Speaker 0
0:00 – 0:27
Hi. I'm Devon Hankerson Madrigal. I'm the research manager at CDT. You may not realize, but as a nonprofit, CDT relies on the generosity of donors like you. If you enjoyed this episode of Tech Talk, you can support it and our work at CDT by going to cdt.0rg/techtalk. If you have already donated, thank you. If you have not, we would love your support. Thank you for enhancing civil rights and civil liberties in the digital age. I'm
Speaker 1
0:36 – 0:36
age.
Speaker 0
0:42 – 0:44
Welcome to Tech Talk. Bye.
Speaker 2
0:45 – 0:45
CT.
Speaker 1
0:49 – 1:45
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. CDT recently released a report, legal loopholes and data for dollars, exploring the data broker ecosystem, which is estimated to be worth about $200,000,000,000 and examining how law enforcement and intelligence agencies have been evading legal requirements by purchasing data from brokers. Here to talk about this report and what can be done to prevent the illegal sale of sensitive information is Greg Nojohn, senior counsel and director of the CDT Security and Surveillance Project, and Dhanaraj Thacker, research director for CDT. Greg and Dhanaraj, thank you so much for joining us. To kick us off, can you explain what a data broker is? I mean, what exactly do they do, and what type of information is sold and purchased?
Speaker 3
1:45 – 3:21
Sure. I can start. And that's an important question, Jamal, because, actually, the term data broker is used in different ways. In our recent report, we wanted to be as specific as possible. So we we, explained that by, a data broker, what we're talking about is essentially in a business that, no one collects, purchases, analyzes, or aggregates data, with the with the intent to identify individuals or devices. Right? And that that intent part is very important. And, ultimately, they are doing this for the purposes of selling that data to other other parties. So so that is what we have defined it. And then and then in terms of the types of information that that's involved there, it's quite broad. The data brokers ecosystem, involves many different, brokers that are engaged in different kinds of data. So we could be talking about data related to people's health, their financial, data. It could also include data more specifically, and and that data that's more of specific interest, like, law enforcement intelligence agencies, like location data, data, that's linked to, license plate readers, and and and so on. Yeah. So there are a lot of different kinds of data that's in that's encompasses the data broker ecosystem.
Speaker 2
3:21 – 4:25
A lot of times, if I could just add one quick thing, this is Greg, a lot of times, the brokers will add value to the data that they collect. So they might collect location information, for example. They might collect it from a variety of different sources so they can get a better picture and deliver a better picture, of, a person's location. And then they might add other value to it, like what was near the person at the time, that they were in the location that's relevant. Those things that are near might be static. Sometimes they could be dynamic because they could be other people as well. So, think of the broker as collecting the data, adding value to it, then either selling the data or selling limited access to the data. So so a law enforcement or intelligence agency could get a subscription instead of getting the data itself.
Speaker 1
4:25 – 4:40
So, Greg, what I'm understanding is that they they gather the data, they take the data, and they sell some parts of it. Is does is that right? They don't sell the whole why why don't why don't they sell all the data? They could.
Speaker 2
4:41 – 4:50
For some brokers, that would mean they were selling the crown jewels of the company. So they might want to instead sell access to the data.
Speaker 1
4:50 – 5:09
This feels a little scary if if you were to ask me. And, I'm wondering how are they able to to purchase this information? Why why aren't any protectors in place? I I feel like you can do a lot with this data, and the average person would need to be protected from just any Tom, Jim, or Bob buying my data.
Speaker 2
5:10 – 7:11
When the protections that pertain against law enforcement and intelligence agency access were put in place by Congress, and that's in the Electronic Communications Privacy Act and in the Foreign Intelligence Surveillance Act. Nobody was thinking about data brokers. They didn't exist. What there were were providers or at least there was an anticipation that there would be communication service providers, that they would gather the data. And so rules were driven were were were were fashioned around the world as people knew it at the time. What was the time? 1978 for FISA, 1986 for ECPA. So there weren't really brokers to worry about at that time. When they created ECPA, the Electronic Communications Privacy Act, they said, Congress, well, this only applies to providers of remote computing services and electronic communication services. They have, complicated definitions, but, think of, Gmail, for example, as an ECS service. And, the calendar that you, put up in the cloud and only you have access to, that's an RCS service. So congress drew the rules and said, if law enforcement wants to get at this data, it's going to need to get a subpoena, a court order, or a warrant in order to get to it, depending on the type of data that's being protected. There was no rule about non ECS, non RCS providers. They just weren't covered. They just weren't included in the statute. So that's why the government can purchase the data from the brokers. The brokers
Speaker 1
7:12 – 7:24
aren't covered by the Electronic Communications Privacy Act. So I I hear you say the police a lot and law enforcement. Are they the biggest purchasers of this data, or are there others?
