 65 you go on all the scam lists, (wouldja like some vinyl siding?) and yet, out here in reality, none of them have enticed me.
If I assumed that absolutely everyone knew absolutely everything about me, so what? CVS knows my preferred brand of laxative, oh no! They could, um, send me a coupon or something!
There is a great deal of power in honesty. As a man who kept secrets for decades I’ve found life out in the open to be a huge relief.
Now, misuse of data, for example creating lists of trans people? That’s not about the list, it’s about the use of that list by bad actors. But if it’s possible to use data to target gay people, it’s possible to use data to target bigots. If it’s possible for a hospital to weed out less profitable patients, it’s also possible for patient groups to out and even sue those hospitals. Can Proud Boys find lists of LGBTQ people? Yes, and clearly government can use data to locate Proud Boys.
My point is not that any of this is great, but rather that we have returned to the peasant village where there were no secrets. In the olde times if you fucked your sheep everyone in the village knew.
@Michael Reynolds:
But what if there are no actors at all, at least not any human ones? What if it turns out that trans people are more likely to default on credit card debt or miss days of work, and a machine learning algorithm is factoring that in? Oh, not directly, of course. It would have been told, “don’t base any decisions on whether someone is trans or not, don’t even record that in the data set”. But unbeknownst to the users it has identified secondary, tertiary or even more remote correlations. It might be factoring in the fact that credit risks are more likely seen in the vicinity of certain hospitals or clinics, more likely to shop at certain web sites, or less likely to have an unambiguously gendered name. No one told it to do these things, and most likely attempts were made to prevent it, but it could still happen.
@Michael Reynolds:
So far. But what if you got a text one minute after checking out of a store saying “Thanks for your recent purchase. Click here for the free gift promotion associated with your product”, or another that said, “Dad, every time I try to log in to the new FIOS service we just signed up for it’s giving me this message [linkable message] Sis [by actual name] is having the same issue. I don’t know about Mom, she’s at the [location she often goes to about this time]”? The point of AI and all this available information is that it can craft incredibly precise forays.
Over 20 years ago Larry Ellison, then CEO of Oracle, gave a speech where he stated that privacy was dead and we should get used to it. There was outrage after the talk, but Ellison was correct. What we are talking about today has a horse and barn door problem, where the horse escaped decades ago.
Much like @MarkedMan’s experience, I did a small consulting gig for a customer-facing marketing group at Anheuser-Busch in the early oughts; as part of that I worked with Axiom, the data aggregation company. They sent me my data profile that they had. It was amazing the information they had on me, and this was before data mining based on internet activity got really sophisticated.
@MarkedMan:
This is why I pay for things in cash, and don’t have discount cards for everything*. I run AdBlock Plus, ScriptSafe, and Privacy Badger on my browser. I have zero junk mail in my mailbox (except the occasional “We want to buy your house!” flier that everyone gets), and my primary e-mail addresses get zero spam (I have a couple spare addresses that get a constant stream, but that’s exactly what they’re for).
===
* I use my mother’s at the grocery store. And I have one for the hardware store, but rarely use it.
@MarkedMan:
Of course that could happen. But the likelihood is small and there are remedies. They got data, we got data, all god’s children got data. The Nazis had no problem finding Jews to murder, long before the word ‘data’ was even in common use. And they got away with it because they could largely keep it secret, something they’d have a much harder time with today.
If all this data is for sale, then what we have are secrets that are not secrets, information that is never exclusive. If you know I like armpit porn and I know you like diaper porn, where’s the advantage to either of us?
TBH my biggest beef with all the data collection is that like a lot of tech, it’s not very good or reliable. I’ve shopped every week for about 5 years thru Instacart and they’ll still offer me Velveeta. Netflix has never made a useful suggestion. Literally, never. Somehow, despite all the wondrous tech and mountains of data collected, FedEx has become actually incompetent. I’ve had far more trouble with them now than I did back in the day. I suspect that the vaunted data market supposedly worth trillions of dollars won’t be worth much at all in the end.
@Michael Reynolds: I think you may be failing to factor in the amount of digital advertising contact/purchase solicitation information that comes to you from people who are paying almost nothing for ad bombing you and may be hitching a ride on Amazon, Netflix, Travelocity, whoever.
@Michael Reynolds:
FWIW, I think you are misunderstanding the threat. The likelihood that machine learning algorithms are incorporating things from profiles that, if it were done deliberately, would be illegal or unethical? 100%. We know of dozens of cases where it’s happened already but only because it was being looked at closely and then they only found the things that were very obvious because the numbers were large. The remedies? I can’t think of any. At least not any that capture anything but the most egregious and obvious examples.
You can find out what Google knows
@Michael Reynolds:
Does Netflix sell data about you and your viewing habits to someone who actually can do “useful” things with them?
Is your auto insurance cost determined, in part, by how often you watch movies and shows with car chases? Or shows featuring Black people?
