By US Army Maj. Steven Szymanski
Introduction
The commercial data market has exploded. Data has even been dubbed “the oil of the 21st century.”[1] Aiming to capitalize on this blossoming industry, data brokerage companies have emerged to collect, collate, and sell personal data from nearly everyone who uses the Internet.[2] New online data auctions occur thousands of times per day, selling everything from users’ shopping preferences to their actual location.[3]
Many Americans have experienced the eerie phenomenon of receiving advertisements for regional businesses during cross-country travel. The realization that our smart phones and applications are tracking our movements is becoming common knowledge. While discount offers for local steakhouses may be welcomed during road trips, serious questions have emerged about the lack of regulation in this new market and the potentially ominous uses of commercial cellular location data. This piece focuses on a slice of this larger discussion by examining whether intelligence agencies should be permitted to purchase the commercial data without a court order.[4] It concludes that policy makers should preserve the U.S. intelligence community’s (IC) ability to purchase this information, while imposing substantial oversight to ensure that American privacy interests are preserved.
In early 2021, Senator Ron Wyden queried the Defense Intelligence Agency (DIA) to confirm: (1) whether DIA purchases commercial location data from apps installed on consumers’ smart phones; and (2) whether the agency construes the landmark Carpenter v. U.S. decision as “only applying to location data obtained through compulsory legal process” and not to “data purchased by the government?”[5] In January, the DIA affirmatively answered both questions, reasoning that Carpenter’s scope was limited to law enforcement and did not prohibit the IC’s authority to collect commercially available information to support intelligence requirements.[6]
Likely and predictably dissatisfied with the DIA’s response, Senator Wyden introduced the “Fourth Amendment is Not for Sale Act” (hereinafter, the Act) on April 21, 2021.[7] If passed, the Act would prohibit law enforcement and intelligence agencies from purchasing commercially available data without a court order or warrant.[8] Though the bill has been met with bipartisan endorsement and heralded by privacy advocates, the DIA should petition Congress to preserve its nearly four-decade authorization to collect publicly available information (PAI) for intelligence purposes to support national security objectives.
Part I of this article will briefly summarize the landmark Carpenter v. U.S. ruling. Part II will analyze the DIA’s position that its purchase of commercial data is lawful. Part III will describe the Department of Defense’s (DoD) current procedures to safeguard U.S. person information (USPI). Part IV will examine the Act. Finally, Part V will argue that prohibiting the DIA from purchasing commercially available data is imprudent and unnecessary. Instead, Congress should direct that DoD’s existing privacy oversight mechanisms be supplemented by routine audits from the Privacy and Civil Liberties Oversight Board (PCLOB).
I. Carpenter v. United States
In 2018, Chief Justice John Roberts authored a 5-4 majority opinion in Carpenter v. U.S.[9] According to the facts in the case, following the arrest of four suspects for a series of robberies, one suspect confessed and provided the FBI with his co-conspirators’ cell phone numbers.[10] The FBI then applied for three magistrate court orders to obtain “transactional records” which included their historic cellular cite location data (CSLI).[11] The judges granted the orders, citing authority under the Stored Communications Act, finding that the government met its burden of providing “specific and articulable facts showing reasonable grounds to believe that the records sought were relevant and material to an ongoing criminal investigation.”[12] On these grounds, the CSLI was admitted as evidence that Mr. Carpenter’s cell phone was in the vicinity of the crime scene during the date and time of the robberies.[13]
The central issue in Carpenter was whether law enforcement may acquire CSLI records from a data service provider via a mere court order, or whether such information requires a search warrant under the elevated Fourth Amendment probable cause standard?[14] The Court held that the acquisition of CSLI by law enforcement requires a search warrant.[15] The majority found, “[W]hen the Government tracks the location of a cell phone, it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”[16] “The retrospective quality of the (CSLI) data here,” the Court ruled, “gives police access to a category of information otherwise unknowable.”[17] Roberts suggested that society has evolved such that U.S. citizens are essentially compelled to carry movement-tracking smart phones.[18] The majority found it would be contrary to the Fourth Amendment’s privacy protections to permit the government access to that “near perfect surveillance” without a warrant.[19] Thus, at first glance, Carpenter seemed to reflect the Court’s thoughts on a potentially significant barrier to the government obtaining CSLI records without probable cause.