Speaker 3
7:24 – 9:34
This is this is a tough question to answer, Jamal. This goes out to one of the problems that we, along with many others, highlight in terms of the lack of transparency around the data broker ecosystem on a whole. So we are able to identify who some of the major brokers are. It's less it it's it's it's less clear who who are who all is purchasing this data. We we so so because of the many types of data, that are is is being considered here, we know that many different, actors would be of would be interested in this. So if you think of, applications for employment or insurance or other kinds of, you know, instances where people wanna identify an individual to understand their background, those industries are often involved in the purchase of of data or transactions with data brokers. And in some of those cases, rare some of those rare cases, they are there's actually some regulation in place, like, the fair credit report and after things like that. But in most cases, there's not. So you do have many, existing industries, legitimate, businesses that are engaged in the, purchase and and use of, data from brokers. And you have many others as well, and and what we focus on in our on our report specifically is on the law enforcement intelligence agency, community, who are also very much engaged, in in the purchase of this data. It's just very hard to put this in a dollar amount, which ultimately would be would be really would really help understand the scale of the problem and who are the main you know, the biggest purchasers, because that those dollar amounts are often, obfuscated. So yeah. I think that that's a kind of, partial answer to your question.
Speaker 1
9:35 – 9:44
So I wanna turn this back a little bit towards law enforcement agencies. I'm curious to know how they use this data, and why don't why don't they need warrants to obtain this information?
Speaker 2
9:44 – 11:26
Well, they put it to different uses, but let me answer the second question first. Why don't they need warrants to obtain the information? When When you think about the Fourth Amendment, it it the government interprets it to apply only when it is compelling, its own access. So, law enforcement agent wants to search your home. They knocked on the door. They say, can we search your home? You say no. They say, well, we have a warrant. This warrant gives us permission to search your home even if you don't want us to search it. What if instead law enforcement knocks on your door and says, can we search your home? And you say, yes. Well, they don't need a warrant. You have voluntarily allowed them in. It's the same the government uses the same theory to get the data from brokers. The government's theory is the brokers own the data even though it pertains to you, and the brokers can give the government permission to access the data even if a warrant would be required if the government was trying to compel its own access. The brokers, they're like, well, you want this data? You don't need a warrant. You need money. And so they're they're happy to sell the data to, law enforcement when they come, with a a a checkbook instead of with a warrant.
Speaker 1
11:27 – 11:48
Wow. So it almost sounds like we're trading people are trading our privacy for money. Our our our privacy and and our private, you know, data is is just being, well, like we said earlier, sold off to the highest bidder. So but what does this mean for the future of privacy then? Can can all of our data just be purchased?
Speaker 3
11:49 – 15:17
Well, this is yeah. It's not a good question because the issue on privacy, you know, comes back or or the current state of of the data broker ecosystem comes back to, the lack of a comprehensive federal privacy law in the in the in The United States. I mean, that that that gap, in fact, is one of the drivers historically of the emergence of, this the data brokers and the way in which they operate. And that current gap also helps explain why there there are so many, problems and and obstacles around individuals like us trying to exercise our our rights to privacy. It's very it the the data broker ecosystem and the the fact that brokers will collect and add value to data, as Greg was alluding to earlier, and then, in fact, sell that to other brokers, essentially creates this very complicated supply chain. So there are many different people involved in the buying and selling and piecing together and and for you know, aggregating and so on of our data along the way between that initial point when we share data, for example, where we use a mobile an app on our mobile phone, and, ultimately, when someone purchases it for, you know, purposes of identification. And to get related with, one example of this is, let's say you have, an app on your phone that's, you know, meant to help with your health, like a fitness app. Right? And it collects some data about you, about your fitness, your health, and so on. The privacy policy in that app might, be clear about what that app is gonna do with it do with your data, as well as as as be clear that it's gonna share that data with third parties or brokers, right, for certain purposes. And it may direct you to that third party or broker to to examine their privacy policy to understand what they do with the data. And if you were to do that, and this this is an actual case that we outlined going back to our report, and if you were to do that and look at a third party or a brokerage, understand what they're doing with your data, they would say that what that their client in this case is actually the mobile app developer and not you, the individual. And your specific data, your individual data is not covered by their privacy policy, and they would instead refer you back to the mobile app developer. And so you're stuck in this loop of not being clear about who's how your privacy is being protected and whose responsibility it is it is to do so. And this is just one instance how how the this supply chain of of many different, actors being involved in the in in, you know, the the collection and and eventual sale of your data, it becomes very complicated. And that just means it weakens, an individual's ability to, you know, exercise their privacy rights and even understand how they can exercise it and who is responsible for it. And this is the current environment that we exist in now, and it will just get more and more complex and more and more opaque in this way, you know, as, there is a increased reliance and churn and and use of, data broker services, more generally.
