The FBI has confirmed to the Senate it is once again buying data which can be used to track the locations of US citizens. That may have surprised the people who thought the precedent in Carpenter v. United States prohibited it. But while that case examined if it was legal for law enforcement to obtain location data from mobile networks without a warrant, here the FBI and other agencies have found a way to skirt the Fourth Amendment entirely. Over the last few years, they have taken to just buying location data from the same companies which power the enormous online advertising ecosystem.
Where does this data come from?
When your phone is connected to the internet, it broadcasts about itself, and so do the apps and platforms you use. That information includes your IP address and device type, as well as your longitude and latitude if your device has GPS. This data, known as Bidstream, alongside any third party cookies tied to your device, enables the process of Real Time Bidding (RTB). RTB is the process where your attention is auctioned off to the highest bidder in the milliseconds after you’ve loaded a page. In order to make the auctions work, these platforms need to know as much about you as they can.
As I explained in depth back in 2021, data such as your location and IP address is broadcast over the ad networks. This information can also be aggregated, licensed or sold to data brokers who can pair this with any “deterministic data” available. For instance, if you sign up to a platform and tell them your name, email address and annual income, that data could be licensed to a data broker. Even banks looking for new revenue streams are planning to license anonymized customer data to these companies. Data brokers can easily combine the two streams of information to build out a fairly extensive picture of you as a person, and what advertisers will be the most interested in you. Unfortunately, it’s extremely difficult to opt out of this and, even if it were, it would be even more difficult to destroy the data already in circulation.
In 2018 French company Vectaury, which acted as an ad sales intermediary for mobile apps, was inspected by the French data protection regulator. Officials found the company had built a database containing the personal data of 67.6 million people without proper consent.
Data brokers don’t just harvest and hoard this data to make online ad sales, however, they will also license and sell its databases to others. Lawmakers believe that these brokers have sold this data to rival nations looking for ways to spy on US citizens.
How are law enforcement agencies getting it?
In January, 404Media revealed the US Immigration and Customs Enforcement Agency (ICE) bought access to tools supplied by cybersecurity company Penlink. Specifically, it purchased access to tools named Tangles and Webloc, which can be used to surveil large numbers of people at once. The latter tool reportedly has the power to identify smartphones in a given area and time, and can then follow them on their journey through the day and back to their home at night.
Given the secretive nature of its business, Penlink does not reveal much about how its tools operate. A since-removed marketing page says Webloc automatically analyzes “location based information” available in “endless digital channels from the web ecosystem.” And 404Media’s report says these tools access “commercially available smartphone location data,” supplied by third-party data brokers. Forbes reports the system can also pull together data from a variety of sources, including social media, to offer a real-time view of an event. The Texas Observer says Webloc can use this information to enable “warrantless device tracking.”
A number of other US law enforcement agencies have also purchased location data from data brokers, including the Department of Homeland Security, Customs and Border Protection, the Secret Service and the Internal Revenue Service. This isn’t just limited to government agencies, however, as anti-abortion groups did similar while targeting people visiting Planned Parenthood clinics.
How can this be legal?
The Fourth Amendment guarantees the right of the people to be protected from “unreasonable searches and seizures,” made without probable case. But, as Dori H. Rahbar wrote in the Columbia Law Review, “the Fourth Amendment does not regulate open market transactions.” Aaron X Sobel, writing in the Yale Law and Policy Review, described the practice as “end-running warrants,” and urged legislators to close this loophole. The Electronic Frontier Foundation (EFF), is also pushing for legislation under the Fourth Amendment is Not For Sale Act.
It’s not likely that such legislation will be passed for a long time, and a cynic would suggest it’s not possible under the current administration. But, even if it is, it won’t address the bigger issue of the ad tech industry and its partners vacuuming up as much information about us as it can. When these companies — many of which aren’t even known to the public — are able to store up enough information on us that, if they were so motivated, they could follow our path through the day, it’s a sign something is very rotten indeed. If we’re concerned about governments having this sort of access, then we should be equally nervous about anyone else having it as well.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/dont-be-surprised-that-the-fbi-is-buying-your-location-data-182047627.html?src=rss