II. The DIA’s Narrow Interpretation of Carpenter
Despite Carpenter’s enhanced protections for CSLI, the DIA has interpreted thedecision to sustain its ability to purchase commercially available data. The DIA’s two primary arguments were that: (1) Carpenter was a narrow opinion pertaining to law enforcement actions; not intelligence collection, and (2) the IC has been authorized to collect “publicly available information” (PAI) for nearly four decades and purchasing commercial data is consistent with that enduring and sensible authority.
First, DIA distinguished that its procurement is for “intelligence purposes,” versus the law enforcement purposes that were at issue in Carpenter.[20] The DIA contends that the Carpenter Court deliberately limited the scope of its decision and “expressly did not consider collection techniques involving national security.”[21] By extension, the Court did not address the process, if any, associated with the acquisition of bulk commercial geolocation data for foreign intelligence and counter-intelligence purposes.[22]
Support for DIA’s position can be found within the Carpenter opinion. The Court stressed that its “ruling was a narrow one.”[23] The majority stated it was not addressing police access to other types of records, including smaller amounts of historical CSLI.[24] Moreover, it explicitly provided that, “our opinion does not consider other collection techniques involving foreign affairs or national security.[25] The Court explained that it planned to “tread carefully in such cases” so as not to “embarrass the future.”[26] Thus, from the plain reading of Carpenter, the DIA’s argument that its activities are beyond the scope of the opinion is persuasive.
Second, the DIA highlights that the purchased data is “commercially available.”[27] While not expounding in its memo, this point likely references Executive Order (EO) 12333.[28] EO 12333, “United States Intelligence Activities,” which establishes the IC’s membership, structure, and the parameters upon which it may lawfully collect information to support intelligence requirements.[29] While many intelligence activities are geared toward foreign actors, EO 12333 also authorizes the collection, retention, and dissemination of U.S. person information (USPI) in furtherance of an intelligence mission upon certain conditions.[30] The first condition is that the information is “publicly available.”[31]
While most people in 1981 likely considered (PAI) to be content found in newspapers, magazines, and telephone books, the Internet has widened the aperture. Department of Defense Manual (DoDM) 5240.01 (detailed in the next section) defines PAI as:
Information that has been published or broadcast for public consumption, is available on request to the public, is accessible on-line or otherwise to the public, is available to the public by subscription or purchase (emphasis added).[32]
Given DoD’s definition, “commercially available data,” likely constitutes PAI so long as the information is “available to the public for purchase.”[33] But, to safeguard privacy concerns, the DIA developed Attorney General-approved procedures “to control access and use of commercial data collected from locations inside the U.S.”[34]
III. DoD’s Current Privacy Safeguards
Department of Defense Manual 5240.01 “establishes procedures that enable DoD intelligence components (e.g. DIA) to conduct authorized intelligence activities in a manner that protects constitutional and legal rights and the privacy and civil liberties of U.S. persons.”[35] The manual promulgates ten “procedures” governing its collection activities. Notably, Procedures 2, 3, and 4 concern the “collection, retention, and dissemination” of USPI.[36] At each respective phase, the manual affords USPI significant privacy protections.
Procedure 2 provides that a DoD intelligence component may intentionally collect USPI “only if the information sought is reasonably believed to be necessary for the performance of an authorized intelligence mission or function assigned to the component,” and if the information falls within another list of specified criteria; the first of which is that it is publicly available.[37] Procedure 2 also prohibits collection for the purposes of monitoring activities protected by the First Amendment or other Constitutional activities.[38] Thus, in order for the DIA to purchase commercial data, it must first reasonably assess that it is necessary for an intelligence mission.