Speaker 2
15:18 – 17:19
Yeah. I think I think, the future is not bright for privacy unless the brokers are properly regulated. And so far, that proper regulation has not been put into place. Let me a recent example came to light. One broker that was collecting location information also mapped the planned parenthood clinics. And shortly after the draft the leak of the draft, decision reversing Roe v Wade, came to light, that brokers, activities in mapping the planned parenthood, clinics and making it possible for people to see for a price, who was going to the clinic and where they went after they went to the clinic became a really big issue. And the reason it's a really big issue is because women who seek abortions are going to sometimes have to cross state lines if Roe v Wade is overturned in order to get to a state where, the abortion is legal. Some states have or will enact legislation that would allow them to prosecute, that abortion, even though it didn't occur in the state. What's gonna happen is law enforcement agencies using the data brokers are going to get the data that they need to prosecute people for having or performing abortions. This is this is a a potential incredible disaster for privacy rights in The United States.
Speaker 1
17:20 – 17:57
So I have one more question. But before I preface it before I before I ask it, I wanna preface it by saying, you guys have to leave us with a little hope because right now, I'm I'm I'm feeling a little doom and gloom, and I I wanna I wanna have some hope that there that there's a future for for some good privacy protections that'll, you know, keep the consumers safe, you know, and and keep our information private. So just just ending us off and and rounding us out, what are some of the recommendations that CDT has put forth to close some of these legal loopholes and stop the government purchase of personal information from data brokers?
Speaker 2
17:58 – 21:46
Well, there's already legislation pending that would make a good start, Shamal. It's a a bill by senator Wyden called the Fourth Amendment is not for sale at, very appropriately named. The theory of the bill is that, the government shouldn't be able to access, data, without a warrant even if it's held by a broker, instead of being held by, an entity that's an ECS or an RCS provider. And the idea is to close down some of the gaps in the electronic communications privacy act that the data broker industry, slips into. Another thing that, would be helpful would be, if law enforcement agencies and intelligence agencies revealed their interpretations of the Supreme Court's decision in the Carpenter case. Carpenter was a case that involved the collection of stored cell site location information over a period of seven days or more. And the Supreme Court said, if the government's gonna compel disclosure of that information, it needs to get a warrant. If it's gonna compel disclosure of a lengthier period of stored location information, it's gonna need a warrant. That's important. And the court in reaching this decision said the reasoning its reasoning was that such information is very revealing and can reveal the privacies of life. It seems to me that if in a law enforcement or intelligence agency is going to purchase data, that's going to reveal the privacies of life, it ought to abide by the warrant requirement set forth in the Carpenter case. That case did not, turn specifically on a distinction between, data in the public realm or data that was private, didn't turn on whether the data was compelled or whether it could be volunteered. So I think there's scope for agencies to look at that, Supreme Court decision and decide, you know, if we purchase this data from this broker, we're crossing the line. We are, entering the privacies of life to make sure that what we are doing is lawful. We wanna get a warrant before we do that. So far, agencies haven't done this. I think we can expect that there would be, litigation in the future about it. And and let me add one more thing. I mentioned earlier that the brokers add value to the data. They make it more revealing, more useful to law enforcement. They sometimes run algorithms against the data in order to, make it more useful for law enforcement. The algorithms allow law enforcement to draw more conclusions from the data that are helpful in their investigations. The running of algorithms, the addition of value to the data can, in it in and of itself, end up crossing that line into the privacies of life once revealed to law enforcement, thus triggering, the warrant requirement in the Carpenter case. So I think we're gonna see more litigation about that. Hopefully, we'll see some legislation like the Fourth Amendment is not for sale act to address it as well.