I have no idea whether Black folk have more car accidents per mile driven, I just expect the auto insurance companies to be randomly racist. I expect a lot of companies will find ways to basically reinvent red lining.
@Just nutha ignint cracker:
Sure, I’m being bombarded by ads, but if I never click on one, and never buy the products advertised, why should I care beyond the occasional load-time glitch? If the worst Big Data can do is send me a coupon, so what? And it’ll be a coupon I’ll never use because Big Data will not have figured out that I never use coupons. Of what value is data that results in me being offered a useless coupon? How many billions is that supposed to be worth?
I think we have a hugely inflated market that, were it priced realistically, wouldn’t be worth 10% of its current valuation. I don’t think the data is actually useful. None of my daily expenditures are in any way affected by data collection. The IRS is no more intrusive than it has ever been. Aside from the vague ickiness of, ‘people know things about me,’ I am not getting either the threat or the value.
Put it this way: if Big Data knew absolutely everything about me, down to my DNA, could they convince me to buy a Mini Cooper? No. Too small. OK, so they target a car I might like, say, a Mercedes. OK, well, I was already going to buy the Merc and I was never going to buy the Mini, so what exactly did Big Data contribute? My mind, my likes and dislikes all predate whatever ad is thrown at me, so the best they can do is nod along to decisions I already made.
Let’s say Big Data realizes I bought a Merc and decide, ‘hey, this is a guy who might like high end sushi because people who drive fancy cars love them some sushi.’ OK, but I don’t really like sushi. Oh, oh, I got it! Sell me a steak. You know, the thing I was already going to get?
@Gustopher:
Then the same tools they use will be employed by consumers to uncover those uses. Consumers who are voters, who have control of government and can pass laws. The problem here is that people warning of the danger ignore the existence of countermeasures and assume the worst, and further assume that we are all helpless sheep. They also assume that competition doesn’t exist, that a rival insurance company won’t make hay by pushing inclusivity.
@Michael Reynolds:
I can name two instances where it’s been more than just a coupon.
1) Target started sending coupons for baby stuff to a woman. A couple weeks later she found out she was pregnant. Not a huge deal, but…
2) the same thing happened to a teen-age girl. She knew she was pregnant–but her parents didn’t. She hadn’t told anyone.
I’ve heard stories of advertising outing homosexuals based on shopping habits–and a funny one about “Netflix thinks I’m gay” (based on viewing habits).
Big Brother is turning out to be a lot friendlier than Orwell envisioned. I’m reminded of this meme.
Personally, I would like a law that gives individuals ownership and control over their personal data, but I think that would be very hard to operationalize – especially when it comes to drawing a line between public and private information.
@Andy:..I would like a law that gives individuals ownership and control over their personal data,..
I think the last time that happened was when landline telephone subscribers could get an unlisted number that would not appear in the local directory along with their name and address for an extra charge on the monthly bill. At least they got control. Your telephone number still belonged to the phone company.
The NRA likes to stoke fears of the gubmit keeping a list of gun owners. It was reported some years ago that the NRA maintains a pretty good database on gun owners. Wonder what LaPierre would sell it for?
@Mister Bluster: It is absolutely happening in the EU with GDPR and has been happening in the US with respect to medical data held by covered entities.
Congress should *absolutely* pass a US version of GDPR here.
@Michael Reynolds: I think you’re talking past my point, and I, too, never click on ads. But I do get a fair number–tho not many sent directly to me. I’m only noting that getting ads for products I have no interest in buying may be more of a function of the ads being virtually free to send rather than a reflection of AI being incompetent at targeting your or my interests–though I also agree that it’s probably not good at it.
@Andy:
I suspect such laws already exist due to the near universal ask to agree that our data be available for sale in terms of use agreements.
@SKI:..Congress should *absolutely* pass a US version of GDPR here.
Write your Senator. Write your Representative.
@Michael Reynolds:
You have a fairly incorrect belief about the transparency of corporations.
And consumers noticing. Bud Light has been advertising to queer folk for over 20 years, and the conservatives just noticed. (Don’t tell them about Subaru)
Also, most insurance companies try to be “competitive” with the market leaders. If the major companies raise prices, the rest will follow suit, charging 10% less (or more) depending on their marketing plan.
@SKI: Congress should do a lot of things. I’ma not hold my breath waiting for them to happen, tho.
@Andy: Wiretap meme:
@Mister Bluster: I’m not sure as to why writing matters. If your reps are Dems, writing to them probably doesn’t matter and, if they’re Republicans, probably doesn’t help to change things. (And may put you on the list for the wiretap that doesn’t have any pancake recipes.)
@Mu Yixiao:
Have you tried sheet mulching?
https://modernfarmer.com/2016/05/sheet-mulching/
@Just nutha ignint cracker:..writing…
I suspect you are correct. Sometimes I think that I am slipping away from a healthy cynicism into a naivety like that of Jimmy Stewart’s character in “Mister Smith Goes to Washington”. I hope it’s not an indication of a decaying mind. I need to watch “Dr. Strangelove” again to set my head straight.