Procedure 3 mandates that intentionally collected USPI must be evaluated no later than five years after collection to determine if it should be permanently retained.[39] In order to be permanently retained, the intelligence component must find that retention “is reasonably believed to be necessary for the performance of an authorized intelligence mission or function.”[40] If the information is not retained, the USPI will be presumptively deleted after five years unless an extension is approved. Procedure 3 also requires the DIA to store USPI in a manner that minimizes unauthorized access by agency personnel.[41] Protective measures include multi-layer approvals before one may access USPI, audits, and routine reviews to ensure compliance.[42]
Finally, Procedure 4 governs how USPI may be disseminated within the IC, to other federal agencies, state governments, or foreign governments/international bodies. Procedure 4 requires that prior to disseminating USPI to other federal or state agencies, the DIA must determine that the recipient is “reasonably believed to have a need of such information for the performance of its lawful missions and functions.”[43] Again, senior level approvals are required in accordance with the manual.[44]
In response to Senator Wyden’s inquiry, the DIA outlined its specific process for commercial data purchases.[45] The agency initially segregates U.S. data location points from foreign data location points, presuming that the data found in the U.S. is USPI.[46] Once complete, DIA personnel may only query the USPI database after completing an intensive process, which includes approval from the Office of General Counsel, Office of Oversight and Compliance, and DIA senior leadership.[47] Accordingly, permission to query the USPI database has only been granted five times in the past 2.5 years.[48]
IV. The Fourth Amendment is Not for Sale Act
On April 21, 2021, Senator Wyden and eighteen other co-sponsors introduced “The Fourth Amendment is Not for Sale Act.”[49] The bill purportedly intends to “close the legal loophole” which allows data brokers to sell USPI to law enforcement and intelligence agencies without judicial oversight.[50] The bill would require the government to obtain a court order to compel data brokers to disclose data.[51]
The bill would also prohibit law enforcement and intelligence agencies from purchasing data pertaining to people in the U.S. and about Americans abroad, if the data was obtained from a user’s account or device, or via deception, hacking, violations of a contract, privacy policy, or terms of service.[52] It would also close loopholes that would permit the intelligence community to purchase metadata about Americans’ international communications without a court order under the Foreign Intelligence Surveillance Act.[53] Finally, it would statutorily prohibit the use of any information wrongfully obtained by a government agency from being introduced as evidence in a legal proceeding against a U.S. citizen.[54]
V. Recommendation: DoD Should Petition Congress for an Exemption and Permit Increased Oversight from the Privacy and Civil Liberties Board (PCLOB)
In the weeks since its introduction, the bill has been well-received by privacy rights advocates like the ACLU.[55] Predictably, the idea of government agencies purchasing and storing location data is unpopular. This work does not argue that law enforcement agencies should be permitted to purchase commercially available data to acquire information that they would otherwise need a court order or warrant to obtain. However, it does take issue with it prohibiting IC, especially the DIA, from responsibly collecting and maintaining commercial data assessed to be reasonably necessary for an authorized intelligence mission.
In response, the DoD should strongly advocate that its intelligence components be exempted from the proposed prohibition because: (a) limiting DoD’s access to publicly available data will be detrimental to national security interests; and (b) DIA’s current procedures for safeguarding USPI are sufficiently robust.
In October 2020, DoD published its Data Strategy.[56] It asserts that “DoD is a data-centric organization that uses data at speed and scale for operational advantage and increased efficiency.”[57] It recognizes that data underpins digital modernization and is increasingly the fuel of every DoD process.[58] Thus, at a point when the DoD is recognizing and leveraging data for strategic national security advantage, the proposed legislative proscriptions project to stymie its momentum by incorporating burdensome hurdles to purchasing data sets that may contain substantial national security intelligence value. The bill’s provisions could result in DoD intelligence requirements being grounded by cumbersome FISA application processes to obtain what has been traditionally considered PAI; a staple IC information source since EO 12333’s enactment forty years ago.
Moreover, the legislative hurdles are unnecessary. The DoD has already developed a robust set of set of procedures designed to protect USPI in DoDM 5240.01. The fact that DIA’s USPI holdings database has only been queried five times in the last 2.5 years displays DoD’s dedication to privacy. In short, the bill offers a solution to a problem that does not exist.
If Congress remains concerned about the DIA’s process, it should use a precise scalpel rather than a sledgehammer-like fulsome ban. Congress should supplement the current DoDM 5240.01 procedures by codifying requirements that PCLOB, an independent privacy rights agency, conduct routine oversight of DoD’s procurement of commercial databases.[59] Congress should also specify that DIA only be permitted to purchase “off the shelf” bulk data sets and may not request customized DIA-specific products. This measured approach would help assuage particularized “surveillance” concerns while preserving the DIA’s authority to purchase commercially available public information. Finally, the bill should be amended to expressly prohibit the DIA from sharing its commercial data with law enforcement agencies without an appropriate court order, thereby creating a codified “wall” protecting USPI from inappropriate law enforcement use.
In conclusion, The Fourth Amendment is Not for Sale Act promises significant privacy protections. Yet, Congress should carefully consider its potential sweeping impact on DIA’s intelligence mission. The DIA should zealously advocate to retain its authority to collect PAI per EO 12333 and enthusiastically welcome additional PCLOB oversight and other reasonable preconditions essential to preserving its ability to purchase commercial data.