Speaker 3
21:46 – 24:19
Yeah. So I was just gonna add a couple couple more points here in terms of, recommendations. One is around a transparency problem, which we mentioned several times earlier. Like, for example, Jamal, you asked about, you know, who are the biggest purchasers. And instead of lack of transparency, which is a crucial issue here, which, in fact, is something that, the government, and policymakers can act on, in trying to understand, what the the the scale and scope of, transactions between law enforcement, intelligence agencies, and data brokers, we looked at, solicitations or procurement awards or kinds of public available documentation that, these agencies these agencies have put out. And so we got some clues into what they were requesting from, data brokers, what kinds some some hints at what kinds of data they're looking at, but it was never fully clear. It was never fully transparent, nor was it clear what they would use that data for. And so there's an opportunity here to be much more transparent. These agencies could, make public what kinds of purchases and and what kinds of data they are, purchasing from data brokers and in what ways, they they are using that data. So they could be much more transparent in their procurement processes, and that would help the public at large and all of us better understand the extent to which they're they're using these these kinds of data. One other point is that and something that I've mentioned before is that data brokers, because this is highly highly, you know, essentially unregulated sector, data brokers are selling this data, personal information to, different, government agencies or or different industries within The US, but they could also be selling that information to foreign entities. And this becomes particularly problematic if, there are foreign governments that are purchasing, personal data, personal information about Americans. One opportunity here to improve transparency is for congress to, conduct hearings and exam to better examine and shed more light on these kinds of sales between data brokers and foreign governments. And and again, part of part of that would be to, remove, you know, the obfuscation that we've been talking about earlier and to understand these these these kinds of, transactions.
Speaker 2
24:19 – 26:53
Yeah. Congress has to move carefully in this area. They need to first get their heads around what's the scope of the problem, how are the brokers selling data to foreign governments, and, what kind of data, and how should it be regulated? There's one other aspect of the problem, though, where we have to be careful. I don't think we wanna put, our government in the position of being able to say to people in The United States, you can't use this communications channel because that use of that communications channel subjects the data about you to access by a foreign government. That's the logic that, president Trump used when he tried to outlaw, WeChat, a chat service. So I think that Congress has to tread very carefully here and make sure that if it is going to control the sale of data to, foreign governments, that it doesn't inadvertently outlaw, some of the communications channels that we now have because those communications channels, could make data available, to foreign entities that are subject to foreign jurisdictions and to foreign, data demands. And, let me add one more thing to that. It could be the case that a lot of data is being purchased, by law enforcement agencies, and a lot of access is being granted to law enforcement agencies that is not being used usefully in investigations. There need to be independent audits to assess the efficacy of the perk the the data that's being purchased, or the access that's being purchased by law enforcement and intelligence agencies. Is it actually helpful in investigations? And there needs to be, consideration about whether the data and the use of the data is leading to unequal outcomes and discriminatory applications. That too, Jamal, hasn't yet happened, but I I I'm quite confident that the, law enforcement intelligence agencies are thinking about this problem.
Speaker 1
26:53 – 27:02
That definitely gives me a little more hope than I had earlier. But before we go, I just wanna hear any final thoughts from either of you.
Speaker 3
27:03 – 27:31
I I just think this is a huge problem. Not to not to change the tone again, Jafar. But there is there there's a huge problem here, and and we definitely need more, transparency. There are legislative options, available right now, as Greg mentioned, the Fourth Amendment, not the SAL Act. So there are opportunities to act. But I think just think we we have a serious problem, and and we need to act upon it now.
Speaker 2
27:31 – 28:32
It's a huge problem. It's not going away. It's gonna get bigger. And, but we do know some of the things that could be done to make it a smaller problem. I think we have to look at it also from the point of view of the intelligence agencies and the law enforcement agencies. They're looking at a world where, in the commercial sector, this data is readily available. And they're thinking to themselves, if we don't avail ourselves of this data, well, we're just being foolish. So I think it's our role and, ultimately, the role of Congress to point out, how acquisition of this data could be regulated in a way that allows the agencies to do their important law enforcement and intelligence work while also protecting, the privacy of the people to whom the data pertains. We have to be able to strike that balance.
Speaker 1
28:38 – 28:50
Greg and Donaraj, thank you so much for being here today. If you would like to find out more about CDT's work, please feel free to visit us at cdt.org. I'm Jamal Magby, and thank you for talking tech.