Tag Archives: Big Data

Is the Fourth Amendment Really for Sale? The Defense Intelligence Agency’s Purchase of Commercially Available Data

By US Army Maj. Steven Szymanski

Introduction

The commercial data market has exploded.  Data has even been dubbed “the oil of the 21st century.”[1]  Aiming to capitalize on this blossoming industry, data brokerage companies have emerged to collect, collate, and sell personal data from nearly everyone who uses the Internet.[2]  New online data auctions occur thousands of times per day, selling everything from users’ shopping preferences to their actual location.[3] 

Many Americans have experienced the eerie phenomenon of receiving advertisements for regional businesses during cross-country travel.  The realization that our smart phones and applications are tracking our movements is becoming common knowledge.  While discount offers for local steakhouses may be welcomed during road trips, serious questions have emerged about the lack of regulation in this new market and the potentially ominous uses of commercial cellular location data.  This piece focuses on a slice of this larger discussion by examining whether intelligence agencies should be permitted to purchase the commercial data without a court order.[4]   It concludes that policy makers should preserve the U.S. intelligence community’s (IC) ability to purchase this information, while imposing substantial oversight to ensure that American privacy interests are preserved.

In early 2021, Senator Ron Wyden queried the Defense Intelligence Agency (DIA) to confirm: (1) whether DIA purchases commercial location data from apps installed on consumers’ smart phones; and (2) whether the agency construes the landmark Carpenter v. U.S. decision as “only applying to location data obtained through compulsory legal process” and not to “data purchased by the government?”[5]  In January, the DIA affirmatively answered both questions, reasoning that Carpenter’s scope was limited to law enforcement and did not prohibit the IC’s authority to collect commercially available information to support intelligence requirements.[6] 

Likely and predictably dissatisfied with the DIA’s response, Senator Wyden introduced the “Fourth Amendment is Not for Sale Act” (hereinafter, the Act) on April 21, 2021.[7]  If passed, the Act would prohibit law enforcement and intelligence agencies from purchasing commercially available data without a court order or warrant.[8]  Though the bill has been met with bipartisan endorsement and heralded by privacy advocates, the DIA should petition Congress to preserve its nearly four-decade authorization to collect publicly available information (PAI) for intelligence purposes to support national security objectives. 

Part I of this article will briefly summarize the landmark Carpenter v. U.S. ruling.  Part II will analyze the DIA’s position that its purchase of commercial data is lawful.  Part III will describe the Department of Defense’s (DoD) current procedures to safeguard U.S. person information (USPI).  Part IV will examine the Act.  Finally, Part V will argue that prohibiting the DIA from purchasing commercially available data is imprudent and unnecessary.  Instead, Congress should direct that DoD’s existing privacy oversight mechanisms be supplemented by routine audits from the Privacy and Civil Liberties Oversight Board (PCLOB). 

I.  Carpenter v. United States

In 2018, Chief Justice John Roberts authored a 5-4 majority opinion in Carpenter v. U.S.[9]  According to the facts in the case, following the arrest of four suspects for a series of robberies, one suspect confessed and provided the FBI with his co-conspirators’ cell phone numbers.[10] The FBI then applied for three magistrate court orders to obtain “transactional records” which included their historic cellular cite location data (CSLI).[11]  The judges granted the orders, citing authority under the Stored Communications Act, finding that the government met its burden of providing “specific and articulable facts showing reasonable grounds to believe that the records sought were relevant and material to an ongoing criminal investigation.”[12]  On these grounds, the CSLI was admitted as evidence that Mr. Carpenter’s cell phone was in the vicinity of the crime scene during the date and time of the robberies.[13]

Continue reading Is the Fourth Amendment Really for Sale? The Defense Intelligence Agency’s Purchase of Commercially Available Data

Defining the Scope of “Possession, Custody, or Control” for Privacy Issues and the CLOUD Act

With a growing number of US companies storing their electronic data across country lines, US law enforcement agencies are left with the difficult task of trying to access electronic evidence stored outside of their physical jurisdictions.

In response, Congress passed the Clarifying Lawful Overseas Use of Data Act (Cloud Act) in 2018 to provide the US government with the power to order the production of electronic evidence that is stored outside of the US if it is within a US company’s “possession, custody, or control.”

However, the Cloud Act does not define what constitutes the “possession, custody, or control” of electronic evidence, raising concerns about the scope of US authority under the Act. Through their examination of existing domestic and international jurisprudence interpreting these terms in other legal contexts, Hemmings, Srinivasan, and Swire outline the key factors courts should balance in analyzing this pivotal phrase.

Gathering Intelligence: Drifting Meaning and the Modern Surveillance Apparatus

Since its implementation in 1981, Executive Order 12,333 has served as a general charter governing the structure and operations of the Intelligence Community. While legislation has imposed a degree of added judicial and congressional oversight, the executive branch continues to retain sole discretion over large swathes of foreign intelligence activity today.

Over the past several decades, and in accordance with E.O. 12,333’s mandate, members of the Intelligence Community have each created internal agency manuals to guide their foreign intelligence operations. These manuals identify and define a range of technical terms critical to determining the scope of agencies’ intelligence-gathering authority, including what information is gathered, how long that information is retained, and the uses to which it may be put. But over time, the dispersion of authority to make decisions within and across intelligence agencies has enabled drift in the meaning of these terms. Together, the manuals have created a thicket of often conflicting and unclear definitions that are difficult for Congress, the courts, and even committees within the executive branch to understand.

In this article, Diana Lee, Paulina Perlin, and Joe Schottenfeld provide the first sustained analysis of these definitional inconsistencies, their consequences, and efforts to address the problem from within and outside the executive branch. In particular, it focuses on three terms that determine when the intelligence cycle “officially” begins: “collection,” “acquisition,” and “targeting.” By analyzing these three terms, this Article demonstrates the lack of clarity that executive discretion and dispersal create. This lack of clarity, in turn, makes it difficult for meaningful oversight, such as congressional hearings, to occur. The Article concludes by offering recommendations to clarify the parameters of the government’s intelligence-gathering authority. As technological advancements continue to expand the Intelligence Community’s capacity to gather information, it is imperative that the government adopt measures to facilitate effective oversight over the executive’s foreign intelligence operations.