–
Maj. Steven Szymanski is a judge advocate in the United States Army Judge Advocate General’s Corps and a graduate of Georgetown University Law Center’s National Security Law LL.M. program. He is grateful to Professor Peter Gronvall for his thoughtful mentorship and inspiration. The opinions expressed are personal and do not necessarily represent the views of the Department of Defense or Department of the Army and are not made in his official capacity.
[1] Joris Toonders, Data is the New Oil of the Digital Economy, Wired (Jul. 2014), https://perma.cc/H47P-UCU3.
[2] Kate Cox, Military Intelligence Buys Location Data Instead of Getting Warrants, Memo Shows, Arstechnica (Jan. 22, 2021), https://perma.cc/MR7Z-HTP3.
[3] Id.
[4] Michael Kans, Data Brokers and National Security, Law fare Blog, (Apr. 29, 2021), https://perma.cc/FKB2-QNUM.
[5] Id.
[6] Defense Intelligence Agency Memo, U-21-0002/OCC-1, Clarification of Information Briefed During DIA’s 1 December Briefing on CTD (Jan. 15, 2021) [hereinafter DIA Memo], https://perma.cc/2KMA-V2TN.
[7] The Fourth Amendment is Not for Sale Act, S. 1265, 117th Cong. (2021); see also USA: Senators Introduce Fourth Amendment is Not for Sale Act (Apr. 22, 2021) [hereinafter the Act], https://perma.cc/JJ6K-F8FQ.
[8] Id.
[9] Carpenter v. U.S., 138 S. Ct. 2206 (2018).
[10] Id.
[11] Id. at 2207; The transactional records obtained by the government included the date and time of calls, and the approximate location where calls began and ended based on their connections to cell towers—”cell site” location information (CSLI).
[12] Id; see also 18 U.S.C. 2703(d).
[13] Carpenter, 138 S. Ct., at 2207.
[14] Id. The search warrant requirement imposes a burden on the government to show probable cause that a crime has been, will be, or is being committed.
[15] Id. at 2209.
[16] Id.
[17] Id.
[18] Id. at 2220.
[19] Id.
[20] DIA Memo, supra note 6.
[21] Id.
[22] Id.
[23] Carpenter, 138 S. Ct. at 2220.
[24] Id.
[25] Id. (emphasis added).
[26] Id. (quoting Justice Frankfurter in Northwest Airlines, Inc. v. Minnesota, 322 U.S. 292, 300 (1944)).
[27] DIA Memo, supra note 6.
[28] Exec. Order No. 12333 (Dec. 4, 1981), https://perma.cc/4SAP-PEAH.
[29] Id.
[30] Id. at § 2.3.
[31] Id. at § 2.3(a).
[32] Department of Defense Manual 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, (Aug. 8, 2016), https://perma.cc/DU5M-RY2Y.
[33] Id.
[34] Id.; see also EO 12333 at § 2.3.
[35] Id.
[36] Id.
[37] Id. at § 3.2(c). Procedure 2 also provides guidance about minimization measures to take if suspected USPI is incidentally collected. For instance, if USPI is incidentally contained on database portending to only have information pertaining to non-U.S. persons.
[38] Id. at § 3-2(f).
[39] Id. at § 3-3(c).
[40] Id. at § 3-3(e).
[41] Id.
[42] Id. at 3-3(f).
[43] Id. at 3.4(c) (4-5).
[44] Id.
[45] DIA Memo, supra note 6.
[46] Id.
[47] Id.
[48] Id.
[49] The Act, supra note 7.
[50] Haley Yamada, Lawmakers Propose Bill to Ban Feds from Buying People’s Private Data, ABC News, (Apr. 21, 2021) (quoting Sen. Wyden), https://perma.cc/RJ4P-TZ2S.
[52] Id.
[53] USA: Senators Introduce Fourth Amendment is Not for Sale Act, Data Guidance (Apr. 21, 2021), https://perma.cc/7FWV-CZVK.
[54] The Act, supra note 7.
[55] Ronald Newman & Kate Ruane, ACLU Endorsement, (Apr. 21, 2021), https://perma.cc/YB9S-B5KR.
[56] DoD Data Strategy, Unleashing Data to Advance the National Defense Strategy, (Sep. 30, 2020), https://perma.cc/95WB-GLY2.
[57] Id.
[58] Id. at 11.
[59] Privacy and Civil Liberties Oversight Board, Mission Statement, https://perma.cc/2699-YN77.